How and why threat actors target Microsoft Active Directory


Microsoft Active Directory debuted 22 years ago. In the computer age, that’s old technology. Threat actors like old technology because it often carries legacy code or processes that are not secured to modern standards, or because organisations have not kept up with patches and recommended settings.

Derek Melber, chief technology and security strategist for Tenable, discussed Active Directory risks at this year’s RSA conference. Attackers target domains. If they see a device joined to Active Directory, they will continue with the attack. If they don’t see a domain-joined machine, they will move on to another workstation. Below are some examples of how attackers can exploit legacy Active Directory vulnerabilities.

sAMAccountName security bypass

Too often we focus on vulnerabilities that make the big headlines and miss those that are probably more impactful. For example, Melber cited the attention the Log4j vulnerability received, but another vulnerability came out the same week that impacts all Active Directory domains: a sAMAccountName vulnerability, which affects all systems that have the November 2021 or later updates.

It is a security bypass vulnerability in Active Directory Security Accounts Manager, for which Microsoft has issued a fix (CVE-2021-42278).

After installing the CVE-2021-42278 update, Active Directory will perform the validation inspections listed below on the sAMAccountName and UserAccountControl attributes of computer accounts created or modified by users who do not have administrator rights for machine accounts.

It builds on a foundational default of every Active Directory domain: that a normal domain administrator wouldn’t mind if a non-administrator in the domain joins up to ten computers to that domain.

That might have sounded reasonable ten years ago, but now, with the ability to deploy workstations using Autopilot or any of the other technologies we have at our disposal, it no longer makes sense to allow non-administrator users to join workstations to the domain.

This setting has been around for years, but many of us have not adjusted it or don’t know about it. You’ll need to go into ADSI Edit and set the ms-DS-MachineAccountQuota attribute on the domain. This is the attribute responsible for the limit described above. By default, it is set to “10”. Setting it to “0” stops non-administrators from joining computers to the domain.

Attackers can combine the CVE-2021-42278 vulnerability with CVE-2021-42287 to “create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. 

This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain,” said Daniel Naim, Senior Program Manager for Microsoft Defender for Identity, in a blog post. 

Every Active Directory instance is vulnerable to this, especially if you have not installed the updates on your domain controllers.
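The following PowerShell script is an added example, not part of the article, showing how a defender can audit the two conditions described above (the ms-DS-MachineAccountQuota default and computer accounts whose names do not follow the convention the CVE-2021-42278 fix enforces) and, optionally, set the quota to 0. It assumes the RSAT ActiveDirectory module is installed, rights to read and write the domain head object, and that the trailing “$” on a computer’s sAMAccountName is the convention being validated.

```powershell
# Added example (not from the article). Requires the RSAT ActiveDirectory module
# and a principal allowed to read/modify the domain head object.
Import-Module ActiveDirectory

$Remediate = $false   # flip to $true to set ms-DS-MachineAccountQuota to 0
$domainDN  = (Get-ADDomain).DistinguishedName

# 1. ms-DS-MachineAccountQuota lives on the domain head object; default is 10.
$head  = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
$quota = $head.'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota (default 10, recommended 0)"

# 2. Computer accounts joined by non-administrators record the creator in
#    mS-DS-CreatorSID (admin-created accounts leave it empty). Review each one:
#    joins by a dedicated provisioning account are expected, anything else is not.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        # The attribute is stored as a byte array; convert it to a SID, then resolve it.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $name = try { (Get-ADUser -Identity $sid.Value).SamAccountName } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $name; WhenCreated = $_.whenCreated }
    } | Format-Table -AutoSize

# 3. The patched domain controller validates sAMAccountName on computer accounts.
#    An existing machine account without the trailing "$" should not occur on a
#    healthy domain and is worth investigating (assumption: "$" suffix convention).
Get-ADComputer -Filter * -Properties sAMAccountName, whenChanged |
    Where-Object { $_.sAMAccountName -notlike '*$' } |
    Select-Object Name, sAMAccountName, whenChanged |
    Format-Table -AutoSize

# 4. Remediation: stop non-administrators from joining machines at all.
if ($Remediate -and $quota -ne 0) {
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'ms-DS-MachineAccountQuota set to 0'
}
```

Security event 4741 (a computer account was created) on the domain controllers gives the same creator information over time, which is useful for alerting after the quota has been reduced.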

Misconfigurations that give attackers easy access
