Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Active Directory. Show all posts

Why Active Directory Is A Big Deal?

 


In a cutting-edge study by XM Cyber and the Cyentia Institute, a comprehensive analysis has unveiled a startling reality: a staggering 80% of cybersecurity vulnerabilities within organisations stem from issues related to Active Directory. This might sound like tech jargon, but basically, it's a crucial part of how computers in a company talk to each other.

Active Directory functions as the central nervous system of an organisation's digital environment. Its vulnerabilities, often stemming from misconfigurations and attempts to compromise user credentials, pose significant risks. Tools like Mimikatz further exacerbate these vulnerabilities, enabling malicious actors to exploit weaknesses and gain unauthorised access.

Cloud Computing: New Risks, Same Problems

Even though we talk a lot about keeping things safe in the cloud, it turns out that's not always the case. More than half of the problems affecting important assets in companies come from cloud services. This means attackers can jump between regular computer networks and the cloud, making it harder to keep things safe.

Different Industries, Different Worries

When it comes to who's facing the most trouble, it depends on the industry. Some, like energy and manufacturing, have more issues with things being exposed on the internet. Others, like healthcare, deal with way more problems overall, which makes sense since they have a lot of sensitive data. Tailored strategies are essential, emphasising the importance of proactive measures to mitigate risks effectively.

What We Need to Do

Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasises the need for a holistic approach to exposure management. With a mere 2% of vulnerabilities residing in critical 'choke points,' organisations must broaden their focus beyond traditional vulnerability patching. Prioritising identity management, Active Directory security, and cloud hygiene is vital in making sure our cloud services are safe.

We need to be smarter about how we protect our computer systems. We can't just focus on fixing things after they've gone wrong. We need to be proactive and think about all the ways someone could try to break in. By doing this, we can make sure our businesses stay safe from cyber threats. Only through concerted efforts and strategic investments in cybersecurity can organisations stay ahead of the curve and protect against the ever-present spectre of cyber threats.



Implementing Zero Trust Principles in Your Active Directory

 

In the past, many organizations relied on secure perimeters to trust users and devices. However, this approach is no longer viable with the geographical dispersion of workers and the need for access from various locations and devices. End-users now require access to corporate systems and cloud applications outside traditional work boundaries, expecting seamless and fast authentication processes.

Consequently, numerous organizations have adopted a zero-trust model to verify users accessing their data, recognizing Active Directory as a critical component of network authentication. Ensuring the security of credentials stored within Active Directory is paramount, prompting the question of how zero trust principles can be applied to maintain security.

The zero trust model, characterized by the principle of "never trust, always verify," requires authentication and authorization of every user, device, and network component before accessing resources or data. Implementing this model involves constructing a multi-layered security framework encompassing various technologies, processes, and policies.

One fundamental step in securing Active Directory environments is enforcing the principle of least privilege, which restricts privileges to the minimum necessary for individuals or entities to perform their tasks. This mitigates the risks associated with privileged accounts, reducing the potential impact of security breaches or insider threats.

Implementing a zero trust model also entails granting elevated privileges, such as admin rights, only when necessary and for limited durations. Techniques for achieving "just-in-time" privilege escalation include the ESAE (Red Forest) model and temporary admin accounts.

Additionally, employing multi-factor authentication (MFA) for password resets enhances security by adding extra layers of authentication beyond passwords. This mitigates vulnerabilities in password reset processes, which are often targeted by hackers through social engineering tactics.

Moreover, scanning for compromised passwords is crucial for enhancing password security. Despite the implementation of zero trust principles, passwords remain vulnerable to various attacks such as phishing and data breaches. Continuous scanning for compromised passwords and promptly blocking them in Active Directory helps prevent unauthorized access to sensitive data and systems.

Specops Password Policy offers a solution for scanning and blocking compromised passwords, ensuring network protection from real-world password attacks. By integrating such services, organizations can enhance their password security measures and adapt them to their specific needs.

Solutions like Specops Software provide valuable tools and support through demos or free trials for organisations seeking to bolster their Active Directory security and password policies.

Enterprise Attack Surface Widening Access Control Gap in Microsoft Active Directory

 

Users in Windows environments may be able to access domains other than those for which they are authenticated due to a security flaw in Microsoft's Active Directory (AD) service that IT administrators may not be aware of. 

The majority of Windows domain-type networks come pre-configured with AD, Microsoft's all-purpose identity management tool for authenticating computers, printers, users, and virtually anything else taking part in an IT environment. According to Frost & Sullivan, tens of thousands of businesses use the service, including 90% of the Global Fortune 1000 corporations.

By using AD to manage authentication across a domain, network administrators may ensure that only authorised users can access the resources that have been assigned to them. 

Nevertheless, Charlie Clark, a security researcher at Semperis, described how a user might circumvent AD's security measures and access domains for which they were not specifically given permission in a study released on March 14. He says that by doing so, an attacker's "attack surface" is greatly enlarged. Obviously, the larger the attack surface, the more likely it is that an attacker will discover an exploitable bug. 

The transitive property of mathematics states that if a = b and b = c, then a = c. In AD, if domain A connects to domain B and domain B links to domain C, domains A and C may or may not be able to access one another depending on whether they share a "transitive trust." According to Microsoft's website, "transitivity controls whether a trust can be extended outside of the two domains with which it was built." 

An external trust—a manually created, nontransitive form of trust in AD—could exist between two domains belonging to two different organisations. The problem, according to Clark, is that one firm can utilise external trust to access sister domains that are part of the same group (referred to by Microsoft as a "forest") as the second, even if no formal external trust has been established for those domains. 

"An authorised user from one domain would only be able to target the precise domain they've established a trust with," as per Clark, assuming what we believed about non-transitive trusts were accurate. They wouldn't be able to go to other domains outside of the forest." 

As opposed to this, "every account within the trusted domain will be able to authenticate against any domain throughout the whole forest in which the trusting domain resides," he stated in his research. 

A malicious user who learns how to move about a forest at will can gain access to things like accounts and data that they shouldn't be able to find.

Clark claims that because it is so simple to take control of one domain inside a forest, it "allows an attacker to have a significantly bigger attack surface from any low-privileged user on a trusted domain." 

On May 4, 2022, Clark informed Microsoft of his initial findings. In an email on September 29, Microsoft stated that "According to our assessment, this submission does not constitute a security issue for servicing. This research doesn't seem to point out any flaws in Microsoft products or services that could allow an attacker to compromise their integrity, accessibility, or confidentiality." The business then concluded the investigation. 

Trust: Why it matters 

Clark spent more than 15 years working as a systems administrator and six years as a pen tester. Every medium-sized to major infrastructure or business I've worked with has had external trusts, he asserts. He claims that if extra safeguards aren't in place, the majority of AD's clients are most likely at risk right now. 

Clark advises administrators to delete all external trusts in order to safeguard against this type of access control misuse in addition to Microsoft's suggestions. The next best thing is to keep track of which users are accessing what if this is not achievable. 

Awareness is ultimately the most crucial factor. A false sense of security could otherwise cause administrators to make mistakes. People can tell that the risk is larger for a trustworthy domain. So they might put more security in place for that domain, Clark says, but they might not put the same level of security in place for the other domains in the forest even though the risk is identical. 

"I think the main thing is to make system admins aware that this is possible," Clark concluded. By knowing this, "they can harden the rest of the domain sufficiently."

Evil Colon Attacks: A Quick Guide

 

The high-tech era has made the emergence of new cyber attacks more common than social media trends. One such case of a rapidly evolving threat is the Evil-Colon attack, which shares similarities with Poison-NULL-byte attacks. Despite the fact that poison-NULL-Byte attacks are now non-functioning, it has been suggested that they could have led to new versions of hacking and malware on your systems in case of inappropriate handling. 

In one of his articles, Leon Juranic, a security researcher at Mend, detailed his encounter with the Evil-colon attack. He mentioned that during auditing a source code he discovered a case where an Evil-Colon could be used to evade the path sanitization process. By using novel strategies, the threat actors were able to exploit the vulnerabilities in applications running on Windows operating systems. The analysis concluded that as Evil-Colon is a specific issue in windows-based services, it is more likely to affect any Windows servers. 

When applications or servers use path-based operations, such as using user input when forming the file path, the information stored in that file can be modified by external code flows, which can cause severe security issues like arbitrary data injection, etc. Leon illustrated the working of Evil-Colon with the example of the Java application WriterFile.jsp source code. 

He stated that the working of Evil-Colon includes creating a file in the directory whereas, with sanitization, the new files will append .txt. After passing a colon character at the end of the user’s input, the file gets created as an Altered Data Stream with an arbitrary file extension. 

Later the file is again created in the directory, but as a colon character was added at the end of the filename and it stripped off the rest of the filename string into Alternate Data Stream, the file is recreated with the .jsp extension. 

He furthermore described how the possibility of altering the files that are created earlier in the applicating workflow can lead to serious security threats. When malicious actors can edit the existing files later in code, it will also allow them to modify the .jsp file content into anything they want. On further searching of the modified file in-depth, you will find a string named EVIL-CONTENT. 

Leon concluded his example by warning that, in real-world scenarios, JSP webshell scripts can allow threat actors to remotely execute codes on vulnerable servers or applications. 

To protect your files and data from the Evil-Colon attacks, it is important to remove colon characters from any possible path operations. The elimination of colon characters can be done by using filters, string check operations, etc.

New Specops Password Policy Detects and Blocks in User's Active Directory

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week explaining how the company’s breached password protection policy can spot over 2 billion known breached passwords in users' Active Directory. 

Specops Breached Password Protection offers a service that scans a user’s Active Directory passwords against a dynamically updated list of vulnerable passwords. The list contains over 2 billion passwords from known data leak incidents as well as passwords used in real assaults happening currently. 

Specops also restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. During a password change, the password scanner blocks any passwords identified in the database with a dynamic response for end-users. Additionally, it designs a custom dictionary containing potential passwords relevant to users work place, including firm names, locations, services, and relevant acronyms. 

According to security analysts at Specops, password attacks work because users set predictable passwords. When asked to set a complex password, users employ familiar steps that attackers can easily crack. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Specops scanned over 800 million known exploited passwords, up to 83% of passwords were present in vulnerable password databases meaning they were unable to meet regulatory password standards. To finalize the result, security analysts compared the construction rules of 5 different standards against a dataset of 800 million exploited passwords. 

“You can install Specops Password Auditor on any workstation that’s joined to your Active Directory. From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database, Darren James, password and authentication analyst from Specops explained.

The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes. You can export reports showing the results into a script or document to send to members of your organization. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant.” 

Seven Common Microsoft Active Directory Misconfigurations

 

The modern IT association has a wide assortment of responsibilities and competing priorities. Therefore, cybersecurity is regularly ignored for projects that quickly affect business operations. Sadly, this working model unavoidably prompts unaddressed vulnerabilities and security misconfigurations in services and Active Directory. Seven of the most common system and Active Directory misconfigurations are:

Misconfiguration 1: Administrative Privileges 
When an attacker has gotten initial access inside an environment, the adversary will endeavor to lift privileges inside the network. Adversaries ordinarily have the objective of getting Active Directory Domain Administrator privileges, or, in simple words, complete control over the Active Directory domain.  

Misconfiguration 2: Network Shares
Network shares give plentiful freedom to an assailant to elevate privileges within a network. For instance, in a past red team assessment, CrowdStrike recognized an unprotected network share that contained a writable IIS webroot. This permitted CrowdStrike to write a web shell to the webroot as a standard domain user and along these lines acquire code execution as the IIS process proprietor on the webserver. 

Misconfiguration 3: Service Accounts with Weak Passwords 
Adversaries will hope to elevate their privileges inside a network by compromising the credentials of privileged accounts. It is normal for service accounts to be conceded administrative privileges to different hosts in an Active Directory environment. Kerberoasting is an assault technique that endeavors to acquire plaintext passwords from service account Kerberos tickets. One approach to assign service accounts is through an attribute called a service principal name (SPN), which attaches a service to a user account. 

Misconfiguration 4: Services Running on Hosts with Multiple Admins 
Although plaintext and hashed credentials might be stored inside the memory of processes like LSASS, most current endpoint detection and response (EDR) solutions intensely monitor and forestall credential access through these processes. An alternative method for credential access exists when services are arranged to run under a client account. Passwords for these accounts can be extracted by any local administrator. 

Misconfiguration 5: Aged Accounts 
As an attacker, aged accounts or accounts with no password expiration policy make ideal targets for adversaries hoping to keep up long haul admittance to an environment. Aged accounts infer to an attacker that password rotation for the client account is either very troublesome or not executed for a specific explanation, for example, shared access among multiple users. 

Misconfiguration 6: Passwords, Passwords, Passwords 
While other misconfigurations permit adversaries to acquire unapproved admittance to network resources and hosts utilizing a solitary compromised account, credential related assaults compromise additional accounts that might be utilized to further an adversary’s actions on objectives. Three routes normally utilized by attackers are distinguishing plaintext passwords, frail passwords with deficient lockout periods, and password reuse. 

Misconfiguration 7: Legacy Systems 
Assailants target legacy systems because of the unpatched critical vulnerabilities that affect them. EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) are favorite vulnerabilities that are focused on legacy systems as successful exploitation brings about code execution with regards to the system account, giving the assailant complete control of the vulnerable system.