Tag Archive for: Directory

Hackers’ dwell time declines, but they are able to reach Active Directory very fast


Even as the cyber threat landscape becomes more complex and dangerous, awareness of the importance of guarding one’s digital properties and networks appears to be rising. This is good and encouraging news. The bad news is that hackers are able to reach Active Directory (AD), one of a company’s most critical assets, in less than a day.

AD typically manages identity and access to resources across an organisation, meaning attackers can use AD to easily escalate their privileges on a system to simply log in and carry out a wide range of malicious activity.

According to the latest report by cybersecurity company Sophos, the average dwell time (the time an intruder lurks around in a computer network or a device undetected) has come down to eight days from 10 days in the first half of 2023.

With regard to ransomware attacks, the dwell time comes down to five days. In 2022, the median dwell time decreased from 15 to 10 days.


The Active Adversary Report for Tech Leaders 2023, which provides an in-depth look at attacker behaviours and tools during the first half of 2023, analysed Sophos’ Incident Response (IR) cases from January to July 2023.

“It took on average less than a day—approximately 16 hours—for attackers to reach Active Directory (AD),” he said.

“Attacking an organisation’s Active Directory infrastructure makes sense from an offensive view. AD is usually the most powerful and privileged system in the network, providing broad access to the systems, applications, resources, and data that attackers can exploit in their attacks,” John Shier, field CTO, Sophos, said.

“When an attacker controls AD, they can control the organisation. The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted,” he said.

“Getting to and gaining control of the Active Directory server in the attack chain provides adversaries several advantages. They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim’s network unimpeded,” he said.

Full recovery from a domain compromise…


Active Directory bugs could allow hackers to take control of Windows domain controllers


Following the release of a proof-of-concept (PoC) tool on December 12, Microsoft is advising users to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November.

Active Directory is a directory service that runs on Microsoft Windows Server and is used for identity and access management. Although the tech giant rated the flaws as “Exploitation Less Likely” in its assessment, the public disclosure of the PoC has prompted renewed calls to apply the fixes and mitigate any potential exploitation by threat actors.

The two flaws, tracked as CVE-2021-42278 and CVE-2021-42287, have a severity rating of 7.5 out of ten and relate to a privilege escalation problem in the Active Directory Domain Services (AD DS) component. Andrew Bartlett of Catalyst IT is credited with discovering and reporting both problems.

CVE-2021-42278 enables an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, while CVE-2021-42287 makes it possible to impersonate domain controllers. Chained together, they effectively allow a bad actor holding ordinary domain user credentials to gain access as a domain admin.

The Redmond-based company has also provided a step-by-step guide to help users ascertain if the vulnerabilities might have been exploited in their environments. “As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible,” Microsoft said.

“When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates,” Microsoft’s senior product manager Daniel Naim said. “This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

Microsoft is urging customers to apply patches issued in November for two Active Directory domain controller bugs, following publication of a proof-of-concept tool that leverages these bugs, which when chained can allow easy Windows domain takeover.

The vulnerabilities tracked as CVE-2021-42287 and CVE-2021-42278 allow…


Report: Active Directory Certificate Services a big security blind spot on enterprise networks


As the core of Windows enterprise networks, Active Directory, the service that handles user and computer authentication and authorization, has been well studied and probed by security researchers for decades. Its public key infrastructure (PKI) component, however, has not received the same level of scrutiny and, according to a team of researchers, deployments are rife with serious configuration mistakes that can lead to account and domain-level privilege escalation and compromise.

“AD CS [Active Directory Certificate Services] is Microsoft’s PKI implementation that provides everything from encrypting file systems, to digital signatures, to user authentication (a large focus of our research), and more,” researchers Will Schroeder and Lee Christensen from security firm SpecterOps said in a new report. “While AD CS is not installed by default for Active Directory environments, from our experience in enterprise environments it is widely deployed, and the security ramifications of misconfigured certificate service instances are enormous.”

How AD CS works

AD CS is used to set up a private enterprise certificate authority (CA), which then issues certificates that tie a user or machine identity or account to a public-private key pair, allowing that key pair to be used for different operations such as file encryption, signing files or documents, and authentication. AD CS administrators define certificate templates that serve as blueprints for how certificates are issued, to whom, for what operations, for how long, and with what cryptographic settings.

In other words, as with HTTPS, a certificate signed by the CA is proof that the AD infrastructure will trust a particular public-private key pair. So, to obtain a certificate from AD CS, an authenticated user or computer generates a key pair and sends the public key, along with various desired settings, to the CA as part of a certificate signing request (CSR). The CSR indicates the user identity in the form of a domain account in the subject field, the template to be used to generate the certificate, and the type of actions for which the certificate is desired, which is defined in a field…


Secure SSO for Cloud Applications using existing on-premises Active Directory Identities



The new release of UserLock 11 provides existing on-premises Active Directory (AD) identities with secure Single Sign-On (SSO) access to both the corporate network and multiple cloud applications, from wherever they are working. In combination with Multi-Factor Authentication (MFA), it enables on-premises AD identities to securely access Microsoft 365 and other leading cloud applications.

  • For maximum security and ease, UserLock SSO keeps Windows Server Active Directory as the authoritative user directory and extends it to work with the cloud.
  • Given the increased vulnerability of corporate passwords for all organizations, UserLock’s granular Multi-Factor Authentication (MFA) provides the SSO protection you need without unnecessarily impeding employees.
  • New MFA enhancements have been added to help organizations scale MFA across all employees.


Today’s modern hybrid organization relies on both Active Directory and the cloud to operate. With the demand for remote work at an unprecedented scale, IT teams need to streamline access to both the corporate network and cloud applications from wherever employees are working.

“This change in user access requirements creates new security risks that can often lead organizations to adopt either complex, costly or disruptive changes,” said François Amigorena, President & CEO of IS Decisions.

“With UserLock, organizations can benefit from an easy-to-use, non-disruptive and affordable SSO solution that leverages their existing investment in Active Directory to effectively secure employees’ access to both the corporate network and multiple cloud applications.”

On-site Federated Authentication

Installed in minutes on a standard Windows server, UserLock SSO supports the SAML 2.0 protocol to enable federated authentication to cloud applications. Each user needs to log in only once with their existing AD credentials (and a second factor, if required) to seamlessly access all cloud resources.

  • Secure on-site authentication is retained, even for remote access
  • Accounts, services, roles and group policies continue to be enforced
  • No need to create and manage a new directory for user IDs
  • No change or provisioning needed for existing access to…
