A by-design Active Directory flaw has been uncovered that potentially exposes 95% of Fortune 500 companies, as well as many other organizations. The weakness lies in a legacy encryption type whose key is derived from a user's NTLM hash; it lets an attacker who holds that hash change the victim's password without being detected, and from there move on to other, more privileged accounts.
Security experts and Microsoft disagree, however, on the severity of the issue.
According to cybersecurity firm Aorato, once the attacker has exploited the Active Directory flaw and set a new password, the attacker can impersonate the victim against enterprise services and content that require the explicit use of the victim's credentials, such as Remote Desktop Protocol (RDP) logon and Outlook Web Access (OWA). With 95% of Fortune 500 companies deploying Active Directory, the potential for this vulnerability to enable harm and theft is high.
"Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure," said Tal Be'ery, vice president of research at Aorato, in a blog post. "The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data."
Worse still, according to Aorato, the attack evades existing security and identity-theft protection measures. The event log records what looks like an ordinary logon and carries no indication that an identity has been stolen, so the attacker can proceed without leaving a telltale entry, which leaves log-based SIEMs and Big Data security analytics with nothing to detect against this kind of advanced attack.
According to the firm, the basic anatomy of an attack has several stages:
- The attacker uses a publicly available free penetration-testing tool (such as WCE or Mimikatz) to steal an authentication component, the NTLM hash, from the employee's device. The NTLM hash of a logged-on user is held in memory by default on any device that authenticates to enterprise resources, which is what these tools read.
- Because this component is a known security hazard that enables identity theft through Pass-the-Hash (PtH) attacks, protections have been put in place to prevent its misuse. For example, many enterprises try to limit the use of Active Directory's older, yet still enabled by default, authentication protocol (NTLM). Others log and audit NTLM activity.
- The attacker forces the client to authenticate to Active Directory with a weaker encryption type, the legacy RC4-HMAC type of Kerberos. This is where the Active Directory flaw is used: that encryption type derives its key directly from the NTLM hash, so the stolen hash alone is enough to obtain Kerberos credentials for the victim.
- This activity is not flagged in system or third-party logs, even those that specifically log NTLM activity, because no NTLM authentication takes place. As a result, no alert or forensic record ever indicates that an attack has occurred.
- The attacker proves a seemingly legitimate identity to Active Directory using the weaker protocol. It can then authenticate to restricted services and change the victim's password. With the new password, the attacker fully assumes the victim's identity and can reach every enterprise resource the victim can.
Be'ery added, “Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected.”
Aorato disclosed the issue to Microsoft, but the software behemoth said that the issue is not as serious as contended and characterized it as a "limitation."
"This is a well-known industry limitation in the Kerberos Network Authentication Service standard," the company said in a statement sent to media. "Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site."
Because an attack must pass through several stages before it succeeds, other experts argue that enterprises have less to worry about than Aorato suggests.
"It does not seem to be as serious as pictured since the conditions where an actual attack can happen are very complex," Ehsan Foroughi, director of research at Security Compass, told CSOonline, adding, "The logging part is the most troubling issue for forensics sake. But there is not enough there to warrant enterprises to stop using Active Directory tomorrow."
Nonetheless, Aorato recommends that enterprises detect authentication protocol anomalies; identify the attack by correlating the abnormal use of encryption methods with the context in which the victim’s identity is used; and apply measures to reduce the attack surface.
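One way to act on these recommendations, as an added example that is neither Aorato's nor Microsoft's code: the script below reads Windows Security log 4768 records (Kerberos TGT requests), baselines each account's usual ticket encryption type and client address, and flags an RC4-HMAC request (etype 0x17, the type keyed by the NTLM hash) from an account that otherwise uses AES, raising the severity when the request also comes from a host the account has never used. A second helper decodes the msDS-SupportedEncryptionTypes attribute to find accounts on which RC4 is still permitted, which is the attack-surface reduction a practitioner would check first. The flattened key=value log format, the account names and the addresses are constructed for this example.

```python
"""Flag Kerberos encryption-type downgrades in Windows Security log 4768
events (TGT requests) and accounts whose msDS-SupportedEncryptionTypes still
permits RC4-HMAC. All sample data below is constructed for this example.
"""
from collections import defaultdict

# Kerberos etype numbers as shown in the 4768 "Ticket Encryption Type" field.
RC4_HMAC = 0x17          # key is the account's NTLM hash
AES128 = 0x11
AES256 = 0x12
ETYPE_NAMES = {
    RC4_HMAC: "RC4-HMAC",
    AES128: "AES128-CTS-HMAC-SHA1-96",
    AES256: "AES256-CTS-HMAC-SHA1-96",
}

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
ETYPE_FLAG_RC4 = 0x4
ETYPE_FLAG_AES128 = 0x8
ETYPE_FLAG_AES256 = 0x10


def parse_event(line):
    """Parse one flattened record such as
    'EventID=4768 TargetUserName=alice IpAddress=10.1.1.5 TicketEncryptionType=0x12'
    (constructed format; a real pipeline would read the EVTX/XML fields)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "event_id": int(fields["EventID"]),
        "account": fields["TargetUserName"].lower(),
        "client": fields["IpAddress"],
        "etype": int(fields["TicketEncryptionType"], 16),
    }


def build_baseline(events):
    """Per account: etypes and client addresses seen during a known-good window."""
    baseline = defaultdict(lambda: {"etypes": set(), "clients": set()})
    for ev in events:
        if ev["event_id"] != 4768:
            continue
        baseline[ev["account"]]["etypes"].add(ev["etype"])
        baseline[ev["account"]]["clients"].add(ev["client"])
    return baseline


def detect_downgrade(events, baseline):
    """Alert on RC4-HMAC TGT requests by accounts that otherwise use AES.
    Severity is raised when the request also comes from a client the account
    has never used, i.e. the attacker's host rather than the victim's."""
    alerts = []
    for ev in events:
        if ev["event_id"] != 4768 or ev["etype"] != RC4_HMAC:
            continue
        known = baseline.get(ev["account"])
        if known is None or RC4_HMAC in known["etypes"]:
            continue  # legacy account that always uses RC4, or no baseline: not a downgrade
        severity = "high" if ev["client"] not in known["clients"] else "medium"
        alerts.append({
            "account": ev["account"],
            "client": ev["client"],
            "severity": severity,
            "reason": f"TGT requested with {ETYPE_NAMES[RC4_HMAC]} by an AES-only account",
        })
    return alerts


def rc4_allowed(supported_etypes):
    """True if an account's msDS-SupportedEncryptionTypes permits RC4-HMAC.
    An unset attribute (None or 0) does not disable RC4, so treat it as allowed."""
    if not supported_etypes:
        return True
    return bool(supported_etypes & ETYPE_FLAG_RC4)


# Constructed known-good window and current window of 4768/4769 records.
BASELINE_LOG = [
    "EventID=4768 TargetUserName=alice IpAddress=10.1.1.5 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=alice IpAddress=10.1.1.5 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=svc_legacy IpAddress=10.1.2.9 TicketEncryptionType=0x17",
]
CURRENT_LOG = [
    "EventID=4768 TargetUserName=alice IpAddress=10.1.1.5 TicketEncryptionType=0x12",
    # alice's NTLM hash used as an RC4 Kerberos key from an unfamiliar host
    "EventID=4768 TargetUserName=alice IpAddress=10.1.9.77 TicketEncryptionType=0x17",
    # legacy service account: RC4 is its normal behaviour, so no alert
    "EventID=4768 TargetUserName=svc_legacy IpAddress=10.1.2.9 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=alice IpAddress=10.1.1.5 TicketEncryptionType=0x12",
]


def run():
    baseline = build_baseline(parse_event(line) for line in BASELINE_LOG)
    return detect_downgrade([parse_event(line) for line in CURRENT_LOG], baseline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
    print("RC4 allowed with msDS-SupportedEncryptionTypes=0x18 (AES only):", rc4_allowed(0x18))
```

The baseline matters: accounts that legitimately still use RC4 (old service accounts, non-Windows hosts) would otherwise drown the signal, and the client-address check supplies the "context in which the victim's identity is used" that the recommendation calls for. Accounts for which rc4_allowed returns True are the ones to move to AES-only where their clients support it.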