Hackers have used Active Directory to distribute LockerGoga ransomware inside victim organizations.
Security experts say that Active Directory, built into most Windows Server operating systems, has become the dominant approach to managing Windows domain networks. But its ease of use can also be tapped by hackers. (For more information, see part two of this two-part series.)
“Active Directory is the core identity platform for many businesses around the world,” says Huy Kha, an information security professional at a Dutch law firm who’s an expert on Active Directory security.
“It is used to connect different systems to each other. So that means that it has also become a prime target,” he tells Information Security Media Group. “Why? Because if the attacker can get a foothold inside AD, he can leverage it to access all the systems that are connected on the network.”
Norway’s Computer Emergency Response Team, NorCERT, for example, said that the attack earlier this year against aluminum giant Norsk Hydro involved LockerGoga ransomware “combined with an attack on Active Directory” (see: Hydro Hit by LockerGoga Ransomware via Active Directory).
In April, researchers Oleg Kolesnikov and Harshvardhan Parashar at Securonix reported other attacks that infected organizations with LockerGoga also tapped Active Directory. “In some incidents, the actors have also been using Active Directory management services to distribute the payload in the network,” they wrote, referencing additional research conducted by Nozomi Networks.
Other hackers also regularly target or leverage Active Directory. After gaining initial access to a network, the hacking group APT15 – aka K3chang, Mirage, Vixen Panda, GREF and Playful Dragon – uses a custom-developed tool that can bulk export AD data, NCC Group reports.
Cobalt Strike Beacon
The cybercrime gang known as Carbanak, meanwhile, has been wielding malware known as Cobalt Strike Beacon, says security firm Bitdefender, which conducted a digital forensic investigation at an Eastern European financial institution that was hit by the gang in 2018.
Bitdefender says the malware includes the ability to execute shell command on systems, record keystrokes, take screenshots, escalate privileges “and even deploying memory scraping tools, such as Mimikatz, or enumerating Active Directory hosts,” all of which can help attackers to use the initial system as a springboard for accessing other networked systems
Bitdefender says “day zero” of the attack against the bank involved an employee being phished via a Microsoft Word document containing three exploits, delivering Cobalt Strike beacon to the system, which mapped the organization’s internal network and collected admin-level credentials. The same day, “credentials for one domain administrator were compromised and used throughout the duration of the attack,” which lasted 63 days, before attackers stopped after covering their tracks.
Internal Vulnerabilities at Large
Windows vulnerabilities – including in Active Directory – that can be abused by attackers are widespread.
In a new report titled “Under the Hoodie 2019,” security firm Rapid7 rounds up what it’s seen over the course of its employees conducting 180 penetration testing engagements over a nine-month period ending in May. Rapid7 says 40 percent of its engagements involved pen testers conducting “external compromise” tests to identify “weaknesses and exposures that are exposed to the general internet,” while 36 percent of engagements were primarily focused on internal network assessments, “where the tester is mostly focused on things like Windows Active Directory domains, printers and IoT integrations, and other IT infrastructure not (normally) exposed to the internet.”
By and large, firms have at least one vulnerability a pen tester can exploit, the survey shows. “Across all internal and external network and code audit engagements surveyed, 96 percent saw at least one vulnerability reported by the penetration tester,” Rapid7 says. But some vulnerabilities are worse than others.
Date: July 29, 2019
Source: <span style=”color: #000000;”><a style=”color: #000000;” href=”https://www.healthcareinfosecurity.com/hackers-abuse-active-directory-a-12825?rf=2019-07-26_ENEWS_SUB_HIS__Slot1_ART12825&mkt_tok=eyJpIjoiTURGa1lqVTRNVE0yWVRabCIsInQiOiI5M1wvS2xZazRyOUVSemxoYVFYNCtLdG9qOFwvUkhFWVNMWnhUMmFqTzl4WFZzVjRUcHViOGxZYUpxTFFlc1h5b0VBWTkyXC96Z3NseDlTdnpWdGRFWllLZDEyQStZYkJVQ3pSXC9mV29RZkJ0ZndYRGczK2tGTXBMWTFXSCt3RkNaaUcifQ%3D%3D” target=”_blank” rel=”noopener noreferrer”>Healthcare Info Security</a></span>