
4/1/2020 02:00 PM
Jason Crabtree
Commentary

Active Directory Attacks Hit the Mainstream

Understanding the limitations of authentication protocols, especially as enterprises link authentication for cloud services to Active Directory, is essential for security teams in the modern federated enterprise.

There was a time when attacks against identity and authentication infrastructure were the domain of well-financed and, likely, state-backed threat actors. These groups crave persistence on critical networks and would invest heavily in tactics that would allow them not only a foothold on vital systems but also stealthy lateral movement from resource to resource.

Access to Active Directory, domain controllers, and exploitation of known weaknesses in the Kerberos authentication protocol were often key in these efforts, and for a long time required significant dwell time in order to, for example, forge Kerberos tickets and move about a network making legitimate service requests.

However, the advent of open source pen-testing tools such as Mimikatz — a credential-dumping tool capable of recovering plaintext or hashed passwords from systems — narrowed the knowledge gap necessary to leverage these types of attacks. Dwell times went from days or weeks to minutes, and what was almost exclusively the domain of advanced persistent threat groups was now also within reach of script kiddies.

Mimikatz, in particular, has been integrated into the arsenals of close to 30 state-sponsored groups and has been used in devastating attacks, including 2017's NotPetya, which burrowed into the supply chain of governments and private sector organizations across Europe, and 2011's hack of Dutch certificate authority DigiNotar, which eventually bankrupted the company.

Since Active Directory is recognized as the de facto identity platform for businesses and governments running Windows, and it enables authentication for numerous enterprise services, it stands to reason that hackers would invest in attacks leveraging it as well. The stateless nature of the Kerberos protocol, which authenticates requests to enterprise services, is especially attractive.

Because Kerberos is stateless, the transactions that take place during authentication are not retained by the protocol during or after the session. This leaves it vulnerable to known attacks in which bad actors forge Kerberos tickets or reuse stolen credentials to move laterally through the network undetected, escalating privileges until they obtain full control over files, servers, and services.
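Because the protocol keeps no state, defenders have to rebuild it themselves from the domain controller's audit log. The following added example (not part of this article, and not code from the author or QOMPLX) shows the idea: Windows Security event 4768 records a TGT being issued by the KDC, 4770 records a TGT renewal, and 4769 records a service ticket being requested with a TGT. A service ticket request from an account for which the KDC never issued (or has not recently issued or renewed) a TGT is exactly the footprint a forged ticket leaves, because a forged TGT is never presented to the KDC for issuance. The event IDs and field names are real; the log records, account names and addresses are constructed sample data, and the 10-hour window is an assumption matching the default domain TGT lifetime.

```python
"""
Correlate Kerberos KDC audit events to find service-ticket requests that are
not backed by a KDC-issued TGT.  Event IDs 4768 (TGT requested), 4770 (TGT
renewed) and 4769 (service ticket requested) are real Windows Security log
events; the sample records below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

TGT_EVENTS = {4768, 4770}   # evidence that the KDC itself issued or renewed a TGT
TGS_EVENT = 4769            # a TGT was presented to obtain a service ticket


@dataclass(frozen=True)
class KerbEvent:
    time: datetime
    event_id: int
    account: str       # TargetUserName as logged by the domain controller
    client_ip: str     # IpAddress field
    service: str = ""  # ServiceName field (4769 only)


def _t(hhmm: str) -> datetime:
    """Helper for the constructed sample: a time on one fixed day."""
    return datetime(2020, 4, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample log (not from any real domain); deliberately unsorted so the
# function has to order events itself, as it would with logs from several DCs.
SAMPLE_EVENTS: List[KerbEvent] = [
    KerbEvent(_t("09:30"), 4769, "alice", "10.0.0.5", "ldap/dc01"),
    KerbEvent(_t("09:00"), 4768, "alice", "10.0.0.5"),
    KerbEvent(_t("09:01"), 4769, "alice", "10.0.0.5", "cifs/fileserver"),
    KerbEvent(_t("08:00"), 4768, "bob", "10.0.0.9"),
    KerbEvent(_t("09:45"), 4769, "svc_admin", "10.0.0.77", "cifs/dc01"),
    KerbEvent(_t("20:00"), 4769, "bob", "10.0.0.9", "cifs/fileserver"),
]


def find_unbacked_service_tickets(
    events: Iterable[KerbEvent],
    max_tgt_lifetime: timedelta = timedelta(hours=10),  # assumed domain policy
) -> List[Tuple[KerbEvent, str]]:
    """Return (event, reason) for every 4769 whose account has no KDC-issued or
    renewed TGT within max_tgt_lifetime before it.  The window should be set to
    the domain's 'Maximum lifetime for user ticket' (10 hours by default)."""
    last_tgt: Dict[str, datetime] = {}
    findings: List[Tuple[KerbEvent, str]] = []
    for ev in sorted(events, key=lambda e: e.time):
        key = ev.account.lower()
        if ev.event_id in TGT_EVENTS:
            last_tgt[key] = ev.time           # the KDC saw this TGT: remember it
        elif ev.event_id == TGS_EVENT:
            issued = last_tgt.get(key)
            if issued is None:
                findings.append((ev, "no TGT issued by the KDC for this account"))
            elif ev.time - issued > max_tgt_lifetime:
                age = ev.time - issued
                findings.append((ev, f"last KDC-issued TGT is {age} old, past the domain maximum"))
    return findings


if __name__ == "__main__":
    for ev, reason in find_unbacked_service_tickets(SAMPLE_EVENTS):
        print(f"{ev.time:%H:%M} {ev.account:<10} {ev.client_ip:<10} {ev.service:<16} {reason}")
```

On the constructed sample this flags `svc_admin` (a service ticket with no TGT issuance anywhere in the log) and `bob` (a service ticket twelve hours after the only TGT the KDC issued, which the domain's ten-hour maximum should have made impossible), while `alice` is clean. Two caveats when running this against real logs: the log window must start earlier than the TGT lifetime before the first 4769 you judge, or legitimate sessions that began before collection started will be flagged; and events from every domain controller in the domain must be merged, because the 4768 and the 4769 for one session are frequently written by different DCs.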

Three Decades of Kerberos
Kerberos is no youngster. Its roots go back 30 years to MIT's Project Athena, and it was quickly adopted as a successor to NTLM (Windows NT LAN Manager), which was Microsoft's standard authentication protocol pre-Windows 2000. NTLM was also plagued by vulnerabilities that put the credentials it processed at risk of theft. Kerberos was superior to pre-existing authentication methods, including NTLM. But backward compatibility with these non-Kerberos methods created exposures, especially with legacy applications that could not be easily discarded.

It became quickly apparent that some Kerberos implementations were shaky, and tools such as Mimikatz, Metasploit, and others developed for legitimate security research have been co-opted many times by threat actors to target these implementations.

Benjamin Delpy, the French researcher who built Mimikatz, along with Alva Duckwall demonstrated at the 2014 Black Hat conference the next iteration of attacks against Kerberos. Delpy's and Duckwall's Golden Ticket attack allows attackers to generate a Kerberos Ticket Granting Ticket (TGT), effectively giving them domain administrator credentials to any computer on the network for the life of the ticket. Newer tools, including CrackMapExec, Bloodhound, DeathStar, Angry Puppy, and Go Fetch, make it easier than ever for attackers to gain a foothold on a target environment in order to quickly forge tickets, replay credentials, or map the plan to expand their control.

In a matter of a few years, dwell time dropped to minutes because of these tools, which can rapidly audit a network and provide a path that enables lateral movement and privileged access to the complete networking environment. Even the most resourced defenders, meanwhile, continue to struggle.

UN Hack Demonstrates Defenders' Bind
Most recently, an espionage attack disclosed in January targeted three United Nations offices in Europe. Attackers exploited a vulnerability in Microsoft SharePoint to gain access to Active Directory at the three UN locations, and eventually move laterally on those respective networks.

While attribution has not been made in the UN attack, there are signals of a long-term presence on the organization's network and of a targeting of Active Directory to steal information on hundreds of individuals, as well as human resources information and other databases and network resources, according to reports. There are close to 4,000 staffers at the three compromised UN offices, and the attack was detected last August, close to a month after the initial intrusion, The New Humanitarian, formerly a UN publication, reported in January.

Dozens of servers hosted by the UN at its Vienna and Geneva offices, as well as at its Office of the High Commissioner for Human Rights (OHCHR) were compromised; some of those servers were used for user and password management, system controls, and network firewalls, The New Humanitarian reported. The attackers were able to view data stored on its servers in Vienna, and they were also able to extract Active Directory listings from the OHCHR, which handles reports of human rights violations.

The UN hack demonstrates that defenders are in a bind and need more visibility into authentication systems to ensure they have not been subverted, and that their other security controls, tools, and processes continue to operate as intended.

Understanding the limitations of authentication protocols like NTLM, Kerberos, and SAML, especially as enterprises link authentication for cloud services to Active Directory, is essential for security teams in the modern federated enterprise.

The smartest organizations will find a way to leverage modern distributed systems and analytics platforms, enhanced by machine learning, to master the huge data sets that cloud deployments will engender, while integrating security operations more closely with development and IT management.


Jason Crabtree co-founded QOMPLX in 2014 with Andrew Sellers. As the CEO of QOMPLX, Mr. Crabtree is responsible for the overall vision and long-term direction of the company, in addition to overseeing all aspects of company operations. Prior to QOMPLX, Jason most recently ...