Microsoft is asking customers to patch 2 Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.
A proof-of-concept tool has been published that uses 2 Windows Active Directory bugs fixed last month that, when chained, can allow easy Windows domain takeover.
Both vulnerabilities are described as a “Windows Active Directory domain service privilege-escalation” bugs & are of high severity, with a CVSS criticality score of 7.5 out of 10.
“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible,” Microsoft advised.
‘Straight Path’ to Admin Privileges
These vulnerabilities allow attackers to easily increase privileges to that of domain admin in unpatched Windows Active Directory domain services after impersonating a regular domain user, according to Microsoft’s advisory.
Domain administrators in Windows are users that can modify the configuration of Active Directory servers & can modify any content stored there. Domain admins can create new users, delete users & change their permissions; & can control authorisation & authentication to Windows services.
“When combining these 2 vulnerabilities, an attacker can create a straightforward path to a domain admin user in an Active Directory environment that hasn’t applied these new updates,” states the security alert.
“This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”
On Dec. 11, a proof-of-concept (PoC) tool to exploit the bugs was publicly released on Twitter & GitHub, just a few weeks after Patch Tuesday Nov. 2021. Multiple security researchers confirmed that it works & that the exploit is easy.
Systems Have Been Compromised
Microsoft defines the exploit as SAM Name impersonation. Same Account Name (SAM) refers to the sAMAccountName attribute: a logon name used to support clients & servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98 & LAN Manager.
Microsoft’s research team published detailed guidance on finding signs of exploitation & identifying compromised servers with a Defender for Identity advanced hunting query that roots out abnormal device name changes: changes that “should happen rarely to begin with,” it stated.
Defender for Identity is a cloud-based security tool that uses on-premises Active Directory signals to identify, detect & investigate advanced threats, compromised identities & malicious insider actions.
The query compares those name changes with a list of domain controllers in your environment, researchers explained.
“To investigate if these vulnerabilities might have been exploited in your environment before the hotfixes were deployed, we highly recommend you follow the step-by-step guide,”
Microsoft recommended, providing these instructions:
- The sAMAccountName change is based on event 4662. Please make sure to enable it on the domain controller to catch such activities. Learn more of how to do it here.
- Open Microsoft 365 Defender & navigate to Advanced Hunting.
- Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query):
IdentityDirectoryEvents | where Timestamp > ago(1d) | where ActionType == “SAM Account Name changed” | extend FROMSAM = parse_json(AdditionalFields)[‘FROM SAM Account Name’] | extend TOSAM = parse_json(AdditionalFields)[‘TO SAM Account Name’] | where (FROMSAM has “$” & TOSAM !has “$”) or TOSAM in (“DC1”, “DC2”, “DC3”, “DC4”) // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
- Replace the marked area with the naming convention of your domain controllers
Windows Event 4741
- Run the query & analyse the results which contains the affected devices. You can use Windows Event 4741to find the creator of these machines, if they were newly created
- We recommend investigating these compromised computers& determine that they haven’t been weaponised.
- Make sure to update the devices with the following KBs: KB5008102, KB5008380, KB5008602.
“Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections,” Microsoft explained.
The Log4j Apache logging library issue is getting all the attention presently, but security experts outlined that organisations have to find time for dealing with these bugs.
Securing Active Directory is critical, given its role in account authorisation & authentication, & the compromise that can result if vulnerabilities like these are exploited.
“Active Directory is typically the keys to the kingdom,” Tyler Shields, CMO at Jupiter One & a former Forrester Research Analyst, explained on Tues.
“Targeting the system that holds account authorisation & authentication information can result in massive compromise of an enterprise. It’s one of the most commonly deployed account management systems on the planet & must be kept secure & up to date.”
John Bambenek, Principal Threat Hunter at Netenrich, outlined that if an attacker gets domain admin privileges, they can “quite literally do almost anything they want to any machine in an organisation with impunity.”
Ransomware operators, for example, would find these vulnerabilities interesting if they want to “ransom an entire organisation at once,” Bambenek suggested. Using the PoC to install ransomware on every Windows machine in an organisation “would be trivial,” he added.
AD is not only commonplace – it’s also constantly under siege by adversaries, noted Tim Wade, Technical Director, CTO team at AI-based cybersecurity firm Vectra. It’s “the preferred method of progress through an enterprise once an initial foothold has been achieved,” he informed.
A case in point: AD played a part in the SolarWinds attacks, when adversaries hit Active Directory Servers with the Foggy Web backdoor. AD is, unfortunately, a nightmare to secure, as has been outlined by SpecterOps researchers who’ve tried to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network.
Don’t let these bugs add to that misconfiguration issue, experts stated.
“These 2 bugs … are absolutely worth attention, given the direct line of sight between their presence & full domain compromise” Wade stressed.
”When it rains in information security, it seems to pour – but this isn’t something that network defenders should lose any time patching out of their environment.”