CERT Alert AA20-302A: Who is Pinging Your Domain Controllers?
Author: Venu Vissamsetty, Founding Engineer at Attivo Networks – Organizations are facing ransomware threats daily. The older ransomware strains only encrypted the local infected system, which limited the damage caused to an organization. The newer ransomware variants use self-propagating techniques to move laterally and spread across the network, crippling the entire organization.
CERT has released an alert (AA20-302A) on “Ransomware Activity Targeting the Healthcare and Public Health Sector.” This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.
According to the CERT alert, Ryuk actors will quickly map the network to enumerate the environment to understand the infection’s scope. To limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. The group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) to move laterally throughout the network. The group also uses third-party tools, such as Bloodhound.
Additional research published by DFIR and Sophos on Ryuk indicates that they perform discovery activities after establishing an initial foothold. As part of the discovery process, attackers ping and locate domain controllers using living off the land tools.
Active Directory Protection with ADSecure:
ADSecure prevents and conceals the discovery of sensitive information from Active Directory, provides real-time insights into attackers Active Directory discovery methods, and prevents attacks from moving laterally inside the network.
ADSecure Protection Best Practices:
- Deploy ADSecure on all windows endpoints which can access domain controllers from inside the network or across VPN segments.
- Deploy ADSecure on Citrix VDI infrastructure managed by domain controllers on-premise, in Citrix cloud, or public cloud providers like Azure, AWS, GCP, and others.
- Configure ADSecure to conceal production domain controllers from attackers, provide deceptive controllers domain names, IP addresses and get real-time visibility into who is targeting your organization domain controllers.
- Configure ADSecure to conceal and prevent attackers from discovering members of the “domain admins” and “enterprise admins” groups. Get real-time visibility into who is discovering privilege group members from Active Directory.
- Configure ADSecure to conceal “local administrators” on endpoints. Get real-time visibility into who is discovering local administrators on compromised endpoints.
- Configure ADSecure to conceal critical software distribution and management systems, CI/CD systems, and others in Active Directory. Attackers can target systems like Microsoft SCCM, Jenkins, and more and deploy ransomware across the organization.
- Learn how the ADSecure solution misleads attackers and prevents Kerberos Silver Ticket Attack in the early stages of the attack cycle.
- Learn how to protect and detect attackers exploiting CVE-2020-1472 ZeroLogon and Other Zero-Day Vulnerabilities on Active Directory.
- Learn how to protect against targeted Active Directory Ransomware attacks.
- Learn how to prevent lateral movement using SMB session enumeration.
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise