Ransomware groups are driving Active Directory exploitation to unacceptable rates

By Carolyn Crandall, Chief Security Advocate, Attivo Networks

GUEST OPINION: Coding Active Directory exploitation directly into malware is a growing trend, and a growing concern for security professionals.

Attackers target Active Directory (AD) because it is a skeleton key that unlocks the rest of a corporate network, and an estimated 90% of enterprises worldwide run it. That prevalence means it isn’t just large organisations that are at risk.

Recent research by EMA found that 50% of organisations had experienced an attack on AD within the past one to two years, and over 40% said that attackers had successfully breached their AD implementation.

This finding highlights that adversaries aren’t just trying to attack AD – they are successfully breaching it at an unacceptable rate.

One of the reasons for the high success rate is the complexity of AD environments. EMA’s research found that 44% of AD security assessments uncovered between 11 and 50 exposures, and one in five found between 51 and 100.

Configuration changes often cause these exposures, and attackers seek them out as they try to escalate their attacks.

Ransomware groups have been particularly aggressive in seeking and exploiting these exposures.

The three evolutions of AD-targeting in ransomware

Attackers’ targeting of AD has gone through three clear evolutions, each more sophisticated than the last.

Shipping giant Maersk’s infamous encounter with the NotPetya ransomware can be considered an early example. NotPetya used (among other things) the Windows Network Browser service to list every server visible in the AD domain and add it to its target list.

Maersk experienced “100% destruction of anything based on Microsoft that was attached to the network.” AD was severely damaged, but Maersk was in some ways fortunate: it located an intact domain controller at an office that had no electricity while the attack took place, and from that copy of AD it was able to rebuild the directory for the rest of the organisation.

Since then, several ransomware groups have emerged that target or abuse AD specifically in order to escalate their attacks.

As previously noted, ransomware gangs increasingly “use tools like PowerShell, Bloodhound, etc., to perform domain reconnaissance and identify paths to high privilege targets” in AD.

For example, one ransomware operator, codenamed DeepBlueMagic, used “guessed or compromised ‘admin’ AD credentials protected only with single-factor authentication” to get in through a corporate VPN, then ran command-line queries against AD to find further objects and escalate the attack.

The third and most recent evolution is in the code of the malware strains themselves.

Notably, LockBit 2.0, RYUK, MountLocker, and XingLocker contain code that targets specific configurations, misconfigurations, or vulnerabilities in AD.

Last May, MountLocker used the Windows Active Directory Service Interfaces (ADSI) API to identify additional targets inside a corporate network. This was noteworthy because the malware was ‘thinking’ like a Windows network administrator: enumerating the objects (resources) connected to the network and then trying to copy itself across to each of them.
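To make concrete what an ADSI query of the kind MountLocker issued looks like, here is an added example (it is not code from the original article or from any malware sample) that uses PowerShell’s [adsisearcher] type accelerator, a wrapper around the .NET DirectorySearcher class that ADSI exposes, to list the enabled computer objects in the current domain the way an administrator, or an attacker with a domain-joined foothold, would. It runs as any authenticated domain user on a domain-joined host; the 90-day staleness threshold is an assumption.

```powershell
# Added example: enumerate enabled computer objects in the current domain via ADSI.
# Any authenticated domain user can run this, and plain LDAP reads produce no Security
# event on the domain controller unless a SACL audits read access to the queried objects.

# LDAP filter: computer objects whose userAccountControl does NOT have the ACCOUNTDISABLE
# bit (0x2) set. 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule.
$filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$searcher = [adsisearcher]$filter          # searches the current domain's default naming context
$searcher.PageSize = 1000                  # page results so large domains are returned completely
$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'dNSHostName', 'operatingSystem', 'lastLogonTimestamp'))

$staleAfterDays = 90                       # assumption: no logon in 90 days counts as stale
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$results = $searcher.FindAll()
$computers = foreach ($result in $results) {
    $p = $result.Properties               # keys are lower-cased attribute names

    # lastLogonTimestamp is a FILETIME stored as Int64; it is absent on accounts that never logged on.
    $lastLogon = if ($p['lastlogontimestamp'].Count -gt 0) {
        [DateTime]::FromFileTime([int64]$p['lastlogontimestamp'][0])
    } else { $null }

    [pscustomobject]@{
        Name      = [string]$p['name'][0]
        DnsName   = if ($p['dnshostname'].Count -gt 0) { [string]$p['dnshostname'][0] } else { '' }
        OS        = if ($p['operatingsystem'].Count -gt 0) { [string]$p['operatingsystem'][0] } else { '' }
        LastLogon = $lastLogon
        Stale     = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
    }
}
$results.Dispose()
$searcher.Dispose()

# What a defender learns from the same query an attacker runs: the size of the target set,
# the OS mix, and how many enabled accounts are stale (typically unpatched or unmonitored hosts).
$computers | Sort-Object LastLogon | Format-Table Name, DnsName, OS, LastLogon, Stale -AutoSize
'{0} enabled computer objects, {1} stale (no logon in {2} days)' -f $computers.Count, ($computers | Where-Object Stale).Count, $staleAfterDays
```

Run this once from an ordinary, unprivileged domain account: if it returns the whole fleet in seconds, that is exactly the visibility a MountLocker-style strain gets for free after its first foothold, and it is the baseline against which controls that hide or deny access to AD objects should be measured.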

RYUK and XingLocker reportedly need AD to be present, or the attacks fail. In XingLocker’s case, the malware checks whether the compromised device is joined to an AD domain and ceases operations if it is not.

As EMA noted in its report, researchers also found LockBit 2.0 ransomware “can now automate the encryption of a Windows domain by using AD group policies. Once executed on the domain controller, the ransomware automatically distributes itself across the domain, disabling existing Microsoft protections along the way.”
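The GPO-based distribution EMA describes leaves a trail a defender can watch for. The following added example (not code from the article, from EMA, or from LockBit) pulls Directory Service Changes events from a domain controller’s Security log and surfaces new or modified Group Policy containers and gPLink edits on the domain or its OUs, the two writes a push like LockBit 2.0’s needs. It assumes the “Audit Directory Service Changes” subcategory is enabled and that a SACL on the Policies container and on the linkable containers audits writes; without those, the events are never generated. The 24-hour window is an assumption.

```powershell
# Added example: surface Group Policy creation/modification on a domain controller.
# Event 5137 = directory service object created, 5136 = directory service object modified.
# Prerequisites: 'Audit Directory Service Changes' enabled
#   (check with: auditpol /get /subcategory:"Directory Service Changes")
# and a SACL auditing writes on CN=Policies,CN=System,<domain> and on the domain/OUs for gPLink.

$lookback = (Get-Date).AddHours(-24)       # assumption: review the last 24 hours

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5136, 5137
    StartTime = $lookback
} -ErrorAction SilentlyContinue            # suppress the 'no events found' error

$findings = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable keyed by field name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $isGpo    = $data['ObjectClass'] -eq 'groupPolicyContainer'
    # Linking a GPO to the domain or an OU rewrites that object's gPLink attribute (5136 only).
    $isGpLink = ($e.Id -eq 5136) -and ($data['AttributeLDAPDisplayName'] -eq 'gPLink')

    if ($isGpo -or $isGpLink) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Class     = $data['ObjectClass']
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']    # $null for 5137 (object creation)
            Value     = $data['AttributeValue']
            # OperationType is %%14674 (value added) or %%14675 (value deleted); 5136 only.
            Operation = $data['OperationType']
        }
    }
}

# A GPO created and then linked within minutes by an account that does not normally manage
# policy is the pattern to escalate; grouping by actor makes that stand out.
$findings | Sort-Object Time | Format-Table Time, EventId, Actor, Class, Attribute, Value -Wrap
$findings | Group-Object Actor | Select-Object Name, Count
```

Where change auditing is not yet in place, `Get-GPO -All | Where-Object ModificationTime -gt $lookback` from the GroupPolicy RSAT module gives a coarser view of which policies changed, but it cannot say who changed them or whether a new link was created, which is why the audit events are worth enabling before an incident rather than during one.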

Hardening the enterprise defences

Recognising AD’s sustained role in ransomware attacks, Microsoft recommends hardening enterprise environments to “prepare for a worst-case scenario.”

“Each ransomware case is different, and there is no one-size-fits-all approach. But there are things you can do now … Although these changes may impact how your organisation currently works, consider the risk of not implementing them,” it advises.

Organisations should deploy identity security solutions that give them visibility into exposed credentials, since those credentials create the attack paths that lead to AD. Visibility into AD and Azure AD exposures and vulnerabilities is essential as well.

AD protection tools and strategies include real-time detection, identifying and remediating exposed credentials on the endpoint, detecting unauthorised AD queries, and hiding and denying access to sensitive or privileged AD objects. These approaches can restrict unauthorised visibility to data and prevent attackers from gaining accurate information on permissions and privileges when querying AD.

Identity threat detection and response (ITDR) solutions are an essential element of AD defence today, as they can help detect and defend against attackers targeting AD infrastructure within the network.

By mitigating AD vulnerabilities and misconfigurations, security teams can efficiently reduce the success rate of ransomware attackers.

Read the original article on ITWire.
