The featured image for this article.

Hardening Active Directory Blunts Ransomware Extortion Attacks

Recent attacks against firms like NTT highlight why businesses must address critical authentication infrastructure and reduce privileged access to stem potential disruption from ransomware.

As ransomware attacks against large businesses and municipalities continue almost unabated, defenders are being forced to take a long look at the security of their critical IT and network infrastructure and decide whether their current approaches can stand up to attackers’ constantly shifting tactics.

For example, we’re seeing more and more extortion-style attacks accompany ransomware. Attackers compromise key system credentials that enable lateral movement and privilege escalation that allow them not only to spread ransomware on more systems, but also to steal company and personal data along the way.

Double Trouble: Ransomware Goes Doxing

That data can be held over the victim’s head as demands for ransoms grow exorbitantly: "Pay up," the message goes, or your data could be publicly leaked and then sold for auction to the highest bidder on any number of deep and dark web marketplaces.

The damage in these instances is three-fold: business disruption from the ransomware, brand and reputation damage from the publication on ransomware "dox" websites, and then the leak or sale of the stolen data.

Locking Down Active Directory is Key

The common denominator in many of these cases is a less-than-hardened Active Directory environment that has been attacked using a number of freely available open-source tools.

Mimikatz and Rubeus are two such tools that have been co-opted into attackers' toolkits. They help streamline a number of dangerous attacks. Mimikatz, for example, can siphon Active Directory credentials from memory and enable damaging Kerberos ticket forgeries. So-called Kerberos "Golden Tickets" provide access to any resource on a domain. (See our write up of Golden Ticket attacks). With even less access, a single service account might be compromised using a Silver Ticket attack.  Active Directory can also be susceptible to attacks such as Kerberoasting, a pervasive attack targeting service account credentials, or Pass-the-Ticket attacks, where valid Kerberos Ticket Granting Tickets (TGTs) are stolen from authenticated users and passed between services for privileged access.

Coming up Short on Identity Attacks

This is often where businesses and government agencies victimized by ransomware come up short in their prevention and recovery efforts. While most do a solid job monitoring and detecting attacks using endpoint detection and response (EDR) technology, or tracing an attackers’ steps through user and event behavior analytics (UEBA), most would be advised to take a further step and ensure they harden Active Directory.

A recent example is NTT Communications, Japan’s largest telecommunications provider and fifth largest business.

According to NTT, the attackers were able to infiltrate its network via an information management server hosted in Singapore and a separate cloud server before reaching the enterprise network and accessing Active Directory, enabling the “remote operation” of the AD server. All affected servers were taken offline upon discovery of the attack, the company said.

NTT recently updated its response to the May ransomware incident. The company’s transparency about the attack and its response has been refreshing; recently it announced that it has been informing additional clients they may have been impacted by the attack (188 in total). It also admitted that information stored on internal files may also have been leaked in the attack and shared that it is deploying UEBA and EDR, as well as embracing a so-called Zero Trust security model. (Zero Trust is a model where nothing inside or outside the network is trusted, and strict access controls and push-based authentication is the preferred model.)

Reduce Privileged Access, Sleep Better

Hardening Active Directory is an essential security strategy in this age of extortion-style attacks where privilege escalation and lateral network movement is essential to an attacker’s approach. While it remains critical to maintain controls over endpoints and monitor user- and device behaviors on the network, businesses must extend that by reducing privileged access and hardening Active Directory.

Technology such as QOMPLX’s, can identify exploitable weaknesses in an Active Directory environment and also alert IT teams to pockets of over-privileged accounts that threat actors may take advantage of.

Organizations should also review password-policy compliance on all accounts: flagging accounts with old passwords; identifying administrator account passwords with no expiration date; and removing stale accounts and machines without successful log-ins during a given time period. Vulnerable assets, such as machines running an operating system that’s no longer supported, also need to be addressed as they are attractive entry points for an attacker.

Get Ground Truth on Identity and Authentication

A provider such as QOMPLX can deliver technology that locks down Active Directory. QOMPLX’s Q:Cyber Identity Assurance maintains a real-time stateful ledger of all appropriately issued and valid Kerberos tickets and observes Kerberos interactions across clients (principals), domain controllers (key distribution centers) and Kerberized services.

Finally, as Active Directory attacks become more common external validation of the Kerberos protocol becomes essential to assure IT teams that every ticket presented by a Kerberos service client was in fact issued by a legitimate key distribution center. Without the "ground truth" of reliable identity and authentication to stand on, the rest of your security monitoring is of little use.

QOMPLX’s technology can verify, in near real-time, that a given Kerberos authentication event was correctly generated and that it is linked to legitimate user interactions and the issuing domain controller. This type of deterministic verification makes it difficult for attackers to abuse authentication protocols and processes.

Michael Mimoso

Published a month ago