A recent spate of attacks on hospitals, government agencies and a major US airport shows that nation-state and cyber criminal groups are more interested than ever in Active Directory
Two recent incidents suggest that compromising Microsoft's Active Directory remains the technique of choice for everyone from criminals wanting to mine Bitcoin to nation-state actors chasing valuable industrial secrets or classified intelligence.
San Francisco International Airport disclosed a breach on April 7 that looked, at first, to be a run-of-the-mill cyber criminal intrusion of two web portals used by employees and contractors. A little more than a week later, however, endpoint security provider ESET published evidence that it said pointed to a state actor, and that the objective was to harvest Windows credentials, specifically user names and NTLM authentication hashes, for use in deeper attacks against SFO.
Then, on April 16, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published an alert urging network administrators to patch a critical vulnerability (CVE-2019-11510) in the widely deployed Pulse Secure VPN appliances. CISA said it had evidence that threat actors were exploiting the vulnerability to steal domain administrator credentials from Active Directory, and it linked these intrusions to ransomware outbreaks at U.S. hospitals and government agencies.
AD Credentials: The Gift that Keeps Giving
Active Directory credentials have an unrivaled value to threat actors. Paired with open source tools such as Mimikatz that automate a host of attacks against Active Directory, even unsophisticated attackers can use a foothold inside an enterprise network to move laterally, expand their control over sensitive IT assets and data, and establish persistent access that is difficult to detect and remove.
“Active Directory is ubiquitous in modern enterprises today - providing the critical infrastructure governing who can do what to whom on the network," said Jason Crabtree, CEO of QOMPLX. "But organizations are consistently falling short in the ongoing maintenance of their Active Directory environments from a preventative perspective."
All Roads Lead to Russia
Let’s dig into the two incidents a little further.
The attack on the SFO websites has many layers, and ESET says they all point to a Russia-linked APT group known as Energetic Bear. (Other threat intelligence groups have labelled this group Dragonfly.)
The compromised websites (SFOConnect[.]com and SFOConstruction[.]com) are relatively low-traffic sites used by employees and airport construction contractors, according to airport officials. A forensic examination found that an exploit of an Internet Explorer vulnerability was at the heart of the breach. Once in control of the sites, the attackers used them as "watering holes": waiting for airport staff and contractors to log into them, then harvesting credentials and other information.
Energetic Bear has used watering hole attacks against a wide range of targets in the past: U.S.- and Middle East-based energy companies, industrial sites, embassies, government agencies and more. The watering hole technique is only one link to Energetic Bear; a more distinctive one is the use of a file://IP/filename.png reference within the injected code, which makes the victim's machine fetch the "image" over the Windows SMB protocol from an attacker-controlled server. Because the target is a bare IP address rather than a hostname, Windows cannot build a Kerberos service principal name for it and, by default, falls back to NTLM, so the client automatically sends its user name, domain name and NTLM challenge-response (NetNTLMv2) to the attacker, who also learns the victim's IP address. Strictly speaking, what crosses the wire is not the stored NT password hash but a keyed response derived from it: it can be cracked offline to recover the password, or relayed to other services that accept NTLM, but it cannot be replayed directly in a pass-the-hash attack.
Credential Theft Enables Persistence
How the stolen credentials were leveraged has not been made public, so it is worth being precise about what a harvested NetNTLMv2 response does and does not buy an attacker. On its own it cannot be fed to Mimikatz to forge Kerberos tickets: a Golden Ticket requires the NT hash (or AES key) of the domain's krbtgt account, and a Silver Ticket requires the key of the specific service account whose ticket is being forged. The response can, however, be cracked offline to recover a password, and the resulting account can be used to log in, reach a domain controller or a server where privileged credentials are cached, and replicate or dump the required keys with Mimikatz. From that point, forged tickets give the attacker persistent access to any resource in the domain (Golden Ticket) or to a specific service (Silver Ticket), and they keep working until the corresponding account keys are changed.
"Organizations are learning that NTLM is fundamentally insecure and that its replacement protocol, Kerberos, is secure but only if real-time protocol validation occurs to keep track of all authentication events and maintain a chain of custody for all keys issued on the network,” said Crabtree of QOMPLX.
A related technique is Overpass-the-Hash (also called pass-the-key). Here the attacker already holds a user's real NT hash or AES key, for example recovered by cracking a captured response or dumped from LSASS with Mimikatz, and uses it to request a Kerberos ticket-granting ticket from the domain controller, then service tickets for network resources, without ever knowing the plaintext password. The forced SMB connection described above is the step that feeds such attacks: because Windows will not negotiate Kerberos with a raw IP address, the authentication is downgraded to NTLM and the attacker's listener collects the challenge-response material it needs. That downgrade is also why environments that still permit NTLM remain exposed even when Kerberos is the nominal authentication protocol.
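The following is an added example, not code from the article, from ESET or from the attackers, that reproduces both ends of the forced SMB authentication described above and shows why the capture is crackable but not directly replayable. It implements NTOWFv2 and the NTLMv2 response as specified in MS-NLMP, writes the capture in hashcat's mode 5600 line format, confirms that the NT hash itself never appears on the wire, and then recovers the password with a dictionary attack. The user name, domain, password, challenges and wordlist are constructed for the example; MD4 is implemented inline because hashlib does not ship it on many OpenSSL 3 builds.

```python
"""Forced NTLM authentication: what the attacker's SMB listener captures, and what it is worth."""
import hmac
import hashlib
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; an NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & MASK & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # round 2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round 3 word order
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: version bytes, FILETIME, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NTProofStr || blob. This is what the attacker's SMB listener receives."""
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def hashcat_5600(user: str, domain: str, server_challenge: bytes, response: bytes) -> str:
    """Capture as the attacker would record it: USER::DOMAIN:challenge:NTProofStr:blob."""
    return f"{user}::{domain}:{server_challenge.hex()}:{response[:16].hex()}:{response[16:].hex()}"


def crack_5600(line: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: recompute NTProofStr for each candidate password."""
    user, _, domain, sc, proof, blob = line.split(":")
    data = bytes.fromhex(sc) + bytes.fromhex(blob)
    for candidate in wordlist:
        guess = hmac.new(ntowf_v2(candidate, user, domain), data, hashlib.md5).hexdigest()
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


# Constructed scenario values (hypothetical user, domain and nonces; not from any real capture).
VICTIM_USER, VICTIM_DOMAIN, VICTIM_PASSWORD = "jsmith", "SFO", "Winter2020!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")   # attacker-chosen 8-byte nonce
CLIENT_CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718")
TARGET_INFO = b"\x02\x00\x06\x00" + "SFO".encode("utf-16-le") + b"\x00\x00\x00\x00"  # MsvAvNbDomainName, MsvAvEOL
WORDLIST = ["Password1", "Summer2019", "Winter2020!", "sfo123"]


def capture_line() -> str:
    blob = ntlmv2_blob(0x01D60C00_00000000, CLIENT_CHALLENGE, TARGET_INFO)
    resp = ntlmv2_response(VICTIM_PASSWORD, VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, blob)
    return hashcat_5600(VICTIM_USER, VICTIM_DOMAIN, SERVER_CHALLENGE, resp)


def nt_hash_on_wire(line: str) -> bool:
    """False: only a keyed derivative of the NT hash is sent, so pass-the-hash needs a crack first."""
    return nt_hash(VICTIM_PASSWORD).hex() in line


if __name__ == "__main__":
    line = capture_line()
    print(line)
    print("NT hash visible on wire:", nt_hash_on_wire(line))
    print("cracked:", crack_5600(line, WORDLIST))
```

The cracked password is what turns a captured response into material for the Kerberos attacks the article goes on to describe: from it the attacker derives the NT hash, which is the input to Overpass-the-Hash. Disabling NTLM, or at minimum blocking outbound SMB (TCP 445) at the perimeter so that file://IP references never reach an attacker's listener, removes this first step.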
The CISA alert, meanwhile, shows how attacks against Active Directory have gone mainstream, and how basic security hygiene such as vigilant patch and configuration management raises the cost of these attacks without being sufficient on its own. In this case, a patch had been available for Pulse Secure VPN appliances for more than a year to fix a directory traversal bug that let an unauthenticated remote attacker read arbitrary files from the appliance. That flaw gave the attackers their initial foothold on the network.
Attackers, CISA said in its alert, were able to obtain the contents of the appliance's /etc/passwd file and learn the names and attributes of user and local system accounts. Publicly available exploit code tested by CISA can also be used to leak Active Directory credentials, as well as admin credentials for the VPN itself.
Access to these credentials allowed the attackers to remain present on compromised networks even after the appliances had been patched, since a patch does nothing to invalidate passwords that were already stolen. CISA observed lateral movement on compromised networks, the collection of files for exfiltration, and the execution of ransomware within some of them.
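As an added detection-side example (not from the CISA alert or from Pulse Secure), the scanner below flags directory traversal requests of the kind that an arbitrary-file-read bug like the one above is exploited with. The log lines are constructed in Common Log Format, as a reverse proxy or WAF in front of the appliance might record them; they are not Pulse Secure's own log format, and the paths are generic traversal patterns rather than a specific exploit string. The scanner percent-decodes repeatedly (to defeat double encoding), walks the path segments, and flags any request that climbs above the web root or names a sensitive system file, marking it as a confirmed read when the server answered 200.

```python
"""Flag directory-traversal requests against a VPN appliance in front-end access logs."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/hosts")

# Constructed sample lines (not real appliance logs); two IPs are RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2020:10:12:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5123
198.51.100.9 - - [07/Apr/2020:10:12:07 +0000] "GET /dana-na/../../../../../etc/passwd HTTP/1.1" 200 1380
198.51.100.9 - - [07/Apr/2020:10:12:09 +0000] "GET /dana-na/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1380
198.51.100.9 - - [07/Apr/2020:10:12:15 +0000] "GET /dana-na/%252e%252e/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 210
192.0.2.77 - - [07/Apr/2020:10:13:40 +0000] "GET /dana/home/starter0.cgi?check=yes HTTP/1.1" 200 3311
"""


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e ends up as '..' just like %2e%2e."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def normalize(target: str) -> Tuple[str, bool, int]:
    """Resolve '.' and '..' segments; report whether the path tried to climb above '/'
    and how many '..' segments were present after decoding."""
    path = decode_fully(target).replace("\\", "/")
    parts: List[str] = []
    escaped = False
    dotdot = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            if parts:
                parts.pop()
            else:
                escaped = True          # more '..' than there are directories to leave
        else:
            parts.append(seg)
    return "/" + "/".join(parts), escaped, dotdot


def scan(log_text: str) -> List[dict]:
    """Return one finding per suspicious request line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue                    # not a request line we understand; skip, don't crash
        ip, ts, method, target, status = m.groups()
        resolved, escaped, dotdot = normalize(target)
        reasons = []
        if dotdot:
            reasons.append(f"{dotdot} '..' segment(s) after decoding")
        if escaped:
            reasons.append("path climbs above web root")
        sensitive = any(resolved.endswith(s) for s in SENSITIVE)
        if sensitive:
            reasons.append(f"targets sensitive file {resolved}")
        if not reasons:
            continue
        findings.append({
            "line": lineno, "ip": ip, "time": ts, "method": method, "status": status,
            "target": target, "resolved": resolved, "reasons": "; ".join(reasons),
            # a 200 on a sensitive file means the read succeeded, not merely that it was attempted
            "severity": "confirmed" if (sensitive and status == "200") else "attempt",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['severity']}: {f['target']} -> {f['resolved']} ({f['reasons']})")
```

Any confirmed finding should be treated as a credential exposure for every account that used the appliance, which is exactly why CISA's guidance below pairs patching with password resets rather than relying on the patch alone.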
Organizations running Pulse Secure VPNs should not only patch their appliances but assume that every credential the appliance handled has been exposed: change all Active Directory account passwords, including administrator and service accounts (and, where forged Kerberos tickets are a concern, reset the krbtgt account password twice so that previously issued tickets stop validating), audit systems for unauthorized applications and scheduled tasks, and inspect those tasks for executables that could allow an attacker to reconnect.
These two incidents are stark reminders of how Active Directory credentials can be abused to facilitate intellectual property theft, data exfiltration and extortion schemes. Organizations must be vigilant about patching vulnerabilities and ensuring secure configurations of network gear and endpoints.
In addition, organizations should enforce a "least-privilege" model of access: keep the set of domain administrators small, restrict where those accounts can be used, and avoid extending administrative privileges to ordinary domain user accounts wherever possible.
“Maintaining a real-time stateful ledger of all appropriately issued and valid Kerberos tickets and observing the totality of Kerberos interactions across clients (principals), domain controllers (key distribution centers) and Kerberized services is a tremendously difficult but important task," said Andrew Sellers, QOMPLX CTO. "By reconstituting all Kerberos and Domain Replication Service (DRS) protocol traffic and performing streaming analytics, QOMPLX provides the most comprehensive, accurate and timely approach to securing enterprise authentication infrastructure.”
Finally, as Active Directory attacks escalate in severity through Golden Ticket and Silver Ticket forgeries, there must be external validation of the Kerberos protocol to ensure that every ticket presented by a Kerberos principal (that is, a client of a service) was in fact issued by a legitimate key distribution center.
QOMPLX’s technology can verify, in near real-time, that a given Kerberos authentication event was correctly generated and that it is linked to legitimate user interactions and the issuing domain controller. This type of deterministic verification makes it difficult for attackers to abuse authentication protocols and processes.