Active Directory flaw opens enterprise services to unauthorized access

Microsoft claims the issue is a "well known" design limitation in Active Directory's authentication protocol.

A security firm has discovered a flaw in Microsoft's Active Directory (AD) software that could allow an attacker to change a victim's password and, ultimately, access a range of enterprise services.

On Tuesday, Tal Be'ery, vice president of research for Israel-based Aorato, detailed the attack method that could open widely used Microsoft software to unauthorized access. In a blog post, he explained that Active Directory, deployed in 95 percent of all Fortune 1000 companies, enables by default an older authentication protocol called NTLM.

By using a free penetration testing tool, such as WCE or Mimikatz, an attacker could easily steal the NTLM hash from a targeted individual's device, Be'ery said. With the hash in hand, a hacker who “forces the client to authenticate to Active Directory using a weaker encryption protocol” could go on to change victims' passwords and log in to other Microsoft services, such as Outlook Web Access or Remote Desktop Protocol, he explained.

In a Tuesday interview with SCMagazine.com, Be'ery said that he notified Microsoft of the issue in early June, and the tech giant provided an official response on the matter as of July 7 (which he posted at the end of his blog post).

Microsoft attributes the security issue to a known design “limitation,” as opposed to a vulnerability, in Active Directory, stemming from the authentication protocols the service uses (NTLM). But Be'ery contends that the issue is a “by-design flaw,” and newly discovered exploits, such as attackers changing users' passwords while leaving no sign of the attack for log-based SIEMs or data analytics tools, emphasize the seriousness of the issue.

“We found out that the logs are not [catching] that issue of downgrading the encryption,” Be'ery said. “The crucial clues of the attack go [unnoticed]. If the basis of your security system is on logs then you have no chance of catching that attack,” he added.

In its statement, Microsoft advised enterprises to implement smart card authentication and disable a weaker encryption algorithm, RC4-HMAC (which uses the NTLM hash as its key). Be'ery suggested in his blog post, however, that neither option is a practical solution: smart cards “are expensive and difficult to deploy throughout an enterprise,” and removing older encryption algorithms enterprise-wide could prevent users from accessing older systems.

Instead, Be'ery encouraged companies to monitor authentication protocol anomalies (such as the use of non-default encryption algorithms) as well as changes in typical user behavior (like the kinds of services used or the times they are accessed by employees). Windows computers should also be patched with a Microsoft update that mitigates theft of NTLM hashes, he added.
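As an added illustration of the anomaly monitoring Be'ery recommends (this is example code, not from the article or from Aorato), the script below flags an account whose Kerberos tickets switch from AES to RC4-HMAC, while leaving alone accounts that have only ever used RC4. It assumes a log source that records the ticket encryption type per authentication, modelled on the "Ticket Encryption Type" field of Windows Security event 4768, and runs over constructed sample events.

```python
"""Detect Kerberos encryption-type downgrades in authentication logs.

Added example. Field names mirror the "Ticket Encryption Type" value in
Windows Security event 4768 (an assumption about the log source): 0x17 is
RC4-HMAC (keyed by the NTLM hash); 0x11 and 0x12 are the AES types.
"""
from collections import defaultdict

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}

# Constructed sample events in time order, not real log data.
SAMPLE_EVENTS = [
    {"time": "2014-07-15T08:01", "account": "alice", "etype": 0x12, "src": "10.0.0.5"},
    {"time": "2014-07-15T08:02", "account": "bob", "etype": 0x12, "src": "10.0.0.6"},
    {"time": "2014-07-15T08:05", "account": "legacy-svc", "etype": 0x17, "src": "10.0.0.9"},
    {"time": "2014-07-15T12:30", "account": "alice", "etype": 0x17, "src": "10.0.0.77"},
    {"time": "2014-07-15T12:31", "account": "legacy-svc", "etype": 0x17, "src": "10.0.0.9"},
]


def find_downgrades(events):
    """Return events where an account previously seen with AES gets RC4-HMAC.

    Accounts that have only ever used RC4 (older systems) are not flagged:
    that is their baseline, not a downgrade. Events must be in time order.
    """
    seen = defaultdict(set)  # account -> encryption types observed so far
    alerts = []
    for ev in events:
        prior = seen[ev["account"]]
        if ev["etype"] == RC4_HMAC and prior & AES_TYPES:
            alerts.append({**ev, "reason": "RC4-HMAC after AES baseline"})
        prior.add(ev["etype"])
    return alerts


def rc4_only_accounts(events):
    """Accounts that never used AES: the ones disabling RC4-HMAC would break."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["account"]].add(ev["etype"])
    return sorted(acct for acct, types in seen.items() if types == {RC4_HMAC})


if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_EVENTS):
        print(f"ALERT {alert['time']} {alert['account']} from {alert['src']}: {alert['reason']}")
    print("RC4-only accounts:", rc4_only_accounts(SAMPLE_EVENTS))
```

The second function gives the inventory a team would want before acting on Microsoft's advice to disable RC4-HMAC, since those accounts are the ones that would lose access.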
