A security firm has discovered a flaw in Microsoft's Active Directory (AD) software that could allow an attacker to change a victim's password and, ultimately, access a range of enterprise services.
On Tuesday, Tal Be'ery, vice president of research for Israel-based Aorato, detailed the attack method that could open widely used Microsoft software to unauthorized access. In a blog post, he explained that Active Directory, deployed in 95 percent of all Fortune 1000 companies, enables by default an older authentication protocol called NTLM.
By using a free penetration testing tool, such as WCE or Mimikatz, an attacker could easily steal the NTLM hash from a targeted individual's device, Be'ery said. With the hash in hand, an attacker who “forces the client to authenticate to Active Directory using a weaker encryption protocol” could go on to change victims' passwords and log in to other Microsoft services such as Outlook Web Access or Remote Desktop Protocol, he explained.
In a Tuesday interview with SCMagazine.com, Be'ery said that he notified Microsoft of the issue in early June, and the tech giant provided an official response on the matter as of July 7 (which he posted at the end of his blog post).
Microsoft attributes the security issue to a known design “limitation,” as opposed to a vulnerability, in Active Directory caused by the authentication protocol the service uses (NTLM). Be'ery contends, however, that the issue is a “by design flaw,” and that newly discovered exploits, such as attackers changing users' passwords while leaving no trace of the attack for log-based SIEMs or data analytics tools, underscore the seriousness of the issue.
“We found out that the logs are not [catching] that issue of downgrading the encryption,” Be'ery said. “The crucial clues of the attack go [unnoticed]. If the basis of your security system is on logs then you have no chance of catching that attack,” he added.
In its statement, Microsoft advised enterprises to implement smart card authentication and to disable a weaker encryption algorithm, RC4-HMAC (which is keyed from the NTLM hash). Be'ery suggested in his blog post, however, that neither option is a practical solution, since smart cards “are expensive and difficult to deploy throughout an enterprise,” and removing older encryption algorithms enterprise-wide could prevent users from accessing older systems.
Instead, Be'ery encouraged companies to monitor authentication protocol anomalies (such as the use of non-default encryption algorithms) as well as changes in typical user behavior (like the kinds of services used or the times they are accessed by employees). Windows computers should also be patched with a Microsoft update that mitigates theft of NTLM hashes, he added.
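The monitoring approach Be'ery recommends, watching for non-default encryption algorithms per account rather than waiting for a log entry that says “attack,” can be sketched in a few lines. The following is an added example, not code from Aorato or from the article. It assumes Kerberos ticket-request records (Windows Security Event 4768, which carries a Ticket Encryption Type field) have been exported in a simple key=value form; the event ID and the encryption type codes (0x17 for RC4-HMAC, 0x12 for AES256) are real Windows values, while the accounts, addresses and the key=value layout are constructed for this example. The script builds a per-account baseline of the strong types seen and flags any RC4 or DES request, distinguishing a downgrade (an account that previously used AES) from a legacy client that has always used RC4, which is exactly the older-systems case that makes disabling RC4 outright impractical.

```python
import re

# Constructed sample records modelled on the field names of Windows Security
# Event 4768 (Kerberos authentication ticket requested). Accounts, addresses
# and the key=value layout are invented for this example.
SAMPLE_EVENTS = [
    "EventID=4768 AccountName=alice ClientAddress=10.0.1.15 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 AccountName=bob ClientAddress=10.0.1.16 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 AccountName=alice ClientAddress=10.0.9.77 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 AccountName=legacy-svc ClientAddress=10.0.3.5 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 AccountName=bob ClientAddress=10.0.1.16 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 AccountName=bob ClientAddress=10.0.1.16 TicketEncryptionType=0x12 Status=0x0",
]

# Kerberos encryption type codes as they appear in TicketEncryptionType.
ETYPE_NAMES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17"}    # RC4 is keyed from the NTLM hash
STRONG_ETYPES = {"0x11", "0x12"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'key=value key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def find_etype_anomalies(lines):
    """Scan TGT requests (EventID 4768) in order and flag weak encryption types.

    Each finding records whether the account had already been seen requesting
    an AES ticket, i.e. whether this looks like a downgrade for that account
    rather than a legacy client that has always used RC4.
    """
    baseline = {}   # account -> set of strong etypes seen so far
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue
        account = ev["AccountName"]
        etype = ev["TicketEncryptionType"]
        strong_seen = baseline.setdefault(account, set())
        if etype in WEAK_ETYPES:
            findings.append({
                "account": account,
                "client": ev["ClientAddress"],
                "etype": ETYPE_NAMES.get(etype, etype),
                "downgrade": bool(strong_seen),
            })
        elif etype in STRONG_ETYPES:
            strong_seen.add(etype)
    return findings


if __name__ == "__main__":
    for f in find_etype_anomalies(SAMPLE_EVENTS):
        kind = "DOWNGRADE" if f["downgrade"] else "weak etype"
        print(f"{kind}: {f['account']} from {f['client']} used {f['etype']}")
```

On the sample data this reports alice's RC4 request from a new address as a downgrade, because her earlier tickets were AES256, and reports legacy-svc only as a weak-type user with no baseline to compare against. In a real deployment the baseline would be built from history over weeks rather than from the same batch, and the client address and time-of-day would feed the behavioural checks Be'ery also suggests.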