Attackers look for weak points in our domains and networks, and too often they get in, establish a foothold, and wait to launch the real attack later. One example is the infamous SolarWinds supply-chain attack, which delivered a backdoor through the Orion software update and reached up to nine US federal agencies and many other organizations.
Recent reporting shows that the Justice Department may have seen signs of the breach months before it became public. The affected software had been installed on trial servers before purchase, and the network administrators noticed unusual traffic from one of those servers and questioned it. Investigators examined the situation, but no one understood its significance until months later.
The backdoor was eventually identified by some of those same investigators when the software turned up on their own servers. If experts in the field took months to find that this software had a backdoor, can the rest of us expect to find these attackers on our networks?
Use egress filtering on firewalls
My recommendation in this type of scenario is twofold. First, use egress filtering on a firewall so you can tell whether the traffic leaving your servers is normal. The built-in Windows Defender Firewall can block outbound traffic; too often we ignore the tools already in our infrastructure and reach for a vendor product instead. Outbound filtering does carry real overhead, though: the business usually insists that connections to other servers keep working first, and nobody takes the time to establish what traffic is normal and expected. Without that baseline, an unexpected outbound connection is just one more alert nobody can explain.
Second, don’t second-guess network administrators when they ask why a vendor is doing something strange with their software. I’ve often found myself in the situation where I’m investigating what appears to be an unexpected leak of information or software that isn’t behaving correctly, and I think I must be overreacting to the evidence I’m seeing. Surely some other company has seen and reported this behavior before and I’m just misunderstanding what’s going on?
Do your due diligence when buying new software
I often have to reassure myself through further research and external verification that what I am seeing is not normal. So when you buy any new software, make sure staff are empowered to investigate unusual traffic that cannot be explained, and consider moving your firewall to a “block first, enable later” verification process. Do not introduce new software into your Active Directory domain before doing that due diligence.
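The “block first, enable later” egress policy from this section and the Windows firewall advice above, as an added PowerShell example (not code from the original article). It assumes a server that only needs Active Directory traffic to two hypothetical domain controllers and HTTPS to one hypothetical vendor host; the addresses are placeholders and the allow rules must be replaced with what you have actually baselined:

```powershell
# Added example, not from the original article. Moves a server to default-block outbound on the
# built-in Windows Defender Firewall and summarises what was dropped so it can be investigated.
# Hypothetical values: the DC addresses and the vendor host are placeholders.
#Requires -RunAsAdministrator

$DomainControllers = @('10.0.0.10', '10.0.0.11')   # hypothetical domain controller addresses
$VendorUpdateHost  = '203.0.113.25'                # hypothetical vendor endpoint (TEST-NET-3 range)
$LogFile           = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Log dropped packets BEFORE flipping the default action, so the baseline period records
#    every outbound flow the block would break instead of silently killing it.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed False -LogFileName $LogFile -LogMaxSizeKilobytes 32767

# 2. Explicit outbound allow rules for the traffic you have decided is normal and expected.
New-NetFirewallRule -DisplayName 'Egress: AD to domain controllers (TCP)' -Direction Outbound -Action Allow `
    -RemoteAddress $DomainControllers -Protocol TCP -RemotePort 53, 88, 135, 389, 445, 636, 3268, 3269
New-NetFirewallRule -DisplayName 'Egress: AD to domain controllers (UDP)' -Direction Outbound -Action Allow `
    -RemoteAddress $DomainControllers -Protocol UDP -RemotePort 53, 88, 123, 389
New-NetFirewallRule -DisplayName 'Egress: vendor update channel' -Direction Outbound -Action Allow `
    -RemoteAddress $VendorUpdateHost -Protocol TCP -RemotePort 443

# 3. Block everything else. Nothing leaves the host unless an allow rule permits it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 4. Parse pfirewall.log (W3C style, '#Fields:' header) and group dropped outbound flows by
#    destination. 'path' is SEND for traffic leaving this host.
function Get-DroppedEgress {
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($LogFile))
    $fields = $null
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -like '#Fields:*') { $fields = ($_ -replace '^#Fields:\s*', '') -split '\s+'; return }
        if ($_.StartsWith('#') -or -not $fields) { return }
        $values = $_ -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['action'] -eq 'DROP' -and $row['path'] -eq 'SEND') { [pscustomobject]$row }
    } | Group-Object protocol, 'dst-ip', 'dst-port' | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Destination (proto, ip, port)'; e = { $_.Name } }
}

Get-DroppedEgress | Format-Table -AutoSize
```

Run step 1 alone for a week or two first and review the DROP list; anything on it either gets an explicit rule with an owner and a reason, or gets investigated. The point of the ordering is that allow rules exist before the default flips to Block, so the change does not take the server off the domain.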
But what if the attack technique is a little closer to home? Another method attackers use that is equally hard to investigate and understand is the “living off the land” style of attack, which relies on code and infrastructure you already run. If you have an Active Directory network, some self-examination is in order. If you have ever stood up an Active Directory Certificate Services (ADCS) server on your network, a misconfigured certificate template can let an attacker go from an ordinary domain user to domain administrator. These misconfigurations will not show up in a normal vulnerability scan, because nothing is unpatched; you have to know where the weak points are.
ADCS attacks can be trivial for bad actors
If your company is like a typical enterprise, your Active Directory infrastructure is many years old, so you may have older configurations, leftover services, and legacy forest and domain settings. Pentesters and attackers often use ADCS attacks to show how trivial gaining access can be. As SpecterOps demonstrated in its “Certified Pre-Owned” white paper on the subject, there are several ways to execute these techniques.
The simplest case: if a certificate template allows client authentication, lets the enrollee supply an arbitrary subject alternative name (SAN), and lets low-privileged users enroll in it without manager approval, an attacker can request a certificate from that template and put a domain administrator’s user principal name in the SAN. All the attacker needs is the credentials of any domain user, for example a password collected from a compromised workstation. You can already see what comes next: the CA issues the certificate, and the attacker authenticates to the domain with it as the domain administrator.
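The template conditions described in the paragraph above can be checked directly against the Configuration partition. The following is an added PowerShell audit (not code from the SpecterOps paper or the original article); it assumes the RSAT ActiveDirectory module and read access to the Configuration naming context, and it lists only templates that match all of the conditions, together with the principals that can enroll in them:

```powershell
# Added example, not from the original article or the SpecterOps paper. Finds certificate templates
# where the enrollee supplies the subject/SAN, client authentication is allowed, no manager approval
# or authorised signature is required, and reports who can enroll. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caBase   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

# Flag bits and OIDs as defined in MS-CRTD and RFC 5280.
$ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: requester chooses subject and SAN
$PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: CA certificate manager approval required
$clientAuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)
$enrollRight = [guid]'0e10c968-78fb-11d1-a066-00aa006c33ed'   # Certificate-Enrollment control access right

# A template is only usable once a CA publishes it.
$published = Get-ADObject -SearchBase $caBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties certificateTemplates | ForEach-Object { $_.certificateTemplates }

$templates = Get-ADObject -SearchBase $tmplBase -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties name, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', pKIExtendedKeyUsage

function Test-Esc1Template {
    param($Template)
    $suppliesSubject = ([int]$Template.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $noApproval      = ([int]$Template.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0
    $noSignature     = [int]$Template.'msPKI-RA-Signature' -eq 0
    $ekus = @($Template.pKIExtendedKeyUsage | Where-Object { $_ })
    # An empty EKU list means the certificate is valid for any purpose, including client authentication.
    $clientAuth = ($ekus.Count -eq 0) -or (@($ekus | Where-Object { $clientAuthEkus -contains $_ }).Count -gt 0)
    return [bool]($suppliesSubject -and $noApproval -and $noSignature -and $clientAuth)
}

foreach ($t in $templates) {
    if (-not (Test-Esc1Template $t)) { continue }

    # Who can enroll: any Allow ACE granting GenericAll, the Certificate-Enrollment right,
    # or all extended rights (ObjectType = empty GUID) on the template object.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty))
        )
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template  = $t.name
        Published = [bool]($published -contains $t.name)
        Enrollers = ($enrollers -join '; ')
    }
}
```

Any row whose Enrollers column includes Domain Users, Authenticated Users or a broad group like Domain Computers is the scenario in the text. The usual fixes are to clear the “supply in the request” option so the subject is built from Active Directory, or to require CA certificate manager approval for that template. This check covers only the subject-supplied case; the white paper describes other template, CA and access-control misconfigurations that this script does not look for.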
Even if you have already closed this escalation path internally, remember that any consultant or vendor you trust with access to your environment shares its risk with you: if their Active Directory has this weakness, in practice so do you. Ask the vendors you trust to audit their Active Directory as well.
Some protections are built into Windows
Some of the controls you can use to detect and prevent these attacks are already built into Windows. On the CA, monitor event 4886, “Certificate Services received a certificate request,” and event 4887, “Certificate Services approved a certificate request and issued a certificate.” Note that the CA only writes these events once certificate request auditing has been enabled on it.
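Turning on those audit events and triaging them, as an added PowerShell example (not code from the original article). It runs on the CA itself, assumes the Security log is readable and that the EventData field names match Microsoft’s standard 4886/4887 event templates (RequestId, Requester, Attributes, Subject), and flags issued certificates whose subject does not name the account that requested them:

```powershell
# Added example, not from the original article. Enables CA request auditing, then lists 4886/4887
# events where the issued subject does not match the requester, or where a SAN was passed as a
# request attribute. Run on the CA as an administrator. EventData names assumed per the standard
# Windows 4886/4887 event templates.
#Requires -RunAsAdministrator

# 1. The CA must audit "Issue and manage certificate requests" (bit 0x20; 127 enables all seven
#    CA audit categories) and the OS must collect Object Access > Certification Services events.
#    The AuditFilter change takes effect after the CA service restarts.
certutil -setreg CA\AuditFilter 127 | Out-Null
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable | Out-Null
Restart-Service -Name certsvc

function Get-SuspiciousCertRequest {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4886, 4887; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Requester is DOMAIN\sAMAccountName (machine accounts end in $). The subject the CA issued
        # should refer to that same account; a domain admin's name there for an ordinary user's
        # request is the escalation described above.
        $requester = (($data['Requester'] -split '\\')[-1]).TrimEnd('$')
        $subject   = $data['Subject']
        $attrs     = $data['Attributes']

        $subjectMismatch = ($_.Id -eq 4887) -and $subject -and $requester -and
                           ($subject -notmatch [regex]::Escape($requester))
        # A SAN supplied as a request attribute (san:upn=...) is a related abuse worth seeing too.
        $sanInAttributes = [bool]($attrs -match '(?i)san:')

        if ($subjectMismatch -or $sanInAttributes) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                RequestId  = $data['RequestId']
                Requester  = $data['Requester']
                Subject    = $subject
                Attributes = $attrs
            }
        }
    }
}

Get-SuspiciousCertRequest -Hours 72 | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: user templates that build the subject from the display name will mismatch on sAMAccountName and show up as false positives. Event 4887 does not record the certificate’s SAN, so for any flagged Request ID pull the full row from the CA database with `certutil -view -restrict "RequestID=<id>"` and check the Subject Alternative Name extension there.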
Finally, don’t forget to review your domain’s functional level. Leaving it at an older level can slow the deployment of key security protections. An example is the recently released native Windows Local Administrator Password Solution (Windows LAPS). With the April 2023 cumulative updates, Microsoft added to Windows 10, Windows 11, Server 2019 and Server 2022 the ability to generate, store and rotate a random local administrator password natively, without deploying the separate (now “legacy”) LAPS toolkit. Windows LAPS can also automatically manage and back up the Directory Services Restore Mode (DSRM) account password on Windows Server Active Directory domain controllers.
If you are still running Windows Server 2016 domain controllers, be aware that Server 2016 did not receive the Windows LAPS update, so those domain controllers cannot work with the encrypted Windows LAPS password. As Microsoft notes, plaintext password storage is supported in that environment, but encrypted password storage for domain-joined clients and DSRM account management for domain controllers are not.
You must run Windows Server 2019 or later domain controllers (and have the domain at the Windows Server 2016 functional level or higher) to get the full benefit of Windows LAPS password encryption as delivered in the April cumulative updates. Your weak point may be the legacy domain controller you left behind and never updated.
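A readiness check for the conditions just described, as an added PowerShell example (not code from the original article). It assumes the RSAT ActiveDirectory module and reads the Windows LAPS policy from the registry path Group Policy writes to; it reports legacy domain controllers by build number, the domain functional level, whether the Windows LAPS schema extension is present, and whether encryption is actually switched on in policy:

```powershell
# Added example, not from the original article. Checks what gates Windows LAPS password encryption:
# domain controller OS builds, domain functional level, schema extension and the applied policy.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-WindowsLapsReadiness {
    $domain = Get-ADDomain
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, OperatingSystemVersion

    # OperatingSystemVersion looks like "10.0 (17763)". Server 2019 is build 17763,
    # Server 2016 is 14393, so anything below 17763 cannot run Windows LAPS.
    $legacyDCs = foreach ($dc in $dcs) {
        if ($dc.OperatingSystemVersion -match '\((\d+)\)' -and [int]$Matches[1] -lt 17763) { $dc.HostName }
    }

    # Encryption requires the Windows Server 2016 domain functional level or later.
    $dflOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain

    # Update-LapsADSchema adds the msLAPS-* attributes; look for one of the encrypted ones.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schemaOk = [bool](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msLAPS-EncryptedPassword)')

    # Windows LAPS policy as applied on this machine. BackupDirectory 2 = Active Directory.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Domain                  = $domain.DNSRoot
        DomainFunctionalLevel   = $domain.DomainMode
        DflSupportsEncryption   = $dflOk
        SchemaExtended          = $schemaOk
        LegacyDomainControllers = (@($legacyDCs) -join ', ')
        BackupToAD              = ($policy.BackupDirectory -eq 2)
        EncryptionPolicyOn      = ($policy.ADPasswordEncryptionEnabled -eq 1)
        ReadyForEncryption      = [bool]($dflOk -and $schemaOk -and (@($legacyDCs).Count -eq 0))
    }
}

Test-WindowsLapsReadiness | Format-List
```

If SchemaExtended is false, a Schema Admin runs `Update-LapsADSchema` from the LAPS module; computers then need `Set-LapsADComputerSelfPermission -Identity '<OU distinguished name>'` before they can write their passwords. Any host listed under LegacyDomainControllers is the leftover domain controller the paragraph above warns about and must be replaced or upgraded before ADPasswordEncryptionEnabled is set.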
Copyright © 2023 IDG Communications, Inc.
As a full-stack technology company, Ikaroa is well aware that any organization’s Active Directory Certificate Services (ADCS) infrastructure is a major target for malicious cyber-attacks. ADCS is the certificate authority an organization uses to issue and validate the certificates that authenticate users and machines, sign documents and code, and secure many of today’s applications and services. Because a compromised or misconfigured CA can mint trusted identities, it is of paramount importance to protect this mission-critical service from adversaries intent on infiltrating the organization’s network and stealing, manipulating or destroying the data it holds.
In light of this, Ikaroa strongly recommends that all organizations audit their existing ADCS infrastructure, along with its associated processes, configurations, and access control settings. Doing so helps identify possible security weaknesses and gives a clear picture of what steps are needed to defend the network.
Foremost in any review should be a detailed look at the authentication and authorization controls in place: which certificate templates are published, what each template allows (a subject supplied by the enrollee, client authentication, manager approval), and which accounts have been granted enrollment or management rights over them. Organizations should also revisit access rights and review the relevant encryption and key management practices.
Organizations should also closely inspect the physical security of the ADCS installation, analysing the hardware and the physical environment where the server is located. From a logical perspective, comprehensive logging and monitoring of user activity can provide early insight into an attack in progress, and regular patching mitigates known vulnerabilities in the server’s operating system; both are critical in helping to prevent attacks.
As the sophistication of cyber-attacks continues to increase, organizations must review their ADCS infrastructure regularly to reduce the chance that malicious actors gain access to sensitive data and operations. If a breach does occur, organizations must be able to confirm that their data is intact, and be prepared to respond quickly and minimize the impact of any losses. By following Ikaroa’s advice, implementing security best practices and running regular audit checks, organizations will be well placed to defend their ADCS infrastructure against all manner of attacks.