Cybersecurity firm Aorato has released the report “Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim’s password without being logged”, which describes a newly identified flaw in Active Directory that lets an attacker change a victim’s password despite existing security controls and identity theft protections. With Aorato estimating that 95% of Fortune 500 companies deploy Active Directory, the potential for this vulnerability to cause harm and data theft is high.
Once the attacker has exploited this Active Directory flaw and set a new password, the attacker can impersonate the victim against any enterprise service that explicitly requires the victim’s credentials, such as Remote Desktop Protocol (RDP) logon and Outlook Web Access (OWA). Despite existing security controls, the logged events lack the vital indication that an identity theft attack has taken place: the attacker can carry out the password change without it being reflected in the event logs, leaving log-based SIEMs and Big Data security analytics blind to this kind of advanced attack.
“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure. The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data,” said Tal Be’ery, VP Research at Aorato. “Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected.”
Because there is no built-in fix for this flaw, Aorato recommends that enterprises:
– Detect authentication protocol anomalies;
– Identify the attack by correlating abnormal use of encryption methods with the context in which the victim’s identity is being used; and
– Apply measures to reduce the attack surface. (Note that these measures only reduce the attack surface; they neither eliminate it altogether nor address the root cause.)
To read more about this flaw, see Aorato’s full disclosure report.
To learn more about Aorato, please visit: www.aorato.com.
About Aorato
Aorato protects organizations from advanced attacks. Recognizing Active Directory’s pivotal role in the network, Aorato’s flagship product, DAF™, automatically learns the behaviors of all entities engaging directly or indirectly with Active Directory. By profiling these entities, DAF™ builds an interaction graph between them in order to detect suspicious entity behavior in real time. Aorato is backed by strategic investors including Eric Schmidt (Innovation Endeavors), Accel Partners, and the founders of Imperva and Trusteer.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.