A practical approach to Active Directory Domain Services, Part 9: An AD reality check

Active Directory | July 21, 2022 | 5 min read

Have you looked into some of the most well-known Active Directory (AD) attacks from around the world? Do you understand the nuances of these popular attacks and can you put the AD fundamentals you learned in the earlier parts of this blog series to good use? 

Having read about AD breach methodologies and attack types in part 8, let’s learn about some of the world’s most impactful recent AD security breaches. Security breaches ultimately affect one or more of the triad of data security—confidentiality, integrity, and availability of data. To perform a breach, cyberattackers strive to gain access to users, applications, and data, all of which are controlled by the directory services of the organization. That is why AD is a prime target for compromise. 

These three recent real world examples of AD attacks expose the vulnerabilities that many organizations face worldwide: 

  • A supply chain cyberattack at a leading information technology firm.

  • A third-party data breach impacting a reputed automobile company.

  • Security breach in a renowned hotel group.

Let us get right to it.

A supply chain cyberattack at a leading information technology firm 

Increasingly, malicious activities in an organization’s IT supply chain result in unimaginable repercussions for the parent organization as well as its customers. Here’s what happened when a leading IT firm was exploited. 

  • Cyberattackers first gained unauthorized access to user accounts on the firm’s network using a vulnerable and potentially disabled user account. Some reports suggest that an already compromised Microsoft Office 365 account was reused to gain access to the firm’s network.

  • After gaining this initial access, the attackers remained undetected in the AD environment, but remained vigilant of all ongoing network activity.

  • During this time of “lying low”, the attackers assumed escalated access privileges to the network resources, including the servers and software. They tested their attack plan by injecting a malicious code which accessed various applications and altered them. This malcode was targeted at the firm’s flagship software and resulted in the delivery of tainted updates.

  • The attackers at this stage also established backdoors using malicious programs to bypass the standard authentication protocols and other security measures that were in place.

  • Once this initial operation was completed, the attackers retracted. They again found their way back into the firm’s network months later. This strategy gave the attackers enough time to assess the extent of the spread of the injected malcode.

  • AD-DNS integration was exploited. The attackers monitored and meddled with the DNS topology to ascertain the top level domain name servers to exploit, including the dot gov and dot com targets.

  • The cyber activity resumed through the backdoor that was created. This backdoor ensured that the attackers could maintain persistence in the compromised network to regain entry as and when necessary, move laterally as well as continue to escalate their privileges to cause further damage.

  • The main plan now was to ensure that the malicious code, now part of system updates and other associated software delivery, spread from the IT firm to its customers. Some key government agencies and premier privately owned organizations were targeted in this manner.

  • The tainted code resulted in the AD schema being affected. There was even a scenario where the most fundamental of AD data, i.e., user account properties, such as the telephone number associated with user accounts, were tampered with.

  • The compromised and faulty update enabled the attackers to control the affected accounts, change policies and preferences, and expand their botnet.

  • The attackers could now spy on the networks of multiple organizations at once and maintain constant communication with the newly established command-and-control servers.

  • This cyberattack demonstrated some of the most evil impacts of a supply chain attack.

  • After the IT firm ignored multiple warning signs, the malicious activity was finally reported by one of its customers.

  • A period of intensive reconnaissance, remediation, and tangible and intangible repercussions for the IT firm followed.

A third-party data breach attack impacted an international automobile company 

How an organization’s cybersecurity strategies are adopted and how effective they are is influenced by how proactive or reactive a third-party vendor is in protecting its attack vectors.  

Requiring robust risk assessment to be completed by third parties is vital. Security breaches will remain rampant until organizations ensure vendor security assessments are mandatory.

A recent case study is detailed here. One of the subsidiaries of an international automobile company fell prey to a data breach because of its third-party vendor. 

Here’s what happened: 

  • One third-party vendor with privileged access to an automobile company’s directory service, routinely accessed the customer’s AD environment for specific business operations.

  • Whether the access granted by the automobile company to the vendor was role-based is has not been determined.

  • A Zero Trust approach should have been followed to establish a least privilege environment. The chances of misuse of highly sensitive data was implicitly high and that made the entire AD ecosystem vulnerable to security breaches.

  • The vendor, with or without malicious intentions, left some of the highly sensitive data unsecured over the internet for an extended period.

  • This data breach exposed confidential information, paving the way for possible cases of identity theft and other serious consequences resulting from compromised personal information.

  • The vendor, being negligent, caused numerous compliance-related offenses which adversely affected its client.

  • The automobile company incurred both financial and reputational losses in mitigating the damage caused to its customers because of the data breach.

Security breach in a renowned hotel group 

Businesses, especially in the hospitality industry, thrive on the timely upkeep of their databases to ensure smooth day-to-day functioning. 

Strategic decisions, such as mergers and acquisitions, often completely transform the AD topology and necessitate a robust security monitoring solution to ensure that data is not compromised. 

The consequences of any unwelcome cybersecurity event that may arise in the aftermath of a merger, if any, can be catastrophic. 

This has been the case for a renowned hotel group “X”; an event that resulted in grave outcomes after its highly publicized merger with another market leader, “Y”, at the time. 

Here’s how the security attack unfolded: 

  • The attack was initiated as a typical AD attack: A vulnerable user, despite having seemingly low privileges, was first compromised to gain initial access to the network of hotel group Y.

  • Reports indicate this initial compromise was accomplished much earlier, years before there were any talks of a merger with hotel group X.

  • The attackers, we now know, inserted a malicious code, a remote access Trojan, either through a phishing email, or by using the open source scripting tool Mimikatz.

  • The hackers then compromised username and password combinations to move laterally within the compromised domains.

  • They subsequently took over other user account(s) with administrator privileges, and gained access to highly confidential and sensitive databases.

  • At this point, the merger finally took shape. What we now know is that despite the merger, the IT infrastructure of company Y continued to be in use.

  • After years of staying undetected, some anomalous activity by the attackers was uncovered by the security team at hotel group X. An usual database query to access company Y’s database was detected, triggering a red flag notification to the security team and alerting them of potential suspicious network activity.

  • Hotel group X then initiated remediation measures.

  • It was revealed that the attackers had mastered the database and stolen personal information of more than millions of customers through an extended period of unauthorized monitoring of the network activity both pre- and post- merger.

  • This mass theft of data paved the way for numerous potentially disastrous consequences for the customers of the hotel groups X and Y.

  • The lack of any security monitoring systems in place, first at hotel group Y which resulted in the attackers staying undetected for that long, and then at hotel group X post the merger when the scam was exposed, became a much talked about black mark in the history of this brand’s reputation.

These were three attacks I wanted to bring to your attention to strengthen your grasp on how fundamental yet catastrophic a compromise on your AD infrastructure could be. The three attacks, the methodology of each of them, and their impact reflect some of the biggest lessons in cybersecurity today. 

Most cyberattacks target the AD environment. It is only through knowledge and application that you can incorporate and uphold the principles of safety and cybersecurity to protect your AD better. 

AD security requires you to prioritize for it.

Tags : AD / AD attacks / AD configurations / AD design topology / AD DS / AD security / AD vulnerabilities / data breach / least privilege environment / privilege escalation / zero trust approach
Jyotsna J Bhargav