Researchers at the Australian security company, Threat Intelligence Pty Ltd., have created a possibly devastating botnet that exploits infected victims Active Directory Domain Controllers, resulting in internally hosted command and control servers.
Active Directory is a Microsoft directory service for Windows that domain networks & stores information on network components, automates network management of user data, and authenticates and authorizes users while enforcing security policies.
The attack method can use the AD as a central connecting point for any infected node or endpoint in the system, allowing the attacker to enable two-way communication with each other even when segmented into separate security zones.
Hypothetically, if an organization were to get infected by an AD botnet through a phishing attack, the attacker could utilize one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. Ty Miller, Managing Director of Threat Intelligence, further explained, “This means that we can utilize that connection to bypass all of your network access controls and all of your firewall rules because you’ve got that gaping hole where everything can communicate in one central place.”
The AD botnet was demonstrated yesterday at Black Hat 2017 in Las Vegas, where the goal was to create a botnet that could potentially bypass internal firewalls, defeat network segmentation, and leverage an infected organization’s cloud domain controllers to exfiltrate data.
Threat Intelligence suggests a few tips to help mitigate the threat. First, separate your domains into different domains based on security roles. This will help prevent users in one domain from escalating privileges by bypassing network filtering. The company also suggests taking note of any odd values in standard user attributes, monitoring regular changes of personal information attributes, and restricting permissions for standard users to update their attributes.
NNT also suggests:
- Regularly run File Integrity Monitoring checks to detect new or changed system files
- Ensure ex-employees rights are removed promptly to prevent ex-employees retaining access rights
- Regularly review Domain Admin accounts for any change of privilege or new account creation- using Event Log Management solutions like NNT Log Tracker
Read this article on SCMagazine