Researchers at the Australian security company, Threat Intelligence Pty Ltd., have created a possibly devastating botnet that exploits infected victims Active Directory Domain Controllers, resulting in internally hosted command and control servers.

Active Directory is a Microsoft directory service for Windows that domain networks & stores information on network components, automates network management of user data, and authenticates and authorizes users while enforcing security policies.

The attack method can use the AD as a central connecting point for any infected node or endpoint in the system, allowing the attacker to enable two-way communication with each other even when segmented into separate security zones.

Hypothetically, if an organization were to get infected by an AD botnet through a phishing attack, the attacker could utilize one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. Ty Miller, Managing Director of Threat Intelligence, further explained, “This means that we can utilize that connection to bypass all of your network access controls and all of your firewall rules because you’ve got that gaping hole where everything can communicate in one central place.”

The AD botnet was demonstrated yesterday at Black Hat 2017 in Las Vegas, where the goal was to create a botnet that could potentially bypass internal firewalls, defeat network segmentation, and leverage an infected organization’s cloud domain controllers to exfiltrate data.

Threat Intelligence suggests a few tips to help mitigate the threat. First, separate your domains into different domains based on security roles. This will help prevent users in one domain from escalating privileges by bypassing network filtering. The company also suggests taking note of any odd values in standard user attributes, monitoring regular changes of personal information attributes, and restricting permissions for standard users to update their attributes.

 

NNT also suggests:

  • Regularly run File Integrity Monitoring checks to detect new or changed system files
  • Ensure ex-employees rights are removed promptly to prevent ex-employees retaining access rights
  • Regularly review Domain Admin accounts for any change of privilege or new account creation- using Event Log Management solutions like NNT Log Tracker

 

Read this article on SCMagazine

 

 

NNT Products
USA Offices
New Net Technologies LLC
Naples
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
Atlanta
201 17th Street, Suite 300
Atlanta, Georgia, 30363.

Tel: 1-888-898-0674
email [email protected]
UK Office
New Net Technologies LLC
Rivers Lodge
West Common
Harpenden
Hertfordshire
AL5 2JN

Tel: 01582 287310
email [email protected]
Connect
Google+ Linkedin Twitter - Change Tracker Facebook rss feed YouTube
CIS benchmarking SEWP Cybersecurity 500 Sans Institute
Copyright 2017, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.