Active Directory has become a popular pathway for ransomware attacks. Take a deep dive into the exploitation tactics for proactively implementing preventive measures and disrupting threat activity.
Active Directory (AD) is an on-prem identity management product that holds a plethora of identity-related information. About 90 percent of Fortune 1000 companies use Active Directory as a critical component of their network. It helps organizations centrally manage user credentials and network resources. It also monitors Public Key Infrastructure and Role-Based Access Control security features of organizations.
While convenient for companies, Active Directory is rather complex to secure. An attacker can manipulate group memberships, security policies, and permissions in a compromised Active Directory as an impersonated actual employee. Today’s attackers are more deliberate; they seek the most valuable assets to target. Therefore, a defender combating threats requires new ways of thinking and effective cyber security tools.
Table Of Contents
An Insight into Active Directory Exploitation
When organizations measure Active Directory performance, they often overlook security as a parameter alongside service availability. Analyzing recent active directory ransomware attacks reveals the refined sophistication that goes into planning the onslaught of cyberattacks. The ingenious concept is to target an organization’s most critical assets for a strong negotiation. There are fundamentally two steps to a ransomware invasion activity.
Seeking an Entry Point:
Adversaries perform internal reconnaissance when attacking Active Directory and profile a victim moving laterally through the network. However, before anything, getting a foothold on an entry point that leads into a system is essential. Interestingly, as has been seen for many active directory ransomware attacks, entry points are mostly not the outcomes of phishing attacks.
Attackers know that securing vulnerabilities and misconfigurations is a recurring task that defenders frequently overlook. Therefore, they aim for vulnerabilities in operating systems and devices. They also leverage misconfigurations as they too do not require any user interaction. For instance, Active Directory administrators turn to groups to grant users permissions and access rights. However, when permission and access rights are no longer needed, the users leave the group empty but still with active permissions and access rights. An empty group in an Active Directory that has stayed unmonitored is an excellent point to begin for any attacker who already has a user ID.
Post Entry Point Invasion:
Once inside the active directory, the intention is to obtain privileged credentials and garner information about the network. Surfing for privileged accounts can involve multiple strategies, one of which is obtaining a cached credential. Impersonating a profile, attackers create a back door for themselves. They copy crucial data and spread ransomware.
Hackers can use Active Directory to control an entire IT (Information Technology) infrastructure and propagate to every device in the organization. On-prem and cloud solutions both become vulnerable. Hence, comprehensive security measures should extend to all devices on the network.
Active Directory Ransomware Attack Methods
Hackers rely on the following methods to target Active Directory for carrying out ransomware attacks:
Active Directory Group Policy Infection Attack
Ryuk ransomware targets large organizations. In 2019, it attacked the US Coast Guard and locked the victim out of all critical files. Ryuk ransomware’s initial attacks are usually with Emotet or Trickbot malware. Threat actors silently move through the network to identify sensitive information. They steal credentials, collect Active Directory information, and map attack paths. Ryuk uses Active Directory Group Policy Objects to push oblivious users. Through Remote Desktop Protocol, attackers hack Active Directory servers and insert Ryuk into Active Directory logon script. This way, they can infect anyone who would try to log on to the Active Directory server.
Note: Ryuk attacks are specific to their victims and, therefore, complex. Even if an expert removes Ryuk from the system, the files remain encrypted; only threat actors have the key.
Malicious Insertion into Active Directory’s SYSVOL Share
This strain of ransomware spreads by inserting itself into Active Directory’s SYSVOL share. SYSVOL stores domain public files and is readable for all authenticated users, but only users with privileged access to Active Directory can change it. Using Active Directory’s SYSVOL Share, threat actors schedule tasks to infect devices and log files to monitor these devices.
Note: Almost all ransomware begins with compromising a local user account, leading to privileged domain controller rights. This ransomware is dangerous as the attackers proceed when they have already taken admin rights.
Virtual Private Account Vulnerability
The Colonial Pipeline Co. shut down in 2021 for the first time in its 57 years of history. A disabled virtual private account was used as an entry point to inject ransomware into Active Directory. Malicious actors used an easy-to-guess list of passwords or the actual breached passwords available on the Dark Web. Once inside, hackers bypass user account control through CMSTPLUA COM interface. They deploy different self-encryption techniques to avoid detection, and with Active Directory reconnaissance tools, gather details. Hackers encrypt using both symmetric and asymmetric algorithms. It is ensured that all backup solutions are disabled.
Note: Disable accounts are low-hanging fruit for threat actors because they usually have the least protection.
CVE-2019-0604 Vulnerability on SharePoint
During mid-2019, in three offices of the UN, hackers breached numerous servers that managed user passwords, firewalls, and databases. The threat actors had exploited a security hole in Microsoft SharePoint. Even though Microsoft had released the patch for the vulnerability (CVE-2019-0604) on SharePoint, UN had failed to update the software in time. This negligence gave hackers access to UN Active Directory. Almost 4000 UN staff were affected as personal data was compromised.
Note: If United Nations’ IT had acted swiftly to patch the Microsoft SharePoint vulnerability, the attack would not have been possible in the first place.
How to Prevent Ransomware Attacks in Active Directory
Paying ransom is never the ideal situation as it further encourages the efforts of hackers. In companies, well-maintained cyber hygiene works best for preventing cyber-attacks. However, the evolving threats to organizations always require evolving proactive solutions. Here are some critical steps to ensure good cyber hygiene in your company.
Employ Upgraded Attack Detectors
Today ransomware relies on the attacker’s ability to identify valuable assets. As attackers move laterally throughout the network in search, defenders can benefit by detecting this movement. Misdirection technology solutions help derail attackers from the actual course in concealment. As threat actors remain unaware of detraction, their time and resources run out.
Limit and Reduce Privileged AD Accounts
Most Active Directory ransomware attacks occur when privileged accounts get compromised. It is essential to limit the memberships of all privileged groups in Active Directory, including Enterprise Admins, Domain Admins, and Schema Admins.
Although having fewer privileged groups is effective, reducing the extent of privilege for the Active Directory account further enhances security.
Update System Patches as Early as Possible
Software companies release patches and updated versions to their applications to improve security or any gaps that hackers can exploit. Hackers determinedly search for loopholes in systems that are running older versions of software. Ensure your operating system, Active Directory, and software are regularly updated. You can put them to auto-updates too.
Ensure Visibility into AD Accounts for Screening
When it comes to maintaining Active Directory health, it is critical to monitor all accounts’ activity, permissions, and privileges. Remove any credentials and delegated admin accounts that are no longer needed. All users should have only the necessary permissions to perform their job functions.
Create Ransomware Awareness in Team
One of the most effective proactive approaches to protecting Active Directory is creating awareness among your teammates. When malicious attackers seek entry points to systems, their common targets are the people who are unfamiliar with their tactics. For instance, they will send deceptive emails with suspicious links that unfamiliar employees might find benign.
Conduct frequent training sessions so that everyone can play a part in protecting the organization.
Implement a Zero Trust Policy
A zero-trust model means that a company should trust no one accessing the network until the identity is verified. MFA (Multi-Factor Authenticator) is used to validate the identity of an individual or a device before granting access. It also includes implementing Network Access Control (NAC) to ensure unauthorized users shall not enter the network.
Prepare for a Ransomware Event
Preparing a response strategy for troubled times can prove highly beneficial. For instance, access to the Active Directory administration account is often lost during ransomware events. You can establish an emergency Active Directory account that allows access to the system when breaches happen. Moreover, a well-developed incident response plan that explicitly defines roles and communications handles crises faster.
You should also back up all critical data off the network and test its recovery.
Securing Active Directory with GroupID
Although most organizations are familiar with essential security practices for Active Directory, effective compliance is still a challenge. Active Directory management can be time-consuming and can also involve multiple redundant tasks. GroupID is a comprehensive identity and access management solution that helps companies proactively secure Active Directory. Here are some essential features of GroupID:
- Automated Group Management
- Multiple Group Owners
- Self-Service Group and User Management
- Multifactor Authentication
- Password Management
- Reports on Directory Health
Jonathan BlackwellView Profile
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.