A newly-discovered Active Directory flaw has the potential to compromise 95% of Fortune 1 000 companies, while remaining undetected.

Cyber-security firm Aorato has released a report called “Active Directory Vulnerability Disclosure: Weak encryption enables Attacker to change a victim’s password without being logged”. It identifies a new threatening flaw within Active Directory that enables attackers to change a victim’s password, despite current security and identity theft protection measures.
With 95% of Fortune 500 companies deploying Active Directory, the potential for this particular vulnerability to cause harm and theft is high.
Once the attacker leverages this Active Directory flaw, the attacker can use the new password to impersonate the victim and access enterprise services and content that require the explicit use of the victim’s credentials, such as Remote Desktop Protocol (RDP) logon and Outlook Web Access (OWA). Unfortunately, despite current security protocols, the logged events miss the vital indication of an identity theft attack.
The attacker can perform this activity without it appearing in the event logs, making log-based SIEMs and big data security analytics useless against these kinds of advanced attacks.
“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure. The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data,” says Tal Be’ery, vice-president: research at Aorato.
“Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected.”
With no inherent solution to mitigate this flaw, Aorato recommends enterprises: detect authentication protocol anomalies; identify the attack by correlating the abnormal use of encryption methods with the context in which the victim’s identity is used; and apply measures to reduce the attack surface. Note that these measures only reduce the attack surface and do not eliminate it altogether or solve the root cause.
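As an added illustration of the correlation Aorato recommends (this is example code, not Aorato’s detection logic, and the article itself does not state which encryption method the attack abuses), the script below baselines the Kerberos ticket encryption type each account normally obtains, flags a drop to a weak type, and checks whether the identity was then used from the client that made the weak request. The log lines are constructed; their shape is a simplified key=value rendering of Windows Security events 4768 (TGT requested) and 4624 (logon), and the encryption-type codes are Microsoft’s documented values.

```python
import re

# Constructed sample log lines (not from the article). Encryption-type codes:
# 0x12 = AES256-CTS-HMAC-SHA1-96 (strong), 0x17 = RC4-HMAC (weak).
SAMPLE_LOG = """\
2014-07-14T08:01:02Z EventID=4768 Account=alice Client=10.0.0.11 TicketEncryptionType=0x12
2014-07-14T08:03:15Z EventID=4768 Account=bob Client=10.0.0.12 TicketEncryptionType=0x12
2014-07-14T08:20:40Z EventID=4768 Account=alice Client=10.0.0.11 TicketEncryptionType=0x12
2014-07-14T09:12:07Z EventID=4768 Account=alice Client=10.0.0.99 TicketEncryptionType=0x17
2014-07-14T09:14:30Z EventID=4624 Account=alice Client=10.0.0.99
2014-07-14T09:20:00Z EventID=4768 Account=legacy-svc Client=10.0.0.50 TicketEncryptionType=0x17
"""

# Kerberos encryption types treated as weak: RC4-HMAC and the two DES types.
WEAK_ETYPES = {"0x17", "0x03", "0x01"}

def parse_line(line):
    """Split '<timestamp> key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

def detect_downgrades(log_text):
    """Flag accounts that normally obtain tickets with a strong encryption type
    and then obtain one with a weak type; report whether the identity was
    subsequently used (a logon) from the client that made the weak request."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    strong_clients = {}  # account -> set of clients seen with strong etypes
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != "4768":
            continue
        acct, client, etype = ev["Account"], ev["Client"], ev["TicketEncryptionType"]
        if etype not in WEAK_ETYPES:
            strong_clients.setdefault(acct, set()).add(client)
        elif acct in strong_clients:  # downgrade relative to the account's own baseline
            used_after = any(e["EventID"] == "4624" and e["Account"] == acct
                             and e["Client"] == client for e in events[i + 1:])
            alerts.append({"account": acct, "ts": ev["ts"], "client": client,
                           "etype": etype,
                           "new_client": client not in strong_clients[acct],
                           "identity_used_from_client": used_after})
    return alerts

if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_LOG):
        print(alert)
```

Only alice is flagged here: her ticket type drops from AES to RC4 from a client she has never used, followed by a logon from that client. An account that only ever uses weak encryption (legacy-svc) establishes no strong baseline and is not flagged by this rule, which is exactly the attack-surface reduction the article says such measures cannot complete on their own.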