Active Directory security (AD security) is vital for one simple reason: Active Directory itself is critical.
Active Directory provides the essential authentication and authorization services required for most of your business operations. Weaknesses in your AD security can enable a malicious actor to encrypt or exfiltrate your sensitive data, or even to wipe out your domain controllers (DCs) — bringing your business to a screeching halt.
AD security is a topic I have talked about quite a bit, but today I’m going to take a different approach and analyze some of the top Active Directory attacks from the last few months and offer my perspective on the key lessons that can be learned from them. My hope is this provides actionable steps you can take to fortify the security of your Active Directory environment. I’ll start with a few quick tips and move on to some more in-depth strategies.
Why AD security is more important than ever
Before we dive into the details, let’s zoom out to the big picture about why AD security matters more today than ever. By reviewing recent cyberattacks, I have been able to identify several key trends that are highly relevant to AD security.
Microsoft keeps investing in cloud security controls — so attackers continue to target on-premises environments.
Microsoft recognizes how important it is to get solid baseline security in Microsoft 365 and Azure AD (now Entra ID). They have been steadily rolling out technologies and policies to help organizations safeguard their cloud ecosystems. For example, Azure AD Multi-Factor Authentication (MFA) helps render stolen credentials useless by requiring a second authentication method, such as a phone call, text message, mobile app notification or OAuth token. And Azure role-based access control (RBAC) enables granular control over the level of access that users through the assignment of appropriate roles.
But adversaries who find the doors to the cloud environment bolted shut don’t simply give up. Rather, they look for another way to get inside the network. And that often means attacking the on-premises environment. Indeed, I had no trouble finding a wealth of on-prem Active Directory attacks to present in this post. That means AD security must remain a top focus for organizations.
We are seeing a globalization of the ransomware market.
Another important trend related to AD security is where attacks are coming from. People tend to think about commercial ransomware operators or ransomware as a service as being an Eastern European phenomenon. While it is always difficult to do reliable attribution, it’s clear that we’re starting to see more cyberattacks coming out of other regions, especially Central America, South America and the Middle East. This trend contributes to both the volume and the variety of cyberattacks we’re seeing.
Cybercrime, especially ransomware, is now a business.
Cybercriminals are now operating as multi-million-dollar syndicates. One incident that illustrates this trend is the ransomware attack against Royal Mail, the British postal and courier mail company, by LockBit, a cybercrime gang linked to Russia. The steep ransom demand of $80m (£67m) set off an extended conversation between the two parties — which was captured in chat transcripts that were published, apparently by LockBit. The LockBit representative repeatedly uses the term “negotiation” and says, “I want to make money just like you, you and I have the same motivation in the form of money, your task is to reduce the price as much as possible, my task is to get the maximum amount.” They even invite Royal Mail to “make a counter offer.”
The LockBit gang showed its business mindset in another incident as well. It launched a ransomware attack against the Hospital for Sick Children (SickKids), a teaching and research hospital in Toronto that focuses on providing healthcare to children. Soon after the attack hit the news, the gang took the unprecedented step of apologizing for the cyberattack and providing the hospital with a decryption key. The statement is chock full of business language: It refers to the “partner” who launched the attack, says they “violated our rules” and claim they are no longer “in our affiliate program.” One explanation for these actions is that the LockBit gang has a heart after all. But another is that they are making a strategic decision: Attacking healthcare organizations is bad for business because it tends to spur governments and other defenders to take action against the ransomware “industry.”
Cybercrime is increasingly a tool of statecraft.
For-profit cybercriminal syndicates are not the only threat that AD security teams need to worry about. While nation-states have been blamed for a wide range of cyberattacks over the years, including Stuxnet and NotPetya, attacks seem to be ramping up in frequency, intensity and sophistication.
Moreover, the number of actors involved is expanding. The US Cybersecurity and Infrastructure Security Agency (CISA) now maintains webpages with intelligence regarding state-sponsored cyber threats from China, Russia, North Korea and Iran. But there is evidence linking attacks to other countries as well, including India, Vietnam, Belarus, United Arab Emirates and Saudi Arabia.
Now, let’s see what AD security lessons we can learn from specific recent attacks on Active Directory.
Cyberattacks on LastPass
Password manager provider LastPass disclosed two breaches in which adversaries gained access to the product’s source code and other proprietary technical information, and then accessed some customer information in a third-party cloud storage service used by LastPass.
According to LastPass, the adversaries gained their initial foothold by targeting the home computer of one of its developers and exploiting vulnerable media software to perform remote code execution. By deploying keylogger malware, the threat actors were able to capture the employee’s master password as it was being entered — after the employee authenticated with MFA — and thereby gain access to the developer’s LastPass corporate vault.
Quick AD security tip: Use privileged access workstations (PAWs).
While requiring multifactor authentication for privileged access is an essential part of any AD security, it’s not sufficient. Adversaries target highly privileged accounts relentlessly because of the elevated access they provide. Therefore, another key best practices is to use privileged access workstations — hardened machines that are the only place where users can log on using privileged credentials. Since a PAW is not permitted to run vulnerable applications like home media software, adversaries have a much steeper climb to breach them.
Using PAWs also means disallowing the use of privileged credentials on other machines — admins must use their regular user account to check email or visit websites. This practice eliminates the risk of the password hashes for privileged accounts being stored in the memory of the Local Security Authority Subsystem (LSASS) process of a regular user’s machine for an adversary to harvest and abuse — a frequent tactic used to breach AD security.
Supply chain attacks
We’re also seeing a steady trend of attackers going after links in the supply chain that they can use to hop between organizations until they get to the victim (or victims!) that they want to exploit. Corporate supply chains are a top target. One of the most famous is the SolarWinds breach, in which suspected nation-state hackers deployed malicious code into the company’s IT monitoring and management software, enabling them to compromise the data, networks and systems of thousands of SolarWinds customers, and potentially their customers and partners as well. Another example is the exploitation of a vulnerability in Log4j, a library used by practically every organization that uses Java. And in one of the biggest hacks so far in 2023, threat actors exploited a zero-day vulnerability in MOVEit Transfer to steal data from more than 1,000 organizations using the file transfer service, impacting more than 60 million individuals affected.
But attacks have also affected personal supply chains, including food and energy. A ransomware attack on Dole Foods led to shortages of fresh produce on grocery store shelves, while a coordinated cyberattack on Brazilian meat supplier JBS disabled its beef and pork slaughterhouses, impacting facilities in the US, Canada and Australia. And a highly publicized attack on Colonial Pipeline led to fuel shortages at filling stations, sparking panic buying and steep price increases.
Quick AD security tip: Implement strong supply chain management.
As these breaches continue to make the headlines, your customers will increasingly be asking about your supply chain. They will want to know whether you are using the product or technology that was compromised. You need to be able to answer those questions. Moreover, you want to reduce the risk that your answer will be “Yes.”
That requires expanding your understanding of AD security to include your entire supply chain. It’s vital to inventory the third-party products and services you use. In addition, dig into the security practices of the entities in your supply chain and use that information to make informed decisions about which organizations you choose to do business with.
Barracuda
June 2023 saw the compromise of Barracuda Email Security Gateway (ESG) appliances, in which signing keys that could modify BIOS were affected. Barracuda said that it could not guarantee that it could make those machines clean and safe again, so the company recommends that impacted customers replace all compromised appliances; Barracuda is providing the new appliances at no cost.
Quick AD security tip: Ensure that you have flexible recovery options.
While this overhaul was surely inconvenient, it was at least fairly straightforward: It’s easy to tell exactly which boxes in your data center are Barracuda ESG appliances. But suppose an attacker was able to perform a similar attack on a particular brand of motherboards. Would you even be able to say exactly which of your machines have motherboards by particular vendor? Most of us don’t have that level of visibility.
To be prepared for such attacks, it’s vital that your AD security strategy includes a robust disaster recovery plan that provides you with flexible recovery options. In particular, if your physical infrastructure is compromised and you can’t trust your hardware, you need to be able to restore to the cloud.
SwiftSlicer
In January 2023, Ukraine’s national news agency was hit by SwiftSlicer, data wiper malware designed to destroy files and even bring down entire Windows domains. The attack was attributed to Sandworm, a Russia-backed group.
Quick AD security tip: Protect Group Policy.
SandWorm distributed the malware to computers on the network using by abusing Active Directory Group Policy. In earlier attacks, the group used the same strategy to plan other wiper malware, such as HermeticWiper and CaddyWiper.
An important way to enhance AD security is to protect Group Policy from improper changes. Some change management solutions enable you to proactively block changes to Group Policy objects (GPOs), as well as changes to other sensitive objects like highly privileged security groups.
Volt Typhoon
Now let’s dive into recent attacks and see what they mean for AD security. In May 2023, Microsoft highlighted malicious activity by Volt Typhoon, a state-sponsored actor based in China, noting that it was aimed developing “capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” The campaign affected organizations across a wide range of sectors, including communications, manufacturing, utility, transportation, construction, government, information technology and education.
Key takeaway: Adversaries try to avoid detection.
We tend to think of a cyberattack in terms of its final outcome, such as the ransom demand that appears on the screen or services failing. But the truth is, many cyberattacks unfold over the course of days, weeks or even months, as adversaries work to gain the access they need to accomplish their mission. During this time, they take pains to avoid triggering any alarms.
Volt Typhoon is a great example. According to Microsoft’s analysis, Volt Typhoon relied extensively on living-off-the-land (LOTL) techniques — that is, using tools already present in the environment rather than installing their own code or scripts. For instance, they abused the Local Security Authority Subsystem Service (LSASS) to dump credentials and used the command-line tool Ntdsutil.exe to create installation media from domain controllers (DCs).
AD security tip: Audit for suspicious activity.
Accordingly, a huge pillar of any AD security has to be effective Active Directory auditing to look for signs of attacks in progress and indicators of compromise (IOCs). For example, unusual domain replication activity can be a sign that someone is using DCSync or other techniques to steal password hashes, which can be a sign of an impending Golden Ticket attack.
One tactic used in the Volt Typhoon was extracting a copy of the Active Directory database (NTDS.dit). This file contains information about the AD domain and the objects in it — including the hashes of AD account passwords. An adversary who steals a copy of the dit file can extract the hashes and leisurely crack them offline to compromise the accounts. Or they can use the hashes as-is with techniques like Pass the Hash (PtH). By spotting suspicious activity like this in its early stages and responding promptly, you may be able to prevent an adversary from being able to complete their attack.
Storm-0558
In July 2023, Microsoft revealed that Chinese hacking group Storm-0558 had accessed the email systems of US government agencies. The attack may have compromised hundreds of thousands of messages — including the emails of the US ambassador to China, the assistant secretary of state for East Asia, the Commerce Department secretary and other senior officials. US officials have described the attack as espionage; indeed, the timing suggests the hackers were looking for information ahead of a planned trip by the US Secretary of State to Beijing.
The adversaries used a Microsoft signing key they had acquired to forge Azure AD access tokens for the accounts. The compromised key could potentially have also been used to create access tokens for other Microsoft services, including OneDrive, SharePoint, Teams and third-party apps created by customers.
Key takeaway: Microsoft will be releasing a lot more signals — which will make AD security auditing even harder.
CISA said it discovered the Storm-0558 campaign when a customer uncovered anomalous MailItemsAccessed events in its audit log — events that were available only to customers with Microsoft’s top-tier (and most expensive) licenses. Luckily, the organization had sprung for an E5 license.
Naturally, Microsoft took a great deal of heat from this news. The company has announced that it will be providing customers with access to wider cloud security logs at no additional cost.
AD security tip: Avoid alert fatigue by focusing your auditing on what matters.
AD security teams already have a lot of data to process to look for threats, and now there will be even more signals. To avoid being overwhelmed, it’s critical to know what to pay attention to.
The key is to understand that the goal of cyberattacks is to reach your critical systems and data, often by compromising the most powerful accounts in your environment. These are called your Tier 0 assets or control plane. They include your domain controllers (DCs) and other powerful servers, as well as all accounts that have direct or indirect administrative control over the forest, domains or DCs. The accounts that probably leap to mind are those belonging to your IT pros. But another common example is service accounts that are granted elevated rights.
In addition, notice that I said “direct or indirect control.” It’s vital to also uncover accounts that could gain elevated privileges, such as membership in Domain Admins. The chain of actions involved in this process is called an attack path, and often involves abusing things like concealed permissions, nested group membership and inherent security gaps in AD architecture. Organizations often have literally hundreds or even thousands of these attack paths, many of which may involve only a handful of steps. And adversaries can use an open-source tool called BloodHound to map them out in detail.
By getting an accurate picture of your Tier 0 assets, you can focus your auditing on what matters. Moreover, you can take steps to reduce the number of those assets you have. For example, with attack path management, you can thwart attackers intent on gaining elevated privileges. Also consider pushing back on vendors who claim that the service accounts for their applications need membership in powerful security groups like Domain Admins. Remember, the fewer Tier 0 assets you have to monitor, the easier it is to keep a close eye on them and spot true threats.
nOAuth
In April 2023, Microsoft was notified about nOAuth, an issue with the Open Authorization (OAuth) process that exposed customers to risk of account takeover and data loss. To exploit the flaw, an adversary creates an Azure AD admin account and modifies its email address to that of a target. Then they can take advantage of single sign-on (SSO) on a vulnerable app or website — if the app merges user accounts without validation, the adversary now has full control over the victim’s account.
Key takeaway: Attackers are going to get in your network. In fact, they’re already inside.
AD security experts recommend taking an assume-breach mindset. In order for the nOAuth attack to work, the organization must have used the email claim as a unique identifier in the access token. Although this configuration violates best practices and Microsoft documentation, researchers were able to quickly identify multiple organizations vulnerable to the attack.
If your organization didn’t make this configuration mistake, don’t be too quick to you pat yourself on the back. What other best practices are you violating? What vulnerabilities have you failed to identify and mitigate? At the very least, vendors you use will be exploited by zero-day vulnerabilities, which by definition are previously undiscovered.
The fact is, no organization can guarantee that no external attackers will ever gain a foothold in their network. Moreover, there is always the risk of insider threats, which can arise from malicious intent or from negligence or lack of training. For instance, in June 2023, an Air National guardsman was indicted for publishing classified national defense information on social media. He had been vetted and granted a top secret clearance, but that trust turned out to be misplaced. Whether his motivations were malicious or not, the documents were leaked.
AD security tip: Enforce least privilege.
The principle of least privilege is a core AD security best practice for good reason. By granting each account only the access it requires for the tasks it needs to perform, you minimize the damage that anyone wielding that account can do, whether it’s the legitimate account owner or an adversary who has taken control of the account.
Note that least privilege is not limited to what data an account can access. It’s about all the things that an account can do. For example, you need to strictly limit the ability to run PowerShell to the (few!) individuals who need it to do their job. It’s also essential to restrict the ability of ordinary users to consent to Azure AD apps; you can do that easily using the automated admin approval workflow that Microsoft provides.
Mango Sandstorm (aka Mercury or Muddywater)
In April 2023, Microsoft Threat Intelligence detected a series of destructive attacks performed by Mango Sandstorm, a threat actor linked to Iran’s Ministry of Intelligence and Security. The attack was likely performed in partnership with another group, DEV-1084 (now known as Storm-1084). While the threat actors attempted to disguise their activity as a standard ransomware campaign, their ultimate goals were actually destruction and disruption: They destroyed server farms, storage accounts, virtual machines and virtual networks. And while previous Mango Sandstorm attacks targeted on-premises environments, this one included the destruction of cloud resources.
Key takeaway: Ransomware holds the headlines, but destructive attacks remain a clear and present danger.
Total ransomware payments so far in 2023 appear to be running below what they’ve been for the last couple of years. That might seem like good news — but a deeper analysis reveals that it actually isn’t. Ransom payments are down not because cybercriminals are easing up on their extortion demands but because they’re shifting their focus: They’re launching more attacks bent on either stealing data or destroying data rather than holding it for ransom.
Key AD security strategy: Focus on cyber resilience.
This is the most important AD security lesson of all: Focus on cyber resilience. The goal of cyber resilience is twofold: Keep the IT environment up and running as much as possible — and get it back up and running quickly when a disruption does occur.
Reduce your AD attack surface.
This requires a defense-in-depth approach that includes multiple components, many of which I’ve talked about above. They include:
- Cybersecurity risk management to reduce your attack surface
- Identity governance and administration to enforce least privilege, including robust privileged access management
- Hybrid AD security and management that includes effective Active Directory auditing, change management and attack path management
- A comprehensive backup and disaster recovery strategy that includes preparing for destructive attacks
Conclusion
Just 15 years ago, the number of entities that could mount highly sophisticated attacks could probably be counted on one hand — the national security agencies of powerful nations like the US, Russia, Israel and China. Now these attacks are being launched not just by nation-states, but by sophisticated ransomware syndicates and other “businesses.”
Moreover, options like ransomware as a service and advances in technology like artificial intelligence (AI) are enabling nearly anyone to join the ranks of cybercrime. Indeed, every time you hear Microsoft talk about “citizen developers,” I want you to mentally substitute the phrase “citizen hackers.”
These trends make AD security more important than ever. By analyzing the cyberattacks that are impacting organizations today, we can discover the most important strategies for building a truly effective AD security strategy.
