Active Directory attacks have been central to some recent high-profile extortion- and ransomware-based incidents. Attackers have leveraged the availability of Mimikatz and other open-source tools to move laterally and elevate privileges once they’ve established a presence on a network.
As they move between network services, attackers are exfiltrating data in some cases, and some are executing ransomware on systems. The hope is that if an affected business doesn’t pay the ransom, the threat actor can always hold the stolen data over its head, threaten to leak it publicly, and collect payoffs that way.
A couple of recent incidents, however, demonstrate that ransomware and extortion aren’t always the apparent end goal.
Two Incidents, One Common Denominator: Mimikatz
NTT, Japan’s fifth-largest company, disclosed recently that one of its subsidiaries, NTT Communications, had been breached. More than 600 companies had their data exposed in the attack, and according to a statement from NTT, the attackers had access to their Active Directory environment.
NTT Communications is Japan’s largest telecommunications provider and it serves customers in critical industries such as financial services, manufacturing, technology, and major airlines among many others. Its administrators detected “remote operation of the company’s Active Directory,” according to the company’s statement, on May 7 and concluded four days later that information belonging to 621 of its customers had been exposed in the breach.
While that isn’t an extensive amount of dwell time, the NTT breach matters because it demonstrates that even one of the world’s biggest companies—64th on the Fortune Global 500 list—can succumb to determined attackers, who in this case understood the value of extracting Active Directory credentials and what they can unlock on an enterprise network.
According to NTT, the attackers were able to infiltrate its network via an information management server hosted in Singapore and a separate cloud server before reaching the enterprise network and accessing Active Directory, enabling the “remote operation” of the AD server. All affected servers were taken offline upon discovery of the attack, NTT said, and it has notified the 600-plus customers of the intrusion and exposed information.
As we’ve seen in many other attacks, threat actors can use Mimikatz to siphon credentials from privileged accounts. Those credentials can be used to catastrophic ends, such as Golden Ticket and Silver Ticket attacks, which enable attackers to control domain services; other attacks such as Kerberoasting or Pass-the-Ticket attacks can be used as precursors to these attacks, or as a means of stealing Kerberos credentials for lateral movement.
For its part, NTT did not disclose whether there were extortion demands. The exposed information, if stolen, has tremendous value to competitors. Dozens of dark web marketplaces solicit and sell this type of information at great profit, and the loss of intellectual property can send businesses back to the drawing board.
Mimikatz and Active Directory attacks surfaced in another set of attacks targeting suppliers of industrial manufacturers in Europe and Asia. Russian security company Kaspersky Lab said the attackers used steganography to hide two PowerShell scripts, one of which unpacks a version of Mimikatz.
Steganography is a technique by which an executable or a message is hidden inside another file and must be decoded in order to execute or read it. In this case, the attackers used crafted phishing emails that included Office documents with embedded, malicious macros that reach out to URLs hosting an image file hiding the PowerShell scripts.
Supply chain attacks can be particularly devastating across a range of victims and industries, as demonstrated by the NotPetya attacks, in which the malware also carried a version of Mimikatz for lateral movement. As Kaspersky points out, these are likely targeted attacks, and attackers going to these lengths to mask their activities understand the value of privileged system and service credentials. Targeting a supplier also potentially expands the devastating scope of these attacks.
Defending Against Active Directory Attacks
Active Directory attacks are becoming mainstream within incidents, equally part and parcel of commodity and sophisticated attacks. It’s incumbent upon defenders to understand this is part of the landscape, and address it.
Mitigations must begin with basic security blocking-and-tackling: patching vulnerabilities, especially those under public attack, and ensuring that operating systems and critical applications are current.
Access controls should also operate under a “least-privilege” model, restricting domain administrator access and limiting the extension of administrative privileges to domain users wherever possible.
Organizations should also partner with a provider such as QOMPLX whose technology maintains a real-time stateful ledger of all appropriately issued and valid Kerberos tickets and observes Kerberos interactions across clients (principals), domain controllers (key distribution centers) and Kerberized services.
Finally, as Active Directory attacks expand in severity via Golden Ticket and Silver Ticket attacks, there must be external validation of the Kerberos protocol to assure that every ticket presented by a Kerberos service client was in fact issued by a legitimate key distribution center.
QOMPLX’s technology can verify, in near real-time, that a given Kerberos authentication event was correctly generated and that it is linked to legitimate user interactions and the issuing domain controller. This type of deterministic verification makes it difficult for attackers to abuse authentication protocols and processes.
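The following is an added example, not QOMPLX’s or NTT’s code, showing in miniature what a stateful ticket ledger of the kind described above can catch: it records every ticket a trusted KDC issues and flags any TGT the KDC honours, or any service ticket a host accepts, that was never issued or has expired. The event schema and sample stream are constructed; the mapping of those events to Windows security event IDs in the docstring is an assumption of this example.

```python
"""Toy stateful Kerberos ticket ledger (added example; not QOMPLX's or NTT's code).

Records every ticket a legitimate KDC issues, then checks that each ticket later
honoured exists in that ledger and has not expired. The event schema is constructed;
in practice TGT_ISSUED/TGS_ISSUED would be parsed from domain controller events
4768/4769 and TICKET_PRESENTED from service-host logons (4624, Kerberos package)
or a network tap. That mapping is an assumption, not something the article states.
"""


def audit(events):
    """Replay time-ordered events; return a list of (alert, principal, detail)."""
    tgts = {}   # (principal, tgt_id) -> expiry, for TGTs a trusted KDC issued
    tgs = {}    # (principal, service, tgs_id) -> expiry, for service tickets issued
    alerts = []
    for ev in events:
        kind, who, now = ev["type"], ev["principal"], ev["time"]
        if kind == "TGT_ISSUED":
            tgts[(who, ev["tgt_id"])] = ev["expires"]
        elif kind == "TGS_ISSUED":
            # KDC honoured a TGT. A forged TGT (Golden Ticket) is accepted because it
            # is encrypted with the krbtgt key, but it never appeared as TGT_ISSUED.
            exp = tgts.get((who, ev["tgt_id"]))
            if exp is None:
                alerts.append(("TGT_NOT_ISSUED_BY_KDC", who, ev["tgt_id"]))
            elif now > exp:
                alerts.append(("EXPIRED_TGT_ACCEPTED", who, ev["tgt_id"]))
            tgs[(who, ev["service"], ev["tgs_id"])] = ev["expires"]
        elif kind == "TICKET_PRESENTED":
            # Service accepted a ticket. A forged service ticket (Silver Ticket) is
            # built from the service account key and never touches the KDC at all.
            exp = tgs.get((who, ev["service"], ev["tgs_id"]))
            if exp is None:
                alerts.append(("SERVICE_TICKET_NOT_ISSUED_BY_KDC", who, ev["service"]))
            elif now > exp:
                alerts.append(("EXPIRED_SERVICE_TICKET_ACCEPTED", who, ev["service"]))
    return alerts


# Constructed sample stream: a legitimate chain, a forged TGT, a forged service
# ticket and a replayed expired ticket. Times are arbitrary integer seconds.
SAMPLE_EVENTS = [
    {"type": "TGT_ISSUED", "time": 100, "principal": "alice", "tgt_id": "T1", "expires": 700},
    {"type": "TGS_ISSUED", "time": 110, "principal": "alice", "tgt_id": "T1",
     "service": "cifs/fileserver", "tgs_id": "S1", "expires": 700},
    {"type": "TICKET_PRESENTED", "time": 115, "principal": "alice", "service": "cifs/fileserver", "tgs_id": "S1"},
    {"type": "TGS_ISSUED", "time": 200, "principal": "Administrator", "tgt_id": "T9",
     "service": "ldap/dc01", "tgs_id": "S2", "expires": 900},
    {"type": "TICKET_PRESENTED", "time": 300, "principal": "svc_backup", "service": "host/appserver", "tgs_id": "S7"},
    {"type": "TICKET_PRESENTED", "time": 800, "principal": "alice", "service": "cifs/fileserver", "tgs_id": "S1"},
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample stream, the ledger raises one alert for each of the three anomalous events and none for the legitimate chain; a production version would key the ledger on the actual ticket fields (principal, service name, start and end times) rather than on constructed IDs.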