Tuesday, April 5, 2022

At the HEART of LAPSUS$'s success - "Active Directory Privilege Escalation"


Last month, Microsoft Security shared details of the tactics, techniques and procedures (TTPs) employed by LAPSUS$ (DEV-0537) in its attempts to compromise organizations, including confirmed breaches at Okta, Microsoft and others.

If you read Microsoft's observations, you'll find that the defining (i.e. cardinal) step in their attack methodology, the one that ultimately enabled them to succeed in their objectives, was none other than "Active Directory Privilege Escalation."

Quoting Microsoft -

"The group compromised the servers running these applications to get the credentials of a privileged account or run in the context of the said account and dump credentials from there. The group used DCSync attacks and Mimikatz to perform privilege escalation routines. Once domain admin(istrator) access or its equivalent has been obtained, the group used the built-in ntdsutil utility to extract the AD database."

That right there is irrefutable evidence that LAPSUS$ indeed engaged in Active Directory Privilege Escalation, and, as I stated above, once Domain Admin or equivalent access had been gained, they used that "privileged access in AD" to execute DCSync and compromise everyone's credentials, at which point they could easily play proverbial God!

The World has had Sufficient Warning

I cannot begin to tell you how many times I have warned the world about just how dangerous, damaging and effective "Active Directory Privilege Escalation" is as an attack vector, but it seems to have fallen on deaf ears, so let me enumerate the times I have warned about this attack vector, and DCSync in particular -

2013 - The World's #1 Cyber Security Risk - Active Directory Privilege Escalation

2013 - A Real-World Example of Active Directory Privilege Escalation 

2014 - Exploiting Active Directory Privilege Escalation to compromise Active Directory 

2015 - Presentation on Active Directory Security at Black Hat 2015 missing #1 Attack Vector 

2015 - Active Directory Privilege Escalation likely at heart of the OPM Data Breach   

2016 - A Letter to Benjamin Delpy regarding Mimikatz and Active Directory Security 

2016 - The Paramount Brief - Active Directory Privilege Escalation poses a Serious Risk

2016 - How to Lockdown Active Directory to thwart use of Mimikatz DCSync

2016 - Active Directory Beyond the MCSE for the Black Hat Conference 2016

2016 - Attack Methods for Gaining Domain Admin Rights in Active Directory

2017 - An Example of How DCSync could result in a Colossal Cyber Security Breach

2018 - Mimikatz DCSync Mitigation and Can anyone help mitigate Mimikatz DCSync?

2019 - Active Directory Privilege Escalation - An Executive Summary

2020 - How to Easily Mitigate the Risk Posed by Mimikatz DCSync

2021 - What's Common between the SolarWinds Breach and Colonial Pipeline Hack?

2022 - How to Identify Who can Engage in Active Directory Privilege Escalation 


In addition, in December 2015, we had officially informed the executive leadership (i.e. the CEOs, CISOs and Chairmen) of the world's top 200 business organizations (including Samsung), as well as every agency in the United States Government about the dangers of "Active Directory Privilege Escalation."

In fact, as late as May of 2021, I had yet again pointed out that even in the SolarWinds Breach, the defining step that provided the perpetrators unrestricted access was in fact Active Directory Privilege Escalation and DCSync.

As such, all you have to do is read the one paragraph shared above from Microsoft's observations, and then see for yourself how many times the words Privilege Escalation, Mimikatz DCSync, AD (Active Directory) and Domain Admin have been mentioned in the links I have shared above, and you'll know who has been warning the world for years now.

Further quoting Microsoft -

"They (LAPSUS$) have been consistently observed to use AD Explorer, a publicly available tool, to enumerate all users and groups in the said network. This allows them to understand which accounts might have higher privileges."

There you have it again. It is abundantly clear from Microsoft's observations that once LAPSUS$ gains initial access at an organization, their next and immediate objective is to identify accounts that possess privileged access in Active Directory.

The reason is simple - the compromise of a single account that possesses privileged access in Active Directory is sufficient to instantly gain complete command and control over an organization's network because even one account that possesses privileged access in Active Directory possesses the "Keys to the Kingdom."


To the wise, a Hint is enough

Today, over twenty thousand organizations worldwide operate on Microsoft Active Directory, and organizations that have not yet been breached should strive to learn from the attack methodologies used in virtually every major recent breach.

Every major recent breach, including the SolarWinds Breach, the Colonial Pipeline Hack, the Okta breach and all breaches carried out by LAPSUS$ and others have ONE thing in common...

... in each of these breaches, the perpetrators targeted Active Directory, and specifically accounts that possess privileged access in Active Directory, and once those accounts were compromised, they used that privileged access to easily accomplish their objective.

This cannot be overstated - just ONE Active Directory Privileged User account. Not one hundred, not ten, but just ONE.

Consequently, if there is one lesson for all organizations from these high-profile breaches, it is that organizations must strive to accurately identify, minimize and sufficiently protect every single Active Directory privileged user account.

Saying NO more

Over the last ten years, we have said enough, and we have been SPOT-ON for a decade now, i.e. 100% of all major recent breaches have involved perpetrators compromising and then misusing a single Active Directory privileged user account, access to which was gained via Active Directory Privilege Escalation, and once such access had been obtained, the perpetrators were subsequently able to easily accomplish their objectives.

We have said enough and on this paramount subject, we have shared more technical information than any other entity in the world, via the resources pointed to above, as well as via valuable and actionable insights on our website.

Organizations that care about their cyber security must immediately consider enacting the #1, most important and effective risk mitigation measure they can today - accurately identify and minimize privileged access in Active Directory.

This is Paramount

It is imperative and paramount to understand that to be able to escalate privilege in Active Directory and/or to be able to successfully execute DCSync, perpetrators require ACCESS. After all, without sufficient effective access, perpetrators CANNOT escalate privilege, execute DCSync, and for that matter, they cannot enact any privileged action.

Consequently, if organizations are to win this battle, they need to DENY perpetrators the ACCESS required to escalate privilege and/or enact privileged operations, and to deny perpetrators that access, all that is required is to accurately identify and then lock down who currently possesses privileged access in Active Directory.

The #1 reason perpetrators are able to succeed is that they are able to find and compromise accounts that possess privileged access in Active Directory, many of which may be insufficiently protected because they are not on the organization's radar, i.e. the organization may not even realize that these accounts possess privileged access.

Thus, the accurate identification, subsequent reduction and adequate protection of all accounts that possess privileged access in Active Directory is the #1 measure that organizations can take to minimize the possibility of being colossally compromised by perpetrators seeking to exploit unidentified privileged access in Active Directory.
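As an added example that is not part of the original post, here is a PowerShell check (assuming the RSAT ActiveDirectory module is installed and the account running it can read the domain root's ACL) that lists every principal directly granted the replication extended rights that DCSync depends on, plus the rights on the domain root that would let a holder grant those rights to themselves:

```powershell
# Added example, not from the original post: audit who is directly granted the
# replication extended rights on the domain naming context. These are the rights
# DCSync needs, so every principal listed here is Domain Admin-equivalent and
# must be known, justified and protected.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Well-known extended-right GUIDs from the AD schema
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$allExtendedRights = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$domainDN"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $guid = $ace.ObjectType.ToString()
    $why  = $null
    if ($ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight)) {
        if ($replRights.ContainsKey($guid))     { $why = $replRights[$guid] }
        elseif ($guid -eq $allExtendedRights)   { $why = 'All extended rights (includes replication)' }
    }
    # Rights that let the holder grant themselves the above are just as dangerous
    if (-not $why) {
        foreach ($r in 'GenericAll', 'WriteDacl', 'WriteOwner') {
            if ($ace.ActiveDirectoryRights.HasFlag($adRights::$r)) { $why = "$r on domain root"; break }
        }
    }
    if ($why) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Grants    = $why
            Inherited = $ace.IsInherited
        }
    }
}

# Expected entries: Domain Controllers, Enterprise Domain Controllers, Administrators,
# Enterprise Admins, Domain Admins (and the directory-sync account in hybrid setups).
# Anything else needs a named owner and a justification, or removal.
$findings | Sort-Object Principal | Format-Table -AutoSize
```

This lists direct ACEs only; it does not expand nested group membership or compute effective access, so an account that reaches these rights through a chain of groups or through a delegated right elsewhere will not appear, which is exactly the gap the post is pointing at.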

Finally, the accurate identification of privileged access in Active Directory requires just ONE fundamental and essential cyber security capability - this, which is embodied in this and in this. Organizations that possess this ONE capability can easily, instantly and accurately identify and lock down privileged access in Active Directory. Organizations that do not possess this ONE capability will continue to be at substantial risk, and likely minutes away from being compromised.


I'll leave you with this thought - organizations that do not know exactly who has what privileged access in Active Directory remain at high risk of being substantially compromised and likely being the next organization to be massively breached. 

All you have to do is ask your CISO if your organization has answers to these paramount questions today.

Thank you very much. We wish all organizations well.



© 2006 - 2024 Paramount Defenses.
All Rights Reserved.
