Showing posts with label GPOs. Show all posts

Wednesday, July 21, 2021

At the HEART of the Colonial Pipeline Hack - Admin Access in Active Directory


Folks,

The Colonial Pipeline Hack may be one of the most visible and highest-impact breaches the world has witnessed yet, because it resulted in the shutdown of one of America's largest gasoline pipelines for almost a week due to ransomware.

The Colonial Pipeline attack has been extensively covered by the media (e.g. CNN) and has already been the subject of a substantial amount of discussion, including Congressional hearings, so I am not going to cover the same high-level details here.

Instead, I am going to shed light on the most important, enabling step in the entire Colonial Pipeline Hack: the one that allowed its perpetrators to easily and automatically unleash ransomware enterprise-wide on all of its systems.

 



Objective

The Colonial Pipeline Hack occurred between May 6 and May 12, 2021. Since then, several blog posts have been written on it, notably those by FireEye and Arete, and they describe various aspects of the breach in great detail.

The objective of this post is to pinpoint the most salient (cardinal) part of the Colonial Pipeline Hack, i.e. the technical step that actually enabled its purported perpetrators to easily deploy ransomware company-wide.




Introduction

Today, from the U.S. Government to the Fortune 1000, including almost all cyber security and cloud computing companies, Active Directory lies at the very foundation of IT, cyber security and privileged access at 85% of organizations worldwide.

I'm Sanjay Tandon, formerly Program Manager for Active Directory Security on Microsoft Corporation's Windows Server Development Team, and today, CEO of Paramount Defenses. These are my observations on the Colonial Pipeline Hack -



Overview

The Colonial Pipeline Hack is the largest cyberattack yet on an oil infrastructure target in the history of the United States. 

In short, the perpetrators gained entry to Colonial Pipeline's network through a virtual private network account (which allowed employees to remotely access the company's computer network), and they subsequently deployed ransomware across the company's entire computer network, resulting in Colonial Pipeline having to shut down its pipeline for almost a week (causing gas shortages along much of the East Coast) and paying millions of dollars in ransom (in Bitcoin).



The Salient Step

The most important, enabling and salient (cardinal) step in the entire Colonial Pipeline hack was the following one -

The perpetrators first gained privileged access in Active Directory and then leveraged the ability to deploy group policies to domain-joined computers via Active Directory to automatically deploy their ransomware across Colonial Pipeline's network!

In fact, they seem to have used the exact technique I had warned about and described in sufficient technical detail last year  - How Attackers Could Unleash Ransomware on Thousands of Computers in an Organization using Active Directory

   


Evidence

Both FireEye and Arete seem to have researched the Colonial Pipeline Hack and published detailed blog posts.

The evidence lies in this snippet from Arete's post Darkside Ransomware: Caviar Taste on your Big-Game Budget  -  


"We observed Darkside payload (e.g. azure_agent.exe.exe) staged on the domain controller in a network shareable folder (e.g. C:\Windows\IME\azure), followed by the establishment of a scheduled task (e.g. \Windows\SYSVOL\domain\Policies\{L0NGMGU1D}\User\Preferences\ScheduledTasks) set with Group Policy and instructing hosts to obtain and execute the payload. This resulted in a fully automated enterprise-wide deployment in less than 24 hours after data was exfiltrated."


There you have it! It's clear that the perpetrators first* gained privileged access in Colonial Pipeline's Active Directory, and once they had done so, they used that privileged access to leverage Active Directory integrated Group Policy to automate the effortless deployment of ransomware domain-wide (eerily similar to what was described here over a year ago).

*It should be clear to most that in order to perform the above, one requires privileged access in Active Directory.
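The snippet above describes a Group Policy Preferences (GPP) scheduled task staged in SYSVOL. The check a responder would run on reading it is a sweep of every GPO's Preferences folder for scheduled tasks, listing what each one would execute, under which account, and when it was last changed. The script below is an added example written for this page (it is not code from the original post, nor from Arete's or FireEye's write-ups). It assumes the RSAT ActiveDirectory and GroupPolicy modules, read access to SYSVOL, and that "recent" means the last seven days, which is an assumption to adjust to the incident window. It reads only; nothing is modified.

```powershell
# Added example: sweep SYSVOL for Group Policy Preferences scheduled tasks.
# Not from the original post; assumes RSAT (ActiveDirectory, GroupPolicy) and read access to SYSVOL.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GppScheduledTask {
    param(
        # Assumption: anything changed inside this window is flagged as Recent
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $domain   = Get-ADDomain
    $policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"

    # GUID -> display name, so a finding reads "Default Domain Policy" rather than "{31B2F340-...}"
    $gpoNames = @{}
    foreach ($g in Get-GPO -All) { $gpoNames["{$($g.Id.ToString().ToUpper())}"] = $g.DisplayName }

    foreach ($gpoDir in Get-ChildItem -Path $policies -Directory) {
        # The Arete snippet cites a User-scope path; Machine-scope tasks run as SYSTEM, so check both
        foreach ($scope in 'Machine', 'User') {
            $xmlPath = Join-Path $gpoDir.FullName "$scope\Preferences\ScheduledTasks\ScheduledTasks.xml"
            if (-not (Test-Path -LiteralPath $xmlPath)) { continue }
            [xml]$doc = Get-Content -LiteralPath $xmlPath -Raw

            # GPP writes four element types. Task/ImmediateTask keep the command in the
            # Properties appName/args attributes; TaskV2/ImmediateTaskV2 keep it under
            # Properties/Task/Actions/Exec (Command and Arguments elements).
            foreach ($task in $doc.ScheduledTasks.ChildNodes) {
                if ($task.NodeType -ne 'Element') { continue }
                $props = $task.Properties
                if (-not $props) { continue }
                $command = $props.GetAttribute('appName')
                $argv    = $props.GetAttribute('args')
                if ($task.LocalName -like '*V2' -and $props.Task) {
                    $exec    = @($props.Task.Actions.Exec)                     # may hold several actions
                    $command = ($exec | ForEach-Object { $_.Command })   -join ' ; '
                    $argv    = ($exec | ForEach-Object { $_.Arguments }) -join ' ; '
                }
                $changed = $null
                $changedText = $task.GetAttribute('changed')                  # e.g. 2021-05-07 03:12:45
                if ($changedText) { $changed = [datetime]$changedText }

                [pscustomobject]@{
                    GPO       = $gpoNames[$gpoDir.Name]
                    GpoGuid   = $gpoDir.Name
                    Scope     = $scope                        # Machine = runs in computer context; User = per user
                    TaskType  = $task.LocalName               # ImmediateTask* fires at the next policy refresh
                    TaskName  = $task.GetAttribute('name')
                    RunAs     = $props.GetAttribute('runAs')
                    LogonType = $props.GetAttribute('logonType')
                    Command   = $command
                    Arguments = $argv
                    Changed   = $changed
                    Recent    = ($null -ne $changed -and $changed -ge $Since)
                }
            }
        }
    }
}

# Usage: newest first. Anything Recent, any ImmediateTask*, and any Command pointing at a UNC path
# or an unusual directory (the snippet above cites C:\Windows\IME\azure) deserves a close look.
Get-GppScheduledTask |
    Sort-Object Changed -Descending |
    Format-Table GPO, Scope, TaskType, TaskName, RunAs, Command, Arguments, Changed, Recent -AutoSize
```

Because SYSVOL replicates to every domain controller, run this once from any DC or domain-joined host; the `changed` attribute is written by the GPP editor, so also compare it against each GPO's `ModificationTime` from `Get-GPO`, since a task injected by editing the XML directly would not update the attribute.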




Active Directory - The Heart of Privileged Access Worldwide

Today, from the entire United States Government to the global Fortune 1000, Active Directory is the very foundation of IT, the bedrock of cyber security and the heart of privileged access at 85% of all government and business organizations worldwide.

Here's why -

  1. The entirety of an organization's user accounts and their credentials reside in Active Directory

  2. The entirety of an organization's computers are joined to and have a secure channel with Active Directory

  3. The entirety of an organization's IT assets (files, folders etc.) are protected by Active Directory security groups

  4. The entirety of an organization's end-point management and security policies are deployed from Active Directory

  5. In hybrid deployments, the entirety of an organization's Active Directory accounts (and, where password hash synchronization is enabled, their password hashes) are synced to Azure AD in the Cloud


Further, to facilitate the management and protection of these organizational user and computer accounts, security groups and policies, OUs and containers, an ocean of privileged access is delegated and provisioned inside Active Directory.

Finally, the most powerful administrative (privileged) accounts and groups, i.e. all Domain Admin equivalent accounts and groups, that possess unrestricted organization-wide access, are all stored, managed and protected in Active Directory.


In other words, worldwide, not just the Keys to the Kingdom, the keys to every door in the kingdom lie in Active Directory.


(In Windows-based networks, Active Directory is the account/credential database used by Kerberos, the native authentication protocol in Windows, and every domain controller is a Kerberos Key Distribution Center (KDC). Based on this fact alone, Active Directory is the foundation of cyber security in a Windows Server based IT infrastructure.)

Thus, factually speaking, an organization's Active Directory is the single most valuable IT and corporate asset, worthy of the highest protection, because it is the heart of privileged access and the foundation of an organization's cyber security.





No Mention of Active Directory in the Mainstream Media

To date, most major cyber security breaches of the last decade, including the Sony Hack, Target Breach, JP Morgan, Snowden, OPM Breach, UN Breach, SolarWinds Breach, and now the Colonial Pipeline Hack, among others, all involved Active Directory and specifically the compromise and misuse of an Active Directory privileged user account.

In fact, as I also stated in my blog post on the SolarWinds Breach, the perpetrators of the SolarWinds hack only targeted Active Directory environments, and here is proof, based on additional research published by FireEye -

"The backdoor also determines if the system is joined to an Active Directory (AD) domain, and if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain."


This is how important, pervasive and mission-critical Active Directory is today at thousands of organizations worldwide.

Yet, there is virtually no mention of Active Directory in any coverage of cyber security breaches in the mainstream media!


Here are 10 prominent news items on the Colonial Pipeline Hack and even if you were to read each and every single one of them in their entirety, you won't find a single mention of the word Active Directory in them -

 
Clearly, there is more that the world needs to know than they are currently being told by the media and others out there.



The reason this is SO very important is that unless organizations worldwide realize that it is their foundational Active Directory deployments, and specifically privileged access in Active Directory that is at the heart of virtually all breaches, the situation is NOT going to improve, because the ultimate enabler of all breaches will still be left inadequately protected.





Privileged Access in Active Directory

Speaking of privileged access in Active Directory, there exists an ocean of privileged access in every Active Directory.


Specifically, from the CEO's domain user account to the all-powerful Domain Admins security group, and from the domain computer account of every domain-joined computer to every domain security group used to protect millions of IT resources company-wide, literally everything in Active Directory is an object, and every object is protected by an ACL (access control list). Within each ACL reside hundreds of Active Directory security permissions, each of which allows or denies one of over eighty different kinds of permissions to some user, service account, group, nested group, well-known security principal, etc. It is collectively that the millions of Active Directory security permissions in the ACLs of thousands of Active Directory objects ultimately determine exactly who has what privileged access, where and how, in Active Directory.




Avenues to Gaining Privileged Access in Active Directory

Obtaining privileged access in Active Directory is the new holy grail for perpetrators, and the #1 target today, because once such access is obtained, the perpetrator can obtain access to just about everything, on-premises, and in the Cloud.


It remains a lesser-known fact that virtually all major cyber security breaches of the last decade, including JP Morgan, the Sony Hack, the Anthem Breach, the OPM Breach, Snowden, the United Nations Breach and now the SolarWinds Breach, involved the compromise and misuse of a single Active Directory privileged user account.


Traditional Techniques

Novice and intermediate perpetrators generally employ traditional techniques such as password guessing/brute-forcing, Kerberoasting and Pass-the-Hash (PtH) in their attempts to compromise Active Directory privileged user accounts.

Fortunately for defenders, advances in protection measures have reduced the likelihood of success with such techniques.


Advanced Techniques

Professional perpetrators seem to prefer employing advanced techniques that involve escalation of privilege based on the identification and exploitation of excessive access on privileged accounts, groups, and certain objects in Active Directory. 

Here are the Top-5 advanced techniques to gain privileged access in Active Directory -

  1. Use Mimikatz DCSync to replicate secrets (i.e. password hashes) from an Active Directory domain 

  2. Reset the password of any existing Active Directory Privileged User account e.g. the Administrator account

  3. Change the membership of any existing Active Directory Privileged Group e.g. the Domain Admins group

  4. Modify the ACL (access control list) protecting the special AdminSDHolder object in Active Directory

  5. If Smartcards are in use, disable use of Smartcards on an AD Privileged User's account, then reset its password

What sets these five advanced privilege escalation techniques apart is that their use only requires the perpetrator to have sufficient Active Directory effective permissions to enact the corresponding administrative task in the target Active Directory.


Specifically, the use of these advanced techniques does not require perpetrators to attempt a single move that could raise suspicion or be easily detected, such as moving laterally, compromising DCs, Kerberoasting, PtH, etc. All a perpetrator needs to do is use already-gained Authenticated User level access to correctly analyze the ocean of security permissions that exists in Active Directory and identify privilege escalation paths leading to Domain Admin accounts. (The reconnaissance is plain LDAP reads that any domain user can perform. The final step is still observable when auditing is enabled, since a DCSync, a password reset or a group membership change each leaves a security event on a domain controller, which is exactly why the permissions that allow that step should be found and removed before it is taken.)
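The permissions behind techniques 1 and 4 above can be listed directly from the ACLs. The script below is an added example written for this page (it is not code from the original post and is not Gold Finger): it reports every allow ACE on the domain naming context that grants a replication extended right (what DCSync asks for) or that grants WriteDacl/WriteOwner (which lets the holder grant themselves those rights), and every allow ACE on AdminSDHolder that grants a write-class right or the reset-password right. It assumes the RSAT ActiveDirectory module, which also provides the AD: drive that Get-Acl reads. Caveat: this is an ACE listing, not the effective-permissions calculation the post is about; group trustees still need expanding, and deny ACEs are not resolved.

```powershell
# Added example: who holds DCSync-capable rights on the domain head, and who can write to AdminSDHolder.
# Not from the original post; assumes the RSAT ActiveDirectory module. Read-only.
Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]

# Extended-right GUIDs from the AD schema (documented by Microsoft). DCSync needs Get-Changes plus
# Get-Changes-All; the latter is the one that returns password hashes.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$ForceChangePassword = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password (reset without old password)
$AllObjects          = '00000000-0000-0000-0000-000000000000'   # ObjectType of an ACE not scoped to one right/property

function Get-DcSyncRightHolder {
    param([string]$DistinguishedName = (Get-ADDomain).DistinguishedName)
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString().ToLower()
        $rights = $ace.ActiveDirectoryRights
        $hit    = $null
        if ($rights.HasFlag($R::ExtendedRight)) {
            if ($ReplicationRights.ContainsKey($guid)) { $hit = $ReplicationRights[$guid] }
            elseif ($guid -eq $AllObjects)              { $hit = 'All extended rights (includes replication)' }
        }
        if (-not $hit -and $guid -eq $AllObjects -and
            ($rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner))) {
            $hit = 'WriteDacl/WriteOwner on domain head (can self-grant replication rights)'
        }
        if ($hit) {
            [pscustomobject]@{ Object = $DistinguishedName; Trustee = $ace.IdentityReference.Value
                               Finding = $hit; Inherited = $ace.IsInherited }
        }
    }
}

function Get-AdminSdHolderWriter {
    # AdminSDHolder's ACL is copied onto every protected account and group (Domain Admins etc.) by SDProp,
    # so a write right here is a write right on all of them.
    $dn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid    = $ace.ObjectType.ToString().ToLower()
        $rights  = $ace.ActiveDirectoryRights
        $granted = @()
        foreach ($flag in @($R::GenericAll, $R::GenericWrite, $R::WriteDacl, $R::WriteOwner, $R::WriteProperty)) {
            if ($rights.HasFlag($flag)) { $granted += $flag.ToString() }
        }
        if ($rights.HasFlag($R::ExtendedRight) -and $guid -in @($AllObjects, $ForceChangePassword)) {
            $granted += 'ExtendedRight(ResetPassword or All)'
        }
        if (-not $granted) { continue }
        [pscustomobject]@{ Object = 'AdminSDHolder'; Trustee = $ace.IdentityReference.Value
                           Finding = ($granted -join ','); ObjectType = $guid; Inherited = $ace.IsInherited }
    }
}

# Usage. On a default domain the replication rights belong to Administrators, Enterprise Domain Controllers,
# Domain Controllers, Enterprise Admins and (if deployed) the Azure AD Connect sync account; write rights on
# AdminSDHolder belong to Domain Admins, Enterprise Admins, Administrators and SYSTEM, with a few built-in
# groups holding single-attribute writes (e.g. Cert Publishers on userCertificate). Anything else needs a reason.
Get-DcSyncRightHolder   | Format-Table -AutoSize
Get-AdminSdHolderWriter | Format-Table -AutoSize
```

Each trustee that is a group should be expanded recursively (Get-ADGroupMember -Recursive) before concluding how many people the finding represents; that expansion, plus deny ACEs and per-attribute inheritance, is the gap between an ACE listing like this and the effective-permissions view the post argues for.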

Note: The risk posed by the use of these advanced techniques is adequately described in The Paramount Brief.  

These advanced techniques are already in use today, and often rely on the use of an inaccurate but freely available tool called BloodHound. The only tools that can make such determinations accurately are Gold Finger and Gold Finger Mini.

I cannot emphasize this enough - "The compromise of a single Domain Controller or that of a single Active Directory Privileged User Account is tantamount to a complete Active Directory Forest-wide compromise."
 



Concluding Thoughts

The sole purpose of penning this blog post was to help organizations worldwide understand that in fact what enabled the perpetrators of the Colonial Pipeline Hack to be able to easily deploy ransomware system-wide (aka domain-wide) was their ability to compromise and then misuse a single Active Directory Privileged User account.

In the case of the Colonial Pipeline Hack, its perpetrator's intentions were to unleash ransomware for monetary gain. 

Likewise, a perpetrator could easily accomplish virtually any objective of choice, whether data exfiltration, automated asset destruction, tampering with a highly sensitive asset (e.g. software source code or the blueprints of a highly sensitive project such as a nuclear reactor), taking over the energy grid of a city or state, compromising a government agency (e.g. an embassy or a military deployment), or stealing data (e.g. financial details, customer PII, etc.) from a Fortune 100 company, if he/she could simply compromise ONE Active Directory privileged user account.


I cannot emphasize this enough, so I will say it once more, for the umpteenth time - the compromise of a single DC or a single Active Directory Privileged User account is tantamount to a complete, colossal, organization-wide breach, that can not only result in substantial damage, it can cost millions of dollars and weeks to recover from.

Securing DCs is easy, because we know exactly how many we have; unfortunately, the same isn't true of privileged users in AD.


In that regard, it is my professional opinion as former Microsoft Program Manager for Active Directory Security that the accurate identification and subsequent reduction in the number of individuals that possess privileged access in Active Directory is the single most important step organizations can take to protect themselves from such colossal breaches.



I will also tell you that while there exist over a thousand cyber security companies in the world today, including numerous prominent ones such as Palo Alto Networks (PANW), Palantir Technologies (PLTR), CyberArk (CYBR), FireEye (FEYE), CrowdStrike (CRWD), Check Point Software (CHKP), Zscaler (ZS), Splunk (SPLK), Cloudflare (NET), NortonLifeLock (NLOK), Sophos Group (SOPH), SolarWinds (SWI), Tenable (TENB), Varonis (VRNS), VMware (VMW), Cisco (CSCO), IBM, Intel (INTC), Microsoft (MSFT) etc., not one cyber security company in the world possesses the capability to help organizations accurately* identify and lock down privileged access in their foundational Active Directory deployments.

Well, I shouldn't say not one, because there is one. The only company in the world that can do so is Paramount Defenses; it can empower organizations to instantly and accurately identify privileged users/access, domain-wide, at the touch of a button.


Note: This is not about pride or competition. We do not do what the other thousand cyber security companies do, and they do not and cannot do what we do. This is about collaboration and helping make the world a safer place. 


In summary, today's post was about helping the world understand that if you take a close (detailed) look at what happened in the Colonial Pipeline Hack, you'll find that the defining step that actually enabled the perpetrators to inflict substantial damage was their ability to compromise and misuse a single, i.e. just one, Active Directory privileged user account; without it, they could not have unleashed ransomware system-wide (i.e. domain-wide).


By the way, if you liked this post, you may very likely also like my substantially detailed post on the SolarWinds Breach

Lastly, as I have adequately described by now, at the heart of both these breaches lay Active Directory.


Best wishes,

Monday, June 15, 2020

How Attackers Could Unleash Ransomware on Thousands of Computers in an Organization using Active Directory


Folks,

Hello. Today's post is on ransomware - specifically, how a perpetrator could unleash ransomware on thousands of organizational computers in minutes using Active Directory, encrypting vast amounts of an organization's data.



Ransomware (; needs no introduction.)

Today ransomware undoubtedly poses a clear and present cyber security danger to thousands of organizations worldwide.


Examples of ransomware include CryptoLocker, CryptoWall, WannaCry, Petya, NotPetya, Bad Rabbit, Sodinokibi etc. etc.

According to the New York Times, in 2019 alone, over 200,000 organizations had submitted files that had been hacked in a ransomware attack, and the average payment to release files was over $80,000. This amount doubled in December of 2019, and several organizations have faced ransom demands in the millions of dollars.

Of course, one of the most famous and high-profile cases of ransomware involves the multi-billion dollar Danish shipping giant Maersk, which fell victim to the NotPetya malware in June 2017 and ended up incurring a staggering loss of roughly US $250 to 300 million.

Since then so many critical organizations including hospitals, police departments, city governments, law firms, automotive companies etc. etc. have been falling victim to ransomware and so many more are struggling to protect themselves.

For instance, just yesterday, the city of Knoxville became the latest American city to suffer a ransomware attack. Days ago, Honda announced that it had to halt operations due to a ransomware attack. Earlier this year, amongst numerous others, the Miami Beach Police Department suffered a ransomware attack, as did Parkview Medical Center in Colorado. Recently an FBI official said that "We certainly view it as one of the most serious cybercriminal problems we face right now."

In essence, today most organizations do understand the risk posed by ransomware and the need to protect themselves. However, what they may not know is that someone could unleash ransomware on thousands of computers in minutes.




How Much Damage Could Be Inflicted?

In a cyber attack involving an organization becoming a victim of ransomware, generally the extent of damage inflicted is a function of the amount of data that was encrypted (and possibly exfiltrated) and the value of that data to the organization.


That said, the extent of damage inflicted in a situation wherein ransomware is able to encrypt (or exfiltrate) data on (or from) thousands of computers would almost always be vastly greater than in a situation involving a few computers.

This raises a question - how easy is it for someone to unleash ransomware on thousands of organizational computers?



Well, let's take a look, shall we? The answer lies in what follows...



How Ransomware is Usually Unleashed

In most cases, the avenue for unleashing ransomware in an organization involves simple attack vectors such as phishing an employee, compromising an unpatched machine etc. and it usually begins with a SINGLE machine being victimized.


Subsequently, the malicious payload attempts to compromise additional machines on the network, and the degree to which it succeeds in spreading within an organization is usually a function of the number of vulnerable machines it can find and infect.

In short, barring the case wherein an Active Directory privileged user's account is compromised, traditional avenues used to unleash malware in an organization cannot usually easily infect THOUSANDS of an organization's computers.



Now, Consider THIS

Consider that an organization is situated in a single centrally air-conditioned building, and that the building's central air-conditioning unit is in a room at the top of the building. In such a scenario, air from the building's central air-conditioning unit has a clear, direct and uninterrupted channel into every room in the building.


Now, consider a situation wherein there is a dangerous virus that threatens humans and that can be spread if airborne.

In such a situation, if someone, such as a perpetrator, could get into the room that houses the central air-conditioning unit, he/she could easily unleash/spray the virus into the central air-conditioning unit, and within minutes of doing so, the virus would effortlessly have found its way into every room in the building, and instantly threaten every person in every room.



Instantly Unleashing Ransomware Using Active Directory

From the United States Government to the Fortune 100, at 85% of all business and government organizations worldwide, at the very foundation of these organizations' cyber security and IT lie their foundational Active Directory deployments.


There exists a direct secure channel between Active Directory and every computer in an organization that is joined to its Active Directory, and via a management feature called Group Policy, organizational IT personnel can centrally control the configuration and security of every domain-joined machine; that includes pushing out startup and logon scripts (and, via Group Policy Preferences, scheduled tasks) onto these machines.


If someone, such as a perpetrator, could link a single malicious GPO (Group Policy Object) to an organizational unit (OU) or the domain root in an organization's foundational Active Directory, he/she could almost instantly and effortlessly deploy ransomware to thousands of organizational machines, thereby inflicting colossal damage in a matter of minutes.


In short, in the simple air-conditioned building scenario shared above, a room in the building represents a computer in the organization, and the central air-conditioning unit in the building represents the organization's foundational Active Directory.

All that someone needs to do is attach the ransomware to a new or existing Group Policy Object and link that GPO to an OU or the domain. Every computer in scope picks it up at its next policy refresh (at startup/logon and, in the background, every 90 minutes by default with a random offset of up to 30 minutes), so within a couple of hours he/she would effortlessly have unleashed ransomware onto thousands of organizational computers, because AD has a clear, direct and uninterrupted channel to every domain-joined computer.

In short, in just a few mouse clicks, anyone who has sufficient access in Active Directory to link a GPO to an OU or the domain (or simply to edit a GPO that is already linked, which requires no link permission at all) could effortlessly unleash ransomware across the entire organization by (mis-)using Active Directory.

(This incidentally begs the question - "Do we know exactly who can link GPOs to OUs in our Active Directory today, and who can edit the GPOs already linked?!")
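That question can be answered from the ACLs. Linking a GPO is a write to the gPLink attribute (gPOptions controls enforcement and inheritance blocking) of the domain head or OU, and editing a linked GPO is governed by the GPO's own permissions. The script below is an added example written for this page, not code from the original post: the first function lists every trustee with an allow ACE that can write gPLink/gPOptions (or all properties, or WriteDacl/WriteOwner) on the domain head and every OU; the second lists who holds edit rights on each GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules and leaves site links out for brevity. Like any ACE listing, it does not expand groups or resolve deny ACEs.

```powershell
# Added example: who can link a GPO to the domain or an OU, and who can edit the GPOs that exist.
# Not from the original post; assumes RSAT (ActiveDirectory, GroupPolicy). Sites are omitted. Read-only.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$R          = [System.DirectoryServices.ActiveDirectoryRights]
$gPLink     = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schemaIDGUID of the gPLink attribute
$gPOptions  = 'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # schemaIDGUID of gPOptions (enforce / block inheritance)
$AllObjects = '00000000-0000-0000-0000-000000000000'   # ACE not scoped to one property
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-GpoLinkWriter {
    # Every container a GPO can be linked to: the domain head and each OU
    $domain = Get-ADDomain
    $scopes = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $scopes) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.PropagationFlags.HasFlag($InheritOnly)) { continue }   # applies only to children, not to $dn itself
            $guid   = $ace.ObjectType.ToString().ToLower()
            $rights = $ace.ActiveDirectoryRights
            $why    = $null
            if ($rights.HasFlag($R::WriteProperty) -and $guid -in @($gPLink, $gPOptions, $AllObjects)) {
                $why = if ($guid -eq $AllObjects) { 'Write all properties' } else { 'Write gPLink/gPOptions' }
            } elseif ($guid -eq $AllObjects -and ($rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner))) {
                $why = 'WriteDacl/WriteOwner (can self-grant link rights)'
            }
            if ($why) {
                [pscustomobject]@{ Container = $dn; Trustee = $ace.IdentityReference.Value
                                   Why = $why; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-GpoEditor {
    # Editing a GPO that is already linked needs no link permission at all
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                                   Permission = $_.Permission; Inherited = $_.Inherited }
            }
    }
}

# Usage. Expect Domain Admins, Enterprise Admins, Administrators and SYSTEM; every other trustee is a
# delegation that someone should be able to justify, and each group needs expanding to a list of people.
Get-GpoLinkWriter | Sort-Object Container, Trustee | Format-Table -AutoSize
Get-GpoEditor     | Sort-Object GPO, Trustee       | Format-Table -AutoSize
```

A trustee who appears in the second list for a GPO linked at the domain root has exactly the capability the post describes, whether or not they appear in the first list; that is why the two views belong together.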



Sounds Theoretical ( ; Any Proof?)

Most IT and cyber security professionals would likely agree that in theory it sounds doable (because it isn't rocket science.)

At the same time, most of them, including most CISOs, will question whether there's any evidence at all of this simple yet highly potent attack vector in reality/practice. In other words, is this merely theory, or can someone show it in action today?


After all, there's no dearth of theoretical attack vectors in cyber security, so unless this is possible today, why worry :-) ?!




Time to Worry (; Here's Proof.)

I don't know whether or not there exists ransomware that has been shown to leverage Active Directory yet (IMO primarily because the bad guys aren't that smart/capable yet,) and I most definitely do not have the time to research it, BUT/AND...


...to PROVE that this is ABSOLUTELY possible today, last week, I sat down to code, and within a few hours, I had personally written production-level RANSOMWARE that can be easily deployed using Active Directory (via GPOs).


In fact, I wrote TWO of them, and I'll share the FIRST one with the world TOMORROW morning, right here on this blog.


NOW, before you jump to conclusions, let me clearly state that the sole purpose of doing so was to show the world that if I can personally create them in just a few hours, imagine what a professional/state-sponsored adversary/APT could create.


Make no mistake about it - each one of them is simple yet professional-grade*. The first one is very simple and solely for illustrative purposes ; once deployed, it will encrypt one specific file. The second one, which too is deployment-ready, once deployed, will encrypt (and with the right password, decrypt) entire directories on thousands of domain-joined computers.




* I'm not a script kiddie. I don't do .NET, PowerShell, VBScript etc. I write professional-grade code in C & Assembly.


As always, you do not need to take my word for it. Tomorrow, I'll share the link right here on this blog, and everyone will be able to freely download and instantly deploy it in any test/production Active Directory, and see it in action for themselves.




Summary

Ransomware clearly poses a serious cyber risk to thousands of organizations worldwide; thus far it has been spread using traditional attack vectors, but since thousands of organizations operate on Active Directory, it is only a matter of time before perpetrators realize that they can leverage AD to easily unleash it on thousands of computers within organizations.

As an example, consider Mimikatz and Mimikatz DCSync. For years, it has been no secret that theoretically speaking, one could extract credentials from memory, and of course, replicate secrets from Active Directory, and that if materialized, these could be highly potent attack vectors, and sure enough, one day Benjamin Delpy made this trivial for everyone.

Thus, I felt the need to make organizations aware of this highly potent yet unmitigated attack vector as well, well before perpetrators weaponize it, and to demonstrate its feasibility, I've written two harmless pieces of illustrative ransomware.


In short, if you can click a few mouse buttons, you can now see for yourself how someone could leverage Active Directory to unleash ransomware on thousands of computers. It is no longer merely theoretical ; it is completely possible, today.

I'm also not about to wait for perpetrators to start misusing Active Directory to unleash ransomware and wreak havoc at organizations worldwide. In days to come, I'm going to teach and empower organizations to prevent this from happening.


Prevention is always better than cure/recovery, and as we have seen, timely preventive action can be extremely valuable.

Alright then (; until tomorrow.)

Thanks,
Sanjay


PS2: Pardon the delay in getting to Day 3 of Active Directory Security for Cyber Security Experts ; it'll be out on June 18.


Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770

© 2006 - 2025 Paramount Defenses. All Rights Reserved.
