Active Directory has long been a favorite target for hackers. As every penetration tester knows, the best way to compromise a network is to gain access to the Active Directory (AD) server and escalate your account privileges. In the past few months, though, we have seen a shift toward more sophisticated Active Directory cyber attacks that take advantage of the nature of AD and other Authentication, Authorization and Accounting (AAA) servers.
AAA servers like AD and RADIUS servers are the central point for all access requests. Any time a user wishes to access an application, server, etc., their credentials are sent to a AAA server to determine whether they are legitimate (authentication) and are allowed access (authorization). Depending on its configuration, the AAA server will also log access (accounting), although this is more commonly performed in commercial mobile networks.
Since the AAA server communicates with multiple applications and devices, across multiple security domains, it has become a prime target for botnet and denial of service (DoS) attacks. Hackers and cybersecurity researchers have begun to take notice. Let’s look at three examples.
First, IBM X-Force Research recently identified a banking trojan virus, Qakbot, that locked out thousands of AD users. Qakbot is financial malware and is typically used to drain online bank accounts. This was the first time researchers had seen it act as a DoS attack by preventing users from accessing applications and devices.
Second, researcher Guido Vranken used fuzzing, where malformed data is injected into a software application, to expose several vulnerabilities in FreeRADIUS, the most popular open-source RADIUS server. As SecurityWeek pointed out, “The list of vulnerabilities includes memory leak, out-of-bounds read, memory exhaustion, buffer overflow and other issues that can be exploited to remotely execute arbitrary code or cause a DoS condition.” Luckily, the open-source community was quick to address the vulnerabilities.
Third, at this year’s Black Hat conference, Threat Intelligence engineers gave a talk about a method to turn the AD Domain Controller into a botnet’s command and control server. As they pointed out, the AAA architecture, where disparate computers take access instructions from a central controller, closely mimics that of a botnet. If malware were installed, it could take advantage of existing AD commands and user attributes to transfer information between infected clients and out of the network. If there were only one AD domain controller for the entire network, this would allow data transfer between security domains.
For the moment, many of these attacks can be prevented by patching, monitoring and constructing proper network architectures. However, as the hacker community continues to turn its attention to AAA, it is only a matter of time before widespread zero-day Active Directory cyber attacks are unleashed.
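As an added illustration of the monitoring point (not code from the original article), the sketch below flags the kind of mass lockout described in the Qakbot case: many distinct accounts locked out within a short window, as opposed to one user locking themselves out repeatedly. It assumes lockout records exported from the Windows Security log (event ID 4740); the record layout, host names, thresholds and sample data are constructed for the example.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

LOCKOUT_EVENT_ID = 4740  # Windows Security log: "A user account was locked out"

# Constructed sample records: (time, event ID, account, caller computer).
SAMPLE_EVENTS = [
    ("2024-01-15T08:10:00", 4740, "carol", "WS-003"),   # one user, repeated:
    ("2024-01-15T08:40:00", 4740, "carol", "WS-003"),   # ordinary help-desk case
    ("2024-01-15T09:00:05", 4625, "dave", "WS-014"),    # failed logon, not a lockout
    ("2024-01-15T09:00:10", 4740, "alice", "WS-014"),
    ("2024-01-15T09:00:40", 4740, "bob", "WS-014"),
    ("2024-01-15T09:01:15", 4740, "dave", "WS-014"),
    ("2024-01-15T09:01:50", 4740, "erin", "WS-022"),
    ("2024-01-15T09:02:20", 4740, "frank", "WS-014"),
    ("2024-01-15T09:03:00", 4740, "grace", "WS-022"),
    ("2024-01-15T13:30:00", 4740, "heidi", "WS-031"),
]


def find_lockout_storms(events, window=timedelta(minutes=5), min_accounts=5):
    """Return one alert per burst in which at least min_accounts distinct
    accounts were locked out within the sliding time window."""
    lockouts = sorted((datetime.fromisoformat(ts), acct.lower(), host)
                      for ts, event_id, acct, host in events
                      if event_id == LOCKOUT_EVENT_ID)
    recent, alerts, in_storm = deque(), [], False
    for when, acct, host in lockouts:
        recent.append((when, acct, host))
        while when - recent[0][0] > window:      # drop events older than the window
            recent.popleft()
        if len({a for _, a, _ in recent}) < min_accounts:
            in_storm = False
            continue
        if in_storm:                             # extend the current alert
            new = [(when, acct, host)]
        else:                                    # open a new alert with the whole window
            alerts.append({"start": recent[0][0], "accounts": set(), "sources": Counter()})
            new, in_storm = list(recent), True
        for _, a, h in new:
            alerts[-1]["accounts"].add(a)
            alerts[-1]["sources"][h] += 1
        alerts[-1]["end"] = when
    return alerts


if __name__ == "__main__":
    for alert in find_lockout_storms(SAMPLE_EVENTS):
        print(f'{alert["start"]} to {alert["end"]}: {len(alert["accounts"])} accounts '
              f'locked out; top sources {alert["sources"].most_common(3)}')
```

The per-source counts point responders at the machines generating the lockouts, which is where containment starts.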
Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure embedded systems, secure authentication, PKI, and Multi-Factor Authentication (MFA).
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.