Ransomware groups push Active Directory mining to unacceptable rates

GUEST NOTE: The move from Active Directory exploit code directly into malware is a growing trend and concern for security professionals.

Attackers target Active Directory (AD) because it represents a master key capable of unlocking the rest of a corporate network, with an estimated 90% base of businesses worldwide using it. Indeed, its prevalence means that it is not just large organizations that are at risk.

Recent EMA research found that 50% of organizations had experienced an AD attack in the past two years, and more than 40% said attackers had successfully breached their AD implementation.

This discovery highlights that adversaries are not just trying to attack AD – they are successfully breaching it at an unacceptable rate.





One of the reasons for the high success rate is the complexity of AD environments. EMA research found that 44% of AD safety assessments found between 11 and 50 exposures, and one in five found between 51 and 100.

Configuration changes often cause these exposures, and attackers look for them when trying to escalate their attacks.

Ransomware groups have been particularly aggressive in seeking out and exploiting these exposures.

The three evolutions of AD targeting in ransomware

There have been several clear evolutions in attackers targeting AD with ever increasing sophistication.

Shipping giant Maersk’s infamous encounter with NotPetya ransomware can be considered a first encounter. NotPetya used (among other things) the Windows network browser service to list all visible servers in the AD domain and add them to its target list.

Maersk experimented”100% destruction of anything Microsoft-based which was attached to the network. “AD was badly damaged, but Maersk was lucky in some ways, locating an intact copy of AD in an office that had no power during the attack. From there, they were able to rebuild AD for the rest of the organization.

Since then, several ransomware groups have emerged that target or use AD to escalate their attacks more specifically.

As noted previouslyransomware gangs “increasingly use tools such as PowerShell, Bloodhound, etc., to perform domain reconnaissance and identify paths to high-privilege targets” in AD.

For example, a ransomware operator, codenamed DeepBlueMagic, uses “guessed or compromised AD ‘admin’ credentials protected only by single-factor authentication” to attack a corporate VPN. The attacker then used command line queries to find more AD objects to scale up the attack.

The third and most recent evolution of threats targeting AD relates to the encoding of the malware strains themselves.

In particular, LockBit 2.0, RYUK, MountLocker, and XingLocker contain code that targets specific configurations, misconfigurations, or vulnerabilities in AD.

Last May, MountLocker used the Windows AD service interfaces API to identify additional targets within a corporate network. This activity was notable because the malware “thinks” like a Windows network administrator, looking for objects (resources) connected to the network and trying to copy the malware to that resource.

RYUK and XingLocker would have need AD present, or attacks fail. In the case of XingLocker, the malware interrogates a compromised device to see if it is part of AD and ceases operations if it is not.

As the EMA noted in its reportresearchers also found that LockBit 2.0″ ransomware can now automate Windows domain encryption using AD group policies. Once executed on the domain controller, the ransomware automatically distributes itself across the domain, disabling existing Microsoft protections along the way”.

Strengthen business defenses

Recognizing AD’s sustained role in ransomware attacks, Microsoft recommends hardening enterprise environments to “prepare for the worst-case scenario.”

“Every ransomware case is different, and there is no one-size-fits-all approach. But there are things you can do now…While these changes may impact how your organization operates today, consider the risk of not implementing them, “this advise.

Responsible organizations should implement identity security solutions that provide visibility into exposed credentials that create potential attack paths and enable access to AD. Visibility into AD and Azure AD exposures and vulnerabilities is also critical.

AD protection tools and policies include real-time detection, identification and remediation of exposed credentials on the endpoint, detection of unauthorized AD requests, and masking and denial of access to objects Sensitive or privileged AD. These approaches can restrict unauthorized data visibility and prevent attackers from obtaining accurate permissions and privilege information when querying AD.

Identity threat detection and response (ITDR) solutions are a critical part of AD defense today, as they can help detect and defend against attackers targeting AD infrastructure within the network.

By mitigating AD vulnerabilities and misconfigurations, security teams can effectively reduce the success rate of ransomware attackers.

Comments are closed.