Ransomware continues to endure as a highly lucrative criminal enterprise.
Ransomware hacking groups extorted at least $144.35 million from U.S. organizations between January 2013 and July 2019. That’s the precise figure recently disclosed by the FBI — the true damage is almost certainly a lot steeper, given only a portion of cyber crimes ever get reported to law enforcement.
To get a foot in the door, ransomware purveyors direct weaponized email at a targeted employee. Once inside a network, they move laterally to locate and encrypt mission-critical systems; a ransom demand for a decryption key follows. In many cases, the lateral movement phase is being facilitated by the hijacking of an ubiquitous network administrator’s tool: Windows Active Directory, or AD.
I had a chance, once again, to discuss the yin vs. yang relating to Active Directory’s pivotal placement in the heart of corporate networks with Mickey Bresman, co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. We met at RSA 2020. For a drill down on our discussion, give the accompanying podcast a listen. Here are key excerpts.
Ransomware uptick
AD enables IT staffers to manage access to servers and applications across the breadth of any Windows-based network; it’s used in 90 percent of U.S. organizations, which translates into tens of thousands of companies and agencies. In the spring of 2017, the WannaCry and NotPetya ransomware worms blasted around the globe, freezing up the Active Directory systems of thousands of companies.
In the wake of NotPetya, in particular, large enterprises hustled to lock down their internal network defenses. NotPetya wrought $10 billion in damages, according to Tom Bossert a senior Department of Homeland Security official at the time.
So threat actors began focusing on softer targets. They began to refine ways to manipulate AD to aid and abet ransomware campaigns ever since. In 2018 and 2019, ransomware-triggered business disruptions came not in global-spanning worms, ala WannaCry and NotPetya, but in unrelenting one-off attacks.
“There was a big uptick in Q3 and Q4 2019, not just in the U.S., but all across the world,” Bresman told me. “Ransomware is still going really fast and hard, and actually becoming even a bigger problem.”
The organizations now in the line of fire include manufacturing firms, telemarketers, law firms, hospitals, cities and towns, local government agencies and local schools districts – the very underpinnings of the U.S. economy
Manipulating identities
Threat actors seek out AD for the same reason corporations rely on it: AD is the hub of authentication, supplying Single Sign-On (SSO) access across the entire company network. An employee – or threat actor — can log in one time to Active Directory and, if granted high enough privileges, gain full access to all organizational resources.
Attackers by now have perfected numerous ways to manipulate AD and get their hands on SSO credentials that have privileged access status. One popular strain of exploits revolves around hacking known vulnerabilities in the authentication protocol known as Kerboros, which integrates with AD. Hacking Kerberos – which is often referred to as a “golden ticket” attack — can make it much easier to move laterally without being detected.
What’s more, fresh vulnerabilities that relate to AD are being discovered all the time. This is true of all software, of course. But AD flaws typically involve very high stakes. Microsoft on March 10, for instance, released a patch for a critical flaw discovered in something called LDAP, another communications protocol that ties into AD. This flaw, unless and until patched, leaves a path open for a malicious party to escalate privileges and run man-in-the-middle attacks from inside a company network.
The vast majority of ransomware attacks today pivot off of manipulating the identities managed and controlled, at some level, by AD, Bresman says.
Attack exposure
Semperis actually launched in 2014 to provide disaster recovery services specifically for AD systems. It began by offering to help companies quickly and efficiently restore an AD system that suddenly got corrupted and shut down. Six years ago, the most likely cause of that was a rogue employee.
Then came the waves of ransomware attacks, leveraging AD to spread, with extortion the goal. Meanwhile, the challenge of recovering a corrupted or abused AD system became much more complex. Companies increasingly mixed and matched cloud-delivered resources with on-premises IT infrastructure, and as reliance on hybrid networks has spiked so did the complexity of trying to lock down AD.
“All of a sudden organizations are finding themselves in a situation where they had multiple different realms to protect, some of those assets being in their own datacenter, but many of those actually now sitting outside of the data center,” Bresman says. “All organizations are becoming more and more digital. This is nothing new . . . but now, also, the bad guys are paying attention to this exact thing. The more digital an organization becomes, the more exposed they become to potential attacks.”
AD resiliency
Having launched as a specialized recovery service, Semperis has shifted its business model to helping companies build AD resiliency. Recently, the company expanded into offering to scan a customer’s AD systems to find and patch any AD-related vulnerabilities – before a threat actor gets around to doing just that.
“The best thing is to be ready, before an attack comes,” Bresman says. “We get into your environment and get you ready, by making sure you close everything that can be closed.”
Of course it’s rarely practical to lock down everything. For instance, a scan might turn up a configuration setting that ought to be changed to boost security. But doing so would cut off certain functionalities of a legacy business application – and ignite howls of protests.
However, just gaining visibility of a known serious flaw is a big step in the right direction. “We can give it special attention, starting with a mitigation plan,” Bresman says. “We can watch for anything unusual that might happen in that environment; and if something happens that was not planned, we can get a notification out immediately.”
With the ransomware scourge persisting — and with the attack surface of corporate networks expanding — it makes sense to monitor and test AD, from a security perspective, around the clock. Widespread adoption of this practice would make a big difference. I’ll keep watch.