A security flaw has been uncovered in Microsoft’s widely used Active Directory that could allow an attacker to change passwords and log in as authenticated users, providing access to a wide range of services.
Israeli security start-up Aorato detailed the attack method in a blog post authored by Tal Be'ery, the firm's vice president of research.
Be'ery explained that the older and weaker NT LAN Manager (NTLM) authentication protocol is enabled by default in Active Directory and is vulnerable to the so-called Pass the Hash attack, in which attackers steal the hashed representations of user passwords stored on servers.
With the NTLM hashes of user passwords in hand, attackers can log in as authenticated users - without having to know the actual passwords.
With the hash in hand, an attacker who "forces the client to authenticate to Active Directory using a weaker encryption protocol" could potentially go on to change victims' passwords, the security analyst said.
Once an attacker has changed the password, the new one can be used to log in to Microsoft services such as Outlook Web Access or Remote Desktop Protocol, he explained.
Be'ery said that he notified Microsoft of the issue in early June, and the tech giant provided an official response on the matter in July.
Microsoft attributes the security issue to a known design "limitation" in Active Directory arising from the authentication protocol the service uses (NTLM).
But Be'ery contended that the issue is a "by-design flaw". Newly discovered exploits, in which attackers changed user passwords and left no sign of the attack in log-based SIEM (security information and event management) or data analytics tools, emphasised the seriousness of the issue, he said.
"We found out that the logs are not [catching] that issue of downgrading the encryption," Be'ery said. "The crucial clues of the attack goes [unnoticed]. If the basis of your security system is on logs then you have no chance of catching that attack."
Microsoft has advised enterprises to implement smart card authentication and disable a weaker encryption algorithm, RC4-HMAC, which uses the NTLM hash.
Be'ery suggested in his blog post, however, that neither option is a practical solution. Smart cards "are expensive and difficult to deploy throughout an enterprise," he said, and removing older encryption algorithms across the enterprise could prevent users from accessing older systems.
Instead, Be'ery encouraged companies to monitor authentication protocol anomalies such as the use of non-default encryption algorithms.
He also suggested admins monitor changes in typical user behaviour, such as the kinds of services used or the times at which employees access them.
Windows computers should also be patched with a Microsoft update that mitigates theft of NTLM hashes, he added.
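The monitoring Be'ery recommends, watching for a non-default encryption algorithm, can be implemented over domain controller Kerberos events. The script below is an added example (not code from the article or from Aorato): it assumes security events 4768/4769 have been exported as key=value lines, and the sample lines, account names and timestamps are constructed.

```python
# Added example, not code from the article or from Aorato: flag Kerberos ticket
# requests that use RC4-HMAC (etype 0x17, keyed from the NTLM hash), the
# "non-default encryption algorithm" signal the article says to monitor.
# Assumes security events 4768/4769 were exported as key=value lines; the
# sample lines below are constructed, not real domain controller logs.

RC4_HMAC = 0x17            # Kerberos etype as logged in TicketEncryptionType
AES_ETYPES = {0x11, 0x12}  # AES128 / AES256-CTS-HMAC-SHA1-96

# Constructed sample: alice obtains AES tickets during the day, then the same
# account requests RC4 tickets at night, including one for the password-change
# service. That AES-to-RC4 switch is the downgrade pattern to alert on.
SAMPLE_EVENTS = """\
EventID=4768 Account=alice Service=krbtgt Etype=0x12 Time=2014-07-14T08:02:11
EventID=4769 Account=alice Service=cifs/files01 Etype=0x12 Time=2014-07-14T08:03:40
EventID=4768 Account=bob Service=krbtgt Etype=0x12 Time=2014-07-14T08:10:05
EventID=4768 Account=alice Service=krbtgt Etype=0x17 Time=2014-07-14T23:41:52
EventID=4769 Account=alice Service=kadmin/changepw Etype=0x17 Time=2014-07-14T23:42:03
"""

def parse_events(text):
    """Parse key=value lines into dicts; Etype is converted from hex to int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["Etype"] = int(fields["Etype"], 16)
        events.append(fields)
    return events

def find_rc4_downgrades(events):
    """Return (account, service, time) for every RC4-HMAC ticket request made
    by an account that earlier in the log obtained tickets with AES."""
    seen_aes = set()
    findings = []
    for ev in events:
        if ev["EventID"] not in ("4768", "4769"):
            continue
        acct, etype = ev["Account"], ev["Etype"]
        if etype == RC4_HMAC and acct in seen_aes:
            findings.append((acct, ev["Service"], ev["Time"]))
        elif etype in AES_ETYPES:
            seen_aes.add(acct)
    return findings

if __name__ == "__main__":
    for acct, svc, when in find_rc4_downgrades(parse_events(SAMPLE_EVENTS)):
        print(f"{when}: {acct} requested {svc} with RC4-HMAC after using AES")
```

In a domain where AES is the default, an account that obtained AES tickets and then requests RC4 tickets is the pattern worth alerting on; pair it with the service-and-time behaviour checks the article also suggests.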