An insecure Active Directory is just ransomware waiting to happen

In recent years, ransomware operators have set their sights on Active Directory (AD) as a primary target. When malware is distributed through AD, the impact of ransomware can be significantly magnified. Attackers view AD as a crucial point in their attacks, resulting in severe and disastrous outcomes.

This trend became apparent with LockBit 2.0 in July 2021, and continued with BlackMatter and Conti later that year. Now, we are witnessing the emergence of even more sophisticated ransomware like ALPHV BlackCat. Threat actors have come to realise how effortlessly they can gain complete access to a potential victim’s network by attacking AD and then moving laterally within the organisation. Unfortunately, only a small number of organisations thoroughly assess AD for governance and security issues.

AD is the identity platform most used by businesses, not just in Asia-Pacific but across the globe. Nine out of ten Fortune 1000 enterprises use it to authenticate employee access to enterprise networks and to manage internal privileges and permissions.

The widespread adoption of enterprise cloud technology owes much to the implementation of AD. An AD environment typically encompasses numerous user permissions and settings within an organisation, resulting in a vast and intricate network that is susceptible to misconfigurations. Regrettably, many organisations struggle to maintain adequate AD security as their domains grow in complexity, leading to a buildup of unnoticed vulnerabilities that may only come to light during a major incident. Given these vulnerabilities, it comes as no surprise that hackers target AD as a prime location for cyberattacks.

The challenges of securing AD

The AD attack surface is constantly evolving in every organisation, which makes it hard for security teams to detect and prevent ransomware deployment. Visibility and context are lacking, and most security teams struggle to identify and resolve AD misconfigurations and vulnerabilities.

Simply trying harder doesn’t cut it either. Due to the vastness and intricacy of AD deployments, manual monitoring proves impractical, leading to an inability to identify attacks in real time. Furthermore, the lack of visibility regarding hidden misconfigurations and interconnected relationships hampers incident response and efforts to hunt down threats.

The anatomy of AD attacks

In order to comprehend how AD attacks occur, it is essential to recognise that a breach has most likely already happened elsewhere before the assault on AD. Attackers exploit numerous software vulnerabilities and misconfigurations in devices, applications, networks, and operating systems, increasing the possibility of a ransomware strike.

After entering a system via an entry point, an attacker typically acquires local administrative privileges on the affected device, enabling them to execute malicious code, harvest credentials, spread malware to other vulnerable systems, and attack passwords. Frequently, the malware then spreads to connected networks and into the AD infrastructure.

If a perpetrator acquires cached credentials of a privileged user, who has greater access to network systems and information than the average worker, the infiltration of the AD could result in the perpetrator gaining instant access to domain privileges. In such a scenario, the attacker can easily create backdoors by impersonating the account, retrieving desired data, and ultimately launching a successful ransomware attack on the entire organisational network.

Regardless of the entry point, AD is almost always involved as the next step in a ransomware attack. Invariably, cybercriminals exploit AD to move laterally and obtain higher permissions before launching their ransomware. Often, the ransomware itself uses AD to enumerate devices so that every machine it lists is reached.

Minimising AD attacks

The interconnectivity provided by AD is crucial for giving users throughout an organisation access to a wide range of services, which underscores the pressing need for business and IT leaders to prioritise securing it in order to reduce the risk of ransomware attacks.

IT leaders often overlook AD despite its importance. To prevent security breaches, they need to eliminate critical misconfigurations that could lead to ransomware attacks. This involves locating and resolving five AD misconfigurations that could enable attackers to move laterally and gain access to sensitive company data.

  • Overprivileged users: A common mistake that leads to a compromised AD is granting excessive privileges: administrators assign privileged group membership to numerous users for convenience. The more users with Domain Admin privileges, the higher the chances of an attacker finding an unsuspecting victim and exploiting their privileges within the organisation. AD administrators must therefore limit users’ privileges to what their specific tasks require.
  • Lack of change monitoring: Consistent monitoring and assessment are essential so that security teams stay aware of changes to the environment and to Group Policy. Manual scrutiny of event logs means sifting through a vast number of false positives, and collecting and consolidating Windows event logs is time-consuming. Because manual monitoring is nearly impossible, AD becomes an attractive target for individuals with malicious intentions.
  • Weak user account security hygiene: Security teams’ inadequate visibility into domain admin accounts is a growing problem, often because inactive accounts of former employees are easily forgotten. This lack of oversight has produced numerous misconfigurations within AD, including weak and non-expiring passwords, no account lockout, and weak encryption – all areas cybercriminals target when attempting to gain access to AD accounts. As a result, breaches go undetected for extended periods, allowing significant damage to occur first.
  • Vulnerabilities in AD: While vulnerabilities directly impacting AD are not common, attackers tend to chain vulnerabilities together to gain access to legitimate accounts and carry out attacks on sensitive systems within a network.
  • Inadequacy of existing tools to secure AD: Currently available tools do not sufficiently support continuous monitoring of AD. Opting for fully integrated, automated tools that can map the entire AD network, track changes in Group Policy Objects, observe unencrypted passwords, and generate notifications for anomalies can significantly enhance visibility into the system. Automated tools have the capability to detect vulnerabilities, address them, identify real-time threats, and proactively monitor attack routes before they are exploited.
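A read-only audit that puts the first three items of the list above into practice, written as an added example for this article rather than taken from any product or from the original text. It uses the RSAT ActiveDirectory module and the well-known Security log event IDs for privileged group membership changes; the Domain Admins threshold and the inactivity cut-off are constructed values to adjust for your environment, and it assumes a domain account with read access to AD and to a domain controller’s Security log.

```powershell
# Added example (not from the original article): a read-only audit of the AD
# misconfigurations discussed above, using the RSAT ActiveDirectory module.
# Assumptions: run as a domain user that can read AD and the Security log of a
# domain controller. $MaxDomainAdmins and $InactiveDays are constructed values.
Import-Module ActiveDirectory

$MaxDomainAdmins = 5     # assumed policy threshold for Domain Admins membership
$InactiveDays    = 90    # assumed cut-off for "forgotten" leaver accounts

# 1. Overprivileged users: who really holds Domain Admin rights, nested groups included?
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user'
if ($domainAdmins.Count -gt $MaxDomainAdmins) {
    Write-Warning "Domain Admins has $($domainAdmins.Count) members (threshold $MaxDomainAdmins)"
}
$domainAdmins | Select-Object SamAccountName, DistinguishedName

# 2a. Weak hygiene: enabled accounts whose passwords never expire
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# 2b. Enabled accounts that have not logged on for $InactiveDays (former employees)
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 2c. Weak encryption: userAccountControl bit 0x200000 (USE_DES_KEY_ONLY) forces DES,
#     bit 0x400000 (DONT_REQ_PREAUTH) disables Kerberos pre-authentication
Get-ADUser -Filter * -Properties userAccountControl |
    Where-Object { ($_.userAccountControl -band 0x200000) -or ($_.userAccountControl -band 0x400000) } |
    Select-Object SamAccountName, userAccountControl

# 2d. No account lockout at all?
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'Default domain policy has no account lockout threshold'
}

# 3. Change monitoring: members added to security-enabled groups in the last 24 hours.
#    4728 = global group, 4732 = local group, 4756 = universal group.
$dc = (Get-ADDomainController).HostName
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-1)
} | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Each section maps to one of the misconfigurations above: the first reveals how far Domain Admins has grown, the second group surfaces the non-expiring, inactive, weak-encryption and no-lockout accounts that the third list item describes, and the last turns the change-monitoring problem into a narrow query for the handful of event IDs that record privileged group changes rather than a manual trawl of the whole Security log. Scheduling this query and alerting on any result is a minimal form of the continuous monitoring the article calls for.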

Nearly every ransomware headline is the result of an insecure AD

The security sector has been largely inadequate in dealing with the dangers related to AD. As ransomware assaults continue to persist, organisations must prioritise AD security by incorporating it into their complete cybersecurity plan. Attackers prefer AD as it allows them to escalate privileges and efficiently spread ransomware by exploiting known vulnerabilities and misconfigurations. Hence, AD security is a crucial aspect for businesses to consider.

To promptly detect potential threats and breaches, it is important to continuously monitor AD and identify any configuration issues. Organisations should take proactive measures to identify and address security issues associated with AD, in order to prevent the spread of ransomware by attackers.