Two Active Directory Bugs Lead to Easy Windows Domain Takeover


Microsoft is urging customers to patch two Active Directory domain controller bugs after a PoC tool was publicly released on Dec. 12.

A proof-of-concept tool has been published that leverages two Windows Active Directory bugs fixed last month that, when chained, can allow easy Windows domain takeover.

In a Monday alert, Microsoft urged organizations to immediately patch the pair of bugs, tracked as CVE-2021-42287 and CVE-2021-42278, both of which were fixed in its November 2021 Patch Tuesday release.

Both vulnerabilities are described as “Windows Active Directory domain service privilege-escalation” bugs and are of high severity, with a CVSS criticality score of 7.5 out of 10.


“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible,” Microsoft advised.

Bugs Give Attackers ‘Straight Path’ to Admin Privileges

The vulnerabilities allow attackers to easily jack up privileges to that of domain admin in unpatched Windows Active Directory domain services after impersonating a regular domain user, according to Microsoft’s advisory.

Domain administrators in Windows are users that can modify the configuration of Active Directory servers and can modify any content stored there. Domain admins can create new users, delete users and change their permissions; and can control authorization and authentication to Windows services.

“When combining these two vulnerabilities, an attacker can create a straightforward path to a domain admin user in an Active Directory environment that hasn’t applied these new updates,” according to the security alert. “This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.”

On Dec. 11, a proof-of-concept (PoC) tool to exploit the bugs was publicly released on Twitter and GitHub, just a few weeks after Patch Tuesday November 2021. Multiple security researchers confirmed that it works and that the exploit is easy.

How to Tell if Systems Have Been Compromised

Microsoft defines the exploit as SAM Name impersonation. Same Account Name (SAM) refers to the sAMAccountName attribute: a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98 and LAN Manager.

Microsoft’s research team published detailed guidance on detecting signs of exploitation and identifying compromised servers with a Defender for Identity advanced hunting query that sniffs out abnormal device name changes: changes that “should happen rarely to begin with,” it said. Defender for Identity is a cloud-based security tool that uses on-premises Active Directory signals to identify, detect and investigate advanced threats, compromised identities and malicious insider actions.

The query compares those name changes with a list of domain controllers in your environment, researchers said. “To investigate if these vulnerabilities might have been exploited in your environment before the hotfixes were deployed, we highly recommend you follow the step-by-step guide,” Microsoft recommended, providing these instructions:

  1. The sAMAccountName change is based on event 4662. Please make sure to enable it on the domain controller to catch such activities. Learn more of how to do it here.
  2. Open Microsoft 365 Defender and navigate to Advanced Hunting.
  3. Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query):

        IdentityDirectoryEvents
        | where Timestamp > ago(1d)
        | where ActionType == "SAM Account Name changed"
        | extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
        | extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
        | where (FROMSAM has "$" and TOSAM !has "$") or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
        | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
  4. Replace the marked area with the naming convention of your domain controllers.
  5. Run the query and analyze the results, which contain the affected devices. You can use Windows Event 4741 to find the creator of these machines, if they were newly created.
  6. We recommend investigating these compromised computers to determine that they haven’t been weaponized.
  7. Make sure to update the devices with the following KBs: KB5008102, KB5008380, KB5008602.
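To show what Microsoft’s hunting query actually filters on, here is the same logic reimplemented in Python over constructed sample records; this is an added example, not Microsoft’s code or telemetry, and the event shape, device names and DC list are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of the IdentityDirectoryEvents
# columns the hunting query uses; these are made up, not real telemetry.
NOW = datetime(2021, 12, 13, 12, 0, tzinfo=timezone.utc)

def _event(hours_ago, action, device, report_id, from_sam=None, to_sam=None):
    fields = {}
    if from_sam is not None:
        fields["FROM SAM Account Name"] = from_sam
        fields["TO SAM Account Name"] = to_sam
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "ActionType": action,
            "TargetDeviceName": device, "ReportId": report_id,
            "AdditionalFields": json.dumps(fields)}

SAMPLE_EVENTS = [
    # machine account renamed to a bare DC name: the sAMAccountName-spoofing pattern
    _event(2, "SAM Account Name changed", "dc1.corp.example", 101, "WS-TEMP$", "DC1"),
    # ordinary machine rename, trailing "$" kept on both sides: benign
    _event(3, "SAM Account Name changed", "dc1.corp.example", 102, "LAPTOP-7$", "LAPTOP-8$"),
    # same pattern as 101 but three days old: outside the 1-day window
    _event(72, "SAM Account Name changed", "dc2.corp.example", 103, "PRINTSRV$", "DC2"),
    # unrelated action type, filtered out before the SAM fields are read
    _event(1, "User account enabled", "dc1.corp.example", 104),
    # machine account renamed to a user-style name with no "$": suspicious
    _event(0.5, "SAM Account Name changed", "dc2.corp.example", 105, "SRV-FILE01$", "svc-backup"),
]

def suspicious_sam_changes(events, dc_names, now=NOW, lookback=timedelta(days=1)):
    """Reproduce the query's filter: recent 'SAM Account Name changed' events
    where the old name was a machine account (has '$') and the new one is not,
    or where the new name equals one of the org's domain controller names."""
    hits = []
    for ev in events:
        if ev["ActionType"] != "SAM Account Name changed":
            continue
        if ev["Timestamp"] <= now - lookback:      # KQL: Timestamp > ago(1d)
            continue
        fields = json.loads(ev["AdditionalFields"])
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        # '$' in from_sam approximates KQL's `FROMSAM has "$"`
        if ("$" in from_sam and "$" not in to_sam) or to_sam in dc_names:
            hits.append({"Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
                         "TargetDeviceName": ev["TargetDeviceName"],
                         "FROMSAM": from_sam, "TOSAM": to_sam, "ReportId": ev["ReportId"]})
    return sorted(hits, key=lambda h: h["Timestamp"])
```

Calling `suspicious_sam_changes(SAMPLE_EVENTS, ["DC1", "DC2", "DC3", "DC4"])` returns only records 101 and 105; the benign rename, the stale event and the unrelated action type are dropped, which mirrors what step 5 would surface.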

“Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections,” Microsoft said.

Don’t Let the Log4j Noise Drown This One Out

The Log4j Apache logging library misery is sucking all the oxygen out of the room right now, but security experts said that organizations have to find time for dealing with these bugs. Securing Active Directory is crucial, given its pivotal role in account authorization and authentication and the horrific compromise that can result if vulnerabilities like these are exploited.

“Active Directory is typically the keys to the kingdom,” Tyler Shields, CMO at JupiterOne and a former Forrester Research analyst, told Threatpost via email on Tuesday. “Targeting the system that holds account authorization and authentication information can result in massive compromise of an enterprise. It’s one of the most commonly deployed account management systems on the planet and must be kept secure and up to date.”

John Bambenek, principal threat hunter at Netenrich, said that if an attacker gets domain admin privileges, they can “quite literally do almost anything they want to any machine in an organization with impunity.”

Ransomware operators, for example, would find these vulnerabilities interesting if they want to “ransom an entire organization at once,” Bambenek said. Using the PoC to install ransomware on every Windows machine in an organization “would be trivial,” he added.

AD is not only ubiquitous – it’s also constantly under siege by adversaries, noted Tim Wade, technical director, CTO team at AI-based cybersecurity firm Vectra. It’s “the preferred method of progress through an enterprise once an initial foothold has been achieved,” he told Threatpost via email.

A case in point: AD played a part in the SolarWinds attacks, when adversaries hit Active Directory Servers with the FoggyWeb backdoor. AD is, unfortunately, a nightmare to secure, as has been outlined by SpecterOps researchers who’ve tried to get the security community to think about the AD problem in terms of “misconfiguration debt”: as in, incremental misconfigurations that build up over time, such that attackers are virtually guaranteed to find an attack path to their objective on any network.

Don’t let these bugs add to that misconfiguration debt, experts said.

“These two bugs … [are] absolutely worth attention, given the direct line of sight between their presence and full domain compromise,” Wade stressed. “When it rains in information security, it seems to pour – but this isn’t something that network defenders should lose any time patching out of their environment.”

122121 12:54 UPDATE: Added input from Tyler Shields, John Bambenek and Tim Wade.

122121 14:23 UPDATE: Corrected misspelling of John Bambenek’s name.
