Security firm Aorato has recently discovered a critical design vulnerability in Microsoft’s Active Directory service, allowing an attacker to authenticate themselves to restricted services and change a user’s password.
Aorato reported the vulnerability to be “highly sensitive” with nearly 95 percent of Fortune 1000 companies deploying the software.
“This attack can be performed despite current identity-theft protection measures,” said Research Vice President Tal Be’ery in a blog post. “Using the new password, an attacker can fully impersonate the victim to access various enterprise services which require the explicit use of the victim’s password, such as Remote Desktop Protocol (RDP) Logon and Outlook Web Access (OWA).”
Even more alarming is the fact that logged events overlook the vital indication of an identity theft attack, added Be’ery. As a result, the attacker can bypass event logs without being recognized.
Following the discovery, Aorato disclosed the information to Microsoft, who in turn noted that the “general limitation” was “well known” in the protocol but could not address the issue. Since there is no inherent solution, Aorato provided various mitigation techniques and measures.
The research firm specializes in the NTLM authentication protocol, known to be vulnerable to a “pass-the-hash” attack – a popular attack in which attackers obtain the hashed form of a user’s login credentials and use that mathematical representation (the hash), rather than the password itself, to access other services or computers.