A combination of two bugs gives attackers the opportunity to grant an ordinary user account administrator rights with a simple script. Microsoft urges organisations to install the latest security updates, which fix the vulnerabilities.
Microsoft Active Directory
The bugs reside in Windows Active Directory (AD), the system IT administrators at organisations use to manage employee accounts at scale. AD records which accounts exist and what rights each of them has. This determines, for example, whether a user is allowed to install programs and whether they have access to protected sections of the network.
A company often has several servers, so-called Domain Controllers (DCs), that each hold a copy of this directory. The DCs communicate with one another and replicate any change made on one DC to the others.
Bugs reinforce each other
The attack uses a technique called account name spoofing in combination with a vulnerability in the Kerberos Privilege Attribute Certificate (PAC). Together these allow attackers to bypass the authentication checks and impersonate a Domain Controller. They then have a ticket issued with far higher privileges than those of the account that requested it.
Put simply, an ordinary employee can submit a request as if it came from management. Once that succeeds, the attacker has full access and can spread malware and view protected information, with all the familiar consequences.
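As an added example (not code from the original article or from Microsoft), the following PowerShell audit looks for the two conditions the account name spoofing step depends on: computer accounts whose sAMAccountName does not end in the trailing "$" that Active Directory normally gives machine accounts, and accounts whose name collides with a Domain Controller's name. It assumes the ActiveDirectory RSAT module and read access to the domain; both are the reviewer's assumptions, not details from the article.

```powershell
# Added defensive audit, not part of the original article.
# Assumes: ActiveDirectory RSAT module installed, domain read access.
Import-Module ActiveDirectory

# Collect the real Domain Controllers so we can recognise collisions with them.
$dcs = Get-ADDomainController -Filter *
$dcNames = $dcs | ForEach-Object { $_.Name.ToLower() }
$dcObjectDns = $dcs | ForEach-Object { $_.ComputerObjectDN }

# 1. Computer objects whose sAMAccountName lacks the trailing '$'.
#    AD adds the '$' itself when a machine joins; a missing one means the name
#    was set by hand and deserves a look.
$oddComputers = Get-ADObject -Filter { (ObjectClass -eq "computer") -and (SamAccountName -notlike "*$") } `
    -Properties SamAccountName, whenChanged, whenCreated

# 2. Any user or computer object (other than the genuine DC objects) whose
#    sAMAccountName, stripped of a trailing '$', matches a DC's host name.
$collisions = Get-ADObject -LDAPFilter "(|(objectClass=computer)(objectClass=user))" -Properties SamAccountName, whenChanged |
    Where-Object {
        ($dcNames -contains $_.SamAccountName.TrimEnd('$').ToLower()) -and
        ($dcObjectDns -notcontains $_.DistinguishedName)
    }

Write-Host "Computer accounts without a trailing '$':"
$oddComputers | Select-Object SamAccountName, DistinguishedName, whenCreated, whenChanged | Format-Table -AutoSize

Write-Host "Accounts whose name collides with a Domain Controller:"
$collisions | Select-Object SamAccountName, ObjectClass, DistinguishedName, whenChanged | Format-Table -AutoSize
```

Either list being non-empty is not proof of compromise, but each entry should be explained by an administrator; the whenChanged timestamp shows when the name was last touched, which is the moment to correlate with other logs.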
This attack method was reported in November by Andrew Bartlett of Catalyst IT and has been patched by Microsoft. To protect your organisation's AD, it is therefore important to install the security updates from November 2021 or later.