Active Directory has always played a role in ransomware attacks; a wave of new research shows how and why, writes Jim Cook, ANZ regional director, Attivo Networks.
The Colonial Pipeline ransomware attack was a watershed moment in cyber security, drawing government intervention, billions of dollars of commitments, and a few months of respite from the gangs.
But after several months of going underground, ransomware gangs are starting to re-emerge: some with new branding in a bid to leave the past behind, others with new infrastructure and techniques to show for their temporary absence from public view.
LockBit is one of the gangs to re-emerge without a new name but with a fresh set of techniques. The gang is known to target ANZ organisations, which account for about one-eighth of its total victims.
Interestingly, LockBit has undergone a technical refresh that abuses legitimate Active Directory features, Group Policy in particular, to deploy its malware payload and avoid detection. IBM X-Force researchers called it a “novel” deployment technique.
“The payload can automatically deploy itself to Microsoft Active Directory clients via Group Policy Objects (GPO). When executed on an Active Directory Domain Controller, LockBit 2.0 creates several GPOs to carry out the infection process. Concerningly, even with Windows Defender, businesses are not safe since the attackers can alter its configuration to avoid detection. It refreshes network shares, stops certain services, and kills processes. The LockBit executable is then copied into the client desktop directories and executed.”
LockBit is far from alone
As we’ve previously noted, ransomware gangs increasingly “use tools like PowerShell, BloodHound, etc., to perform domain reconnaissance and identify paths to high privilege targets” in Active Directory. The TrickBot loader, for example, uses AdFind to query Active Directory for users, computers and groups so that it can pick targets and escalate the attack.
DarkSide – the group behind the Colonial Pipeline attack – uses another tool, ADRecon, “to gather information about victims’ Active Directory prior to ransomware encryption”. (While DarkSide itself is considered defunct, the ‘closely acquainted’ BlackMatter gang has sprung up in its place, in keeping with the general renewal of ransomware gangs.)
Other security researchers say they have uncovered “numerous ransomware engagements that leveraged open-source reconnaissance tools such as ADFind, ADRecon and Bloodhound” – all tools used to gather information about an Active Directory environment.
They identified specific Active Directory exploitation by the Ryuk gang to escalate an attack, “leveraging the Group Policy replication mechanism in Windows Active Directory to distribute Ryuk and using PsExec to move laterally and execute remote commands … The adversaries obtained domain administrator credentials and, besides encrypting systems on the network, also wiped backup indexes.”
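The Ryuk and LockBit cases above share a telemetry signature: Group Policy Objects are created on a domain controller, and shortly afterwards PsExec's helper service appears on many member hosts. The following is an added example, not code from the article or from any vendor, of detection logic that correlates those two signals. It assumes events have already been exported from Windows event logs into flat records (Security event 5137, "A directory service object was created", from the DC, which requires Directory Service Changes auditing; System event 7045, "A service was installed in the system", from the members); the allow-list, thresholds and sample records are constructed for illustration. PsExec registers its service as PSEXESVC unless the operator renames it, so the check also looks at the image path.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical allow-list: accounts expected to create GPOs under change control.
GPO_ADMINS = {"CORP\\gpo-admin"}
WINDOW = timedelta(minutes=15)   # correlation window (assumed tuning value)
MIN_GPOS = 2                     # GPO creations by one account inside WINDOW
MIN_HOSTS = 3                    # PsExec service installs on distinct hosts inside WINDOW

# Constructed sample events, flattened as a SIEM export might present them.
EVENTS = [
    {"time": "2021-08-20T02:10:05", "host": "DC01", "id": 5137,
     "subject": "CORP\\gpo-admin", "object_class": "groupPolicyContainer"},
    {"time": "2021-08-20T02:41:12", "host": "DC01", "id": 5137,
     "subject": "CORP\\svc-backup", "object_class": "groupPolicyContainer"},
    {"time": "2021-08-20T02:41:15", "host": "DC01", "id": 5137,
     "subject": "CORP\\svc-backup", "object_class": "groupPolicyContainer"},
    {"time": "2021-08-20T02:41:19", "host": "DC01", "id": 5137,
     "subject": "CORP\\svc-backup", "object_class": "groupPolicyContainer"},
    {"time": "2021-08-20T02:43:02", "host": "WS-0142", "id": 7045,
     "subject": "CORP\\svc-backup", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2021-08-20T02:43:09", "host": "WS-0177", "id": 7045,
     "subject": "CORP\\svc-backup", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2021-08-20T02:43:20", "host": "FS02", "id": 7045,
     "subject": "CORP\\svc-backup", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    # benign service install, should not fire
    {"time": "2021-08-20T09:00:00", "host": "WS-0001", "id": 7045,
     "subject": "NT AUTHORITY\\SYSTEM", "service": "vpnagent",
     "image": "C:\\Program Files\\ExampleVPN\\vpnagent.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _bursts(times, minimum):
    """True if at least `minimum` timestamps fall inside one WINDOW (sliding)."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > WINDOW:
            j += 1
        if i - j + 1 >= minimum:
            return True
    return False


def gpo_findings(events):
    """One finding per account whose GPO creation looks wrong: the creator is
    off the allow-list, or several GPOs appear in a short burst."""
    by_subject = defaultdict(list)
    for e in events:
        if e["id"] == 5137 and e.get("object_class") == "groupPolicyContainer":
            by_subject[e["subject"]].append(_ts(e))
    out = []
    for subject, times in by_subject.items():
        reasons = []
        if subject not in GPO_ADMINS:
            reasons.append("creator not on GPO allow-list")
        if _bursts(times, MIN_GPOS):
            reasons.append(f"{len(times)} GPOs created within {WINDOW}")
        if reasons:
            out.append({"type": "gpo", "subject": subject, "count": len(times),
                        "first": min(times), "last": max(times), "reasons": reasons})
    return out


def psexec_findings(events):
    """One finding per account that installed PsExec's service on MIN_HOSTS or
    more distinct hosts inside WINDOW: the lateral-movement fan-out."""
    by_subject = defaultdict(dict)   # subject -> {host: first time seen}
    for e in events:
        if e["id"] != 7045:
            continue
        if e.get("service") == "PSEXESVC" or e.get("image", "").upper().endswith("PSEXESVC.EXE"):
            by_subject[e["subject"]].setdefault(e["host"], _ts(e))
    out = []
    for subject, hosts in by_subject.items():
        if _bursts(hosts.values(), MIN_HOSTS):
            out.append({"type": "psexec", "subject": subject, "hosts": sorted(hosts),
                        "first": min(hosts.values()), "last": max(hosts.values())})
    return out


def detect(events):
    """All findings, plus a high-severity correlated finding when the same
    account creates GPOs and then fans PsExec out within WINDOW."""
    gpo, psexec = gpo_findings(events), psexec_findings(events)
    findings = gpo + psexec
    for g in gpo:
        for p in psexec:
            if g["subject"] == p["subject"] and timedelta(0) <= p["first"] - g["last"] <= WINDOW:
                findings.append({"type": "gpo_then_psexec", "severity": "high",
                                 "subject": g["subject"], "hosts": p["hosts"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the sample data the allow-listed administrator's single GPO is ignored, while the service account that creates three GPOs in seven seconds and then installs PSEXESVC on three hosts within two minutes produces a GPO finding, a PsExec finding and the correlated high-severity finding. In production the GPO allow-list would come from change control, and the thresholds need tuning against normal administrative activity.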
It’s interesting to see so much analysis focused on the role of Active Directory in ransomware attacks and providing some specifics around what’s occurring in the wild.
None of this should be particularly surprising to us: the importance of securing Active Directory has been understood for several years, and we have closely observed ransomware attacks evolving to use Active Directory features and tooling specifically to carry out attacks.
However, broader identification of similar techniques and approaches for abusing Active Directory will help defenders contextualise the problem and justify to boards and other decision-makers why this is a space that needs focus and investment.
Threat actors know that Active Directory holds the information and privileges needed to advance their attack. Once they gain access, they can manipulate Active Directory to change group membership, permissions, security policies and access control lists (ACLs). From there they have free rein to move laterally through the network by granting themselves user rights and impersonating employees.
The gangs also know that a default Active Directory deployment carries inherent weaknesses, and that traditional security controls provide neither visibility into those risks nor real-time detection of an attack in progress.
Traditional AD protection has focused primarily on reducing vulnerabilities through patching, the principle of least privilege and tiered administration. These measures remain essential, but they are no longer sufficient on their own.
To get ahead, businesses need systems that provide continuous visibility into AD exposures and attacks, along with concealment and misdirection of the objects attackers look for. They also need scalable visibility into human and non-human identities and their entitlements in the cloud.
AD protection tools and strategies include real-time attack detection, identifying and remediating exposed credentials on endpoints, detecting unauthorised AD queries, and hiding or denying access to sensitive or privileged AD objects.
These approaches restrict unauthorised visibility of AD data and deny attackers accurate information on permissions and privileges when they query AD. They also alert quickly on attack activity such as brute-force attempts, password spraying and other tactics targeting AD objects.
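Brute force and password spraying look identical at the level of a single failed logon; they only separate when failures are grouped by source and by target account over a time window. The following is an added example, not code from the article or any vendor, that applies that grouping to Security event 4625 ("An account failed to log on") records. Only failures whose sub-status is 0xC000006A (wrong password for a valid account) count as password guessing; 0xC0000064 (account does not exist) is excluded so that enumeration noise does not inflate the counts. The thresholds, the window and the sample records are constructed for illustration and would need tuning against a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed tuning value
SPRAY_MIN_ACCOUNTS = 5           # distinct accounts failed from one source inside WINDOW
BRUTE_MIN_ATTEMPTS = 8           # failures against one account from one source inside WINDOW
# 0xC000006A: wrong password. 0xC0000064 (no such user) is deliberately not counted.
PASSWORD_SUBSTATUS = {"0xC000006A"}


def _ev(time, src, account, sub="0xC000006A"):
    """Build one flattened 4625 record (constructed sample data)."""
    return {"id": 4625, "time": time, "src_ip": src, "account": account, "substatus": sub}


EVENTS = (
    # password spray: one guess each against many accounts from one source
    [_ev(f"2021-08-20T09:00:{s:02d}", "10.0.0.5", a) for s, a in
     enumerate(["jdoe", "asmith", "bkhan", "cmurphy", "dlee", "eross"])]
    # a guess at an account that does not exist, from the same source
    + [_ev("2021-08-20T09:00:07", "10.0.0.5", "administrator2", "0xC0000064")]
    # brute force: nine guesses against one service account in 40 seconds
    + [_ev(f"2021-08-20T09:10:{s * 5:02d}", "10.0.0.9", "svc-backup") for s in range(9)]
    # benign: a user mistyping their password twice
    + [_ev("2021-08-20T09:20:00", "172.16.4.20", "asmith"),
       _ev("2021-08-20T09:20:30", "172.16.4.20", "asmith")]
)


def _max_in_window(times):
    """Largest number of timestamps that fall inside one WINDOW (sliding)."""
    times = sorted(times)
    best = j = 0
    for i in range(len(times)):
        while times[i] - times[j] > WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best


def classify_failures(events):
    """Map source IP -> finding for sources whose failures look like a spray
    (many accounts, few attempts each) or a brute force (one account, many
    attempts). Sources below both thresholds are not reported."""
    per_source = defaultdict(list)   # src -> [(time, account)]
    for e in events:
        if e["id"] == 4625 and e["substatus"] in PASSWORD_SUBSTATUS:
            per_source[e["src_ip"]].append((datetime.fromisoformat(e["time"]),
                                            e["account"].lower()))
    findings = {}
    for src, attempts in per_source.items():
        attempts.sort()
        # breadth: most distinct accounts targeted inside one window
        j, spread = 0, 0
        for i in range(len(attempts)):
            while attempts[i][0] - attempts[j][0] > WINDOW:
                j += 1
            spread = max(spread, len({a for _, a in attempts[j:i + 1]}))
        # depth: most attempts against any single account inside one window
        by_account = defaultdict(list)
        for t, a in attempts:
            by_account[a].append(t)
        depth = max(_max_in_window(ts) for ts in by_account.values())
        labels = []
        if spread >= SPRAY_MIN_ACCOUNTS:
            labels.append("password_spray")
        if depth >= BRUTE_MIN_ATTEMPTS:
            labels.append("brute_force")
        if labels:
            findings[src] = {"labels": labels, "accounts": spread, "max_per_account": depth}
    return findings


if __name__ == "__main__":
    for src, finding in classify_failures(EVENTS).items():
        print(src, finding)
```

The two dimensions matter because a spray deliberately stays under per-account lockout thresholds: the source in the sample never fails the same account twice, so a lockout policy alone would never notice it, while the per-source breadth count does.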
By mitigating AD weaknesses, security teams can stop ransomware attackers before they get the chance to access and leverage AD. Today’s advanced cyber-security tools make it easier for organisations, large and small, to strengthen their defences and protect their credentials, identities and privileges effectively.
Jim Cook is the ANZ regional director at Attivo Networks.