Aorato says Microsoft should fix AD to allow logging of particular suspicious activity involving NTLM protocol

A startup Israeli security vendor says it has found an encryption vulnerability in Microsoft’s Active Directory it says could allow an attacker to change user passwords.

“The potential for this particular vulnerability to cause harm and theft is high,” Aorato Inc. said in a release today.

“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure,” Tal Be’ery, the company’s vice-president of research, said in the statement. “The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data. Until enterprises acknowledge the inherent risks associated with relying on Active Directory and build a strategy to mitigate risks, we will continue to see attackers walking off with valuable information undetected.”

Aorato went live in January with a product called DAFTM, which detects suspicious behavior of those who connect to Active Directory. However, in a detailed description of the problem it says there is no fix for the vulnerability it discovered.

With no inherent solution to mitigate this flaw, Aorato recommends enterprises watch for authentication protocol anomalies and correlate the abnormal use of encryption methods with the context in which the victim’s identity is used.

The problem, the company says, is with NTLM, an older authentication protocol still used in Windows; Kerberos is used in more recent versions, but for compatibility NTLM is enabled by default. Briefly, Aorato says NTLM’s encryption is weaker than Kerberos’s.

An attacker can use a free penetration test tool such as WCE or Mimikatz to steal the NTLM hash from an employee’s device, Aorato says. Because this authentication component is known to be a security hazard through pass-the-hash attacks, Aorato says, many enterprises try to limit the use of NTLM. But it says an attacker who obtains a user’s NTLM hash can still get a valid Kerberos ticket. And although some organizations look for suspicious activity, this particular behavior isn’t logged, Aorato says, so no alerts are issued.
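The detection Aorato recommends, watching for an identity whose Kerberos tickets suddenly use a weaker encryption type and correlating that with where the identity is being used, can be prototyped over Kerberos TGT request events. The following is an added example, not Aorato’s product or Microsoft’s code: it assumes records shaped like Windows Security event 4768 (fields TargetUserName, TicketEncryptionType, IpAddress) and uses constructed sample lines; the etype values 0x12 (AES256) and 0x17 (RC4-HMAC) are the standard Kerberos identifiers.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like Windows Security event 4768
# (Kerberos TGT request). Field names follow that event; every value
# below is made up for this example.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.1.20
EventID=4768 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.0.1.20
EventID=4768 TargetUserName=bob TicketEncryptionType=0x12 IpAddress=10.0.1.31
EventID=4768 TargetUserName=alice TicketEncryptionType=0x17 IpAddress=10.0.9.77
EventID=4768 TargetUserName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.2.5
EventID=4768 TargetUserName=bob TicketEncryptionType=0x17 IpAddress=10.0.1.31
"""

AES_TYPES = {"0x11", "0x12"}   # AES128 / AES256 Kerberos etypes
RC4_TYPE = "0x17"              # RC4-HMAC, keyed directly by the NTLM hash

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Turn one 'key=value ...' line into a dict; None for non-4768 lines."""
    rec = dict(FIELD.findall(line))
    return rec if rec.get("EventID") == "4768" else None

def detect_downgrades(log_text):
    """Flag accounts that normally obtain AES TGTs and then request an RC4 one.
    An account that has only ever used RC4 (a legacy service, say) is not
    flagged; the signal is the change of encryption type for one identity,
    correlated with whether the source address is new for that identity."""
    aes_seen = defaultdict(bool)
    ips_seen = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        user, etype = rec["TargetUserName"], rec["TicketEncryptionType"]
        ip = rec["IpAddress"]
        if etype in AES_TYPES:
            aes_seen[user] = True
        elif etype == RC4_TYPE and aes_seen[user]:
            alerts.append({"user": user, "ip": ip,
                           "new_source": ip not in ips_seen[user]})
        ips_seen[user].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_LOG):
        print(alert)
```

On the sample data the legacy service account that has only ever used RC4 produces no alert, while the two accounts that switch from AES to RC4 do, with the one coming from a never-before-seen address marked as such.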

The company says it has notified Microsoft of the problem. It says Microsoft has made this vulnerability publicly known, but Aorato says the fact that the behavior isn’t logged should be addressed by Microsoft.
