Microsoft has issued a warning regarding ransomware hackers targeting Active Directory domain controllers to elevate privileges within compromised networks. According to Microsoft, nearly 80% of human-operated cyberattacks involve a breached domain controller, with more than 30% of these attacks involving the distribution of crypto-locking software through a domain controller.
When hackers compromise a domain controller, they can extract the password hashes for every account in the domain, allowing them to identify high-privilege accounts such as those of IT administrators. Armed with those credentials, attackers can escalate to domain-wide privileges and use the domain controller itself to push ransomware to every domain-joined machine at once, maximizing the impact of the attack.
In a recent case observed by Microsoft, a hacking group tracked as Storm-0300 attempted a ransomware attack after gaining initial access through the target's virtual private network. The hackers obtained admin credentials and attempted to connect to the domain controller over remote desktop protocol, then carried out reconnaissance, defense evasion, and privilege escalation.
Despite the growing threat to domain controllers, securing these servers remains a challenge precisely because of their central role in the network. Domain controllers authenticate every user and manage access to resources, so any control that restricts who can reach them also risks breaking day-to-day operations, which makes it difficult for defenders to strike the right balance between security and functionality.
Microsoft recommends building capabilities that allow domain controllers to differentiate between malicious and benign behavior as a potential step to avoid server compromise. While the company provides robust defenses, the effectiveness of these measures depends on customers regularly patching and enabling multifactor authentication, according to Jason Soroko, a senior fellow at security firm Sectigo.
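As an added example of the kind of capability described above (not Microsoft's own detection logic), the following Python rules look for two of the behaviours this article attributes to domain-controller attacks: a DCSync-style credential dump, which shows up on the domain controller as Security Event 4662 with replication control-access rights requested by an account that is not another domain controller, and an RDP logon to the domain controller (Event 4624, logon type 10) from a host outside the approved admin-workstation set, matching the Storm-0300 pattern. The replication GUIDs are the standard Active Directory extended-rights values; the allowlists (`svc-adsync`, the 10.0.9.x addresses) and the sample events are constructed for this example and would be replaced with an organisation's real values. One caveat a practitioner needs: 4662 is only generated for replication requests if directory service access auditing is enabled and the domain object carries a SACL for the replication rights, so the first rule is silent until that audit policy is in place.

```python
"""Detect two DC-targeting behaviours from Windows Security event records:
(1) a DCSync-style replication request (Event 4662 with replication
control-access rights) by an account that is neither a domain controller
nor an approved replication service, and (2) an RDP logon (Event 4624,
logon type 10) to a domain controller from a non-approved source host.
Added example; not Microsoft's or any vendor's detection code.
"""

# Extended-rights GUIDs that grant directory replication.  A DCSync tool
# asks for these on the domain naming context.  Standard AD schema values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Hypothetical allowlists an organisation would maintain: service accounts
# that legitimately replicate (e.g. an identity-sync connector) and the
# privileged access workstations admins may RDP to a DC from.
APPROVED_REPLICATORS = {"svc-adsync"}
APPROVED_ADMIN_HOSTS = {"10.0.9.10", "10.0.9.11"}


def is_dcsync(event: dict) -> bool:
    """True when a 4662 shows a non-DC, non-approved account exercising
    replication rights.  DC computer accounts end in '$' and replicate
    with each other constantly, so they are filtered to keep the rule quiet."""
    if event.get("EventID") != 4662:
        return False
    if "Control Access" not in event.get("Accesses", ""):
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return False
    user = event.get("SubjectUserName", "")
    if user.endswith("$") or user.lower() in APPROVED_REPLICATORS:
        return False
    return True


def is_unexpected_dc_rdp(event: dict) -> bool:
    """True when a 4624 logged on a DC is a RemoteInteractive (RDP) logon
    from a source address outside the approved admin-workstation set."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return False
    return event.get("IpAddress") not in APPROVED_ADMIN_HOSTS


def triage(events):
    """Run both rules over a batch of events; return (rule, account, source) tuples."""
    alerts = []
    for ev in events:
        if is_dcsync(ev):
            alerts.append(("dcsync", ev["SubjectUserName"], ev.get("Computer", "")))
        elif is_unexpected_dc_rdp(ev):
            alerts.append(("dc_rdp", ev["TargetUserName"], ev.get("IpAddress", "")))
    return alerts


# Constructed sample events, shaped like the fields of the real event IDs.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication by a computer account: should not alert
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Accesses": "Control Access",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Approved sync service account: should not alert
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "svc-adsync",
     "Accesses": "Control Access",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account requesting Get-Changes-All: classic DCSync signature
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Accesses": "Control Access",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # RDP to the DC from an approved admin workstation: should not alert
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "adm-jane", "IpAddress": "10.0.9.10"},
    # RDP to the DC from a VPN pool address: the pattern described above
    {"EventID": 4624, "Computer": "DC01", "LogonType": 10,
     "TargetUserName": "adm-jane", "IpAddress": "172.16.200.44"},
    # Network logon (type 3) is not RDP: should not alert
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3,
     "TargetUserName": "adm-jane", "IpAddress": "172.16.200.44"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts, one for the `jdoe` replication request and one for the RDP logon from 172.16.200.44; the four benign records are suppressed by the computer-account, allowlist and logon-type filters, which is the malicious-versus-benign distinction the passage calls for.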
Sectigo emphasizes that even the most advanced defense mechanisms can falter if misconfigured or if legacy systems create vulnerabilities. Therefore, maintaining vigilant customer-side security practices is crucial for fortifying systems against modern cyber threats.
In conclusion, the threat posed by ransomware hackers targeting Active Directory domain controllers highlights the importance of implementing strong security measures and best practices to protect against cyber attacks. By staying proactive and ensuring that systems are regularly updated and secured, organizations can reduce the risk of falling victim to these malicious activities.