#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Active Directory | Breaking Cybersecurity News | The Hacker News

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution
Apr 15, 2024 Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers

U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers
Apr 03, 2024 Data Breach / Incident Response
The U.S. Cyber Safety Review Board ( CSRB ) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year. The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a "cascade of Microsoft's avoidable errors." "It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations," the DHS  said  in a statement. The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reac

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution
Apr 15, 2024Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems

New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems
Feb 29, 2024 Threat Intelligence / Cyber Threat
Cybersecurity researchers have disclosed a new attack technique called  Silver SAML  that can be successful even in cases where mitigations have been applied against Golden SAML attacks. Silver SAML "enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce," Semperis researchers Tomer Nahum and Eric Woodruff  said  in a report shared with The Hacker News. Golden SAML (short for  Security Assertion Markup Language ) was  first documented  by CyberArk in 2017. The attack vector, in a nutshell, entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization. It's also similar to the  Golden Ticket attack  in that it grants attackers the ability to gain unauthorized access to any service in a federation with any privileges and to stay persistent in this environment in a stealthy manner. "Golden SAML introduces to a fed

WATCH: The SaaS Security Challenge in 90 Seconds

cyber security
websiteAdaptive ShieldSaaS Security / Cyber Threat
Discover how you can overcome the SaaS security challenge by securing your entire SaaS stack with SSPM.

Microsoft Expands Free Logging Capabilities for all U.S. Federal Agencies

Microsoft Expands Free Logging Capabilities for all U.S. Federal Agencies
Feb 24, 2024 Active Directory / Data Protection
Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a China-linked cyber espionage campaign targeting two dozen organizations came to light. "Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said . "Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by [Office of Management and Budget]  Memorandum M-21-31 ." Microsoft, in July 2023,  disclosed  that a China-based nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe as well as a small number of related individual consumer accounts. "Storm-0558 operates with a high degree of technical tradecraft and operational

VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk

VMware Alert: Uninstall EAP Now - Critical Flaw Puts Active Directory at Risk
Feb 21, 2024 Active Directory / Vulnerability
VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as  CVE-2024-22245  (CVSS score: 9.6), the vulnerability has been described as an arbitrary authentication relay bug. "A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)," the company  said  in an advisory. EAP,  deprecated as of March 2021 , is a software package that's designed to allow direct login to vSphere's management interfaces and tools through a web browser. It's not included by default and is not part of vCenter Server, ESXi, or Cloud Foundation. Also discovered in the same tool is a session hijack flaw (CVE-2024-22250, CVSS score: 7.8) that could permit a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP

Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks

Malicious 'SNS Sender' Script Abuses AWS for Bulk Smishing Attacks
Feb 16, 2024 Cyber Threat / Cloud Security
A malicious Python script known as  SNS Sender  is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service ( SNS ). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne  said  in a new report, attributing it to a threat actor named ARDUINO_DAS. "The smishing scams often take the guise of a message from the United States Postal Service (USPS) regarding a missed package delivery," security researcher Alex Delamotte said. SNS Sender is also the first tool observed in the wild that leverages AWS SNS to conduct SMS spamming attacks. SentinelOne said that it identified links between ARDUINO_DAS and more than 150 phishing kits offered for sale. The malware requires a list of phishing links stored in a file named links.txt in its working directory, in addition t

U.S. State Government Network Breached via Former Employee's Account

U.S. State Government Network Breached via Former Employee's Account
Feb 16, 2024 Cybersecurity / Data Breach
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee. "This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point," the agency  said  in a joint advisory published Thursday alongside the Multi-State Information Sharing and Analysis Center (MS-ISAC). "The threat actor connected to the [virtual machine] through the victim's VPN with the intent to blend in with legitimate traffic to evade detection." It's suspected that the threat actor obtained the credentials following a separate data breach owing to the fact that the credentials appeared in publicly available channels containing leaked account information. The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide
Dec 19, 2023 Ransomware / Threat Intelligence
The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia," authorities  said . Also called Balloonfly and PlayCrypt, Play emerged in 2022, exploiting security flaws in Microsoft Exchange servers (CVE-2022-41040 and CVE-2022-41082) and Fortinet appliances (CVE-2018-13379 and CVE-2020-12812) to breach enterprises and deploy file-encrypting malware. It's worth pointing out that ransomware attacks are increasingly exploiting vulnerabilities rather than using phishing emails as initial infection vectors, jumping from nearly zero in the second half of 2022 to almost a third in the first half of 20

Microsoft's Final 2023 Patch Tuesday: 34 Flaws Fixed, Including 4 Critical

Microsoft's Final 2023 Patch Tuesday: 34 Flaws Fixed, Including 4 Critical
Dec 13, 2023 Patch Tuesday / Windows Security
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 34 flaws in its software, making it one of the lightest releases in recent years. Of the 34 shortcomings, four are rated Critical and 30 are rated Important in severity. The fixes are in addition to  18 flaws  Microsoft addressed in its Chromium-based Edge browser since the release of  Patch Tuesday updates for November 2023 . According to data from the  Zero Day Initiative , the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022. While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below - CVE-2023-35628  (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability CVE-2023-35630  (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability CVE-2

Microsoft Defender Thwarts Large-Scale Akira Ransomware Attack

Microsoft Defender Thwarts Large-Scale Akira Ransomware Attack
Oct 12, 2023 Threat Intelligence /
Microsoft on Wednesday said that a user containment feature in Microsoft Defender for Endpoint helped thwart a "large-scale remote encryption attempt" made by  Akira ransomware actors  targeting an unknown industrial organization in early June 2023. The tech giant's threat intelligence team is tracking the operator as Storm-1567. The attack leveraged devices that were not onboarded to Microsoft Defender for Endpoint as a defense evasion tactic, while also conducting a series of reconnaissance and lateral movement activities prior to encrypting the devices using a compromised user account. But the new  automatic attack disruption capability  meant that the breached accounts are prevented from "accessing endpoints and other resources in the network, limiting attackers' ability to move laterally regardless of the account's Active Directory state or privilege level." In other words, the idea is to cut off all inbound and outbound communication and proh

Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege
Aug 28, 2023 Vulnerability / Active Directory
Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit (CTU)  said  in a technical report published last week. "The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges." Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an  open-source tool  that other organizations can use to scan for abandoned reply URLs. Reply URL , also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and grant

Understanding Active Directory Attack Paths to Improve Security

Understanding Active Directory Attack Paths to Improve Security
Aug 08, 2023 Active Directory / Exposure Management
Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a'changin' – and a few years back, Microsoft introduced Azure Active Directory, the cloud-based version of AD to extend the AD paradigm, providing organizations with an Identity-as-a-Service (IDaaS) solution across both the cloud and on-prem apps. (Note that as of July 11th 2023, this service was renamed to  Microsoft Entra ID , but for the sake of simplicity, we'll refer to it as Azure AD in this post) Both Active Directory and Azure AD are critical to the functioning of on-prem, cloud-based, and hybrid ecosystems, playing a key role in uptime and business continuity. And with 90% of organizations using the service for employee authentication, access control and ID manag

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports

Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports
Jul 21, 2023 Email Security / Cyber Attack
The recent attack against  Microsoft's email infrastructure  by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought. According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications. This  includes  every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customers applications that support the "Login with Microsoft functionality," and multi-tenant applications in certain conditions. "Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD si

Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover

Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover
Jun 21, 2023 Authentication / Vulnerability
A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization ( OAuth ) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it  nOAuth . "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope,  said . The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges u

Dr. Active Directory vs. Mr. Exposed Attack Surface: Who'll Win This Fight?

Dr. Active Directory vs. Mr. Exposed Attack Surface: Who'll Win This Fight?
May 19, 2023 Threat Protection / Attack Surface
Active Directory (AD) is among the oldest pieces of software still used in the production environment and can be found in most organizations today. This is despite the fact that its historical security gaps have never been amended. For example, because of its inability to apply any security measures beyond checking for a password and username match, AD (as well the resources it manages) is dangerously exposed to the use of compromised credentials. Furthermore, this exposure is not confined to the on-prem environment. The common practice of syncing passwords between AD and the cloud identity provider means any AD breach is a potential risk to the SaaS environment as well. In this article, we'll explore AD's inherent security weaknesses and examine their scope and potential impact. We'll then learn how Silverfort's Unified Identity Protection platform can address these weaknesses at their root and provide organizations using AD with the resiliency they need to thwart identity threa
Cybersecurity Resources