Posts

Showing posts from March, 2025

Active Directory Ransomware Attacks

Organizations worldwide use Active Directory (AD) as their primary identity service, which makes it a top target for ransomware attacks. This article explains how adversaries exploit Active Directory during ransomware attacks and provides strategies and tools for defending against this modern menace.

The two phases of a ransomware attack

A common misconception about ransomware attacks is that they are quick: someone opens an infected email attachment or inserts an infected USB device, and within minutes data across the network is encrypted and a ransom demand is displayed on every screen. The reality is quite different. Ransomware attacks today tend to be sophisticated and methodical. To encrypt as much sensitive information as possible, and therefore maximize the chances of receiving a high payout, attackers proceed in two phases:

Find an entry point — The first step is to gain a foothold in the victim organization’s network. One common strategy is to comp...

Hackers Can Abuse Active Directory Certificate Services to Establish Persistence

Security researchers have documented critical misconfigurations in Microsoft’s Active Directory Certificate Services (AD CS) that could allow attackers to establish long-term persistence in compromised networks. The findings, detailed in a comprehensive whitepaper by Will Schroeder and Lee Christensen, reveal how AD CS misconfigurations can be exploited for credential theft, privilege escalation, and domain persistence.

AD CS, Microsoft’s implementation of Public Key Infrastructure (PKI) in Active Directory environments, is widely deployed but often overlooked from a security perspective. Microsoft defines Active Directory Certificate Services (AD CS) as “the server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization.”

AD CS Enterprise CAs issue certificates with settings defined by certificate templates. These templates are collections of e...
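The check a practitioner wants after reading this is an inventory of which templates carry a dangerous combination of settings. The PowerShell below is an added example, not code from the whitepaper, from Microsoft, or from the article above. It reads the Configuration partition with System.DirectoryServices (no RSAT module needed) and reports templates matching the pattern the whitepaper labels ESC1: the enrollee supplies the subject, the template carries an authentication-capable EKU (or none at all), no manager approval or authorized signatures are required, and a broad principal holds enrollment rights. The set of "broad" SIDs, the EKU list and the published-by lookup are this example's own assumptions; it assumes a domain-joined host and a domain user with LDAP read access.

```powershell
# Added example (not the whitepaper's or Microsoft's code): flag AD CS templates
# with the ESC1 combination of settings. Assumes a domain-joined host and a
# domain user with read access to the Configuration partition.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Schema constants from the AD CS template schema ([MS-CRTD]).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # bit in msPKI-Enrollment-Flag (manager approval)
$AuthEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '2.5.29.37.0'              # Any Purpose
)
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
# Assumption: these count as "broad" principals. Everyone, Authenticated Users,
# Domain Users (RID 513) and Domain Computers (RID 515).
$BroadSidPattern = '^(S-1-1-0|S-1-5-11|S-1-5-21-\d+-\d+-\d+-51[35])$'

function Get-Prop($props, $name) {
    if ($props.Contains($name)) { $props[$name][0] } else { $null }
}

# Template name -> CAs that publish it. A template no CA publishes cannot be enrolled from.
$published = @{}
$caSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
    ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase"), '(objectClass=pKIEnrollmentService)'
foreach ($ca in $caSearcher.FindAll()) {
    $caName = [string](Get-Prop $ca.Properties 'name')
    foreach ($t in $ca.Properties['certificatetemplates']) {
        if (-not $published.ContainsKey($t)) { $published[$t] = @() }
        $published[$t] += $caName
    }
}

$tplSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList `
    ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase"), '(objectClass=pKICertificateTemplate)'
$tplSearcher.PageSize = 500

$findings = foreach ($r in $tplSearcher.FindAll()) {
    $p    = $r.Properties
    $name = [string](Get-Prop $p 'name')
    $ekus = if ($p.Contains('pkiextendedkeyusage')) { @($p['pkiextendedkeyusage']) } else { @() }

    $suppliesSubject = ([int](Get-Prop $p 'mspki-certificate-name-flag') -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $needsApproval   = ([int](Get-Prop $p 'mspki-enrollment-flag') -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $raSignatures    = [int](Get-Prop $p 'mspki-ra-signature')
    # No EKU at all means the certificate is usable for any purpose, client auth included.
    $authCapable     = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $AuthEkus -contains $_ })

    if (-not ($suppliesSubject -and $authCapable -and -not $needsApproval -and $raSignatures -eq 0)) { continue }

    # Enrollment rights: Allow ACEs for a broad SID granting GenericAll, or the
    # Certificate-Enrollment extended right (an empty ObjectType means all extended rights).
    $acl = $r.GetDirectoryEntry().ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $broadEnroll = @($acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $BroadSidPattern -and (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ( $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
              ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty) )
        )
    })
    if ($broadEnroll.Count -eq 0) { continue }

    [pscustomobject]@{
        Template     = $name
        PublishedBy  = ($published[$name] -join ', ')
        EnrollableBy = (($broadEnroll | ForEach-Object { $_.IdentityReference.Value }) | Sort-Object -Unique) -join ', '
    }
}

$findings | Format-Table -AutoSize
```

Run it as an ordinary domain user; the Configuration partition and template DACLs are readable by default, which is also why an attacker can perform the same survey. A row with an empty PublishedBy column is a latent finding: the template is misconfigured but no CA currently offers it. The script covers only this one pattern; the whitepaper describes several others (CA-level flags, vulnerable template or CA ACLs, and persistence via stolen certificates or CA keys) that need separate checks.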

Critical Windows Zero-Day Vulnerability Lets Attackers Steal Users’ NTLM Credentials

Security researchers have publicly revealed a newly discovered critical vulnerability that affects all Windows workstation and server versions, from Windows 7 and Server 2008 R2 to the latest Windows 11 (v24H2) and Server 2022. The flaw allows attackers to obtain a user’s NTLM credentials simply by tricking them into viewing a malicious file in Windows Explorer. This can be triggered by opening a shared folder or USB disk containing such a file, or by accessing the Downloads folder where the malicious file might have been automatically downloaded from an attacker’s webpage. After responsibly reporting the issue to Microsoft, the researchers have released micropatches to protect users until Microsoft provides an official fix. These micropatches are available free of charge during this interim period.

Details of the Vulnerability

We are withholding the exact technical details of the vulnerability to minimize the risk of exploitation. However, the researchers emphasize that the v...