
Threat Intelligence Reveals New Active Directory Botnet Attack Technique Capable of Bypassing all Network Controls for Windows Environments

Announcement posted by Threat Intelligence 02 Aug 2017

Brand new attack technique turns Active Directory Domain Controllers into Command and Control Servers and powerful Botnets capable of bypassing all network controls
2 August 2017 – In its recent Black Hat USA 2017 Technical Briefing, leading Australian information security organisation Threat Intelligence released a new attack technique: the Active Directory Botnet. The technique exposes a fundamental weakness in how nearly every organisation deploys Microsoft Active Directory, undermining their overall security and their ability to contain a breach once an attacker is inside.

The Active Directory Botnet attack technique turns Active Directory Domain Controllers into Command and Control (C&C) servers that can direct a powerful internal botnet. Because every domain-joined system must be able to read and update standard account attributes on a Domain Controller, the Domain Controllers become the central relay through which all internally compromised systems communicate, with no direct traffic between the compromised hosts themselves.

For Ty Miller, managing director of Threat Intelligence, the new attack technique will be effective for many years to come. “The primary way to prevent this attack is in clear violation of the way Active Directory is typically used. However, due to the overwhelmingly insecure architecture implementations of Active Directory, and the difficulty of changing Active Directory architectures, a strong response for all Windows-based organisations will be required.”

A series of live demonstrations of the Active Directory Botnet attack was given by Ty Miller and his colleague Paul Kalinin, senior security consultant at Threat Intelligence.

How it works
Standard Active Directory user accounts expose more than 50 attributes, and a subset of these can be combined into a communication channel between compromised domain-joined machines anywhere in the organisation. The Active Directory Botnet Client writes unique data entries into attributes of its own account on the target Domain Controller, then polls the directory to find other compromised systems that have done the same. From that point, any Active Directory Botnet Client in the domain can enumerate the compromised machines and issue commands to be executed on an individual system or across all infected endpoints. Every message travels as an ordinary directory read or write to a Domain Controller, so host firewalls and network segmentation between the endpoints never see bot-to-bot traffic.
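A defensive check that follows from the mechanism above, added here as an example rather than taken from the original release or from Threat Intelligence's own tooling: the script sweeps enabled user accounts for payload-like values in attributes that an ordinary account can normally write on its own object, and then resolves the ACL on one account to show exactly which attributes SELF may write. The attribute list is an assumption based on the default Personal Information and Web Information property sets, the 40-character threshold is a tunable guess, and `jdoe` is a placeholder account; verify all of these against your own schema and ACLs.

```powershell
# Added audit script (example only, not the original page's or Threat Intelligence's code).
# Assumptions: RSAT ActiveDirectory module installed, read access to the domain, and the
# attribute list below matches the default SELF-writable property sets in your forest.
Import-Module ActiveDirectory

$SuspectAttributes = @('info', 'comment', 'homePhone', 'mobile', 'pager', 'ipPhone',
                       'wWWHomePage', 'url', 'streetAddress', 'postOfficeBox',
                       'otherHomePhone', 'otherMobile', 'otherPager', 'otherIpPhone')

# Heuristic for "this looks like an encoded message, not a phone number or address":
# at least $MinLength characters drawn only from the base64 alphabet. Tune as needed.
function Test-PayloadLike {
    param([string]$Value, [int]$MinLength = 40)
    if ([string]::IsNullOrEmpty($Value) -or $Value.Length -lt $MinLength) { return $false }
    return ($Value -match '^[A-Za-z0-9+/=]+$')
}

# 1. Sweep every enabled user for payload-like values in the suspect attributes.
$findings = foreach ($u in Get-ADUser -Filter "Enabled -eq 'True'" -Properties $SuspectAttributes) {
    foreach ($attr in $SuspectAttributes) {
        foreach ($v in @($u.$attr)) {            # multi-valued attributes arrive as arrays
            $s = [string]$v
            if (Test-PayloadLike $s) {
                [pscustomobject]@{
                    User      = $u.SamAccountName
                    Attribute = $attr
                    Length    = $s.Length
                    Preview   = $s.Substring(0, 32)
                }
            }
        }
    }
}
$findings | Sort-Object User, Attribute | Format-Table -AutoSize

# 2. Resolve the ACL on one account to list the attributes and property sets that
#    NT AUTHORITY\SELF can write: this is the channel the botnet client depends on.
$rootDse = Get-ADRootDSE
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = '<all properties>' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = "$($_.name) (property set)" }

$user = Get-ADUser -Identity 'jdoe'              # placeholder account
(Get-Acl -Path ("AD:\" + $user.DistinguishedName)).Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    ForEach-Object {
        $key = $_.ObjectType.ToString()
        [pscustomobject]@{
            Target = if ($guidMap.ContainsKey($key)) { $guidMap[$key] } else { $key }
            Rights = $_.ActiveDirectoryRights
            Type   = $_.AccessControlType
        }
    } | Format-Table -AutoSize
```

The string heuristic deliberately ignores binary attributes such as `thumbnailPhoto`, which need a size or magic-byte check instead, and a client that encodes its messages as plausible phone numbers or URLs will slip past it; treat the sweep as a starting point for baselining which attributes are populated in your directory, not as a detection signature. The second half is the more durable check, since it shows what an unprivileged account can write before any attacker needs to.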
 
If your organisation synchronises its on-premises Active Directory to Azure Active Directory, the Active Directory Botnet can ride that synchronisation to create an egress channel: data written into synchronised attributes on premises is replicated to the cloud by your production directory synchronisation, and can be collected from there without any of the compromised hosts connecting outbound themselves.
Miller says: “This is all possible with only standard user accounts and without the need to compromise any passwords.”

Who it impacts
Because of how nearly every Active Directory implementation is built, almost every server, workstation, laptop, mobile device and wireless device in an organisation must be able to reach a Domain Controller for authentication. That same authentication path is all the internal Active Directory Botnet needs to communicate through a network of strategically placed Active Directory C&C servers.
Ty Miller has been presenting Technical Briefings and The Shellcode Lab training course for infosec professionals at Black Hat USA for seven years, including Black Hat USA 2017.

/Ends
All trademarks are the properties of their respective owners.

Note for Editors: Photograph available on request

About Threat Intelligence Pty Ltd
Threat Intelligence Pty Ltd is a specialist consultancy defining the next era of security, intelligence and security testing approaches. It was established in response to the new challenges of an ever-evolving global threat environment. Services include penetration testing, security training, agile security, forensic investigations and security architecture services. Its founder, Ty Miller, is one of Australia’s leading information security specialists and is a prolific commentator and author on intelligence-based security. www.threatintelligence.com

Follow Threat Intelligence:
https://www.linkedin.com/company/threat-intelligence-pty-ltd
https://twitter.com/tyronmiller
https://www.facebook.com/ThreatIntelligence/
 
For media interviews and further information:
Cathryn van der Walt
12 Worlds
t: +61 (0)402 327 633 | Cathryn@12worlds.com