STEALTHbits mitigates new Microsoft Exchange Server Vuln that gives any user Domain Admin privilegesFebruary 9, 2019 No Comments
Featured article by Peter Kelley, the Kelley Group Two
STEALTHbits Technologies has announced mitigation capabilities for the recently-discovered* Microsoft Exchange privilege escalation attack that lets any user become a Domain Admin, and is making its solutions available as a free trial for 30 days upon registration and request.
Darin Pendergraft, VP of Product Marketing with STEALTHbits Technologies, said: “Attackers have figured out a way to trick Microsoft Exchange into sending its login information. If an attacker sends a specific type of command, the Exchange server responds with its login. The attacker records and then forwards that login to the Active Directory system. Active Directory then thinks the attacker is the Exchange server, which has a lot of powerful privileges on the system.
“Now logged in as the Exchange server, the attacker can request password information from Active Directory in order to take over other accounts and to steal or encrypt data.
The attack was first reported by researcher Dirk-jan Mollema in late January. It combines known vulns to achieve privilege escalation and attack Active Directory through three steps:
1. An attacker sends a request to Exchange that causes Exchange to respond with an NTLM authentication request over HTTP;
2. Exchange responds, and because NTLM is susceptible to man-in-the-middle relay attacks all the attacker has to do is forward the authentication request to Active Directory, which
3. thinks the attacker’s machine is Exchange and treats it with the privileges that Exchange normally has. The attacker is able to create new admin accounts or modify privilege, and hacker toolkits like Mimikatz to perform a DCSync attack and obtain password hashes for any account in the domain. From there, the attacker can pretty much do anything they want to do.
“This is where STEALTHbits’ mitigation can help by detecting and blocking unusual login activity, watching for the creation of new admin accounts, and preventing the attacker from requesting password information from Active Directory,” Pendergraft said.
To register for the STEALTHbits free trial, go to: STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges
About the Author
Peter Kelley is a technology writer and mid-century modern design fan with The Kelley Group Two.News, SECURITY, SOCIAL BUSINESS