Detection of Windows Bronze Bit Attacks by Microsoft Defender for Identity


Microsoft announced today that it is working to add Bronze Bit attack detection to Microsoft Defender for Identity, making it easier for security operations teams to detect attacks that attempt to exploit the Windows Kerberos security bypass bug tracked as CVE-2020-17049.

Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals.

https://www.microsoft.com/en-us/security/business/threat-protection/identity-defender

This solution allows SecOps teams to detect and investigate advanced threats, compromised identities, and malicious insider activity targeting their organizations.

This vulnerability (which Microsoft patched on Patch Tuesday, November 2020) can be exploited in a way that its discoverer, security consultant Jake Karnes, has dubbed the “Kerberos Bronze Bit attack”.

Microsoft responded to the Bronze Bit vulnerability with a two-stage phased deployment: an initial deployment phase on December 8 and an automated enforcement phase on February 9.

One month after Microsoft issued the CVE-2020-17049 patch, Karnes released proof-of-concept (PoC) exploit code and full details of how to use it.

https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-attack/

This exploit can bypass Kerberos delegation protection, allowing an attacker to escalate privileges, impersonate a targeted user, or move laterally within the compromised environment.

Karnes also provides a low-level overview with additional background on the Kerberos protocol, including practical exploit scenarios and details on implementing and using the Kerberos Bronze Bit attack against vulnerable servers.

With this additional information and the release of the PoC exploit, it is now much easier to break into Windows servers that have not received the CVE-2020-17049 patch.

PrintNightmare and Zerologon attacks can now be detected

After including Zerologon exploit detection in November 2020, Microsoft also added support for PrintNightmare exploit detection to Microsoft Defender for Identity in July.

Both are critical security vulnerabilities. PrintNightmare (CVE-2021-34527) allows an attacker to take over an affected server by elevating privileges to domain administrator, and Zerologon (CVE-2020-1472) can be used to spoof the account of a domain controller, leading to complete control of the entire domain.


Multiple attackers, including ransomware groups such as Vice Society, Conti, and Magniber, are exploiting PrintNightmare to compromise unpatched Windows servers.

In addition, both state-sponsored and financially motivated threat groups exploited systems left unpatched against the Zerologon vulnerability in September and late October. They have since been joined by the following threat groups:

  • Iranian-backed hacking group MuddyWater (also known as SeedWorm and MERCURY)
  • TA505 (also known as Chimborazo), as a distribution channel for the Clop ransomware
  • Chinese hackers known as APT10

Also in July, Microsoft updated Defender for Identity so that Security Operations (SecOps) teams can stop an attack by locking down the Active Directory accounts of compromised users.

Defender for Identity is bundled with Microsoft 365 E5, but if you don’t have a subscription yet, you can also sign up for an E5 Security trial to try out these features.

https://signup.microsoft.com/create-account/signup?OfferId=87dd2714-d452-48a0-a809-d2f58c4f68b7&ali=1&products=87dd2714-d452-48a0-a809-d2f58c4f68b7
