Author: Fabian Crespo, Consultant, Technical Testing
Microsoft Active Directory (AD) is an attractive target for cyber attackers because it is central to an organization’s IT infrastructure, providing access to systems, applications, and resources. (Azure Active Directory has been renamed to Microsoft Entra ID.) This is especially true in a highly distributed healthcare environment, making AD security a critical component of your cybersecurity program. In-house research by Hacker News found that over half of cyber attacks involve some kind of Active Directory compromise. Recent research by Sophos X-Ops found that it took a ransomware gang less than a day to breach Microsoft Active Directory, and that most AD servers they investigated were either defended only by Microsoft Defender or had no defense.
In this article, we highlight three pressing vulnerabilities and risks that can expose AD accounts:
- Default Credentials on Internal Web Applications/Services
- SMB Relay Attacks
- Weak Password Policies
This guidance comes from common risks found in providing services to healthcare organizations of all sizes. Learn the steps to take to enhance the security of your Active Directory environment.
Default Credentials on Web Applications/Services
a) The Attack & How It Works: Default credentials serve as a simple entry point for attackers. Many web applications come with preset usernames and passwords that are well known and easily discoverable. An example would be a print server web application. Attackers are well versed in these defaults and can readily exploit them. With these application credentials, they can move to other systems, and even change configurations and manipulate AD accounts using LDAP authentication.
b) Impact on Healthcare: Within healthcare systems, the exploitation of default credentials leads to unauthorized access and man-in-the-middle attacks aimed at accessing the flow of patient information or possibly compromising the confidentiality and integrity of data.
c) Preventive Measures:
- Change default usernames and passwords after application installation or deployment.
- Enforce robust password requirements, combining alphanumeric characters, symbols, and varied case, and do not reuse these passwords across web applications or services.
- Regularly review web application configurations to confirm unique credentials are being used and have not been altered back to default settings.
SMB Relay Attacks
a) The Attack & How It Works: In an SMB Relay Attack, malicious actors intercept an active Server Message Block (SMB) session, capturing the mechanism for authentication and opening the door to using these credentials. They then relay these credentials to gain unauthorized access to target systems. In the past, the default configuration for client systems was to have SMB signing disabled, expanding the footprint of systems that a captured credential could access.
b) Impact on Healthcare: If successful, attackers can gain unrestricted access to critical systems, leading to potential data breaches, unauthorized alterations to patient records, and other malicious activities.
c) Preventive Measures:
- Enable SMB signing and make it required, so that the validity of all SMB communications is enforced.
- Segment critical systems to isolate them and prevent lateral movement through relay attacks.
- Implement security solutions to monitor SMB port communications and prevent relay-type attacks.
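The first measure above can be checked and applied with the built-in SMB cmdlets. The following is an added example, not code from the original article; it assumes the hosts are reachable over CIM/WinRM with administrative rights, and the function name and the `RelayExposed` column are illustrative.

```powershell
# Added example: audit SMB signing on a list of hosts and optionally require it.
# Assumes CIM/WinRM connectivity and admin rights on each host.
function Get-SmbSigningStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Enforce   # when set, turn on "required" wherever it is off
    )
    foreach ($name in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $name -ErrorAction Stop
            $server  = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
            $client  = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
            if ($Enforce) {
                if (-not $server.RequireSecuritySignature) {
                    Set-SmbServerConfiguration -RequireSecuritySignature $true -CimSession $session -Force
                }
                if (-not $client.RequireSecuritySignature) {
                    Set-SmbClientConfiguration -RequireSecuritySignature $true -CimSession $session -Force
                }
                # Re-read so the report reflects the state after the change
                $server = Get-SmbServerConfiguration -CimSession $session -ErrorAction Stop
                $client = Get-SmbClientConfiguration -CimSession $session -ErrorAction Stop
            }
            [pscustomobject]@{
                ComputerName   = $name
                ServerRequired = [bool]$server.RequireSecuritySignature
                ClientRequired = [bool]$client.RequireSecuritySignature
                # A server that does not require signing will accept a relayed session
                RelayExposed   = -not $server.RequireSecuritySignature
                Error          = $null
            }
        }
        catch {
            [pscustomobject]@{ ComputerName = $name; ServerRequired = $null
                ClientRequired = $null; RelayExposed = $null; Error = $_.Exception.Message }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Report only (no changes) for the local machine; pass more host names to widen the audit
Get-SmbSigningStatus -ComputerName $env:COMPUTERNAME |
    Sort-Object RelayExposed -Descending | Format-Table -AutoSize
```

Run it without `-Enforce` first and test the change on a pilot group, since legacy devices that cannot sign SMB traffic will lose access once signing is required.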
Weak Password Policies
a) The Attack & How It Works: Weak passwords and policies make it easy for attackers to take advantage. Attackers have databases of guessable words or combinations. This is even riskier when administrators use weak passwords for account access because, once compromised, access is much broader and deeper with administrative privileges. Malicious actors often test for these weak passwords through password guessing and password spraying techniques.
b) Impact on Healthcare: Subpar password policies could result in unauthorized access to sensitive patient data, potential data breaches, and operational disruptions.
c) Preventive Measures:
- Implement multi-factor authentication (MFA) for all healthcare system accounts.
- Enforce robust password requirements, combining alphanumeric characters, symbols, and varied case.
- Regularly educate staff about password best practices and the dangers of weak passwords.
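To see whether the domain actually enforces robust requirements, the effective AD password policies can be compared with a baseline. This is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module is installed, and the baseline numbers and function name are illustrative assumptions to be replaced with your organization's standard.

```powershell
# Added example: compare AD password policies with a baseline.
# Baseline values are assumptions for illustration, not figures from the article.
Import-Module ActiveDirectory

$Baseline = @{ MinPasswordLength = 14; PasswordHistoryCount = 24; LockoutThreshold = 10 }

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)]$Policy,
        [Parameter(Mandatory)][string]$Label
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) below $($Baseline.MinPasswordLength)"
    }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'Complexity disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption enabled' }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount $($Policy.PasswordHistoryCount) below $($Baseline.PasswordHistoryCount)"
    }
    # A threshold of 0 means accounts never lock, so guessing and spraying are unlimited
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "LockoutThreshold $($Policy.LockoutThreshold) (0 = never lock)"
    }
    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy')

# Fine-grained policies override the domain default for the users and groups they apply to
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $results += Test-PasswordPolicy -Policy $_ -Label "FGPP: $($_.Name) (precedence $($_.Precedence))"
}

$results | Format-Table -AutoSize -Wrap
```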
By understanding and addressing these Active Directory exposure points, healthcare organizations can fortify their security controls, ensuring the confidentiality, integrity, and availability of patient data and care delivery systems.
In the ever-evolving realm of cybersecurity, proactive measures are the best defense. Ensure your organization stays updated, safeguarding both its reputation and its patients. Conduct regular security reviews and invest in comprehensive staff training to maintain a robust security posture against emerging threats.
Clearwater has experts who can help you manage vulnerabilities across your IT environment. Contact us if you need assistance.