Many of you are aware of the attacks on Exchange Servers around the world last year, and since then it has been a constant drive to keep Exchange servers patched and to upgrade to supported versions that still receive updates. The November 2021 Security Update for Exchange 2016/2019 closes more security holes, and it is advisable to get your systems patched as soon as possible, because adversaries are constantly scanning for unpatched victims.
In this article, however, we are going to talk about patching Active Directory. Active Directory has been under attack for a while now, and adversaries keep finding new ways to compromise servers and then elevate privileges to cause damage. You may be asking why I am talking about Active Directory here and not Exchange. Well, Exchange and Active Directory work hand in hand: if your Active Directory environment is broken or down, your Exchange servers will be down too. Yes, you heard right, you cannot leave your Active Directory environment unpatched. The same TLC you apply to Exchange has to be applied to Active Directory.
I did a video on YouTube a while back on how easy it is to break an Active Directory environment using the Zerologon exploit (CVE-2020-1472). Once you have access to a domain controller, you can use tools like Mimikatz to dump the password hashes, and then tools like hashcat to crack those hashes and recover the account passwords. In many cases the attacker does not even need to crack them, since an NTLM hash can be replayed directly (pass-the-hash). This can be done pretty quickly and gives an attacker the upper hand.
Just recently, thehackernews.com published an article outlining two new Active Directory vulnerabilities, CVE-2021-42278 and CVE-2021-42287, that could cripple your environment if an adversary gained a foothold in it: chained together, they let an ordinary domain user impersonate a domain controller account and take over the domain. Each carries a CVSS severity rating of 7.5, which is High, and the November 2021 Patch Tuesday updates address both. Many IT admins do not like patching because it takes time and can break a server, which we have seen, but I have personally applied these updates in different environments without issue. The article regarding the two vulnerabilities can be found below:
If you are behind on applying Windows updates to your domain controllers, your patch cycle is going to take a bit longer to complete. Attackers are still using the Zerologon exploit to cripple environments and to deploy ransomware. This brings me back to my point about patching: an old, unpatched vulnerability can be the entry point for other attacks, whether the target is Active Directory or Exchange. Once an attacker is in your environment with elevated privileges, they can do anything, including holding your company to ransom or going as far as extortion to get your execs to pay up millions of dollars.
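To tie the Zerologon discussion above to the point about domain controllers that are behind on updates, here is an added PowerShell audit (example code written for this article, not from the original post or from Microsoft) that reports every domain controller's build and update revision (UBR) alongside its Netlogon secure channel enforcement state and recent Netlogon enforcement events. It assumes the ActiveDirectory RSAT module, WinRM access to each DC and domain admin rights; the hostnames and values are whatever your domain returns.

```powershell
# Added example, not code from the original article: audit every DC for patch level
# and for Zerologon (CVE-2020-1472) enforcement. Assumes the ActiveDirectory RSAT
# module, WinRM (Invoke-Command) access to each DC and domain admin rights.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    $remote = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        # Build + UBR is the reliable patch-level indicator: every monthly cumulative
        # update raises the UBR, whereas the KB list from Get-HotFix is often incomplete.
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

        # Netlogon enforcement. Since the February 2021 enforcement phase a patched DC
        # denies vulnerable Netlogon secure channel connections unless this value is 0;
        # 1 is the explicit "enforce" setting, missing means the (enforced) default.
        $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                -ErrorAction SilentlyContinue

        [pscustomobject]@{
            BuildNumber = [string]$ver.CurrentBuildNumber
            UBR         = [int]$ver.UBR
            Enforce     = $nl.FullSecureChannelProtection
        }
    }

    # Netlogon events written by a patched DC: 5827/5828 = vulnerable connection denied,
    # 5829 = vulnerable connection allowed (DC not enforcing, or the device is exempted).
    # An unpatched DC logs none of these, so "no events" is not proof of patching;
    # the build/UBR columns are.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5827, 5828, 5829
        StartTime = (Get-Date).AddDays(-7)
    }

    [pscustomobject]@{
        DC                          = $dc
        Reachable                   = [bool]$remote
        BuildNumber                 = $remote.BuildNumber
        UBR                         = $remote.UBR
        FullSecureChannelProtection = $remote.Enforce
        VulnerableAllowed7d         = @($events | Where-Object { $_.Id -eq 5829 }).Count
        VulnerableDenied7d          = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
    }
}

# "Behind" = lower UBR than the newest DC on the same OS build in this domain. It does
# not prove the newest DC is current; compare that UBR with Microsoft's release
# information for the build as well.
$latest = @{}
$report | Where-Object { $_.Reachable } | Group-Object BuildNumber | ForEach-Object {
    $latest[$_.Name] = ($_.Group | Measure-Object UBR -Maximum).Maximum
}

$report | Sort-Object BuildNumber, UBR | Format-Table DC, Reachable, BuildNumber, UBR,
    @{ n = 'Behind'; e = { $_.Reachable -and $_.UBR -lt $latest[$_.BuildNumber] } },
    FullSecureChannelProtection, VulnerableAllowed7d, VulnerableDenied7d -AutoSize
```

Any DC showing Behind = True, FullSecureChannelProtection = 0, or a non-zero VulnerableAllowed7d count is the one to fix first; a DC that is not reachable over WinRM needs to be checked by hand rather than assumed clean.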
The attacks are becoming more frequent and, from what I have seen, you do not know they are in your environment until it is too late. Patching Exchange and Active Directory is just one component. If you expose plain LDAP (Lightweight Directory Access Protocol, TCP port 389) to the internet, you are using an insecure method: a simple bind sends the username and password in clear text. You will need to prepare your environment for Secure LDAP (LDAPS), which is out of scope for this article, and update the publishing rules on your firewall so that port 636 is the only one exposed and lock it down to the source IP addresses that actually need it; better still, put those clients behind a VPN and do not publish the directory at all. As you can see, there are more steps involved in securing an environment than simply patching Windows.
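Before (or instead of) publishing LDAPS, it is worth verifying what the domain controller actually does today. The following PowerShell script is an added example written for this article, not code from the original post: it reads the LDAP signing requirement, performs a real TLS handshake against port 636 and validates the certificate, lists the clients still binding insecurely over 389 (event 2889), and offers a function that mirrors the perimeter allow-list on the DC's host firewall. The DC name and the allowed source address are illustrative placeholders, and the script assumes WinRM access and admin rights on the DC.

```powershell
# Added example, not code from the original article. $Dc and $AllowedSources are
# illustrative placeholders; replace them with your own DC and the external addresses
# that genuinely need LDAPS. Assumes WinRM access and admin rights on the DC.
param(
    [string]$Dc = 'dc01.corp.example',
    [string[]]$AllowedSources = @('203.0.113.10')
)

# 1. LDAP server signing: 2 = Require signing, 1 or missing = Negotiate (the default).
#    With Negotiate a client may still complete a clear-text simple bind over 389.
$ldapSigning = Invoke-Command -ComputerName $Dc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -ErrorAction SilentlyContinue).LDAPServerIntegrity
}

# 2. Does TCP 636 complete a TLS handshake with a certificate that names the DC?
#    AuthenticateAsClient validates chain and hostname, so an expired or self-signed
#    certificate shows up as an exception instead of a misleading "port is open".
function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port = 636)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# 3. Who is still binding insecurely over 389? The DC logs event 2889 per client, but
#    only once the "16 LDAP Interface Events" diagnostic level is raised to 2; with the
#    default level this query returns nothing and must not be read as "nobody".
$insecureClients = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-1)
} | ForEach-Object {
    $ip = $who = $null
    if ($_.Message -match 'Client IP address:\s*(\S+)') { $ip  = $Matches[1] }
    if ($_.Message -match 'authenticate as:\s*(\S+)')   { $who = $Matches[1] }
    [pscustomobject]@{ Client = $ip; Identity = $who }
} | Group-Object Client, Identity | Select-Object Count, Name

# 4. Defence in depth behind the perimeter rule: restrict every inbound allow rule that
#    opens 636 on the DC to the approved sources plus the local subnet. The built-in
#    "Active Directory Domain Controller" rules allow 636 from anywhere, so adding a new
#    allow rule would change nothing; the existing rules must be narrowed instead.
#    Deliberately a function that is not called, so the checks above can run on their own.
function Set-LdapsHostRule {
    param([string]$ComputerName, [string[]]$Sources)
    Invoke-Command -ComputerName $ComputerName -ArgumentList (, $Sources) -ScriptBlock {
        param($src)
        Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 636 } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
            Set-NetFirewallRule -RemoteAddress (@('LocalSubnet') + $src)
    }
}

"LDAPServerIntegrity on ${Dc}: $ldapSigning (2 = signing required)"
Test-LdapsEndpoint -HostName $Dc
"Insecure binds in the last 24 hours (event 2889):"
$insecureClients
```

Run the checks first and fix what they find (raise LDAPServerIntegrity to 2 only after the 2889 list is empty, or you will break those clients); call Set-LdapsHostRule afterwards, once the perimeter allow-list is agreed.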
If you are running outdated software, firewalls on old firmware, or default usernames and passwords on switches or other physical devices that can reach the internet, you are opening yourself up to a major attack. Anything that touches the internet has to be locked down. Say you have cameras exposed to the internet but never changed the default credentials: attackers can get in through them, because the default credentials for almost every device are published online, and from there they can move around your network and exploit it.
I encourage you to take a look at everything in your environment and start replacing equipment that no longer receives firmware or patches. Go and change all the default credentials on appliances. Look at implementing a stronger firewall, or speak to your ISP if you are leasing it, to ensure that the firmware and the VPN clients that go with it are up to date. Document your environment so that you know what is going to the internet. Lock down devices that need internet access to only the ports they require. Look at implementing 2FA on accounts, and TACACS+ on your Cisco switches if you have Cisco equipment. Implement web filtering (surf control) so that end users cannot download pirated copies of games, movies, etc. that are riddled with malware, ransomware and viruses, which can also open a backdoor out to an attacker.
The above is just a few suggestions; there are many more out there, but as you can see, if you do not have a system in place that keeps track of what is going on in your environment, you may have been attacked already without knowing it. If you do get breached but your systems are patched, chances are the attack will be far less impactful than one against unpatched systems.