Recently discovered Russian-linked MagicWeb malware that exploits on-premises Microsoft Active Directory Federation Services underscores the benefits of cloud-based infrastructure and zero trust, security researchers say.

Microsoft in an alert this week said Nobelium, the Russian state-sponsored group linked to the SolarWinds supply chain hack in 2020, deployed MagicWeb by gaining access to "highly privileged credentials" at an unnamed organization and then moved laterally to gain administrative privileges to an Active Directory Federation Services system.

MagicWeb is a malicious DLL that allows manipulation of the claims passed in tokens generated by an Active Directory Federation Services server, giving attackers the ability to "sign in as any user" and bypass multi-factor authentication, Microsoft says.

To safeguard against such attacks, the software giant recommends isolating the infrastructure, ensuring proper monitoring, limiting access to dedicated admin accounts, and considering a move to a cloud-based solution such as Azure Active Directory for federated authentication.

"AD FS is an on-premises server, and as with all on-premises servers, deployments can get out of date and/or go unpatched, and they can be impacted by local environment compromises and lateral movement," according to the Microsoft advisory.

The incident highlights the inherent weakness of taking a hybrid approach to Azure Active Directory, which many organizations have adopted in recent years as they straddle the data center and the cloud, says Aaron Turner, chief technology officer of SaaS Protect at Vectra, a San Jose, California-based AI cybersecurity company. Many thought retaining on-premises control of accounts in the legacy Active Directory would provide better visibility into attempts to compromise identities.