By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
10alert.com10alert.com
  • Threats
    • WordPress ThreatsDanger
    Threats
    A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber threats include…
    Show More
    Top News
    LofyLife: malicious packages in npm repository
    8 months ago
    Cloak and Dagger: A hole in Android
    7 months ago
    Mobile malware masked as porn apps
    8 months ago
    Latest News
    Safeguards against firmware signed with stolen MSI keys
    1 day ago
    WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
    1 day ago
    Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
    6 days ago
    Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
    1 week ago
  • Fix
    Fix
    Troubleshooting guide you need when errors, bugs or technical glitches might ruin your digital experience.
    Show More
    Top News
    Surface Pro 4 teardown: Get a closer look at the components
    8 months ago
    How to reset Windows Update components on Windows 10
    8 months ago
    Windows 11 build 22610 with new changes in Dev and Beta Channels
    8 months ago
    Latest News
    How automatically delete unused files from my Downloads folder?
    4 months ago
    Now you can speed up any video in your browser
    4 months ago
    How to restore access to a file after EFS or view it on another computer?
    4 months ago
    18 Proven Tips to Speed Up Your WordPress Site and Improve SEO | 2023 Guide
    5 months ago
  • How To
    How ToShow More
    What is two-factor authentication | Kaspersky official blog
    2 days ago
    Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
    4 days ago
    NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
    4 days ago
    How Oxy uses hooks for maximum extensibility
    How Oxy uses hooks for maximum extensibility
    5 days ago
    The personal threat landscape: securing yourself smartly
    5 days ago
  • News
    News
    This category of resources includes the latest technology news and updates, covering a wide range of topics and innovations in the tech industry. From new…
    Show More
    Top News
    How do you know if your accounts have been hacked?
    8 months ago
    How to protect yourself from piercing by IP address?
    8 months ago
    How to find out the IP address of your enemy in a couple of clicks
    8 months ago
    Latest News
    How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
    2 days ago
    How to enable Taskbar End Task option to close apps on Windows 11
    2 days ago
    How to check USB4 devices specs from Settings on Windows 11
    2 days ago
    How to enable new header UI for File Explorer on Windows 11
    1 week ago
  • Glossary
  • My Bookmarks
Reading: Attacks on enterprise security: Microsoft services as a weapon
Share
Notification Show More
Aa
Aa
10alert.com10alert.com
  • Threats
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
  • Threats
    • WordPress ThreatsDanger
  • Fix
  • How To
  • News
  • Glossary
  • My Bookmarks
Follow US
AppsThreats

Attacks on enterprise security: Microsoft services as a weapon

Tom Grant
Last updated: 13 October
Tom Grant 8 months ago
Share
5 Min Read

Hackers have gone big with the exploitation of legitimate software. Several reports at the Black Hat 2017 conference demonstrated that Microsoft enterprise solutions could be quite useful in an attacker’s hands.

Companies that use hybrid clouds need to adopt different security considerations than those that use traditional cloud systems. However, in practice they are not updating fast enough, and that results in numerous security blind spots that attackers can exploit, as was demonstrated in July at the hacker conference Black Hat 2017. Studies showed how a typical office infrastructure can actually help attackers remain invisible to the majority of security solutions.

Once financially motivated hackers have infiltrated a corporate network, their greatest difficulty is achieving covert data exchange among infected machines. Essentially, their goal is to have infected machines receive commands and transmit stolen information without alerting intrusion detection systems (IDS) and data loss prevention (DLP) systems. Helping such attackers, Microsoft services sometimes do not work under security zone restrictions, so the data transmitted by these services is not scanned deeply enough.

A study by Ty Miller and Paul Kalinin of Threat Intelligence shows how bots can communicate through Active Directory (AD) services on a corporate network. Because all clients — including mobile ones — on a network, and the majority of servers, must access AD for authentication, an AD server is the “central communication point,” which is very convenient for managing a botnet. Moreover, the researchers say that integration of Azure AD with an enterprise AD server grants direct access to a botnet from the outside.

How can AD assist in managing a botnet and extracting data? The concept is very simple. By default, each client on the network can update its information — for example, the user’s telephone number and e-mail address — on the AD server. The write-enabled fields include high-capacity ones that can store up to a megabyte of data. Other AD users can read all of this information, thus creating a communication channel.

The write-enabled fields include high-capacity ones that can store up to a megabyte of data.

Researchers recommend monitoring AD fields for periodic, unusual changes and disabling users’ ability to write to most fields.

Researchers recommend monitoring AD fields for periodic, unusual changes and disabling users' ability to write to most fields.

A study by Craig Dods of Juniper Networks sheds light on another technique for covert data extraction, using Office 365 services. The most popular among the techniques employs OneDrive for Business, which almost 80% of Microsoft Online Services clients use. Hackers like it because corporate IT guys usually trust Microsoft servers, allowing high-speed connections to them and skipping decryption for uploads. As a result, a hacker’s task comes down to connecting a OneDrive disk on a targeted computer by using other, non-enterprise-user credentials. In that case, copying data to OneDrive is not considered an attempt to leave the perimeter, so security systems assume that the connected disk is an enterprise one. The disk can be connected in invisible mode, lowering the chances of detection. The attacker needs two more Microsoft tools for that, namely Internet Explorer and PowerShell. As a result, a bot can freely copy data to “its own” disk, and the attacker can simply download if from OneDrive.

According to Dods, to stay protected against such an attack, users need to restrict access to allow only enterprise Office 365 subdomains that belong to the company. Running a deep inspection of encrypted traffic and analyzing the behavior of PowerShell scripts in a sandbox is also recommended.

Do take into account that both of these threats are still only hypothetical. To use the technologies, cybercriminals have to start by infiltrating a victim’s infrastructure — somehow. Once they do that, however, their activity will be undetectable not only to the majority of up-to-date security solutions but to the unprepared observer as well. That is why it makes sense to analyze IT infrastructure for vulnerabilities periodically. We, for example, have a whole set of expert services for analyzing what goes on in your infrastructure from the perspective of information security — and, if necessary, checking the system for intrusion.


Source: kaspersky.com

Translate this article

TAGGED: Authentication, Microsoft, Microsoft Office, Sandbox Escape, Security, Software, Threat, Threats, Vulnerabilities
Tom Grant October 13, 2022 October 7, 2022
Share this Article
Facebook Twitter Reddit Telegram Email Copy Link Print

STAY CONECTED

24.8k Followers Like
253.9k Followers Follow
33.7k Subscribers Subscribe
124.8k Members Follow

LAST 10 ALERT

Safeguards against firmware signed with stolen MSI keys
Threats 1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats 1 day ago
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
News 2 days ago
How to enable Taskbar End Task option to close apps on Windows 11
News 2 days ago
How to check USB4 devices specs from Settings on Windows 11
News 2 days ago

Recent Posts

  • Safeguards against firmware signed with stolen MSI keys
  • WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
  • How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
  • How to enable Taskbar End Task option to close apps on Windows 11
  • How to check USB4 devices specs from Settings on Windows 11

You Might Also Like

Threats

Safeguards against firmware signed with stolen MSI keys

1 day ago
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
Wordpress Threats

WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin

1 day ago
News

How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11

2 days ago
News

How to check USB4 devices specs from Settings on Windows 11

2 days ago
Show More

Related stories

How to Use Cloudflare to Secure Your WordPress Site
How To Starting Chrome from the command line
How to fix error 0x80070057 in Chrome?
Windows 10 How To Disable Slide to Shutdown
Windows search not working (FIX)
How to watch movies and TV series for free on Kinopoisk?
Previous Next

10 New Stories

What is two-factor authentication | Kaspersky official blog
Acer refreshes Windows 11 PCs for work and play: Swift Edge 16 and Predator Triton 16
NVIDIA GeForce RTX 4080 New Mercury Editions of Razer Blade 16 and Blade 18 now available
How Oxy uses hooks for maximum extensibility
The personal threat landscape: securing yourself smartly
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
Previous Next
Hot News
Safeguards against firmware signed with stolen MSI keys
WPDeveloper Addresses Privilege Escalation Vulnerability in ReviewX WordPress Plugin
How to create virtual drive (VHD, VHDX, Dev Drive) on Windows 11
How to enable Taskbar End Task option to close apps on Windows 11
How to check USB4 devices specs from Settings on Windows 11
10alert.com10alert.com
Follow US

© 10 Alert Network. All Rights Reserved.

  • Privacy Policy
  • Contact
  • Customize Interests
  • My Bookmarks
  • Glossary
Go to mobile version
adbanner
AdBlock Detected
Our site is an advertising supported site. Please whitelist to support our site.
Okay, I'll Whitelist
Welcome Back!

Sign in to your account

Lost your password?