noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds

January 11, 2022

| | Identity Protection

What Happened?

Microsoft recently published two critical CVEs related to Active Directory (CVE-2021-42278 and CVE-2021-42287), which when combined by a malicious actor could lead to privilege escalation with a direct path to a compromised domain.

 

In mid-December 2021, a public exploit that combined these two Microsoft Active Directory design flaws (referred also as “noPac”) was released. The exploit allowed the escalation of privileges of a regular domain user to domain administrator, which enables a malicious actor to launch multiple attacks such as domain takeover or a ransomware attack. This is a serious concern because this exploit was confirmed by multiple researchers as a low-effort exploit with critical impact. Researchers at Secureworks have demonstrated how to exploit these Active Directory flaws to gain domain privileges in just 16 seconds. Yes, you read it right — a compromised domain in a quarter of a minute!

 

Impact and Microsoft Response

These vulnerabilities cannot be taken lightly because there is now a public exploit that allows domain takeover with low effort, using just the default configuration. Gaining domain privileges allows threat actors to gain control over a domain and use it as a starting point to deploy malware, including ransomware. This is one of the most severe exploits discovered in the past 12 months, but it has been less publicly discussed partly due to all of the attention given to the Log4j vulnerability. Microsoft described the recent CVE as “less likely” for compromise, though exploits have already been published. Due to the criticality of the discovered bugs, Microsoft has published manual guidelines for users, with instructions on what they need to do to lower the possibility of being compromised by this public exploit. Among recommendations, users are required to:
  • Make sure all of the domain controllers (DCs) are patched. If even one of them remains unpatched, it will mean the whole domain is still vulnerable — and practically patching a domain controller is not trivial given the critical operational nature it serves for IT infrastructure.
  • Perform a manual search for suspicious events and then use those events as a starting point for further manual investigation. Not only is the search manual, but it also requires manually specifying all of the domain controllers by name. Again, any manual mistake here might lead to missed hunting leads.

What Does This Mean for Falcon Customers?

CrowdStrike Falcon® Identity Protection customers can automatically detect attempted exploitation of these vulnerabilities — even if they haven’t had an opportunity to apply these patches to the Active Directory DCs. This is thanks to a recently released enhancement that allows automatic detection of CVE-2021-42278 and CVE-2021-42287 exploitation (aka “noPac”), triggering alerts for any exploitation attempts. We understand the already-existing overhead for security teams, and the importance of prioritizing manual efforts and your attention, and therefore we’ve ensured that this detection doesn’t require any additional manual configuration by our customers. In addition to the detection above, Falcon Identity Protection is able to block noPac with a simple policy to enforce multi factor authentication (MFA) on users, regardless of the detection. Customers with an active Falcon Identity Protection policy for their users are secure. This won’t be the first time that Falcon Identity Protection customers are protected from discovered flaws in Microsoft Active Directory, enabling them to react to vulnerabilities according to their schedule. In January 2021, the MSRPC Printer Spooler Relay (CVE-2021-1678) vulnerability was

 

discovered and required users to patch the environment. And in that case, it wasn’t enough just to patch — additional configuration was required. Falcon Identity Protection also had that exploit covered by detecting NTLM anomalies and NTLM relay attacks. There isn’t yet a detection provided by Microsoft to this day.
We have seen NTLM-related exploits earlier when Drop the MIC 2 (CVE 2019-1166) and Exploiting LMv2 Clients (CVE-2019-1338) were discovered by CrowdStrike researchers. In those cases, Microsoft users were required to urgently patch their environment without any visibility into if the exploit was in use, whereas Falcon Identity Protection customers had active detection and prevention capabilities. The Bronze Bit attack (CVE-2020-17049) is another example of a vulnerability that was discovered more than a year ago, and Microsoft’s solution was to ask users to immediately patch the domain controllers. While Falcon Identity Protection customers have a detection in place, Microsoft still hasn’t released its planned detection. There are other vulnerabilities, such as Zerologon (CVE-2020-1472), that are discovered in Microsoft Active Directory every year and ongoing challenges with Microsoft AD supply chain compromises. We probably won’t stop seeing new vulnerabilities, the question that you should ask is how well your organization is protected before you are able to patch your environment and make sure nothing else is broken while doing it. As seen in the example above, Falcon Identity Protection customers are being protected not just by dedicated detections but also by the ability to enforce Zero Trust policy to prevent credential theft and exploitation in the domain.

Conclusion

This vulnerability once again clearly demonstrates the direct relation between identity and ransomware. Patching and changing configuration might take time, especially with multiple vulnerabilities happening at the same time (e.g., Log4j). CrowdStrike believes that our customers should be secured and protected continuously, to allow you to be able to prioritize your work according to your plan.

Additional Resources

Breaches Stop Here