New Study Reveals Forged Certificate Attack Risks
New research has highlighted the severe risks posed by forged certificate attacks, which can lead to unauthorized access to important company resources.
These attacks, known as the Shadow Credentials technique, involve attackers exploiting certain parts of a system called Active Directory (AD) that manages user access to various services.
Kaspersky cybersecurity expert Alexander Rodchenko conducted the study, which was published today, and found essential clues to detect these attacks through the company’s managed detection and response (MDR) service. He also developed a tool to uncover suspicious activities within the system and crafted rules to help security systems identify potential attacks.
“Having analyzed the practical experience of our MDR service, I identified several signs of such attacks inside the network and developed a Proof-of-Concept utility capable of finding artifacts in AD, as well as a number of detection logic rules that can be added to SIEM,” the security expert wrote.
From a technical standpoint, the attackers abuse Kerberos public key cryptography for initial authentication (PKINIT) to authenticate as an account without needing that account's password.
In this context, the attackers present a certificate that the system trusts, of the kind normally issued by a Certificate Authority (CA) the domain trusts, to deceive the domain controller and obtain a Ticket Granting Ticket (TGT) without the user's password.
The study emphasized the importance of analyzing a specific Windows security event that is logged during these attacks (Event 4768, the Kerberos authentication ticket request), which contains crucial information about the certificates used by the attackers. To simplify triage, Rodchenko suggested using the ELK stack (Elasticsearch, Logstash and Kibana), which can help filter out legitimate requests.
“By default, Logstash actually knows how to convert the bit fields of Event 4768 into an array of values specific to a ticket in the list. This also makes the search much faster and smoother,” Rodchenko wrote.
Additionally, the researcher identified a key sign of suspicious activity: the absence of a particular flag in the system. By using specific scripts, Rodchenko was able to identify attacks based on this sign, revealing the activity of attacker tools Whisker and Rubeus.
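As an added illustration of the triage the article describes (not code from Kaspersky or the article), the script below decodes the TicketOptions bit field of Event 4768 into named flags, much as the Logstash conversion quoted above does, and lists certificate-based (PKINIT) TGT requests whose certificate issuer is not on an allowlist of the organisation's own CAs. The events, account names and issuer names are constructed samples; the allowlist is an assumption standing in for whatever the reader's environment treats as legitimate.

```python
# Added example: decode Event 4768 TicketOptions into flag names and surface
# PKINIT (certificate-based) TGT requests from unexpected issuers.
# All events below are constructed; issuer names and thumbprints are placeholders.

# KDC option bits as numbered in RFC 4120 (bit 0 is the most significant bit).
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}

# PreAuthType 16 (PA-PK-AS-REQ) marks a PKINIT request in Event 4768;
# 2 (PA-ENC-TIMESTAMP) is ordinary password-derived pre-authentication.
PKINIT_PREAUTH = 16

def decode_ticket_options(hex_value: str) -> list[str]:
    """Turn a 32-bit TicketOptions value such as '0x40810010' into flag names."""
    value = int(hex_value, 16)
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if value & (1 << (31 - bit))]

def suspicious_pkinit_requests(events: list[dict], trusted_issuers: set[str]) -> list[dict]:
    """Return 4768 events that used PKINIT with a certificate whose issuer is not
    on the allowlist; the allowlist is how legitimate smart-card logons are filtered out."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or int(ev.get("PreAuthType", 0)) != PKINIT_PREAUTH:
            continue
        if ev.get("CertIssuerName", "") not in trusted_issuers:
            hits.append({**ev, "TicketFlags": decode_ticket_options(ev["TicketOptions"])})
    return hits

# Constructed sample events; field names follow the Event 4768 schema.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketOptions": "0x40810010", "CertIssuerName": "", "CertThumbprint": ""},
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": "16",
     "TicketOptions": "0x40810010", "CertIssuerName": "CORP-ENTERPRISE-CA",
     "CertThumbprint": "PLACEHOLDER-THUMBPRINT-1"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "16",
     "TicketOptions": "0x40800010", "CertIssuerName": "svc-backup",
     "CertThumbprint": "PLACEHOLDER-THUMBPRINT-2"},
]

if __name__ == "__main__":
    for hit in suspicious_pkinit_requests(SAMPLE_EVENTS, {"CORP-ENTERPRISE-CA"}):
        print(hit["TargetUserName"], hit["CertIssuerName"], hit["TicketFlags"])
```

Only the third sample is reported: it is a PKINIT request, but its certificate issuer is not the enterprise CA, which is exactly the kind of request the article says should be compared against legitimate attributes.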
With the utility developed by Rodchenko, cybersecurity experts can compare legitimate and suspicious attributes in the system, making it easier to detect and respond to these attacks effectively.
The advisory comes months after ASEC published a report on a Lazarus Group campaign targeting South Korean finance firms using a zero-day vulnerability in certificate software.