Microsoft Office and Active Directory: security vulnerabilities
Microsoft and Sophos have observed attackers targeting the Office suite and Active Directory. In the Office case, the attackers took advantage of the incomplete coverage of a patch.
Details of the Office flaw
As a reminder, Microsoft already fixed this flaw in September to stop cybercriminals from executing malicious code embedded in a Word document by downloading a CAB archive. Working from a proof of concept (PoC), attackers have since developed a method to bypass that patch for the Office vulnerability, which gave them remote code execution. They delivered the Formbook malware in a Word document packaged inside a RAR archive, defeating the fix for CVE-2021-40444: with the help of the PoC, they simply used a different archive format.
According to a well-known security firm, this is professional-grade hacking: the cybercriminals distributed the malware in spam for 36 hours and then vanished. The malware is meant to be used later, hence the importance of educating employees not to open compressed files attached to their e-mails.
The attack on Microsoft’s Active Directory
In its security bulletin update, Microsoft noted two vulnerabilities in Active Directory: CVE-2021-42287 and CVE-2021-42278. Andrew Bartlett of Catalyst IT discovered these flaws, and they were fixed on Patch Tuesday in November 2021. For attackers, Active Directory is an open door to a company's entire IT system, so if an organization delays patching its domain controllers, the two flaws are easily exploitable. An attacker can then craft a malicious LDAP request to gain complete control over the authentication server. This attack has already been shown to work against Windows Server 2000, where a simple user could use it to access Active Directory. Against Windows Server 2003, the attacker can use it with a valid user name to execute the request.
In an alert, Microsoft reported a PoC published on Twitter and GitHub that combines the two flaws to attack Windows; the technique was published on December 11th. In an Active Directory environment that has not been updated, a cybercriminal can use these two vulnerabilities to escalate directly from an ordinary domain user to administrator level, which explains the need for regular updates. Since the PoC's release, attackers have been exploiting these vulnerabilities without even needing to reverse-engineer the patches; as cybersecurity researchers have confirmed, the technique is easy to use.
To spot signs of Active Directory compromise, Microsoft provides guidance through Microsoft 365 Defender. The most important step is to update the domain controllers. To avoid attacks, organizations must manage the vulnerabilities of Active Directory and ensure the security of the wider IT ecosystem. They also need to protect domain accounts and implement security access controls.