CyberArk Labs: Exploiting Domain-Level Service Credentials
November 16 2016 - 9:01AM
Business Wire
Attackers with Local Administrator Rights Can
Harvest Encrypted Service Credentials to Achieve Lateral Movement
and Full Domain Compromise
CyberArk (NASDAQ: CYBR) today unveiled new research from
CyberArk Labs detailing what it considers to be a significant risk
across all Windows endpoints, including those on Windows 10 with
Credential Guard enabled. The exploit could allow cyber attackers
to harvest encrypted service credentials from the registry and
inject them into a new malicious service to achieve lateral
movement and full domain compromise.
Microsoft Credential Guard was introduced to mitigate the risk
of lateral movement using compromised credentials, yet Credential
Guard does not protect domain-level user and service credentials
equally. Despite being encrypted, domain-level service credentials
remain in the registry, at risk of compromise by attackers who have
obtained local administrator privileges on an infected
endpoint.
Similar in concept to Pass-the-Hash attacks, the technique, if fully
exploited, would let cyber attackers compromise and reuse an encrypted
service credential – without ever needing to decrypt it – to move
laterally through the organization and ultimately gain access to a
domain controller.
From Stolen Credential to Domain Compromise
In a proof of concept, CyberArk Labs researchers were able to demonstrate that
attackers with local administrator access on a single user’s
machine could compromise domain-level service credentials and reuse
them in encrypted form to achieve lateral movement and full domain
compromise, even when Credential Guard is enabled. CyberArk’s
testing showed that an attacker with local administrator access
would not have to use malware to execute this type of attack, and
by exploiting this risk, an attacker could gain full ownership of
the entire domain in just minutes.
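The exposure described above is a domain-level account configured as the logon identity of a Windows service, whose secret the service control manager keeps (encrypted) in the registry. The following PowerShell is an added defender-side check, not code from CyberArk Labs or the report: it inventories the services on a host that run under a domain account (the credentials at risk), and lists recent service installations from System event 7045, which is the kind of change the release's "new malicious service" step would produce. Function names are my own; it assumes administrative rights on the host being queried.

```powershell
# Added example (not from the CyberArk report). Inventory services whose
# logon account is a domain-level account, i.e. the credentials the press
# release says remain encrypted in the registry. Run as an administrator.

function Get-DomainServiceAccounts {
    [CmdletBinding()]
    param(
        # Computer to query; defaults to the local host.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Built-in identities that are not domain-level credentials.
    $builtin = @(
        'LocalSystem',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService',
        'NT AUTHORITY\LOCAL SERVICE',
        'NT AUTHORITY\NETWORK SERVICE'
    )

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object {
            $_.StartName -and
            ($builtin -notcontains $_.StartName) -and
            ($_.StartName -notlike 'NT SERVICE\*') -and        # virtual service accounts
            ($_.StartName -notlike '.\*') -and                 # local user accounts
            ($_.StartName -notlike "$ComputerName\*")          # local user accounts
        } |
        Select-Object @{ n = 'Computer'; e = { $ComputerName } },
                      Name, DisplayName, State, StartMode, StartName, PathName
}

# Second check: recent service installations. The Service Control Manager
# writes System event 7045 whenever a new service is installed; a new service
# whose account is a domain account deserves a look.
function Get-RecentServiceInstalls {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event 7045 data fields, in order: ServiceName, ImagePath,
        # ServiceType, StartType, AccountName.
        [pscustomobject]@{
            Computer    = $ComputerName
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            Account     = $_.Properties[4].Value
        }
    }
}

# Usage: run against the local host; pass -ComputerName to cover other hosts.
Get-DomainServiceAccounts | Format-Table -AutoSize
Get-RecentServiceInstalls -Days 30 | Format-Table -AutoSize
```

Every row the first function returns is a domain credential that a local administrator on that host could reach regardless of Credential Guard; the shorter that list, and the more of those accounts that are group Managed Service Accounts or otherwise low-privilege, the smaller the lateral-movement surface the release describes. The second function is worth feeding into a SIEM rule rather than running by hand.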
“This research is important to help organizations understand
that not all credentials are protected equally, and further,
encrypted credentials are not necessarily secure,” said Kobi Ben
Naim, senior director of cyber research, CyberArk Labs. “By better
understanding the risks associated with credential theft,
organizations can prioritize mitigation strategies, starting on the
endpoint.”
To learn more, including the specific attack methodology and
mitigation strategies for domain-level service credential exploits,
read the full CyberArk Labs report, “Stealing Service Credentials
to Achieve Full Domain Compromise.”
Research from CyberArk Labs focuses on targeted attacks against
organizational networks – the methods, tools and techniques
employed by cyber attackers, as well as methods and techniques to
detect and mitigate such attacks.
About CyberArk
CyberArk is the only security company
focused on eliminating the most advanced cyber threats; those that
use insider privileges to attack the heart of the enterprise.
Dedicated to stopping attacks before they stop business, CyberArk
proactively secures against cyber threats before attacks can
escalate and do irreparable damage. The company is trusted by the
world’s leading companies – including 45 percent of the Fortune 100
– to protect their highest value information assets, infrastructure
and applications. A global company, CyberArk is headquartered in
Petach Tikvah, Israel, with U.S. headquarters located in Newton,
Mass. The company also has offices throughout EMEA and Asia Pacific
and Japan. To learn more about CyberArk, visit www.cyberark.com,
read the company blog, http://www.cyberark.com/blog/, follow
on Twitter @CyberArk or Facebook
at https://www.facebook.com/CyberArk.
Copyright © 2016 CyberArk Software. All Rights Reserved.
Microsoft® and Windows® are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or
other countries. All other brand names, product names, or
trademarks belong to their respective holders.
View source version on businesswire.com: http://www.businesswire.com/news/home/20161116005318/en/
Media Relations Contacts:
fama PR
Brian Merrill, +1-617-986-5005, cyberark@famapr.com
or
CyberArk
Liz Campbell, +1-617-558-2191, press@cyberark.com
or
Investor Relations Contact:
CyberArk
Erica Smith, +1-617-630-6426, ir@cyberark.com