All news with #active directory tag

🔍 This analysis examines CVE-2025-54918, a critical NTLM/LDAP authentication bypass that enables privilege escalation from a standard domain user to SYSTEM on Domain Controllers. The vulnerability chains coercion (PrinterBug-style) with NTLM relay and packet manipulation to evade channel binding and LDAP signing. The post outlines the attack flow, detection indicators such as empty usernames and LOCAL_CALL flags, and mitigations using CrowdStrike Falcon capabilities.

⚠️ Microsoft confirmed that the September 2025 security updates are causing Active Directory synchronization problems on Windows Server 2025, affecting applications that use the DirSync control such as Microsoft Entra Connect Sync. The issue can result in incomplete synchronization of large AD security groups exceeding 10,000 members. Microsoft recommends a registry workaround (DWORD 2362988687 = 0) while engineers work on a fix, and warns about risks of editing the registry.

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.

🔒 On 29 August 2025 Huntress analysts identified a previously unseen ransomware variant they named Obscura after its embedded ransom note. The binary was placed in the domain NETLOGON scripts folder, enabling propagation via AD replication, and the actor created scheduled tasks to run it across hosts. Obscura requires administrative privileges, attempts to delete volume shadow copies and terminates roughly 120 security and backup processes. It uses Curve25519/X25519 key exchange and XChaCha20 for file encryption and writes a decoded ransom note to C:\README-OBSCURA.txt.

🔁 AWS License Manager now supports shared AWS Managed Active Directory across multiple AWS accounts, enabling centralized management of Microsoft product subscriptions. Customers can subscribe once in a single admin account and extend those subscriptions to directory consumer accounts across their AWS Organization. This reduces duplicate directories and IT overhead and is available in all commercial regions where License Manager user subscription is supported.

🚨 Microsoft Threat Intelligence says financially motivated group Storm-0501 has refined a brutal hybrid ransomware chain that leverages hijacked privileged accounts to pivot from on‑prem Active Directory into Azure, exploiting visibility gaps to exfiltrate, encrypt, and mass‑delete cloud resources and backups. The actor used Evil‑WinRM for lateral movement and DCSync to harvest credentials, abused a non‑MFA synced global admin to reset passwords, and created a malicious federated domain for broad persistence. After exfiltration they deleted backups where possible, encrypted remaining cloud data, and initiated extortion via a compromised Microsoft Teams account. CISOs are urged to enforce least privilege, audit on‑prem assets, close cloud visibility gaps, and rehearse ransomware playbooks.

🛑 A former software developer was sentenced to four years in prison after intentionally sabotaging his employer's servers with custom malware that included a kill switch. Davis Lu, 55, abused his access in 2019 to introduce infinite-loop Java code, delete coworker profiles, and deploy a kill switch named 'IsDLEnabledinAD' that locked out users when his Active Directory account was disabled. The DOJ said the incident, reportedly at Eaton Corporation, disrupted thousands of users and caused hundreds of thousands of dollars in losses.

⚠️ CISA issued Emergency Directive 25-02 directing federal civilian agencies to immediately update and secure hybrid Microsoft Exchange environments to address a post-authentication privilege escalation vulnerability. The flaw, tracked as CVE-2025-53786, could allow an actor with administrative access on an Exchange server to escalate privileges and affect identities and administrative access in connected cloud services. CISA says it is not aware of active exploitation but mandates agencies implement vendor mitigation guidance and will monitor and support compliance. All organizations using hybrid Exchange configurations are urged to adopt the recommended mitigations.

🔒 Unit 42 details BadSuccessor, a critical post-Windows Server 2025 attack vector that abuses delegated Managed Service Accounts (dMSAs) to escalate privileges in Active Directory. The write-up explains how attackers who can create or modify dMSAs may set msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState to impersonate superseded accounts and obtain elevated rights. It provides practical detection guidance using Windows Security auditing and offers hunting queries and mitigation recommendations. Palo Alto Networks solutions such as Cortex XDR and XSIAM are highlighted as able to detect this activity when auditing is enabled.