A little over a week ago, on December 12, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.
Microsoft is urging users to patch these vulnerabilities
As you all remember, during the November security update cycle, Microsoft released a patch for two new vulnerabilities, CVE-2021-42287 and CVE-2021-42278. Both of these vulnerabilities are described as a Windows Active Directory domain service privilege escalation vulnerability. These exploits actually allow malicious third parties to easily gain Domain Admin privileges in Active Directory after they compromise a regular user account. Redmond officials released three patches for immediate deployment on domain controllers, as follows:
KB5008102—Active Directory Security Accounts Manager hardening changes (CVE-2021-42278) KB5008380—Authentication updates (CVE-2021-42287) KB5008602(OS Build 17763.2305) Out-of-band
But even though the above-mentioned patches have actually been available for some time now, the problem is that a proof-of-concept tool that exploits these vulnerabilities was only publicly disclosed on December 12. The Microsoft research team reacted fast and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities. This query can help detect abnormal device name changes (which should happen rarely to begin with) and compare them to a list of domain controllers in your environment. Make sure you carefully check out all the details if you suspect that you too are being a victim of the aforementioned situations. And, most importantly, update to the secure versions that Microsoft provided, in order to make sure you stay one step ahead of any potential threats. Do you suspect that threat actors have been exploiting your system? Share your opinion with us in the comments section below.
Name *
Email *
Commenting as . Not you?
Save information for future comments
Comment
Δ
