From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP

Posted by Eyal Karni on Mar 13, 2018 10:05:15 AM

 In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a critical vulnerability that was discovered by Preempt. This vulnerability can be classified as a logical remote code execution (RCE) vulnerability. It resembles a classic relay attack, but with a nice twist: It is related to RSA cryptography (and prime numbers) which makes it quite unique and interesting.

Read More

Topics: Multi-factor Authentication, kerberos, Hacking, Black Hat, Security Advisory, Microsoft, RDP

Security Advisory: Critical Vulnerability in CredSSP Allows Remote Code Execution on Servers Through MS-RDP (Video)

Posted by Yaron Zinar on Mar 13, 2018 10:03:36 AM

In March Patch Tuesday, Microsoft released a patch for CVE-2018-0886, a vulnerability discovered by Preempt researchers. The vulnerability consists of a logical flaw in Credential Security Support Provider protocol (CredSSP) which is used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials to target servers. The vulnerability can be exploited by attackers by employing a man-in-the-middle attack to achieve the ability to run code remotely on previously not infected machines in the attacked network. The vulnerability, in many real-world scenarios where victim network has vulnerable network equipment, could result in an attacker gaining the ability to move laterally in the victim’s network and even infect domain controller with malicious software. No attacks have been detected in the wild by Preempt.

Read More

Topics: kerberos, Hacking, Threat Detection, Security Advisory, Microsoft, CredSSP

6 Tips for Securing Privileged Accounts in the Enterprise

Posted by Heather Howland on Mar 2, 2018 6:00:00 AM

Protecting privileged accounts and actively responding to any potential compromises has become a critical initiative for many CISOs. Stolen credentials are at the heart of most all modern attacks and breaches. Attackers can easily obtain credentials via phishing attacks, brute force, keyloggers, pass-the-hash techniques, or using a database of previously stolen credentials. And once an account is compromised, the attacker can see and do anything that is allowed for that user or account.

Read More

Topics: CISO, Privileged Users, Privileged Accounts

How to Get Control of Your Risk and Paralyze Malware in the Process

Posted by Wade Williamson on Feb 22, 2018 6:51:06 AM

Attackers and their malware are increasingly relying on a handful of common tools such as Mimikatz, PsExec, and WMI to spread through a network and do damage. Some of these tools are very common and hard to blacklist in a network, and likewise make use of protocols such as NTLM and RPC, which are also historically difficult to control inside of most enterprises. Preempt has delivered industry-first functionality that allows organizations to directly analyze these protocols, detect and challenge abnormal behavior. This allows organizations to control some of the most persistent areas of risk in the network while simultaneously robbing attackers of their favorite tools. You can see it in action in the following video. 

Read More

Simplifying PCI DSS 3.2 Compliance with Preempt

Posted by Heather Howland on Feb 9, 2018 1:21:56 PM

If your organization handles credit cards, you are no doubt familiar with  Payment Card Industry Data Security Standard (PCI DSS) compliance. PCI DSS is a set of requirements and procedures that have been established in order to strengthen security of cardholder transactions and data in order to reduce fraud. PCI DSS controls have been implemented for many years but as hackers have advanced their efforts, new requirements continue to emerge with updates to existing controls and reporting.

Read More

Topics: User Behavior, Adaptive Response, Identity Verification, Passwords, Compliance, PCI

How to Use Identity, Behavior and Risk to Prevent Compromised Credentials

Posted by Eran Cohen on Jan 25, 2018 10:00:00 AM

Identity, Behavior and Risk. Identity, Behavior and Risk. Almost like a mantra. Think about it for few seconds. Identity, Behavior and Risk are the 3 main pieces of evidence that security personnel would like to deeply understand so they can protect their organization and users from credential compromise

Read More

Getting the Most out of a Security Product POC

Posted by Eran Cohen on Jan 21, 2018 3:00:00 PM

Vendors, especially in the over crowded security space, often must help buyers justify their investment. But what happens when there isn’t a real problem during the test period? This can make it difficult to properly assess. Some security vendors will simulate problems, others may sponsor penetration tests, or they may provide a list of tests and tools, and so on. In the highly competitive End Point market (aka AntiVirus) they will use any tool they may have in the box.

Read More

Topics: CISO, POC

Corporate Culture Shift: Using Adaptive Security to Influence Employee Security Behavior

Posted by Heather Howland on Jan 12, 2018 7:19:33 AM

I’ve heard it many times from customers: “IT Security needs to be transparent to users in order to be successful.” Unfortunately, we are now in a digital age where things have dramatically changed and research has shown over and over that credential compromise is the top way that hackers breach an organization.

Read More

Topics: User Behavior, CISO, Risk, Identity Verification, Identity, Adaptive Threat Prevention

Fixing Account Lockouts With Adaptive Policies

Posted by Wade Williamson on Jan 4, 2018 7:21:22 AM

Dealing with account lockouts is one of the unhappy facts of life for many IT teams. And while  resolving lockouts isn’t particularly difficult, it is the sheer volume of incidents that often weighs down IT teams. In fact a recent survey found that ⅓ of IT and Support tickets are tied to password resets and account lockouts.

Read More

Topics: Adaptive Response, Passwords, Compliance

Advisory: Flaw in Azure AD Connect Software Can Allow Stealthy Admins to Gain Full Domain Control

Posted by Roman Blachman on Dec 12, 2017 9:42:26 AM

Authors: Roman Blachman, Yaron Zinar.
We recently reviewed a customer’s network and found that 85%(!) of all users in the network had some unnecessary administrative privilege. The excessive privilege stemmed from an indirect inclusion in a
protected admin group. Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges directly through domain discretionary access control list (DACL) configuration. We refer to these users as stealthy admins.

Read More

Topics: Credential Compromise, Stealthy Admin, Azure AD Connect, Security Advisory, Microsoft