Microsoft is working to add Bronze Bit attack detection support to Microsoft Defender for Identity to make it easier for security operations teams to detect attempted abuse of a Windows Kerberos security bypass bug tracked as CVE-2020-17049.
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals.
It enables SecOps teams to detect and investigate compromised advanced threats, identities and malicious insider activity targeting enrolled organizations.
Landing in two months
“An alert will be raised when there is evidence of suspicious attempts at Kerberos delegation using the BronzeBit method, where a user attempted to use a ticket to delegate access to a particular resource,” Microsoft explains on the Microsoft 365 roadmap.
The flaw (corrected by Microsoft during the November 2020 Patch Tuesday) can be exploited in what Jake Karnes, the security consultant who discovered it, called the Kerberos Bronze Bit attacks.
Microsoft addressed the Bronze Bit vulnerability in a two-phase deployment, with the initial deployment phase on December 8 and an automatic application phase on February 9.
A month after Microsoft released fixes CVE-2020-17049, Karnes released a proof of concept (PoC) exploit code and full details on how it could be used.
The exploit can bypass Kerberos delegation protection, allowing attackers to escalate privileges, impersonate targeted users, and roam sideways in compromised environments.
He shared a low-level overview with additional information on the Kerberos protocol, including practical exploitation scenarios and details on the implementation and use of Kerberos Bronze Bit attacks against vulnerable servers.
Releasing all of these extra details and the PoC exploit would likely make it much easier to breach Unpatched Windows Servers against CVE-2020-17049 and that’s probably what prompted Redmond to add detection support. Bronze Bit at Microsoft Defender for Identity.
PrintNightmare and Zerologon attack detection also available
In July, Microsoft also added support for PrintNightmare exploit detection to Microsoft Defender for Identity after including Zerologon exploit detection in November 2020.
Both are critical security vulnerabilities, with PrintNightmare (CVE-2021-34527) allowing attackers to take control of affected servers by elevating privileges to the domain administrator while Zerologon (CVE-2020-1472) can be exploited to elevate privileges in order to spoof a domain controller account which leads to complete control of the entire domain.
Multiple threat actors, including ransomware gangs like Vice Society, Conti, and Magniber, already use PrintNightmare exploits to compromise unpatched Windows servers.
State-backed and financially motivated threat actors have also been operating unpatched systems against the ZeroLogon vulnerability since late October and September, and others have joined since then, including:
Also in July, Microsoft rolled out another update to Defender for Identity that allows Security Operations Teams (SecOps) to block attack attempts by locking down the Active Directory accounts of compromised users.
Defender for Identity comes with Microsoft 365 E5 but, if you don’t have a subscription yet, you can also get a trial of Security E5 to give these features a spin.
- New Zloader attacks disable Windows Defender to evade detection
- Microsoft offers some key tips to thwart ransomware attacks in Windows 11
- Your SSD may soon be able to detect ransomware attacks
- Microsoft fixes the remaining vulnerabilities of Windows PrintNightmare
- Microsoft Defender ATP Adds Live Response for Linux and macOS