The active directory botnet


Botnets and command & control servers (a.k.a. C&C or C2 servers) are taking over the internet and are rapidly becoming a potential new major threat. Recent industry research from Verizon highlights the issue of how control may be unwittingly handed to an attacker. The “Verizon 2017 Data Breach Investigations Report” reveals “phishing remains a favourite technique of attackers” and “payloads are commonly delivered via email (73%) and drive-by downloads (13%)”. The report continues: “if the attachment is opened, it will drop command and control malware to establish and maintain control of the device”.

A life of their own

There are many considerations of how botnets and C&C servers can become independently threatening. For instance, what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? Another consideration is the damage these botnets and C&C servers could achieve if they bypass our network controls. Likewise, if these botnets and C&C servers began communicating internally bypassing our security zones and firewalls. It makes you wonder what would happen if modern controls such as micro-segmentation were all of a sudden useless.

These nightmare scenarios are well on their way to becoming a reality.

The Active Directory Botnet attack concept arises due to a fundamental flaw in the way nearly every organisation implements its Active Directory (AD) solution, which leaves a gaping hole within security and the ability to contain security breaches.

Let’s say that your organisation has become the victim of a spear phishing attack and a range of your internal systems across multiple WAN sites around the world have been breached. Not only this, but some of your internet exposed systems in your DMZ and Azure cloud environment have also been breached. This sounds bad, but luckily your security team have segmented all of these systems into security zones with firewalls and network filtering to contain the breaches.

Microsoft Active Directory is used by most organisations as their central authentication and identity management solution. Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices, and wireless devices throughout your organisation, can connect to an Active Directory Domain Controller for authentication purposes…Click HERE to read full article.


Leave A Reply

five × 4 =