CISA Warns of Active Directory Attacks


When the US Cybersecurity and Infrastructure Security Agency (CISA) issues a warning, it’s time to take notice. Now, the PetitPotam attack is the cause for such alarm.

CISA is warning that Federal Civilian Executive Branch agencies have until July 22, 2022 to apply Microsoft’s June 2022 patches. CISA cites active exploitation of PetitPotam NTLM relay attacks as the motivation for its guidance.

Technically, this order applies only to government agencies. However, these active exploits should make every municipality, school system, healthcare provider, non-profit, and corporation move quickly.

Let’s take a look at why CISA warns of these problems, and what you can do to stay protected.

CISA’s Vulnerability Warning Has Been Off and On

At first, CISA warned agencies to avoid applying Microsoft’s original May 2022 updates.

It did so because the updates caused service authentication problems on domain controllers running Windows Server. At that time, it removed vulnerability CVE-2022-26925 from its list of actively exploited vulnerabilities.

Microsoft’s original attempt to patch vulnerabilities CVE-2022-26931 and CVE-2022-26923 caused credential mismatches for authentication services and protocols such as Network Policy Server (NPS), Remote Authentication Dial-In User Service (RADIUS), Routing and Remote Access Service (RRAS), and both Extensible Authentication Protocol (EAP) and Protected EAP (PEAP).

What does that mean for you?

Well, the mismatch caused authentication through these services to fail, leaving domain controller services exposed.

As a workaround, organizations had to manually map certificates to accounts in Active Directory until the June 2022 Microsoft patches arrived.

But CISA warns that recent ransomware attacks forced it to re-add CVE-2022-26925 to its list of actively exploited vulnerabilities and to issue the guidance.

Let’s take a look at what the vulnerability does, exactly.


The CVE-2022-26925 Vulnerability Explained

To exploit vulnerability CVE-2022-26925, attackers must first gain access to your network.

In their original advisory, Microsoft downplayed the vulnerability because:

  • The attack required a victim to connect to a server under the attacker’s control.
  • Internet Explorer did not automatically send credentials over HTTP to internet zone servers.
  • Inbound traffic would have to be enabled on the client system.

It wasn’t something that appeared likely to occur very often.

Unfortunately, between newer phishing attacks and unpatched Microsoft Exchange servers, establishing a foothold within a network is now more common. And once inside, attackers can easily route their attacks through inbound traffic.

Attackers execute a PetitPotam attack, which coerces a domain controller into authenticating to a malicious NT LAN Manager (NTLM) relay. The relay then forwards that authentication over HTTP to the domain’s Active Directory Certificate Services web enrollment, obtains a certificate for the domain controller’s account, and uses it to request a Kerberos ticket-granting ticket (TGT).

This attack subverts the public key infrastructure (PKI) that authenticates users, encrypts file systems, enables digital signatures, and more.

Successful exploitation of the vulnerability can give attackers full access to and control over the entire Active Directory domain.

Microsoft has issued official mitigations for the attacks, such as enabling Extended Protection for Authentication (EPA), SMB signing, and disabling HTTP on Active Directory Certificate Services (AD CS) servers.

Patching is the Beginning

Although applying the June 2022 Microsoft patches will block vulnerability CVE-2022-26925, experts note that not all attack vectors are blocked by mitigation or patching.

This is because the attack exploits a function of either the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) API or the Microsoft Print System Remote Protocol (MS-RPRN), both of which remain unpatched.

The print spooler flaw is even listed as ‘won’t fix’ by Microsoft, and the print spooler service is enabled by default in all Windows environments.

But that doesn’t mean you should give up. You should still patch your AD servers and apply the mitigations to harden them against most attacks. Of course, patching can also cause other problems.
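To check whether the mitigations discussed above are actually in place, here is a read-only audit script. It is an added example, not code from the article or from Microsoft; it assumes it runs elevated on the AD CS web enrollment server, that the IIS application lives at the assumed path `IIS:\Sites\Default Web Site\CertSrv`, and that the WebAdministration module is installed.

```powershell
# Added audit example (not from the article or Microsoft). Read-only checks for the
# PetitPotam mitigations: EPA and Require SSL on AD CS web enrollment, server-side
# SMB signing, and the Print Spooler service state. Assumed IIS path below.
Import-Module WebAdministration -ErrorAction Stop
$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default site name

function Test-CertSrvEpa {
    # EPA set to "Require" binds the NTLM handshake to the TLS channel, so a relay
    # that terminates its own connection to CertSrv cannot reuse the credentials.
    $epa = Get-WebConfiguration -PSPath $CertSrvPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
    [pscustomobject]@{ Check = 'CertSrv EPA'; Value = [string]$epa.tokenChecking
                       Pass  = ([string]$epa.tokenChecking -eq 'Require') }
}

function Test-CertSrvRequireSsl {
    # EPA only helps when the enrollment pages refuse plain HTTP.
    $access = Get-WebConfiguration -PSPath $CertSrvPath -Filter 'system.webServer/security/access'
    $flags  = [string]$access.sslFlags
    [pscustomobject]@{ Check = 'CertSrv Require SSL'; Value = $flags
                       Pass  = ($flags -match '\bSsl\b') }
}

function Test-SmbSigningRequired {
    # Required signing stops relayed NTLM from being used against SMB on this host.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Check = 'SMB signing required (server)'
                       Value = $cfg.RequireSecuritySignature
                       Pass  = [bool]$cfg.RequireSecuritySignature }
}

function Test-SpoolerDisabled {
    # MS-RPRN coercion needs a running spooler; on DCs it is rarely needed.
    $svc   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'not installed' }
    $ok    = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    [pscustomobject]@{ Check = 'Print Spooler disabled'; Value = $state; Pass = $ok }
}

$results = @(Test-CertSrvEpa; Test-CertSrvRequireSsl; Test-SmbSigningRequired; Test-SpoolerDisabled)
$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring job flag a regressed server.
if ($results.Pass -contains $false) { exit 1 }
```

Run it again after each patch cycle, since updates have been known to reset IIS and service settings.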

For instance, CISA warns that the June 2022 update disrupts federal Personal Identity Verification/Common Access Card authentication. As a result, agencies needed to take additional steps to avoid business disruptions. As always, when applying patches, you might find disruptions of your own.

So, make sure you keep an eye out for any surprises.


Enable Active Defense

Not all organizations use Active Directory in combination with the services that make them vulnerable. However, you should still harden your Active Directory by disabling services you don’t need and mitigating known attacks.

Even with patching and mitigations, an attacker within the network can still cause significant problems.

Make sure you maintain a full spectrum of defensive solutions, such as endpoint detection and response (EDR) and cybersecurity monitoring, to catch active attacks and minimize loss.

Blue Bastion, along with Ideal Integrations, can assist with the steps necessary to protect you against this and other vulnerabilities.

Our experts investigate and optimize your current infrastructure setup, harden systems and services, and minimize business disruptions during the process.

And you can engage our services for short-term projects or ongoing outsourcing. For example, we offer managed endpoint and network security monitoring as a service, freeing up your internal IT teams to work on more critical projects.

Simply contact us at 412-349-6680 or fill out the form below for a no-obligation meeting to explore your needs and possible solutions that fit your situation.

Secure Your Business With Blue Bastion - Contact Us Today!