- CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a Russian cybercrime forum frequented by ransomware groups, regarding eight vulnerabilities in Samba packages that affect Active Directory domains.
- Samba is an open-source Server Message Block (SMB) protocol implementation. It enables Linux to function as a server and a client with the Windows operating system.
- The actor has provided information on the vulnerabilities, now recognized as CVEs, along with their potential impacts.
- Threat actors can exploit these vulnerabilities to conduct various attacks, including, but not limited to, information compromise, privilege escalation and mapping the infrastructure of systems.
Analysis and Attribution
Information from the Post
- On 10 November 2021, a threat actor published a post on a cybercrime forum claiming that Active Directories can be exploited using 8 vulnerabilities in the Samba package.
- These vulnerabilities are now fixed. However, attackers could be scanning for unpatched instances to target.
- CVE-2020-25717: An Active Directory domain user with the capacity to create new accounts on their system, managed using ms-DS-MachineAccountQuota, could get root access to other domain systems due to a vulnerability in the logic of mapping domain users to local system users.
- CVE-2021-3738: Access to an already freed memory area (use-after-free) can potentially lead to privilege escalation when manipulating connection setup in the implementation of the Samba AD DC RPC server (dsdb).
- CVE-2016-2124: Even if the user or application is configured with mandatory Kerberos authentication, client connections established via the SMB1 protocol could be downgraded to transmitting authentication parameters in clear text or via NTLM (for example, allowing credentials to be determined in MITM attacks).
- CVE-2020-25722: On a Samba-based Active Directory domain controller, proper access checks on stored data were not performed, allowing any user to bypass credential checks and completely compromise the domain.
- CVE-2020-25718 (Kerberos tickets): The Samba-based Active Directory domain controller did not properly isolate administrator tickets issued by the RODC (read-only domain controller), which might be used to obtain administrator tickets from the RODC without having the authority to do so.
- CVE-2020-25719: The Samba-based Active Directory domain controller did not always take the SID and PAC fields in Kerberos tickets into account together (when setting "gensec:require_pac = true", only the name was checked, and PAC was ignored), thus allowing a user with the right to create accounts on the local system to impersonate another user in the domain, including a privileged one.
- CVE-2020-25721: For Kerberos-authenticated users, unique identifiers for Active Directory (objectSid) were not always issued, which could lead to overlaps between users.
- CVE-2021-23192: During a MITM attack, it was possible to spoof fragments in large DCE/RPC requests that were split into several parts.
- The actor is very popular on the forum.
- The post shared by the actor has been verified against the official release from Samba (1).
- The reliability of the actor can be rated Reliable (A).
- The credibility of the advertisement can be rated Probably True (2).
- This gives an overall source credibility of A2.
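
The CVE-2016-2124 entry above turns on client connections being allowed to fall back to SMB1, clear-text or NTLM-family authentication. As an added example (not code from CloudSEK or the Samba project), the following audit reads the [global] section of an smb.conf and reports settings that explicitly permit those fallbacks. The parameter names are Samba smb.conf options that do not appear in the post, and the sample configuration is constructed; the check assumes unset parameters keep Samba's defaults and does not replace patching.

```python
import re
# Protocol levels that mean SMB1 or older in Samba's "min protocol" settings.
SMB1_LEVELS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section = {}, None
    # smb.conf joins a line ending in a backslash with the next line.
    for raw in re.sub(r"\\\n", "", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit_client_auth(text):
    """List [global] settings that let client connections fall back to
    SMB1, plaintext or weak NTLM-family authentication (CVE-2016-2124)."""
    p, findings = parse_global(text), []
    # Only explicit weakening is flagged; unset parameters are assumed default.
    if p.get("clientminprotocol", "").upper() in SMB1_LEVELS:
        findings.append("client min protocol permits SMB1")
    if p.get("clientplaintextauth", "").lower() in TRUE:
        findings.append("client plaintext auth is enabled")
    if p.get("clientlanmanauth", "").lower() in TRUE:
        findings.append("client lanman auth is enabled")
    if p.get("clientntlmv2auth", "").lower() in FALSE:
        findings.append("client NTLMv2 auth is disabled")
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    Client Min Protocol = NT1
    client plaintext auth = Yes
    ; client lanman auth = yes
[share]
    client ntlmv2 auth = no
"""
```

Calling audit_client_auth(SAMPLE) returns the two weakened [global] settings; the commented-out line and the parameter placed under [share] are ignored.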