
Latest news with #DirectoryServicesProtector

Semperis launches tool to secure AD service accounts

Techday NZ

4 days ago

  • Business
  • Techday NZ


Semperis has introduced a new edition of its Directory Services Protector (DSP), known as Service Account Protection Essential, aimed at improving the security management of Active Directory and Entra ID service accounts. Service accounts, which are non-human identities used by applications to interact with directory services, frequently pose security challenges due to unmanaged proliferation and a tendency to accrue excessive privileges over time. These characteristics make them susceptible to exploitation by cyber attackers.

Service Account Protection Essential is designed to provide organisations with an inventory of these accounts and facilitate ongoing monitoring for vulnerabilities based on intelligence from the Semperis research team. The tool can also discover previously unknown or misplaced service accounts, as well as detect stale and misconfigured ones. In addition, it identifies risky configurations, highlights critical exposures, and issues real-time alerts in response to malicious or anomalous activity.

Security concerns

"Service accounts are pernicious and nearly ungovernable by nature, so organisations struggle to adequately address them in security planning. Think about how many applications are onboarded and retired over the course of an Active Directory's lifespan. Each one of these applications may have several service accounts that connect them to AD. Those service account permissions are a black box, with passwords that are static or stale, but no one dares delete them. They're an obvious target for attackers because of their ungovernable state," said Ran Harel, Semperis AVP of Security Products.

The focus on service accounts comes in the wake of high-profile supply chain attacks. Alex Weinert, Semperis Chief Product Officer, drew attention to previous incidents involving compromised service accounts to illustrate their ongoing risk to organisations.

"Service accounts are very attractive to attackers. These accounts tend to proliferate in legacy AD applications and acquire excessive privileges over time, making them an obvious target for malicious actors, especially when service accounts are included in privileged cloud roles or groups tied to Microsoft 365. Service Account Protection Essential gives organisations unprecedented visibility into their service account security posture by helping them identify service accounts, create an inventory, and continuously monitor them to reduce the overall attack surface of the hybrid AD environment," said Weinert, former Microsoft VP of Identity Security.

Features and dashboard improvements

The updated DSP platform offers new capabilities designed to streamline work for security teams managing Active Directory and Entra ID object lists. Security practitioners can now categorise AD and Entra ID objects - including both privileged and service accounts - directly within the tool. This categorisation supports administrative tasks, enables swift policy changes, and helps automate responses to malicious modifications by reverting unauthorised changes as soon as they are detected.

The DSP dashboard itself has been enhanced to provide a detailed summary of recent changes within Active Directory, comprehensive records of attack detection events, overall system health indicators, and a risk scoring mechanism. This information is intended to facilitate quick responses to identity threats and help organisations convey the status of their identity security posture internally.

With the launch of Service Account Protection Essential, Semperis expands its capabilities for protecting hybrid and multi-cloud identity environments, which now include Active Directory, Entra ID, and other platforms. The new edition is positioned as a way for businesses to address pressing risks associated with unmanaged service accounts and reduce their exposure to identity-based attacks.

Semperis adds detection for dMSA attacks in Windows Server

Techday NZ

09-06-2025

  • Business
  • Techday NZ


Semperis has announced new detection capabilities in its Directory Services Protector platform in collaboration with Akamai to address the "BadSuccessor" privilege escalation technique in Windows Server 2025.

BadSuccessor targets a new Windows Server 2025 feature called delegated Managed Service Accounts (dMSAs), which was designed to improve service account security. Researchers at Akamai have shown that attackers can exploit dMSAs to impersonate highly privileged users, such as Domain Admins, within Active Directory. At present, there is no patch available to address this vulnerability.

Service accounts, including dMSAs, often operate with extensive or unmonitored privileges, creating potential security risks for enterprises. The exploitation method uncovered by Akamai highlights ongoing challenges in securing service accounts and preventing unexpected attack vectors within large organisations.

In response, Semperis has updated its Directory Services Protector platform to include one new Indicator of Exposure and three Indicators of Compromise aimed at detecting abnormal dMSA activity. These enhancements will enable security teams to identify excessive delegation rights, malicious connections between dMSAs and privileged user accounts, and attacks directed at sensitive accounts such as KRBTGT.

"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact. The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call," said Yuval Gordon, Security Researcher at Akamai.

"Service accounts remain one of the least governed yet most powerful assets in enterprise environments. This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit," said Tomer Nahum, Security Researcher at Semperis.

The vulnerability is present in any organisation that operates at least one domain controller running Windows Server 2025. According to Semperis, a single misconfigured domain controller can place the entire environment at risk. Until vendors release an official patch, organisations are encouraged to audit dMSA permissions and use detection tools to monitor for misuse.

Semperis is reinforcing cybersecurity for enterprises by protecting critical identity services that underpin hybrid and multi-cloud environments. Purpose-built for securing complex identity infrastructures — including Active Directory, Entra ID, and Okta — Semperis' AI-powered platform safeguards more than 100 million identities from cyberattacks, data breaches, and operational missteps. Headquartered in Hoboken, New Jersey, the privately held international company supports major global brands and government agencies, with customers spanning over 40 countries.

Beyond its core technology offerings, Semperis is recognized for its commitment to the cybersecurity community. The company sponsors a range of industry resources, including the award-winning Hybrid Identity Protection (HIP) Conference, the HIP Podcast, and free identity security tools such as Purple Knight and Forest Druid. With its dual mission to protect digital infrastructure and empower the security community, Semperis continues to play a pivotal role in advancing global cyber resilience.
