
Latest news with #Malyanker

Windows Server 2025 flaw lets attackers persist in Active Directory

Techday NZ

6 days ago


Semperis researchers have identified a design flaw in Windows Server 2025 that could leave managed service accounts vulnerable to undetected attacks.

Vulnerability details

The flaw, which researchers are calling 'Golden dMSA', affects delegated Managed Service Accounts (dMSAs) within Windows Server 2025. According to Semperis, the vulnerability could allow attackers to achieve persistent, undetected access to these accounts, potentially exposing resources across Active Directory for indefinite periods and enabling cross-domain lateral movement.

Researcher Adi Malyanker from Semperis has developed a tool named GoldenDMSA, which incorporates the logic of the attack and enables security professionals to simulate and understand the risks posed by the vulnerability. The tool aims to help defenders evaluate how the technique might be exploited in their own environments.

Technical findings

The Golden dMSA attack centres on a cryptographic vulnerability in Microsoft's newly introduced security features within Windows Server 2025. The architectural setup of dMSAs is exploited because the ManagedPasswordId structure contains time-based components that are predictable. These components offer only 1,024 possible combinations, making it computationally trivial for attackers to brute-force service account passwords.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments," said Malyanker. "I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat."

This flaw means that threat actors could potentially move laterally across domains and maintain access over time, evading detection by traditional monitoring methods.

Industry context

The new research on Golden dMSA follows previous identity-related discoveries by Semperis. The company's researchers have also highlighted a vulnerability called nOauth in Microsoft's Entra ID, which is known to enable full account takeover in certain vulnerable SaaS applications with limited attacker interaction.

Within the last year, Semperis further developed detection capabilities in its Directory Services Protector platform to defend against BadSuccessor, described as a severe privilege escalation technique that targets a newly introduced feature in Windows Server 2025.

The team previously identified Silver SAML, which is a variant of the SolarWinds-era Golden SAML technique. Silver SAML is notable for its ability to bypass standard security defences in applications integrated with Entra ID.

Recommendations and implications

Semperis is advising organisations using Windows Server 2025 to consider proactively assessing their managed service accounts and other identity infrastructure. By understanding the mechanism of the newly disclosed attack and employing simulation tools such as GoldenDMSA, security and IT teams can evaluate their exposure and consider mitigation strategies.

The discovery of Golden dMSA highlights ongoing challenges in identity and account management security, particularly as new features are introduced into widely used enterprise systems like Active Directory. The predictability of password generation mechanisms, as exposed by Malyanker's research, underscores the importance of cryptographic design choices in authentication frameworks.

Semperis continues its focus on identity security research and has called on others in the cybersecurity community to stay vigilant as new issues emerge with changes in enterprise software architecture and security models.

Golden dMSA flaw in Windows Server 2025 exposes Active Directory

Techday NZ

6 days ago


Security researchers have identified a critical flaw in delegated Managed Service Accounts (dMSA) within Windows Server 2025 that could allow attackers to maintain persistent and widespread access across Active Directory environments.

Flaw found in dMSA

The vulnerability, uncovered by Semperis security researcher Adi Malyanker, has been termed the Golden dMSA attack. It takes advantage of a design issue in dMSAs, a security feature first introduced in Windows Server 2025, which can be misused by bad actors to gain ongoing access and elevate privileges across domains after compromising a forest-level account.

Malyanker developed a tool named GoldenDMSA to demonstrate and analyse the technique, enabling security practitioners to examine in detail how the attack could be executed in operational networks.

The research shows that the attack leverages a predictable element within the ManagedPasswordId structure of dMSAs. This identifier includes time-based components that, according to Semperis, present only 1,024 possible combinations. This low number of possibilities makes brute-force attacks on service account passwords computationally straightforward, potentially enabling a threat actor not only to persist in an Active Directory environment but also to move laterally across domains.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments. I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat," said Malyanker.

Risk assessment and implications

Semperis has rated the risk associated with the Golden dMSA technique as moderate. However, the researchers warn that in cases where an attacker achieves initial forest-level compromise, the method could make it possible to completely take over dMSA or Group Managed Service Account (gMSA) environments. Successful exploitation would allow attackers to maintain control without detection for extended periods, posing a severe threat to corporate and governmental IT infrastructure.

The potential for widespread, persistent access stems from the architectural flaw in how dMSA passwords are generated and managed. By exploiting the weak cryptographic and structural protections, attackers could automate the generation of valid account credentials for managed service accounts, undermining protections intended to secure critical identity services.

Recent related work

The Golden dMSA research builds on previous work by Semperis in the field of identity threat detection. The group has reported on other vulnerabilities, such as nOauth, which affects Microsoft's Entra ID and may permit full account takeover in software-as-a-service applications.

Semperis has also implemented detection features in its Directory Services Protector platform to defend against BadSuccessor, another high-impact privilege escalation technique that targets a recently introduced functionality in Windows Server 2025. This comes in addition to the Silver SAML vulnerability discovered by the team, a new variant related to Golden SAML attacks from the SolarWinds incident, which can bypass conventional security measures in Entra ID-integrated applications.

Recommendations and industry impact

The research underscores the need for organisations using Windows Server 2025 and managed service accounts to carry out active risk assessments and update their security controls. Attackers exploiting weaknesses in dMSA structures could not only remain undetected but also have unrestricted access to valuable resources across a company's entire digital estate.

Industry observers and IT departments are expected to analyse the implications of the flaw, explore mitigation options, and consider how tools such as GoldenDMSA can be used by defenders to better understand and counteract these attack vectors. The ability to simulate attacks is viewed as a vital capability for defenders and researchers, supporting a more robust defensive posture against evolving identity-based threats.
