Latest news with #Semperis


Techday NZ
3 days ago
- Business
- Techday NZ
Windows Server 2025 flaw lets attackers persist in Active Directory
Semperis researchers have identified a design flaw in Windows Server 2025 that could leave managed service accounts vulnerable to undetected attacks.

Vulnerability details

The flaw, which researchers are calling 'Golden dMSA', affects delegated Managed Service Accounts (dMSAs) within Windows Server 2025. According to Semperis, the vulnerability could allow attackers to achieve persistent, undetected access to these accounts, potentially exposing resources across Active Directory for indefinite periods and enabling cross-domain lateral movement.

Researcher Adi Malyanker from Semperis has developed a tool named GoldenDMSA, which incorporates the logic of the attack and enables security professionals to simulate and understand the risks posed by the vulnerability. The tool aims to help defenders evaluate how the technique might be exploited in their own environments.

Technical findings

The Golden dMSA attack centres on a cryptographic vulnerability in Microsoft's newly introduced security features within Windows Server 2025. The architectural setup of dMSAs is exploited because the ManagedPasswordId structure contains time-based components that are predictable. These components offer only 1,024 possible combinations, making it computationally trivial for attackers to brute-force service account passwords.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments," said Malyanker. "I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat."

This flaw means that threat actors could potentially move laterally across domains and maintain access over time, evading detection by traditional monitoring methods.

Industry context

The new research on Golden dMSA follows previous identity-related discoveries by Semperis. The company's researchers have also highlighted a vulnerability called nOauth in Microsoft's Entra ID, which is known to enable full account takeover in certain vulnerable SaaS applications with limited attacker interaction. Within the last year, Semperis further developed detection capabilities in its Directory Services Protector platform to defend against BadSuccessor, described as a severe privilege escalation technique that targets a newly introduced feature in Windows Server 2025. The team previously identified Silver SAML, which is a variant of the SolarWinds-era Golden SAML technique. Silver SAML is notable for its ability to bypass standard security defences in applications integrated with Entra ID.

Recommendations and implications

Semperis is advising organisations using Windows Server 2025 to consider proactively assessing their managed service accounts and other identity infrastructure. By understanding the mechanism of the newly disclosed attack and employing simulation tools such as GoldenDMSA, security and IT teams can evaluate their exposure and consider mitigation strategies.

The discovery of Golden dMSA highlights ongoing challenges in identity and account management security, particularly as new features are introduced into widely used enterprise systems like Active Directory. The predictability of password generation mechanisms, as exposed by Malyanker's research, underscores the importance of cryptographic design choices in authentication frameworks. Semperis continues its focus on identity security research and has called on others in the cybersecurity community to stay vigilant as new issues emerge with changes in enterprise software architecture and security models.


Techday NZ
4 days ago
- Techday NZ
Golden dMSA flaw in Windows Server 2025 exposes Active Directory
Security researchers have identified a critical flaw in delegated Managed Service Accounts (dMSA) within Windows Server 2025 that could allow attackers to maintain persistent and widespread access across Active Directory environments.

Flaw found in dMSA

The vulnerability, uncovered by Semperis security researcher Adi Malyanker, has been termed the Golden dMSA attack. It takes advantage of a design issue in dMSAs, a security feature first introduced in Windows Server 2025, which can be misused by bad actors to gain ongoing access and elevate privileges across domains after compromising a forest-level account. Malyanker developed a tool named GoldenDMSA to demonstrate and analyse the technique, enabling security practitioners to examine in detail how the attack could be executed in operational networks.

The research shows that the attack leverages a predictable element within the ManagedPasswordId structure of dMSAs. This identifier includes time-based components that, according to Semperis, present only 1,024 possible combinations. This low number of possibilities makes brute-force attacks on service account passwords computationally straightforward, potentially enabling a threat actor not only to persist in an Active Directory environment but also to move laterally across domains.

"Golden dMSA exposes a critical design flaw that could let attackers generate service account passwords and persist undetected in Active Directory environments. I built a tool that helps defenders and researchers better understand the mechanism of the attack. Organisations should proactively assess their systems to stay ahead of this emerging threat," said Malyanker.

Risk assessment and implications

Semperis has rated the risk associated with the Golden dMSA technique as moderate. However, the researchers warn that in cases where an attacker achieves initial forest-level compromise, the method could make it possible to completely take over dMSA or Group Managed Service Account (gMSA) environments. Successful exploitation would allow attackers to maintain control without detection for extended periods, posing a severe threat to corporate and governmental IT infrastructure.

The potential for widespread, persistent access stems from the architectural flaw in how dMSA passwords are generated and managed. By exploiting the weak cryptographic and structural protections, attackers could automate the generation of valid account credentials for managed service accounts, undermining protections intended to secure critical identity services.

Recent related work

The Golden dMSA research builds on previous work by Semperis in the field of identity threat detection. The group has reported on other vulnerabilities, such as nOauth, which affects Microsoft's Entra ID and may permit full account takeover in software-as-a-service applications. Semperis has also implemented detection features in its Directory Services Protector platform to defend against BadSuccessor, another high-impact privilege escalation technique that targets a recently introduced functionality in Windows Server 2025. This comes in addition to the Silver SAML vulnerability discovered by the team, a new variant related to Golden SAML attacks from the SolarWinds incident, which can bypass conventional security measures in Entra ID-integrated applications.

Recommendations and industry impact

The research underscores the need for organisations using Windows Server 2025 and managed service accounts to carry out active risk assessments and update their security controls. Attackers exploiting weaknesses in dMSA structures could not only remain undetected but also have unrestricted access to valuable resources across a company's entire digital estate.

Industry observers and IT departments are expected to analyse the implications of the flaw, explore mitigation options, and consider how tools such as GoldenDMSA can be used by defenders to better understand and counteract these attack vectors. The ability to simulate attacks is viewed as a vital capability for defenders and researchers, supporting a more robust defensive posture against evolving identity-based threats.


Techday NZ
11-07-2025
- Business
- Techday NZ
Hybrid identity security scores decline as vulnerabilities rise
Organisations are finding it increasingly difficult to identify and manage security vulnerabilities in hybrid identity environments, according to the latest 2025 Purple Knight Report from Semperis.

Declining security scores

The report, based on an online survey using the free Purple Knight security assessment tool, reveals an average initial security score of 61 out of 100 across participating organisations. This marks an 11-point decrease from the previous year's average of 72, highlighting a worsening situation in securing hybrid identity platforms such as Active Directory, Entra ID, and Okta.

Developed by Semperis, Purple Knight enables organisations to discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in their hybrid directory environments, offering both a benchmarking mechanism and ongoing tracking support.

Variations by company size

The survey documented notable differences in security posture between organisations of varying sizes. The highest scores were observed among large organisations with over 10,000 employees, achieving an average of 73. Small companies with up to 500 employees reported an average score of 68. In contrast, mid-sized organisations (2,001 to 5,000 employees) registered the lowest average score of just 52, reflecting particular difficulties faced by this segment.

"The largest organisations have more resources, and the smallest organisations often have less-complicated environments to secure," said Sean Deuby, Semperis Principal Technologist, Americas. Addressing the challenges encountered by mid-sized organisations, Deuby added, "The midsized companies are where the IT pros have to do everything. You don't have full-time AD specialists."

Sector-specific findings

Security gaps were also distributed unevenly across industries. The government sector recorded the lowest average score at 46, followed by the retail industry at 51, and the transportation and education sectors at 57. Despite healthcare achieving the highest industry score of 66, this result still indicates significant room for improvement.

Vulnerability categories

When examining categories of vulnerabilities, organisations scored lowest in the AD Infrastructure category, followed by Account Security, Kerberos, Group Policy, Entra ID, and Okta. This illustrates a broad range of challenges faced when managing hybrid identity systems.

"Hybrid identity environments are complex, and threat actors know it. Overall, organisations can't protect what they can't see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them," said Deuby. "Purple Knight gives organisations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise."

Remediation impact

According to the report, organisations that utilised Purple Knight's security recommendations achieved an average improvement of 21 points on their security assessment scores, with some reporting gains as high as 61 points. This demonstrates the measurable benefit of following expert mitigation guidance.

Bob G., infrastructure team lead at a global shipping company, explained, "My company has launched a multi-year project to reorganise the environment, which currently consists of about 30 AD forests. Using Purple Knight to scan those environments helps us understand what might break in our permissions structure or what open security vulnerabilities we need to fix."

Jose G., global administrator at an IT services company, described the tool's real-world impact: "We suffered an attack that compromised some of our systems, and we thought we were pretty secure in terms of Active Directory. We learned a lot from that event. Out of curiosity, I ran Purple Knight on the environment, and I found a new world of stuff to fix."

Eric M., senior identity engineer at a global printing company, reflected on his experience, "I do a pretty good job. And we haven't been breached. But then you see the D-minus on your report card and it's like, wow. There are some things we could do better."

Usage and recommendations

Purple Knight is officially recommended by organisations including the Five Eyes alliance and the Australian Cyber Security Centre. More than 45,000 organisations have used the tool to date to assess and bolster their hybrid Active Directory security.


Techday NZ
10-07-2025
- Business
- Techday NZ
Mid-size firms, government trail in hybrid identity security
The latest Purple Knight Report from Semperis indicates ongoing and worsening security vulnerabilities across hybrid identity systems, including Active Directory, Entra ID, and Okta. According to the 2025 report, the average identity security score for organisations globally now stands at 61 out of 100, reflecting a 15% drop compared to 2023 figures, which showed an average score of 72. The assessment is based on data from over 45,000 organisations that have downloaded and used the Purple Knight Active Directory security assessment tool.

Mid-size organisations, defined as having between 2,001 and 5,000 employees, reported the lowest average security score, at just 52. The government sector performed worst among industry verticals, scoring an average of 46, with retail following at 51 and transportation and education at 57. The healthcare sector achieved the highest industry average, though still at a modest 66 out of 100.

Larger organisations with more than 10,000 employees scored highest, averaging 73, while the smallest companies, with up to 500 employees, followed closely with an average of 68. The findings attribute these higher scores to the greater resources of large organisations and the simpler environments of smaller ones.

"The largest organisations have more resources, and the smallest organisations often have less-complicated environments to secure," said Sean Deuby, Semperis Principal Technologist, Americas. Deuby highlighted the particular challenges faced by companies in the mid-size range. "The midsized companies are where the IT pros have to do everything. You don't have full-time AD specialists," he said.

Vulnerabilities by category

The Purple Knight Report reviews six categories of security vulnerabilities. Across these, the AD Infrastructure category recorded the lowest scores, pointing to persistent risks in the configuration and maintenance of directory services. This was followed by vulnerabilities in Account Security, Kerberos, Group Policy, Entra ID, and Okta respectively.

Deuby explained the wider picture driving the results: "Hybrid identity environments are complex, and threat actors know it. Overall, organisations can't protect what they can't see. The lower average scores in the 2025 Purple Knight Report indicate how crucial it is for companies to proactively assess vulnerabilities across their hybrid identity systems so they can close security gaps before attackers exploit them. Purple Knight gives organisations of all sizes the ability to identify vulnerabilities and remediate them before risks become damaging losses because of a compromise."

Remediation impact

Despite the generally low baseline scores, the report shows that organisations using Purple Knight's expert mitigation guidance have seen significant improvements. Users cited an average score increase of 21 points after applying the recommended remediations, with some reporting improvements as high as 61 points.

Real-world feedback from users illustrates the practical value of the toolkit. Bob G., an infrastructure team lead at a global shipping company, commented: "My company has launched a multi-year project to reorganise the environment, which currently consists of about 30 AD forests. Using Purple Knight to scan those environments helps us understand what might break in our permissions structure or what open security vulnerabilities we need to fix."

Jose G., a global administrator at an IT services company, described how a security incident prompted a reassessment: "We suffered an attack that compromised some of our systems, and we thought we were pretty secure in terms of Active Directory. We learned a lot from that event. Out of curiosity, I ran Purple Knight on the environment, and I found a new world of stuff to fix."

Eric M., senior identity engineer at a global printing company, shared his experience: "I do a pretty good job. And we haven't been breached. But then you see the D-minus on your report card and it's like, wow. There are some things we could do better."

Ongoing challenges

The report highlights the persistent challenges presented by hybrid identity systems, particularly for mid-sized organisations and sectors such as government and retail, where resources may not match the complexity of environments at risk. The findings reinforce the role of continuous assessment and remediation in improving identity security and reducing the risk of compromise.


Techday NZ
27-06-2025
- Business
- Techday NZ
Semperis warns nOAuth flaw in Entra ID risks SaaS accounts
Semperis has published new research highlighting the ongoing risk posed by the nOAuth vulnerability in Microsoft's Entra ID, which may allow attackers to take over SaaS application accounts with minimal effort. According to the research, nOAuth remains undetected by many SaaS vendors and is very difficult for enterprise customers to defend against.

The vulnerability, originally disclosed in 2023 by Omer Cohen of Descope, arises due to a flaw in how certain SaaS applications implement OpenID Connect, particularly when unverified email claims can be used as user identifiers in Entra ID app configurations. This practice contrasts with recommended OpenID Connect standards. Semperis' follow-up investigation examined applications listed in Microsoft's Entra Application Gallery, finding that over a year after its initial disclosure, a substantial portion of applications remain vulnerable to nOAuth abuse.

Risk to enterprises

The core issue with nOAuth is that attackers require only their own Entra tenant and the email address of a target user to potentially gain full access to that person's account in a vulnerable SaaS application. Traditional defences, including Multi-Factor Authentication (MFA), conditional access, and Zero Trust policies, do not mitigate this risk. This presents a challenge for both developers and end-users.

As Eric Woodruff, Chief Identity Architect at Semperis, explained, "It's easy for well-meaning developers to follow insecure patterns without realising it and in many cases, they don't even know what to look for. Meanwhile, customers are left with no way to detect or stop the attack, making this an especially dangerous and persistent threat."

Through comprehensive testing of more than 100 Entra-integrated SaaS applications, Semperis identified that nearly 10% were susceptible to nOAuth exploitation. Once access is obtained via this vulnerability, attackers may exfiltrate data, maintain persistence, and potentially move laterally within the victim organisation's environment.

Detection and mitigation challenges

Detection of nOAuth abuse is exceptionally difficult, as successful attacks leave minimal traces within standard user activity logs. Deep correlation across both Entra ID and individual SaaS platform logs is required to identify potential breaches. Semperis' research indicates that exploitation continues to be possible, despite the initial public disclosure and vendor recommendations.

Highlighting the severity of the nOAuth issue, Woodruff added, "nOAuth abuse is a serious threat that many organisations may be exposed to. It's low effort, leaves almost no trace and bypasses end-user protections. We've confirmed exploitation is still possible in many SaaS apps, which makes this an urgent call to action. We encourage developers to implement the necessary fixes and help protect their customers before this flaw is exploited further."

Semperis has communicated its findings to both affected SaaS vendors and Microsoft, beginning in December 2024. Some vendors have taken steps to address the issue, while others reportedly remain vulnerable.

Industry response and recommendations

The Microsoft Security Response Centre (MSRC) advises SaaS application vendors to implement its security recommendations regarding user identification and OpenID Connect integration. Firms failing to comply may risk removal from the Entra Application Gallery.

Semperis continues to focus on identity threat detection, with recent announcements regarding new detection features addressing other critical vulnerabilities such as BadSuccessor and Silver SAML. These findings exemplify ongoing risks within enterprise identity services, where configuration weaknesses in authentication protocols can present significant challenges for both software providers and their customers.

The nOAuth vulnerability underlines the importance of not only secure development practices but also continuous monitoring as enterprise reliance on SaaS and identity federation increases. Semperis' report calls for prompt action from SaaS vendors to update their authentication implementations to address this persistent risk.
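The insecure pattern the article describes, an app that uses the unverified email claim as the account identifier, is easiest to see next to the lookup that does not have the problem. The following is an added example written for this page; it is not Semperis', Descope's or Microsoft's code. The account store, the decoded claim sets, the tenant and object identifiers, and the use of the `tid` and `oid` claims as the issuer-scoped identity pair are constructed for illustration, and the exact claim set an application receives should be checked against the identity provider's documentation. Token signature and issuer checks are assumed to have already passed, which is the point of nOAuth: the attacker's token is valid for the attacker's own tenant, it just carries someone else's email address. The last helper is a defender-side audit over a batch of decoded sign-ins that flags an email presented by more than one subject, one of the cross-log correlations the article says detection requires.

```javascript
// Added example (not Semperis', Descope's or Microsoft's code): an email-keyed account
// lookup vulnerable to the nOAuth pattern beside an identifier-keyed lookup, plus a
// simple audit over decoded sign-in claims. All data below is constructed.

// Constructed account store for a hypothetical multi-tenant SaaS app. Each record
// keeps the mutable email for display and the immutable (tid, oid) pair for identity.
const accounts = [
  { id: 'acct-1001', email: 'alice@victim.example', tid: 'tenant-victim', oid: 'oid-alice' },
  { id: 'acct-1002', email: 'bob@victim.example',   tid: 'tenant-victim', oid: 'oid-bob' },
];

// Constructed claim set from a genuine sign-in by Alice in her own tenant.
const legitimateClaims = {
  iss: 'https://login.microsoftonline.com/tenant-victim/v2.0',
  tid: 'tenant-victim', oid: 'oid-alice', email: 'alice@victim.example',
};

// Constructed claim set from the attacker's own tenant. The attacker controls that
// tenant, so the token is validly issued, but the `email` claim is whatever the
// attacker chose to set, here the victim's address (hypothetical values).
const crossTenantClaims = {
  iss: 'https://login.microsoftonline.com/tenant-attacker/v2.0',
  tid: 'tenant-attacker', oid: 'oid-mallory', email: 'alice@victim.example',
};

// VULNERABLE lookup: the email claim is treated as the account identifier, so any
// tenant that can issue a token carrying Alice's address is logged in as Alice.
function lookupByEmail(claims) {
  const email = String(claims.email || '').toLowerCase();
  return accounts.find(a => a.email.toLowerCase() === email) || null;
}

// HARDENED lookup: identity is the (tid, oid) pair, which is scoped to the issuing
// tenant and cannot be chosen by a different tenant. Email is never consulted.
function lookupByTenantAndObjectId(claims) {
  if (typeof claims.tid !== 'string' || typeof claims.oid !== 'string') return null;
  return accounts.find(a => a.tid === claims.tid && a.oid === claims.oid) || null;
}

// Audit aid for an existing email-keyed app: from a batch of decoded sign-in claim
// sets, report any email that has been presented by more than one (tid, oid) subject.
// A legitimate user normally arrives from one tenant and one object id.
function findEmailClaimCollisions(claimSets) {
  const subjectsByEmail = new Map();
  for (const c of claimSets) {
    const email = String(c.email || '').toLowerCase();
    if (!email) continue;
    const subject = `${c.tid}/${c.oid}`;
    if (!subjectsByEmail.has(email)) subjectsByEmail.set(email, new Set());
    subjectsByEmail.get(email).add(subject);
  }
  return [...subjectsByEmail]
    .filter(([, subjects]) => subjects.size > 1)
    .map(([email, subjects]) => ({ email, subjects: [...subjects].sort() }));
}

// Stand-alone demonstration when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('email-keyed, cross-tenant token ->', lookupByEmail(crossTenantClaims)?.id);
  console.log('id-keyed, cross-tenant token    ->', lookupByTenantAndObjectId(crossTenantClaims));
  console.log('id-keyed, legitimate token      ->', lookupByTenantAndObjectId(legitimateClaims)?.id);
  console.log('collisions:', findEmailClaimCollisions([legitimateClaims, crossTenantClaims]));
}
```

Run with `node nooauth-example.js`: the email-keyed lookup resolves the attacker's token to `acct-1001`, the identifier-keyed lookup returns `null` for it and `acct-1001` only for the genuine sign-in, and the audit reports `alice@victim.example` as presented by two different subjects. In a real application the (tid, oid) pair, or the pairwise `sub`, should be captured at first sign-in and stored alongside the account; any later change of email is then a profile update, not a change of identity.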