#5 Attack of the KlonAdmins aka Missing LAPS

The attack

At FaulerHund AG in Munich, the employees are starting a new business year and looking forward to new challenges. So is the administrator Karl KannNixDafür, who noticed on Thursday around 12:30 that the account of Ute Unbeschwert was still logged in, although she had left for her vacation around 11 o'clock. However, since he has not had a lunch break yet and will be back by 2 p.m. at the latest, this problem will have to wait a bit.

Around 1 p.m., Karl was sitting at a table in a restaurant around the corner and was about to start eating when numerous calls and text messages suddenly started coming in. No one in the company could work anymore, and a strange message had appeared on the employees' desktops.

[Image: sample ransom note as displayed on the employees' desktops]

Now Karl is faced with the all-important question:

How can attackers compromise a company with 1500 workstations in 2 hours?

What happened?

Ute Unbeschwert checked her e-mails shortly before her well-deserved holiday and "luckily" received an e-mail with the latest travel advice. After she had looked at all the information on the (phishing) portal, she could finally leave, and the attacker could start looking around on her system 😉

After gaining local admin rights on her system, the attacker discovered that the same local administrator password (set during the initial setup and never changed afterwards) was valid on every system in the company. Unfortunately, this is still very common practice, because it makes the initial setup of computers and servers convenient. From the attacker's point of view it means that the password, or even just its NT hash (pass-the-hash), is accepted as an administrative network logon by every other machine.

This gave the attacker complete control over the company's entire fleet within a few minutes and allowed him to deploy his ransomware across the board.
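The lateral movement described above leaves a recognisable trace: a network logon (Event ID 4624, LogonType 3) with a local account shows the computer name, not the AD domain, as TargetDomainName, and one source address doing that against many hosts within minutes is exactly the shared-local-admin pattern. The following PowerShell is an added example, not code from the original post: it runs the check over constructed sample events (the domain name FAULERHUND, the host names and the addresses are hypothetical), in the shape that parsing real 4624 events from Get-WinEvent would produce.

```powershell
# Added example (not from the original post): detect one source address logging on
# with a *local* account to many different machines in a short window.
# Assumptions: the AD NetBIOS domain is FAULERHUND (hypothetical); the events below
# are constructed sample data with the 4624 fields that matter, not real log lines.
#
# On a real host the same objects would come from the Security log, e.g.:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data   # TargetUserName, TargetDomainName, LogonType, IpAddress
#       ...
#   }

$DomainName = 'FAULERHUND'

# Constructed sample events: five local-Administrator network logons from one source
# within a minute (the attack), plus two benign logons as noise.
$Events = @(
    [pscustomobject]@{ Time='2024-01-11 12:41:03'; Computer='WS-0421';    LogonType=3; TargetUser='Administrator'; TargetDomain='WS-0421';    IpAddress='10.20.4.17' },
    [pscustomobject]@{ Time='2024-01-11 12:41:09'; Computer='WS-0422';    LogonType=3; TargetUser='Administrator'; TargetDomain='WS-0422';    IpAddress='10.20.4.17' },
    [pscustomobject]@{ Time='2024-01-11 12:41:15'; Computer='SRV-FILE01'; LogonType=3; TargetUser='Administrator'; TargetDomain='SRV-FILE01'; IpAddress='10.20.4.17' },
    [pscustomobject]@{ Time='2024-01-11 12:41:21'; Computer='WS-0423';    LogonType=3; TargetUser='Administrator'; TargetDomain='WS-0423';    IpAddress='10.20.4.17' },
    [pscustomobject]@{ Time='2024-01-11 12:42:00'; Computer='WS-0424';    LogonType=3; TargetUser='Administrator'; TargetDomain='WS-0424';    IpAddress='10.20.4.17' },
    # Benign: a domain account doing a normal network logon, and a local console logon.
    [pscustomobject]@{ Time='2024-01-11 12:30:00'; Computer='SRV-FILE01'; LogonType=3; TargetUser='karl.k';        TargetDomain='FAULERHUND'; IpAddress='10.20.1.5'  },
    [pscustomobject]@{ Time='2024-01-11 08:02:11'; Computer='WS-0099';    LogonType=2; TargetUser='Administrator'; TargetDomain='WS-0099';    IpAddress='127.0.0.1'  }
)

function Find-SharedLocalAdminSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $DomainName,
        [int] $WindowMinutes = 10,   # how close together the logons must be
        [int] $MinHosts      = 3     # how many distinct targets count as "spraying"
    )
    # Network logons with a local account: TargetDomain is a machine name, not the AD domain.
    $localNetLogons = $Events | Where-Object {
        $_.LogonType -eq 3 -and $_.TargetDomain -ne $DomainName
    }
    # Group by source address and flag sources that reach many hosts inside the window.
    foreach ($grp in ($localNetLogons | Group-Object IpAddress)) {
        $sorted = @($grp.Group | Sort-Object { [datetime]$_.Time })
        $first  = [datetime]$sorted[0].Time
        $last   = [datetime]$sorted[-1].Time
        $hosts  = @($sorted | Select-Object -ExpandProperty Computer -Unique)
        if ($hosts.Count -ge $MinHosts -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                SourceIp  = $grp.Name
                Accounts  = (@($sorted | Select-Object -ExpandProperty TargetUser -Unique) -join ',')
                HostCount = $hosts.Count
                Hosts     = ($hosts -join ',')
                FirstSeen = $first
                LastSeen  = $last
            }
        }
    }
}

# With the sample data this reports 10.20.4.17 hitting 5 hosts in under a minute;
# the domain logon and the console logon are ignored.
Find-SharedLocalAdminSpray -Events $Events -DomainName $DomainName | Format-Table -AutoSize
```

The thresholds are deliberately conservative; in a fleet that already uses LAPS, a single source making local-Administrator network logons to more than a handful of hosts is almost never legitimate, so the alert can be tuned much tighter there.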

The countermeasure

For this problem Microsoft has released a simple and ingenious tool: LAPS (Local Administrator Password Solution).

The tool is configured via group policy and then manages the local administrator account of every domain-joined computer: each machine generates its own password locally, stores it in an attribute of its computer object in Active Directory, and only principals that were explicitly granted read access can retrieve it. Using it brings the following advantages:

  • Individual admin passwords per computer
  • Long, random passwords (the length is set by policy, e.g. 30 characters; the maximum is 64)
  • Automatic change of passwords in regular cycles

Thus, compromising a single system and exposing its local admin password no longer hands the attacker every other machine in the domain (a cached domain admin session on that same box is a different story xD).

Finally, I would like to point out that implementing LAPS is extremely simple and takes very little time (2 hours at most). The only one-time step that needs care is the AD schema extension (it requires Schema Admins rights and cannot be undone); on the client side, all that is needed is the LAPS client-side extension, which can be rolled out as an MSI through the same GPO. So read the MS documentation or ask a trusted advisor, download LAPS and get started 😉 (Since the April 2023 updates, current versions of Windows 10/11 and Windows Server also include "Windows LAPS" natively, so on patched systems there is nothing left to download.)
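Putting the advantages listed above and the deployment steps together, here is an added PowerShell example (not code from the original post) for the classic LAPS (AdmPwd.PS module): extend the schema, grant the permissions, verify the policy on a client, and audit which computers in an OU are not yet covered. The domain faulerhund.local, the OU path, the group name LAPS-Readers and the host name WS-0421 are hypothetical; the cmdlets and registry values are the real ones shipped with LAPS.

```powershell
# Added example (not from the original post): rolling out classic Microsoft LAPS
# (AdmPwd.PS) and checking that it actually covers the fleet.
# Run as Schema Admin / Domain Admin on a management host with LAPS and RSAT installed.
# Assumptions (hypothetical): domain faulerhund.local, workstation OU below,
# helpdesk group "LAPS-Readers", computer "WS-0421".

Import-Module AdmPwd.PS
Import-Module ActiveDirectory

$WorkstationOU = 'OU=Workstations,DC=faulerhund,DC=local'
$ReaderGroup   = 'LAPS-Readers'

# 1. One-time, irreversible schema extension: adds ms-Mcs-AdmPwd (the password)
#    and ms-Mcs-AdmPwdExpirationTime to the computer class.
Update-AdmPwdADSchema

# 2. Every computer in the OU may write its own password and expiry (SELF write).
Set-AdmPwdComputerSelfPermission -OrgUnit $WorkstationOU

# 3. Only the helpdesk group may read or force-reset passwords in this OU
#    (Domain Admins can regardless; remember to remove "All extended rights"
#    from any other principal that holds it on the OU).
Set-AdmPwdReadPasswordPermission  -OrgUnit $WorkstationOU -AllowedPrincipals $ReaderGroup
Set-AdmPwdResetPasswordPermission -OrgUnit $WorkstationOU -AllowedPrincipals $ReaderGroup

# 4. The GPO itself (Computer Configuration > Policies > Administrative Templates > LAPS)
#    is created in GPMC. On a client the applied policy lands in the registry, so this
#    function verifies the three properties the text relies on: enabled, long, rotated.
function Test-LapsClientPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Enabled = $false; Reason = 'LAPS policy not applied on this host' }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled         = ($p.AdmPwdEnabled -eq 1)
        PasswordLength  = $p.PasswordLength      # e.g. 30 as in the text
        PasswordAgeDays = $p.PasswordAgeDays     # rotation interval in days
        Complexity      = $p.PasswordComplexity  # 4 = upper + lower + digits + specials
    }
}

# 5. Coverage audit: a computer without an expiration time has never had its password
#    set by LAPS (CSE missing or GPO not applied), i.e. it still carries whatever
#    shared password it was installed with.
function Get-LapsCoverage {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties 'ms-Mcs-AdmPwdExpirationTime' |
      ForEach-Object {
        $raw = $_.'ms-Mcs-AdmPwdExpirationTime'   # Windows FILETIME, as Int64
        [pscustomobject]@{
            Name    = $_.Name
            Managed = [bool]$raw
            Expires = if ($raw) { [datetime]::FromFileTimeUtc([int64]$raw) } else { $null }
        }
      }
}

Test-LapsClientPolicy | Format-List
Get-LapsCoverage -SearchBase $WorkstationOU | Where-Object { -not $_.Managed } | Format-Table -AutoSize

# 6. Retrieving one password (as a member of LAPS-Readers):
# Get-AdmPwdPassword -ComputerName 'WS-0421'
```

Run the coverage audit again a few days after the rollout: any machine still reporting Managed = $false is a leftover "KlonAdmin" and should be treated as compromised-by-default until the client-side extension is installed there.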

Security gain

Very high

*From the blog series Top Security QuickFails