{"id":7438,"date":"2021-11-29T09:49:00","date_gmt":"2021-11-29T08:49:00","guid":{"rendered":"https:\/\/hansesecure.de\/2021\/11\/top-security-quickfails-5-attack-of-the-cloneadmins-aka-missing-laps\/"},"modified":"2023-06-12T15:01:57","modified_gmt":"2023-06-12T13:01:57","slug":"top-security-quickfails-5-attack-of-the-cloneadmins-aka-missing-laps","status":"publish","type":"post","link":"https:\/\/hansesecure.de\/en\/2021\/11\/top-security-quickfails-5-attack-of-the-cloneadmins-aka-missing-laps\/","title":{"rendered":"Top Security QuickFails: #5 Attack of the CloneAdmins aka Missing LAPS"},"content":{"rendered":"\n
\"\"<\/a><\/figure>\n\n

#5 Attack of the CloneAdmins aka Missing LAPS<\/h2>\n\n

The attack<\/h3>\n\n

At FaulerHund AG in Munich, the employees are starting a new business year and are looking forward to new challenges. So also the administrator Karl KannNixDaf\u00fcr, who noticed on Thursday noon around 12:30 that the account of Ute Unbeschwert is still logged in, although she went on vacation around 11 o’clock. However, due to the fact that he has not yet had a lunch break and will return no later than 2 p.m., this problem will have to wait a little longer.<\/p>\n\n

Around 1 p.m., Karl was sitting at the table of a restaurant around the corner and was about to start eating when suddenly numerous calls and text messages came in. No one in the company could work anymore and a strange message was placed on employees’ desktops.<\/p>\n\n

\"Sample<\/figure>\n\n

Now Karl is faced with the all-important question:<\/p>\n\n

\n

How can attackers compromise a company with 1500 workstations in 2 hours?<\/p>\n<\/blockquote>\n\n

What happened?<\/h3>\n\n

Ute Unbeschwert checked her e-mails shortly before her well-deserved vacation and fortunately received an e-mail with the latest travel advice. After she had gathered all the information on the portal, she could finally leave and the attacker could look around in her system \ud83d\ude09<\/p>\n\n

After the attacker gained local admin rights on the system, he discovered that the local administrator password used was valid on all systems. Unfortunately, this remains a very common practice in companies to facilitate the initial setup of computers or servers. <\/p>\n\n

\"\"<\/a><\/figure>\n\n

However, this gave the attacker complete control over the entire company within a few minutes and allowed him to deploy his ransomware<\/a> across the board.<\/p>\n\n

The countermeasure<\/h3>\n\n

For this problem Microsoft has released<\/a> a simple & ingenious tool: LAPS<\/strong><\/p>\n\n

This tool is configured via group policies and then takes care of the local admin accounts. The following advantages come with the use of the tool:<\/p>\n\n