DepED's Active Directory Breached?

Wilson Chua
5 min read · Jan 29, 2023

I am following the breaking story and the "yet to be verified reports" that the Philippine DepED (Department of Education)'s Azure-hosted Active Directory service was breached.

A bit of background details about the incident:

MB Tech Editor Manong Art Samaniego Jr.’s post

However, sources inside DepED showed that login attacks have been flooding their network since Friday. This was strange, for if the hackers had already stolen the credentials, we should not be seeing failed login attempts like those in the log below:

Hackers targeting the Admin and other key accounts

Others doubt the veracity of the 'alleged' breach. For one, the hacker (Pigeon) himself posted that he was "locked out". It seems the hacker was blocked before more damage could be done. However, it does appear that Pigeon (the threat actor) was successful at AD enumeration:

Source: Lead Threat Intel Analyst from Red Rock IT Security (a local IT security firm)

How was it done? The hacker (Pigeon) most likely enumerated the AD devices in a fashion similar to this: https://medium.com/@navkang/active-directory-enumeration-and-exploitation-for-beginners-604a32f45011

Make no mistake, the breach did enable the hacker to gain vital information that could potentially lead to future compromise. So for the rest of us, here is what we can do in such a situation.

The Incident Response Plan

For companies that suffered an AD (Active Directory) breach, here is a simple Incident response plan for handling such incidents:

Preparation:

  • An incident response team (IRT) should already have been convened, with clear roles and responsibilities for responding to an Azure Active Directory (AAD) breach. Participation by DepED's Secretary would signal the seriousness of the matter and inspire a faster resolution.
  • The key stakeholders are aware of the incident response plan and their role in the process.
  • Regularly review and test the incident response plan to ensure it is up-to-date and effective.

Identification:

  • Monitor for unusual or suspicious activity in AAD, such as failed login attempts or unauthorized access to sensitive data. We look to the Windows event logs for this. The crown jewels in any incident are the databases and sensitive files, so I would also look at SQL logs and file access logs for sensitive folders.
  • Investigate any incidents that are identified and determine whether a breach has occurred. Typically you would see a lot of failed attempts first. But where the AD was actually compromised (as claimed by the hackers), you should also see more "successful" logins coming from unusual locations (IP addresses).
  • Document the incident, including the date and time of the breach, the type of breach, and any information about the potential impact.
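The two signals described above, a burst of failed logons against key accounts and successful logons from unexpected IP addresses, can be triaged from Windows Security events 4625 (failed logon) and 4624 (successful logon). The script below is an added example, not code from the original post; the allowed IP range, the account names and all the event records are constructed sample data.

```python
# Added example (not from the original post): triage constructed Windows Security
# events for password-spray bursts (4625) and successful logons (4624) from
# source IPs outside an allowed block. All data below is constructed.
import ipaddress
from collections import Counter, defaultdict

# Hypothetical "known good" source ranges, e.g. the admin NOC block (assumption).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events: (event_id, account, source_ip, logon_type)
# logon_type 3 = network, 2 = interactive, 10 = remote interactive (RDP).
SAMPLE_EVENTS = [
    (4625, "Administrator", "198.51.100.7", 3),
    (4625, "Administrator", "198.51.100.7", 3),
    (4625, "Administrator", "198.51.100.7", 3),
    (4625, "svc_backup", "198.51.100.7", 3),
    (4625, "jdoe", "203.0.113.10", 2),
    (4624, "jdoe", "203.0.113.10", 2),
    (4624, "Administrator", "198.51.100.9", 10),
]

def is_allowed(ip):
    """True when the source address falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def failed_logon_counts(events, threshold=3):
    """Accounts with at least `threshold` failed logons (4625): {account: count}."""
    counts = Counter(acct for eid, acct, _ip, _lt in events if eid == 4625)
    return {acct: n for acct, n in counts.items() if n >= threshold}

def successful_logons_from_unexpected_ips(events):
    """4624 events whose source IP is outside the allowed ranges: {account: [ips]}."""
    hits = defaultdict(list)
    for eid, acct, ip, _lt in events:
        if eid == 4624 and not is_allowed(ip):
            hits[acct].append(ip)
    return dict(hits)

def triage(events, threshold=3):
    """Combine both signals into one report for the incident response team."""
    return {
        "sprayed_accounts": failed_logon_counts(events, threshold),
        "suspicious_success": successful_logons_from_unexpected_ips(events),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

An account that appears in both parts of the report (many failures followed by a success from an unexpected address) is the one to isolate first.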

Containment:

  • Implement additional security controls:

a. Two-factor authentication or tighter access controls, to prevent further breaches. Ironically, Google Authenticator is a good solution to this Microsoft Azure breach. This is critical if it can be implemented quickly (without the usual need for bidding and other government red tape).

b. Limit access to Philippine IPs — if possible, limit it to ONLY the DepED admin NOC IP block. While this control will severely affect access even for legitimate users, it will at least "keep the dogs out" and somewhat limit the damage by denying access to foreign actors.

c. Invalidate all passwords by requiring all users to "change password" on their next login. This forces a change of credentials and neutralizes the information in the hackers' hands. And while we are at it, why not enable the complexity and password length requirements in AD? (see pic)

  • Isolate the affected systems and accounts as soon as possible to prevent further damage.
  • Look for any signs of lateral movement. Examine DNS query logs for clues as to which client-side IPs/accounts are affected. Hint: malware-infected user devices will typically 'call home' to the malware command and control (C&C) systems. This usually involves queries to the DNS (Domain Name Service) to resolve the synthetic, algorithmically generated domain names those C&C systems use.
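The 'call home' pattern above leaves a footprint in DNS logs: one client resolving many random-looking names, most of which do not exist (NXDOMAIN). The script below is an added example, not code from the original post; the log format and every log line are constructed, and the entropy and length thresholds are assumptions to tune against your own traffic.

```python
# Added example (not from the original post): flag clients whose DNS queries look
# like C&C 'call home' traffic - many random-looking names and NXDOMAIN replies.
# The log format "<client_ip> <queried_name> <rcode>" and all lines are constructed.
import math
from collections import defaultdict

SAMPLE_DNS_LOG = """\
10.0.5.21 deped.gov.ph NOERROR
10.0.5.21 login.microsoftonline.com NOERROR
10.0.5.44 xk3q9zv1pl7wbt.info NXDOMAIN
10.0.5.44 q82mdl0s4vnxhe.com NXDOMAIN
10.0.5.44 bm7r1kxp0wzc3a.net NXDOMAIN
10.0.5.44 t5hz9qwx2lv8nb.org NOERROR
10.0.5.21 update.microsoft.com NOERROR
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

def looks_generated(name, min_entropy=3.3, min_len=12):
    """Heuristic (thresholds are assumptions): a long, high-entropy,
    vowel-poor first label is typical of algorithmically generated names."""
    label = name.split(".")[0]
    vowels = sum(label.count(v) for v in "aeiou")
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowels / len(label) < 0.35)

def suspicious_clients(log_text, min_hits=3):
    """Client IPs with at least `min_hits` generated-looking or NXDOMAIN queries."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        if rcode == "NXDOMAIN" or looks_generated(name):
            hits[client] += 1
    return sorted(c for c, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_DNS_LOG))
```

Clients this surfaces are candidates for isolation and forensic imaging, not proof of infection on their own, since CDNs and some legitimate services also use machine-looking hostnames.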

Eradication:

  • Identify the root cause of the breach and take steps to eliminate it. Root causes might include the following:

Weak or easily guessable passwords: If users have weak or easily guessable passwords, it can make it easier for attackers to gain unauthorized access to AAD.

Phishing attacks: Phishing attacks are a common method used by attackers to gain access to sensitive information. Users may inadvertently provide their AAD credentials to a phishing website.

Malware: Malware, such as viruses, trojans and ransomware, can infect systems and steal AAD credentials, allowing attackers to gain unauthorized access to sensitive data.

Insufficient access controls: If access controls are not properly configured, it can allow unauthorized users to access sensitive data in AAD.

Lack of multi-factor authentication: AAD can be configured to require multi-factor authentication, but if it is not enabled it can make it easier for attackers to gain access.

Vulnerabilities in third-party software: Vulnerabilities in third-party software, such as plugins and add-ons, can be exploited by attackers to gain access to AAD.

Employee/User negligence: Employee/User negligence can be a big cause, such as sharing credentials with unauthorized personnel, falling for phishing scams, or connecting to unsecured networks.

Brute force attacks on mail servers: users' credentials in AD (Active Directory) are usually the SAME ones they use for their email. I have seen state-sponsored hacking groups make slow-and-low brute-force attempts against mail servers. These attempts are not usually logged in Windows event logs. See: https://mb.com.ph/2022/12/22/alarming-email-gap-exploited-by-state-sponsored-hackers/

  • Conduct a thorough investigation (forensics) to determine the extent of the breach and what data may have been compromised, and preserve the "chain of custody" in case you pursue legal action. Raymond Nunez (Black Hat CTP winner) is my top-of-mind choice to do this.
  • Remove any malicious actors or malware from the affected systems. Run the Microsoft Malicious Software Removal Tool AND scan with your anti-virus software on ALL devices with an IP address: servers, desktops, mobile devices, CCTV/DVRs, IoT devices, among others.

Recovery:

  • Once the breach has been contained and eradicated, begin the process of restoring normal operations.
  • Review and update security controls and policies to prevent similar breaches in the future.
  • Communicate with affected parties and stakeholders to keep them informed of the situation and any actions taken to address it.
  • Remember to notify the Data Privacy Commission and the DICT cybercrime division of the breach. These are mandatory reporting requirements for the handling of any breach.

Post-Incident Review:

  • Conduct a thorough review of the incident response process to identify any areas for improvement.
  • Document any lessons learned and implement any necessary changes to the incident response plan.
  • Share the report with stakeholders and higher management to notify them about the incident, actions taken and future preventive measures.

As always, I welcome your insights and comments, especially if I missed important steps in such an incident response plan. Thanks for reading this to the end :)
