Semperis adds detection for BadSuccessor flaw in Windows 2025

Cybersecurity firm Semperis has introduced new detection capabilities in its Directory Services Protector (DSP) platform, aiming to protect organisations against "BadSuccessor" — a newly disclosed privilege escalation technique in Windows Server 2025 that currently has no available patch.
The BadSuccessor flaw, revealed by researchers at Akamai, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to enhance the security of service accounts. Instead, the researchers demonstrated how the feature can be exploited to impersonate highly privileged users in Active Directory, such as Domain Admins, without needing additional credentials or triggering alerts.
In direct response to Akamai's findings, Semperis worked with the researchers to develop and deploy new detection indicators within its DSP platform. The enhancements include one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs), designed to help organisations identify early signs of potential abuse.
"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai.
The detection indicators are focused on revealing abnormal behaviour around dMSAs, including excessive delegation rights, suspicious links between dMSAs and privileged accounts, and attempts to target sensitive credentials like the KRBTGT account. According to Semperis, this can give security teams a vital head start in identifying attacks before they can escalate.
"Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. "This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit."
The vulnerability has broad implications. Any organisation operating at least one domain controller (DC) running Windows Server 2025 may be at risk. According to Semperis, even a single misconfigured DC using dMSAs could expose the entire Active Directory environment to compromise.
As there is currently no fix for the vulnerability, Semperis is urging organisations to take immediate steps to protect their environments. These include auditing dMSA configurations, reviewing delegation permissions, and employing detection tools such as the updated DSP platform.
The new detection features aim to support defenders in closing a critical visibility gap. Service accounts, such as dMSAs, often run with elevated privileges but remain unmonitored or poorly managed in many enterprise environments. This lack of oversight creates a potential blind spot for attackers to exploit — a challenge the BadSuccessor technique highlights sharply.
Semperis stated that the DSP update is available now and is intended to offer a stopgap solution for organisations as they await official mitigation from Microsoft.
The case also serves as a reminder of the growing complexity of managing hybrid identity environments. With attackers increasingly targeting infrastructure such as Active Directory, new features — however well-intentioned — can quickly become unexpected attack vectors.
Gordon added, "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call."
Until a patch is released, security teams are advised to remain vigilant and proactive. By monitoring dMSA activity and understanding their configuration risks, organisations can reduce their exposure to what could otherwise be a silent but highly impactful method of privilege escalation.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Techday NZ

11-06-2025

• Techday NZ

APAC financial sector faces 245% surge in DDoS attacks, report finds

Financial institutions in the Asia-Pacific (APAC) region saw a 245% rise in volumetric Layer 3 and 4 distributed denial-of-service (DDoS) attacks last year, accounting for 38% of such incidents globally, according to a new joint report by FS-ISAC and Akamai. The report, titled From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector, outlines the growing scale and persistence of DDoS attacks targeting APAC's financial sector. In 2023, APAC only accounted for 11% of these incidents, highlighting the extent of the increase. The analysis found that over 20 financial institutions across six countries were affected by sustained DDoS campaigns in the fourth quarter of 2024, creating downstream risk that could impact up to USD $8 trillion in value. These attacks were notable not for their size, but for their persistence and continuity, a trend not previously seen in APAC. The wave of attacks impacted multiple sectors, including retail banking, payment processing, investment banking, and financial governmental institutions. The report attributes a significant growth in application-level (Layer 7) attacks to the increasing use of application programming interfaces (APIs) within financial services. This expansion of digital infrastructure has introduced new vulnerabilities and a broader attack surface for malicious actors. FS-ISAC's Chief Intelligence Officer and Managing Director, EMEA, Teresa Walsh, commented on the changing character of DDoS threats: "DDoS attacks are becoming increasingly sophisticated, evolving from simple network flooding to targeted, multi-dimensional assaults that exploit intricate vulnerabilities across the entire supply chain. As threat tactics continue to evolve — including those impacting APAC's increasingly digital financial systems — we must ensure our technical defenses evolve and our people, tools, and processes work seamlessly together. It is critical that we harden our infrastructure and foster a culture of continuous vigilance and collaboration to protect continuity and customer trust." Reuben Koh, Director of Security Technology & Strategy, APJ at Akamai, highlighted the changing nature of DDoS campaigns in the region: "DDoS attacks in APAC are no longer blunt-force attempts, but sophisticated multi-vector campaigns that exploit vulnerable systems and exposed APIs. As highly coveted target sectors like financial services, commerce, and manufacturing accelerate digital growth, these continuous attacks pose growing operational and reputational risks, and organizations must work with trusted cybersecurity partners who can provide the intelligence, scalability, and agility needed to defend themselves in today's threat landscape." The joint report also connects the increase in attacks to broader developments, including ongoing geopolitical tensions such as the Israel-Hamas and Russia-Ukraine conflicts. These events have led to a noted rise in ideologically driven hacktivism and blurred the lines between DDoS-for-Hire groups, hacktivists, and state-sponsored actors. The proliferation of DDoS-for-Hire platforms has made these attack tools accessible to a wider range of threat actors. Globally, the financial sector remained the most targeted industry segment for Layer 3 and 4 DDoS attacks, making up 37% of incidents. This marks the second consecutive year that financial services have led in reported attack numbers, followed by gaming at 20% and manufacturing at 17%. No other sector experienced a similar surge, according to the report's findings. The publication discusses strategies for improving defences through the FS-ISAC and Akamai-developed DDoS Maturity Model. This framework provides a benchmark for readiness and recommends targeted investment in defence strategies for organisations managing financial infrastructure and sensitive data. The DDoS Maturity Model highlights several key actions for financial institutions and related entities: Adopt real-time behavioural analytics and traffic baselining Implement threat intelligence-led automation for detection and mitigation Strengthen DNS and API security with continuous testing and hardening Use geo-IP filtering to reduce exposure from high-risk regions The report also contains regional data, profiles of hacktivist groups, and an overview of mitigation strategies and best cyber hygiene practices. It notes the importance of mapping organisational capabilities and practices against different stages of maturity in DDoS defence, offering a structured approach to managing a rising strategic threat. Akamai's collaboration with FS-ISAC on this research builds on the company's involvement in FS-ISAC's Critical Providers Program, which was launched to strengthen supply chain security within the financial sector.

Techday NZ

10-06-2025

• Techday NZ

Semperis adds detection for BadSuccessor flaw in Windows 2025

Cybersecurity firm Semperis has introduced new detection capabilities in its Directory Services Protector (DSP) platform, aiming to protect organisations against "BadSuccessor" — a newly disclosed privilege escalation technique in Windows Server 2025 that currently has no available patch. The BadSuccessor flaw, revealed by researchers at Akamai, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to enhance the security of service accounts. Instead, the researchers demonstrated how the feature can be exploited to impersonate highly privileged users in Active Directory, such as Domain Admins, without needing additional credentials or triggering alerts. In direct response to Akamai's findings, Semperis worked with the researchers to develop and deploy new detection indicators within its DSP platform. The enhancements include one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs), designed to help organisations identify early signs of potential abuse. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai. The detection indicators are focused on revealing abnormal behaviour around dMSAs, including excessive delegation rights, suspicious links between dMSAs and privileged accounts, and attempts to target sensitive credentials like the KRBTGT account. According to Semperis, this can give security teams a vital head start in identifying attacks before they can escalate. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. "This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit." The vulnerability has broad implications. Any organisation operating at least one domain controller (DC) running Windows Server 2025 may be at risk. According to Semperis, even a single misconfigured DC using dMSAs could expose the entire Active Directory environment to compromise. As there is currently no fix for the vulnerability, Semperis is urging organisations to take immediate steps to protect their environments. These include auditing dMSA configurations, reviewing delegation permissions, and employing detection tools such as the updated DSP platform. The new detection features aim to support defenders in closing a critical visibility gap. Service accounts, such as dMSAs, often run with elevated privileges but remain unmonitored or poorly managed in many enterprise environments. This lack of oversight creates a potential blind spot for attackers to exploit — a challenge the BadSuccessor technique highlights sharply. Semperis stated that the DSP update is available now and is intended to offer a stopgap solution for organisations as they await official mitigation from Microsoft. The case also serves as a reminder of the growing complexity of managing hybrid identity environments. With attackers increasingly targeting infrastructure such as Active Directory, new features — however well-intentioned — can quickly become unexpected attack vectors. Gordon added, "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call." Until a patch is released, security teams are advised to remain vigilant and proactive. By monitoring dMSA activity and understanding their configuration risks, organisations can reduce their exposure to what could otherwise be a silent but highly impactful method of privilege escalation.

Techday NZ

09-06-2025

• Techday NZ

Semperis adds detection for dMSA attacks in Windows Server

Semperis has announced new detection capabilities in its Directory Services Protector platform in collaboration with Akamai to address the "BadSuccessor" privilege escalation technique in Windows Server 2025. BadSuccessor targets a new Windows Server 2025 feature called delegated Managed Service Accounts (dMSAs), which was designed to improve service account security. Researchers at Akamai have shown that attackers can exploit dMSAs to impersonate highly privileged users, such as Domain Admins, within Active Directory. At present, there is no patch available to address this vulnerability. Service accounts, including dMSAs, often operate with extensive or unmonitored privileges, creating potential security risks for enterprises. The exploitation method uncovered by Akamai highlights ongoing challenges in securing service accounts and preventing unexpected attack vectors within large organisations. In response, Semperis has updated its Directory Services Protector platform to include one new Indicator of Exposure and three Indicators of Compromise aimed at detecting abnormal dMSA activity. These enhancements will enable security teams to identify excessive delegation rights, malicious connections between dMSAs and privileged user accounts, and attacks directed at sensitive accounts such as KRBTGT. "Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact. The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call," said Yuval Gordon, Security Researcher at Akamai. "Service accounts remain one of the least governed yet most powerful assets in enterprise environments. This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit," said Tomer Nahum, Security Researcher at Semperis. The vulnerability is present in any organisation that operates at least one domain controller running Windows Server 2025. According to Semperis, a single misconfigured domain controller can place the entire environment at risk. Until vendors release an official patch, organisations are encouraged to audit dMSA permissions and use detection tools to monitor for misuse. Semperis is reinforcing cybersecurity for enterprises by protecting critical identity services that underpin hybrid and multi-cloud environments. Purpose-built for securing complex identity infrastructures — including Active Directory, Entra ID, and Okta — Semperis' AI-powered platform safeguards more than 100 million identities from cyberattacks, data breaches, and operational missteps. Headquartered in Hoboken, New Jersey, the privately held international company supports major global brands and government agencies, with customers spanning over 40 countries. Beyond its core technology offerings, Semperis is recognized for its commitment to the cybersecurity community. The company sponsors a range of industry resources, including the award-winning Hybrid Identity Protection (HIP) Conference, the HIP Podcast, and free identity security tools such as Purple Knight and Forest Druid. With its dual mission to protect digital infrastructure and empower the security community, Semperis continues to play a pivotal role in advancing global cyber resilience. Follow us on: Share on: