Latest news with #BadSuccessor


Techday NZ
10-06-2025
- Business
- Techday NZ
Semperis adds detection for BadSuccessor flaw in Windows 2025
Cybersecurity firm Semperis has introduced new detection capabilities in its Directory Services Protector (DSP) platform, aiming to protect organisations against "BadSuccessor" — a newly disclosed privilege escalation technique in Windows Server 2025 that currently has no available patch.

The BadSuccessor flaw, revealed by researchers at Akamai, targets delegated Managed Service Accounts (dMSAs), a new Windows Server 2025 feature designed to enhance the security of service accounts. Instead, the researchers demonstrated how the feature can be exploited to impersonate highly privileged users in Active Directory, such as Domain Admins, without needing additional credentials or triggering alerts.

In direct response to Akamai's findings, Semperis worked with the researchers to develop and deploy new detection indicators within its DSP platform. The enhancements include one new Indicator of Exposure (IOE) and three Indicators of Compromise (IOCs), designed to help organisations identify early signs of potential abuse.

"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact," said Yuval Gordon, Security Researcher at Akamai.

The detection indicators are focused on revealing abnormal behaviour around dMSAs, including excessive delegation rights, suspicious links between dMSAs and privileged accounts, and attempts to target sensitive credentials like the KRBTGT account. According to Semperis, this can give security teams a vital head start in identifying attacks before they can escalate.

"Service accounts remain one of the least governed yet most powerful assets in enterprise environments," said Tomer Nahum, Security Researcher at Semperis. "This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit."

The vulnerability has broad implications. Any organisation operating at least one domain controller (DC) running Windows Server 2025 may be at risk. According to Semperis, even a single misconfigured DC using dMSAs could expose the entire Active Directory environment to compromise.

As there is currently no fix for the vulnerability, Semperis is urging organisations to take immediate steps to protect their environments. These include auditing dMSA configurations, reviewing delegation permissions, and employing detection tools such as the updated DSP platform.

The new detection features aim to support defenders in closing a critical visibility gap. Service accounts, such as dMSAs, often run with elevated privileges but remain unmonitored or poorly managed in many enterprise environments. This lack of oversight creates a potential blind spot for attackers to exploit — a challenge the BadSuccessor technique highlights sharply.

Semperis stated that the DSP update is available now and is intended to offer a stopgap solution for organisations as they await official mitigation from Microsoft.

The case also serves as a reminder of the growing complexity of managing hybrid identity environments. With attackers increasingly targeting infrastructure such as Active Directory, new features — however well-intentioned — can quickly become unexpected attack vectors.

Gordon added, "The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call."

Until a patch is released, security teams are advised to remain vigilant and proactive. By monitoring dMSA activity and understanding their configuration risks, organisations can reduce their exposure to what could otherwise be a silent but highly impactful method of privilege escalation.


Techday NZ
09-06-2025
- Business
- Techday NZ
Semperis adds detection for dMSA attacks in Windows Server
Semperis has announced new detection capabilities in its Directory Services Protector platform in collaboration with Akamai to address the "BadSuccessor" privilege escalation technique in Windows Server 2025.

BadSuccessor targets a new Windows Server 2025 feature called delegated Managed Service Accounts (dMSAs), which was designed to improve service account security. Researchers at Akamai have shown that attackers can exploit dMSAs to impersonate highly privileged users, such as Domain Admins, within Active Directory. At present, there is no patch available to address this vulnerability.

Service accounts, including dMSAs, often operate with extensive or unmonitored privileges, creating potential security risks for enterprises. The exploitation method uncovered by Akamai highlights ongoing challenges in securing service accounts and preventing unexpected attack vectors within large organisations.

In response, Semperis has updated its Directory Services Protector platform to include one new Indicator of Exposure and three Indicators of Compromise aimed at detecting abnormal dMSA activity. These enhancements will enable security teams to identify excessive delegation rights, malicious connections between dMSAs and privileged user accounts, and attacks directed at sensitive accounts such as KRBTGT.

"Semperis moved quickly to translate the vulnerability into real-world detection capabilities for defenders, demonstrating how collaboration between researchers and vendors can lead to rapid, meaningful impact. The abuse of service accounts is a growing concern, and this high-profile vulnerability is a wake-up call," said Yuval Gordon, Security Researcher at Akamai.

"Service accounts remain one of the least governed yet most powerful assets in enterprise environments. This collaboration with Akamai allowed us to close detection gaps fast and give defenders visibility into a deeply complex area of Active Directory that attackers continue to exploit," said Tomer Nahum, Security Researcher at Semperis.

The vulnerability is present in any organisation that operates at least one domain controller running Windows Server 2025. According to Semperis, a single misconfigured domain controller can place the entire environment at risk. Until vendors release an official patch, organisations are encouraged to audit dMSA permissions and use detection tools to monitor for misuse.

Semperis is reinforcing cybersecurity for enterprises by protecting critical identity services that underpin hybrid and multi-cloud environments. Purpose-built for securing complex identity infrastructures — including Active Directory, Entra ID, and Okta — Semperis' AI-powered platform safeguards more than 100 million identities from cyberattacks, data breaches, and operational missteps. Headquartered in Hoboken, New Jersey, the privately held international company supports major global brands and government agencies, with customers spanning over 40 countries. Beyond its core technology offerings, Semperis is recognized for its commitment to the cybersecurity community. The company sponsors a range of industry resources, including the award-winning Hybrid Identity Protection (HIP) Conference, the HIP Podcast, and free identity security tools such as Purple Knight and Forest Druid. With its dual mission to protect digital infrastructure and empower the security community, Semperis continues to play a pivotal role in advancing global cyber resilience.


Forbes
21-05-2025
- Forbes
New Windows Server 2025 Attack Compromises Any Active Directory User
New Windows Server 2025 vulnerability confirmed.

Although you are far more likely to read about vulnerabilities impacting the Windows operating system, including those that have long since reached end-of-support status such as Windows 7, this doesn't mean that Windows Server users are not in the crosshairs of threat actors. Far from it, and not just legacy versions either, as security researchers reveal a new, and trivial to implement, Windows Server 2025 vulnerability that could compromise any Active Directory user. Here's what you need to know.

Privilege escalation vulnerabilities are among the worst you can be faced with, as, rather obviously, they enable a successful attacker to do far more than they should be able to given the limited permissions they started with. Yuval Gordon, a senior security researcher at Akamai Technologies, has exclusively shared details of a particularly concerning privilege escalation vulnerability impacting Windows Server 2025. Not only because, as Gordon explained, it allows an attacker to 'compromise any user in Active Directory,' but also because it 'works with the default configuration, and is trivial to implement.' If you thought things couldn't get any worse, you'd be wrong: no patch is currently available.

Akamai has named the vulnerability and associated exploit BadSuccessor, and confirmed that it abuses the delegated Managed Service Account feature introduced with Windows Server 2025. 'In 91% of the environments we examined,' Gordon said, 'we found users outside the domain admins group that had the required permissions to perform this attack.' BadSuccessor might be trivial to implement, but the consequences of a successful attack are anything but trivial.

Figure: Full attack flow, showing all steps needed to have a BadSuccessor.

A key feature of dMSA is the ability to migrate existing and non-managed service accounts by seamlessly converting them into dMSAs, and it's this that is the issue. 'By abusing dMSAs, attackers can take over any principal in the domain,' Gordon said. All an attacker needs to be able to exploit the BadSuccessor vulnerability is a seemingly benign permission on any organizational unit in the domain. Here's the real killer though: as long as you have one Windows Server 2025 domain controller, your domain doesn't even need to be using dMSAs at all; the exploit will work anyway.

I would advise every Windows Server administrator to read the full report in its entirety, and as a matter of some urgency. In the meantime, I spoke with Yuval Gordon, who reiterated that BadSuccessor is not only 'so dangerous because the attack is so simple,' but added that Akamai researchers were 'surprised that we were first to discover it.'

The only good news, such as it is, would be that there is no evidence to conclusively show that BadSuccessor has been exploited by attackers in the wild at this point, but given that 'most organisations aren't currently monitoring the relevant events,' Gordon said it's hard to say for certain.

Gordon recommended that organizations and admins identify which users have the specific permissions that make this attack possible and, having done so, review and remove unnecessary permissions. 'We're releasing a PowerShell script alongside the blog post to help with that,' Gordon told me, so that would be a good starting point. 'It highlights exactly which users have risky access so defenders know where to focus,' Gordon concluded.

I reached out to Microsoft for a statement, and a spokesman said: 'We appreciate Akamai for identifying and responsibly reporting this issue. After careful investigation, this case was rated as a Moderate severity that does not meet our bar for immediate servicing, as the technique requires elevated user permissions to be successful. We will look to address this issue in a future update.'

Microsoft also said that for BadSuccessor to be successful, an attacker would require access to the msds-groupMSAMembership attribute of the dMSA. This attribute allows the user to utilize the The attacker needs write access to this attribute, which allows them to specify a user, such as an administrator, that the dMSA can act on behalf of. All users of Windows Server 2025 are advised to take action and protect against the threat until Microsoft issues a fix.
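The two defensive actions the articles above describe, finding who holds the "seemingly benign permission" on organizational units that lets a dMSA be created, and finding who can write the msds-groupMSAMembership attribute on dMSAs that already exist, can be turned into an audit. The script below is an added example written for this page; it is not Akamai's published script and not Semperis' DSP logic. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read directory ACLs. The schema names it resolves, msDS-DelegatedManagedServiceAccount for the dMSA object class and msDS-GroupMSAMembership for the attribute, are not given on the page; they are looked up from the live schema, and the script stops if either is missing (for example, because no Windows Server 2025 domain controller has extended the schema yet).

```powershell
# Added example for this page (not Akamai's script, not Semperis DSP). Requires the RSAT
# ActiveDirectory module and read access to directory ACLs.
# Assumptions: dMSAs are objects of class msDS-DelegatedManagedServiceAccount and the
# attribute in Microsoft's statement is msDS-GroupMSAMembership; both are resolved from the
# live schema so a wrong or absent name stops the script instead of producing empty output.
Import-Module ActiveDirectory -ErrorAction Stop

function Resolve-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found; is the schema extended for Windows Server 2025?" }
    [guid]$obj.schemaIDGUID
}

# Principals expected to hold these rights; every other grant is reported for review.
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', '*\Domain Admins', '*\Enterprise Admins')

function Test-Expected {
    param([string]$Identity)
    foreach ($p in $ExpectedPrincipals) { if ($Identity -like $p) { return $true } }
    $false
}

# True when every bit of $Wanted is present in $Rights (avoids GenericAll matching on a single shared bit).
function Test-Right {
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Wanted)
    (($Rights -band $Wanted) -eq $Wanted)
}

function New-Finding($Check, $Object, $Ace) {
    [pscustomobject]@{
        Check     = $Check
        Object    = $Object
        Principal = $Ace.IdentityReference.Value
        Rights    = $Ace.ActiveDirectoryRights.ToString()
        Inherited = $Ace.IsInherited
    }
}

# Check 1: who may create child objects under each OU. CreateChild scoped to all classes
# (empty ObjectType) or to the dMSA class, or full control, each allow a dMSA to be created there.
function Get-OuCreateChildFindings {
    $dmsaClass = Resolve-SchemaGuid 'msDS-DelegatedManagedServiceAccount'
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $all    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (Test-Expected $ace.IdentityReference.Value) { continue }
            $scoped = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $dmsaClass)
            if (((Test-Right $ace.ActiveDirectoryRights $create) -and $scoped) -or (Test-Right $ace.ActiveDirectoryRights $all)) {
                New-Finding 'OU-CreateChild' $ou.DistinguishedName $ace
            }
        }
    }
}

# Check 2: who may write msDS-GroupMSAMembership on dMSAs that already exist. WriteProperty scoped
# to all attributes or to this attribute, GenericWrite, or full control each suffice.
function Get-DmsaWriteFindings {
    $attr  = Resolve-SchemaGuid 'msDS-GroupMSAMembership'
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $gw    = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
    $all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($d in Get-ADObject -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)') {
        $acl = Get-Acl -Path ("AD:\" + $d.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (Test-Expected $ace.IdentityReference.Value) { continue }
            $scoped = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $attr)
            if (((Test-Right $ace.ActiveDirectoryRights $write) -and $scoped) -or
                (Test-Right $ace.ActiveDirectoryRights $gw) -or (Test-Right $ace.ActiveDirectoryRights $all)) {
                New-Finding 'dMSA-WriteMembership' $d.DistinguishedName $ace
            }
        }
    }
}

$findings = @(Get-OuCreateChildFindings) + @(Get-DmsaWriteFindings)
$findings | Sort-Object Check, Object, Principal | Format-Table -AutoSize
```

Read the output as a review list, not a verdict: a grant can be legitimate delegation, and the script does not expand group nesting or resolve property-set GUIDs, so a write right granted through a property set that includes the attribute would not appear. It also enumerates OUs only, which is the scope the articles describe; containers are not covered. Each row is a candidate for the "review and remove unnecessary permissions" step Gordon recommends.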