None of the parties involved confirmed the rumor, though

Jul 16, 2014 14:03 GMT

Microsoft may be involved in negotiations to buy Israeli security firm Aorato, the company that reported a critical design flaw in the way Active Directory authenticates clients.

Aorato is a startup that developed a solution (Directory Services Application Firewall) focused on the protection of the Active Directory service on Windows. In January, they received $10 / €7.4 million in funding from investors such as Accel, Trusteer co-founders, Innovation Endeavors and Glilot Capital Partners.

According to The Wall Street Journal, the Redmond company is currently in talks to acquire it for about $200 / €148 million. The publication has learned from sources familiar with the matter that the deal is planned to be closed in the next two months. However, no confirmation has been issued by either of the parties.

The news comes after Aorato published a report on Tuesday, July 15, about a critical vulnerability in Active Directory that allowed an attacker to authenticate with an NTLM hash using weaker encryption.

It was a flaw in the design of the service, one that Microsoft admitted to be a known limitation in the newer Kerberos authentication protocol.

Kerberos was designed to supplant NTLM on machines running Windows versions newer than XP SP3. However, for backward compatibility reasons, NTLM is still supported and can be used to obtain a Kerberos authentication ticket, allowing an attacker to access sensitive areas of the network.

Tal Be'ery, Aorato's vice president of research, draws attention to the fact that such an attack, called “pass-the-hash” (PtH), is not logged in the event logs, making it completely invisible.

The worrying aspect is that most of the Fortune 1000 companies (~95%) have Active Directory deployed and could fall victim to this sort of attack.

“Millions of businesses are blindly trusting Active Directory as a foundation to their overall IT infrastructure. The unfortunate truth is that this trust is naively misplaced, leaving the vast majority of Fortune 500 enterprises and employees susceptible to a breach of personal and company data,” Be'ery told us via email.

Aorato also offers some mitigation solutions, but if the rumors of the acquisition are true, their product could be integrated into Microsoft’s operating system to let administrators monitor traffic and detect suspicious activity.

Directory Services Application Firewall has the capability to learn, profile and predict the behavior of the monitored entities, taking into consideration the context of the event.