Pakistan Telecommunication Authority (PTA) has issued a Cyber Security Advisory concerning misconfigurations in Microsoft System Center Configuration Manager (SCCM), highlighting their potential use in cyberattacks.
According to the advisory, security researchers have unveiled a repository named Misconfiguration Manager, which covers both attack and defense strategies arising from improperly configured Microsoft Configuration Manager (MCM). Since 1994, MCM has been integral to managing servers and workstations in Active Directory environments, yet its default settings have often been identified as weaknesses that attackers can use to gain administrative control within Windows domains.
According to the advisory, the security researchers underscore the complexity of the MCM/SCCM setup, which frequently results in default configurations that present exploitable opportunities for malicious actors.
The Misconfiguration Manager repository illustrates various scenarios where misconfigured MCM installations allowed attackers to ascend to domain controller status by exploiting overprivileged Network Access Accounts (NAAs) and mishandled Configuration Manager sites.
The repository aims to educate administrators about the intricacies of MCM and simplify the management of attack paths. Currently, it documents 22 techniques for attacking MCM/SCCM directly or abusing it during post-exploitation stages. The suggested defense strategies are categorized into prevention, detection, and canary tactics, each designed to address the identified vulnerabilities effectively.
PTA has urged the adoption of the provided guidance and strategies for detecting diverse attack techniques. It recommends deploying deception-based detection strategies that utilize features commonly exploited by attackers. Any incidents should be promptly reported to the PTA through the National CERT Portal or via email.