Active Directory Certificate Services Under Attack: New Exploitation Method Bypasses MFA - Compudent Systems

Cybersecurity researchers at Mandiant have uncovered a dangerous new exploitation technique targeting Active Directory Certificate Services (AD CS) that allows attackers to create administrator accounts while completely bypassing multi-factor authentication requirements.

According to Mandiant’s M-Trends 2026 report, threat actors are exploiting misconfigured AD CS templates to establish persistent, high-privilege access to enterprise networks. This technique has been observed in multiple ransomware operations where attackers systematically disabled recovery infrastructure before deploying encryption.

Understanding the AD CS Vulnerability

Active Directory Certificate Services manages public key infrastructure (PKI) within Windows environments, handling digital certificates for authentication and encryption. When AD CS templates are misconfigured, they can be exploited to issue unauthorized certificates that grant administrative privileges.


The exploitation process typically involves several steps:

  • Template Discovery: Attackers scan for vulnerable certificate templates with overprivileged permissions
  • Certificate Request: Malicious requests are submitted using compromised credentials
  • Authentication Bypass: The resulting certificates allow MFA-exempt access to domain resources
  • Privilege Escalation: New administrator accounts are created using certificate-based authentication
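The "overprivileged template" in the first step has a concrete shape: a template whose enrollee may supply the subject and subject alternative name, whose extended key usage allows domain authentication, that needs no manager approval or authorized signature, and that low-privileged groups are allowed to enroll in. The following audit script is an added example (not code from the article or from Mandiant): it models template attributes as plain dicts that you would, in practice, populate from the `CN=Certificate Templates,CN=Public Key Services,CN=Services` container of the Configuration naming context. The template names and sample values are constructed; the attribute names, flag bits and EKU OIDs are Microsoft's documented ones.

```python
"""Audit AD CS certificate templates for the dangerous combination described above.

Added example, not the article's or Mandiant's code. Templates are modelled as
dicts; in production read them over LDAP from the Configuration NC (assumption).
"""

# Documented AD CS flag bits and EKU OIDs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # in msPKI-Enrollment-Flag ("CA certificate manager approval")

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

# Principals that should never hold Enroll on a template usable for logon.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def audit_template(t):
    """Return (risk, reasons) for one template; risk is 'HIGH', 'MEDIUM' or 'LOW'."""
    name_flag = t.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = t.get("msPKI-Enrollment-Flag", 0)
    ekus = set(t.get("pKIExtendedKeyUsage", []))
    ra_sigs = t.get("msPKI-RA-Signature", 0)
    enrollers = set(t.get("enroll_principals", []))  # simplified view of the Enroll ACEs

    supplies_subject = bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    auth_capable = not ekus or bool(ekus & AUTH_EKUS)  # no EKU at all means "all purposes"

    reasons = []
    if supplies_subject:
        reasons.append("requester supplies the subject / SAN, so it can name any account")
    if auth_capable:
        reasons.append("issued certificate is usable for domain authentication")
    if not enroll_flag & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no certificate manager approval required")
    if ra_sigs == 0:
        reasons.append("no authorized signature required")
    broad = sorted(enrollers & BROAD_PRINCIPALS)
    if broad:
        reasons.append("enrollment granted to broad principals: " + ", ".join(broad))

    # All five together: any domain user can obtain, unreviewed, a certificate
    # that authenticates as any account. That is the template the article warns about.
    if len(reasons) == 5:
        return "HIGH", reasons
    if supplies_subject and auth_capable:
        return "MEDIUM", reasons  # dangerous shape, but a control (approval/signature) is in place
    return "LOW", reasons


def audit_templates(templates):
    """Map template CN -> (risk, reasons) for a list of template dicts."""
    return {t["cn"]: audit_template(t) for t in templates}


# Constructed sample data (values chosen to resemble real templates, not exported from any domain).
SAMPLE_TEMPLATES = [
    {   # Resembles the built-in User template: subject/SAN are built from AD, not supplied.
        "cn": "User",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0x29,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"],
        "msPKI-RA-Signature": 0,
        "enroll_principals": ["Domain Users"],
    },
    {   # A custom template with the full dangerous combination.
        "cn": "LegacyWebEnroll",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000000,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "msPKI-RA-Signature": 0,
        "enroll_principals": ["Domain Users", "Domain Computers"],
    },
    {   # Same template after enabling manager approval: still worth fixing, but gated.
        "cn": "ApprovedWebEnroll",
        "msPKI-Certificate-Name-Flag": 0x00000001,
        "msPKI-Enrollment-Flag": 0x00000002,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],
        "msPKI-RA-Signature": 0,
        "enroll_principals": ["Domain Users"],
    },
]

if __name__ == "__main__":
    for cn, (risk, reasons) in audit_templates(SAMPLE_TEMPLATES).items():
        print(f"{risk:6} {cn}")
        for r in reasons:
            print("        -", r)
```

The User template scores LOW even though it is broadly enrollable and usable for logon, because the SAN comes from the directory rather than from the requester; that is the single attribute that separates a normal template from an exploitable one, and it is the first thing to check when reviewing template permissions.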

Impact on Dental and Healthcare Organizations

Healthcare organizations, including dental practices, face particular risks from AD CS exploitation due to their reliance on Windows-based infrastructure for patient management systems, imaging equipment, and electronic health records.

The healthcare sector was among the most targeted industries in 2025, according to Mandiant data. Dental practices using integrated practice management software, digital radiography systems, and cloud-based backup solutions are especially vulnerable if their AD CS configurations contain security gaps.


Ransomware Groups Exploit AD CS for Maximum Damage

Mandiant observed ransomware operators using AD CS exploitation as part of comprehensive attack chains designed to prevent recovery. Once administrative access is established through certificate abuse, attackers focus on:

  • Compromising backup management servers
  • Extracting credentials from enterprise vaults
  • Forcing password changes on privileged accounts
  • Encrypting virtualization infrastructure
  • Wiping cloud-based backup repositories

This systematic approach to disabling recovery capabilities represents a significant escalation in ransomware tactics, moving beyond simple encryption to comprehensive business disruption.

Detection and Prevention Strategies

Organizations can protect themselves against AD CS exploitation through several key measures:

  • Template Auditing: Regularly review certificate template permissions and remove unnecessary privileges
  • Certificate Monitoring: Implement logging and alerting for unusual certificate issuance patterns
  • Access Controls: Restrict certificate template modification rights to essential personnel only
  • MFA Enforcement: Ensure multi-factor authentication applies to certificate-based authentication flows
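The "Certificate Monitoring" item above becomes actionable once certificate issuance is correlated with certificate logons. The script below is an added example (not from the article or Mandiant) showing three checks a defender can run: issued certificates whose SAN names a different account than the requester, one requester obtaining many certificates in a short window, and Kerberos TGT requests authenticated with a certificate (Event ID 4768, Pre-Authentication Type 16) whose certificate was requested by someone else or is unknown to the CA. All records are constructed; in practice the issuance records come from the CA database (Event ID 4887 or `certutil -view`) and the TGT events from domain controller Security logs. The domain `clinic.local`, the account names and the serial numbers are assumptions.

```python
"""Flag unusual certificate issuance and certificate-based logons.

Added example, not the article's or Mandiant's code. Input records are constructed
inline; field names are a simplified view of CA issuance data and DC Event 4768.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CA issuance records: requester, template, serial, and the UPN in the SAN.
ISSUED = [
    {"serial": "1a0001", "requester": "CLINIC\\jdoe",      "template": "User",            "san_upn": "jdoe@clinic.local",          "time": "2026-03-02T09:10:00"},
    {"serial": "1a0002", "requester": "CLINIC\\frontdesk", "template": "LegacyWebEnroll", "san_upn": "administrator@clinic.local", "time": "2026-03-02T09:12:00"},
    {"serial": "1a0003", "requester": "CLINIC\\frontdesk", "template": "LegacyWebEnroll", "san_upn": "backupsvc@clinic.local",     "time": "2026-03-02T09:13:00"},
    {"serial": "1a0004", "requester": "CLINIC\\frontdesk", "template": "LegacyWebEnroll", "san_upn": "dentist1@clinic.local",      "time": "2026-03-02T09:14:00"},
    {"serial": "1a0005", "requester": "CLINIC\\dentist1",  "template": "User",            "san_upn": "dentist1@clinic.local",      "time": "2026-03-02T10:30:00"},
]

# Constructed DC Security log 4768 records. preauth 16 = PA-PK-AS-REQ (certificate / PKINIT);
# preauth 2 = password-based. cert_serial is the "Certificate Serial Number" field.
TGT_EVENTS = [
    {"account": "jdoe@clinic.local",          "preauth": 16, "cert_serial": "1a0001", "time": "2026-03-02T09:11:00"},
    {"account": "administrator@clinic.local", "preauth": 16, "cert_serial": "1a0002", "time": "2026-03-02T09:15:00"},
    {"account": "dentist1@clinic.local",      "preauth": 2,  "cert_serial": "",       "time": "2026-03-02T10:31:00"},
    {"account": "backupsvc@clinic.local",     "preauth": 16, "cert_serial": "ffffff", "time": "2026-03-02T11:00:00"},
]


def _sam_from_requester(requester):
    """'CLINIC\\frontdesk' -> 'frontdesk'."""
    return requester.rsplit("\\", 1)[-1].lower()


def _sam_from_upn(upn):
    """'frontdesk@clinic.local' -> 'frontdesk'."""
    return upn.split("@", 1)[0].lower()


def identity_mismatches(issued):
    """Serials of certificates whose SAN UPN names an account other than the requester.

    For user templates the requester and the SAN should be the same person; a
    mismatch is the fingerprint of a requester-supplied SAN on an authentication template.
    (Enrollment-agent workflows are a legitimate exception and should be allow-listed.)
    """
    return [r["serial"] for r in issued
            if _sam_from_upn(r["san_upn"]) != _sam_from_requester(r["requester"])]


def request_bursts(issued, threshold=3, window=timedelta(minutes=5)):
    """Requesters that obtained at least `threshold` certificates inside any `window`."""
    by_requester = defaultdict(list)
    for r in issued:
        by_requester[r["requester"]].append(datetime.fromisoformat(r["time"]))
    flagged = []
    for requester, times in by_requester.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(requester)
                break
    return flagged


def suspicious_pkinit_logons(issued, events):
    """Certificate-based TGT requests whose certificate was requested by someone else or is unknown."""
    by_serial = {r["serial"]: r for r in issued}
    hits = []
    for e in events:
        if e["preauth"] != 16:
            continue  # password or other pre-auth; not a certificate logon
        rec = by_serial.get(e["cert_serial"])
        if rec is None:
            hits.append({"account": e["account"], "serial": e["cert_serial"],
                         "reason": "certificate serial not present in CA issuance records"})
        elif _sam_from_requester(rec["requester"]) != _sam_from_upn(e["account"]):
            hits.append({"account": e["account"], "serial": e["cert_serial"],
                         "reason": f"certificate was requested by {rec['requester']} "
                                   f"via template {rec['template']}"})
    return hits


if __name__ == "__main__":
    print("SAN/requester mismatches:", identity_mismatches(ISSUED))
    print("Request bursts:", request_bursts(ISSUED))
    for h in suspicious_pkinit_logons(ISSUED, TGT_EVENTS):
        print("PKINIT logon to review:", h)
```

The third check is the one that speaks directly to the MFA-bypass angle: a certificate logon for a privileged account is a single-factor event from the domain controller's point of view, so the question to ask is not "did MFA run" but "who obtained the certificate that this account is now using". Correlating the 4768 serial back to the CA's requester answers that without needing anything from the endpoint.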

For dental practices and healthcare organizations, working with experienced IT security providers is essential for identifying and remediating AD CS vulnerabilities before they can be exploited.

Immediate Action Required

The rapid adoption of AD CS exploitation by multiple threat groups indicates this technique will become increasingly common. Organizations should prioritize certificate services security alongside traditional endpoint and network defenses.

Given the 22-second median time between initial access and threat actor handoff observed by Mandiant, defensive measures must be proactive rather than reactive. Dental practices particularly should ensure their IT support providers understand PKI security requirements and can audit certificate configurations effectively.

As cyber threats continue evolving, maintaining comprehensive security across all infrastructure components – including often-overlooked certificate services – becomes critical for protecting patient data and ensuring business continuity.


