If we look at the recent cyber attacks, including the Anunak/Carbanak financial breach, in which $300 million was transferred in full view of antivirus software and past other security controls, the attackers were not going after the money – at least, not at first. To start, they were going for the privileged credentials that would bring them right through the main door of their target organization.
Numerous research reports and recent cyber attack forensics demonstrate that privileged account credentials are the key targets for hackers in almost all advanced attacks – which is why security needs to start with protecting these accounts.
The breaches at the Sands Casino Corporation and Sony Pictures Entertainment – where the credential fields were blooming – provide stark examples of why privileged accounts are targeted and exploited. The attacks started with attackers stealing low-level credentials from employees and snooping through the information on their devices. This was simply a foothold from which to target, steal and exploit a privileged account – the credential required to move about the network and gain access to the targeted assets.
By exploiting one single privileged account, the attackers were able to elevate privileges, steal additional accounts and move freely about the network undetected for months. This gave the attackers plenty of time to study the security infrastructure before targeting sensitive assets and exfiltrating data out of the network.
Exploiting privileged credentials gives an attacker nearly unlimited power and control over a company’s infrastructure and IT systems. These accounts empower them to conduct their attacks – regardless of what the end game is. For example, in the Sands Casino breach, attackers exploited privileged accounts to compromise “almost every Sands file.”
Techniques like Pass-The-Hash and Overpass-The-Hash allow attackers to utilize the compromised credentials and impersonate legitimate users. The impersonation provides the attacker access to their target assets without necessarily relying on malware, thereby avoiding possible friction with standard security controls.
Consider the recent Anunak/Carbanak attacks, where a multinational group of criminal attackers breached multiple financial institutions, stealing hundreds of millions of dollars. The group’s method was: attack an employee; steal a set of privileged credentials that enables access to some server; steal another set of privileged credentials from that server to gain access to central network assets, such as Active Directory; steal more privileged credentials to gain control over financial administrators’ machines; and initiate money transfers from those machines to attacker-controlled accounts.
These techniques are standard for targeted attackers, whether criminals, nation-state-sponsored groups or others. We can identify a cycle that includes three main steps:
Gaining access to a resource – whether by spearphishing, vulnerability exploitation or other methods, the attackers gain access to some machine in the network. On this machine, the attackers attempt to find credentials that will enable them to gain access to other network resources.
Collecting credentials – the attackers look for and retrieve credentials used on the compromised machine. These may include typed passwords, collected through keylogging; files containing passwords; credentials stored in applications such as browsers; SSH keys; certificates; and others. A leading type of credential that is routinely stolen is NTLM hashes and Kerberos tickets, which can be used to authenticate to other resources in the network. Off-the-shelf tools such as mimikatz make this step an easy one even for lower-skilled attackers.
Using the credentials – the stolen credentials are then used to access other network resources, such as servers, databases, applications and so on. On these, the attackers are able to steal more, and higher-privileged, credentials. For example, a leading target is the Active Directory of the organizational network, which holds the credentials for all the accounts in the domain.
The cycle repeats until the attackers gain a sufficiently privileged account that gives them access to the goal of their attack. We can clearly see that the privileged accounts used throughout the network are the main enabler of the attackers’ operation and eventual attack success.
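To show what this cycle looks like in logon telemetry, here is an added example (not from the original article or from CyberArk) that runs three defensive detection rules over a constructed set of simplified Windows Security event 4624 records: a privileged account logging on interactively to a workstation (which leaves its credentials cached there for the collection step), a privileged account authenticating over the network with NTLM rather than Kerberos (a common artefact of Pass-the-Hash reuse), and one account fanning out to many hosts inside a short window (the "using the credentials" step). The account names, host names, addresses, thresholds and the PRIVILEGED set are assumptions made for the example, not values from the article.

```python
"""Detect privileged-credential reuse in Windows logon events (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4624 records with simplified fields.
# type: 2 = console, 3 = network, 10 = RDP. Not real telemetry.
EVENTS = [
    {"time": "2015-03-01T09:00:00", "host": "WS-101",   "account": "alice",    "type": 2,  "source": "-",          "auth": "Kerberos"},
    {"time": "2015-03-01T09:05:00", "host": "WS-101",   "account": "DA-ADMIN", "type": 10, "source": "10.0.0.5",   "auth": "Kerberos"},
    {"time": "2015-03-01T09:20:00", "host": "SRV-FILE", "account": "DA-ADMIN", "type": 3,  "source": "10.0.1.101", "auth": "NTLM"},
    {"time": "2015-03-01T09:22:00", "host": "SRV-SQL",  "account": "DA-ADMIN", "type": 3,  "source": "10.0.1.101", "auth": "NTLM"},
    {"time": "2015-03-01T09:25:00", "host": "DC-01",    "account": "DA-ADMIN", "type": 3,  "source": "10.0.1.101", "auth": "NTLM"},
    {"time": "2015-03-01T09:30:00", "host": "SRV-FIN",  "account": "DA-ADMIN", "type": 3,  "source": "10.0.1.101", "auth": "NTLM"},
    {"time": "2015-03-01T11:00:00", "host": "SRV-FILE", "account": "bob",      "type": 3,  "source": "10.0.1.102", "auth": "Kerberos"},
]

# Assumed inventory: which accounts are privileged and how workstations are named.
PRIVILEGED = {"DA-ADMIN"}
WORKSTATION_PREFIX = "WS-"
FANOUT_WINDOW = timedelta(minutes=30)
FANOUT_THRESHOLD = 3


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def is_workstation(host):
    return host.startswith(WORKSTATION_PREFIX)


def privileged_on_workstations(events):
    """Rule 1: a privileged account logged on interactively (console or RDP) to a
    workstation. Its credentials are now cached on a low-trust machine."""
    return [(ev["account"], ev["host"]) for ev in events
            if ev["account"] in PRIVILEGED and ev["type"] in (2, 10)
            and is_workstation(ev["host"])]


def privileged_ntlm_network_logons(events):
    """Rule 2: network logon by a privileged account using NTLM instead of
    Kerberos. In a Kerberos domain this is worth a look as possible hash reuse."""
    return [ev for ev in events
            if ev["account"] in PRIVILEGED and ev["type"] == 3 and ev["auth"] == "NTLM"]


def lateral_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """Rule 3: one account reaching `threshold` or more distinct hosts within
    `window`. Returns {account: max distinct hosts seen in any such window}."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["type"] in (3, 10):  # remote logons only
            by_account[ev["account"]].append((_when(ev), ev["host"]))
    flagged = {}
    for account, rows in by_account.items():
        rows.sort()
        best, start = 0, 0
        for end in range(len(rows)):
            # slide the window start forward until the span fits inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, len({h for _, h in rows[start:end + 1]}))
        if best >= threshold:
            flagged[account] = best
    return flagged


def run(events):
    return {
        "privileged_on_workstations": privileged_on_workstations(events),
        "privileged_ntlm_network": [(e["account"], e["host"]) for e in privileged_ntlm_network_logons(events)],
        "lateral_fanout": lateral_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in run(EVENTS).items():
        print(f"{rule}: {hits}")
```

In the constructed sample every rule fires on DA-ADMIN and none on the ordinary users, which is the point: the same account that was used for an RDP session on a workstation then appears, minutes later, authenticating with NTLM to servers and a domain controller from that workstation's address. Rule 3 uses a sliding window per account so that a busy administrator's normal day does not trip it unless many hosts are hit in quick succession; tune the threshold and window to your own baseline.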
Securing Against Privilege-Based Attacks
When I think about privileged account security, I often find myself drawing connections to military tactics and concepts. In WWII, the Russians adopted a scorched earth strategy and let the Germans get lost in a freezing desert. This same scorched earth philosophy can be a very effective defensive strategy in cybersecurity as well by “drying up” the credential fields the attack actors are targeting.
Implementing a scorched credentials strategy breaks down into three tactical guidelines:
Local Users’ Usage – Ensure that all local accounts have unique passwords, and then use local accounts and credentials for remote machine logins. When connecting to a remote machine, the credentials of the connecting user are cached on that machine, exposing them to compromise there. Connecting with an account local to the machine exposes only local account credentials, which are of little use to an attacker operating from that machine, since with unique passwords they do not work anywhere else.
Compartmentalization and Least Privilege approach – When assigning permissions to a user or service, allow only the minimum required for employees to complete their job tasks. Minimizing the number of privileged credentials used across the network reduces the exposure of credentials to hackers and ultimately decreases the attack surface.
Protect Privileged Credentials – Focus organizational security resources and efforts on protecting privileged credentials. Securing and monitoring privileged credentials across the network will deliver the most effective security approach, precisely as ambushing the enemy at the narrowest point along a passage would.
Following these tactical guidelines will produce a hardened network environment that burdens attackers attempting to exploit privileged account flexibility to move around the network. Ultimately, the Anunak banking attacks, the Sands Casino breach and all other recent attacks demonstrate that the first arrow on the attack map almost always points to the privileged credential bridges that will allow hackers to cross into the network. Protecting those bridges is an effective strategy that will very likely take the lead in the ongoing cyber war landscape.
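As an added example (not the article's or CyberArk's code) of why these three guidelines dry up the credential fields, the script below models the attack cycle from the first half of the article as a graph: hosts hold cached credentials (sessions), and accounts administer hosts. A breadth-first search from one compromised host returns every host and account an attacker could obtain by repeatedly harvesting and reusing credentials. The "before" inventory has a domain admin session left on a workstation; the "after" inventory applies the guidelines (a local account with host-only rights for the remote login, and least-privilege admin assignments). Hosts, account names and both inventories are constructed for the example, and the exposure thresholds are assumptions.

```python
"""Measure credential exposure before and after the scorched-credentials guidelines."""
from collections import deque

# Constructed inventory: five hosts in a small domain.
HOSTS = {"WS-101", "WS-102", "SRV-FILE", "SRV-FIN", "DC-01"}

# BEFORE: helpdesk fixed alice's PC over RDP using a domain admin account, so
# DA-ADMIN's credentials are cached on WS-101; the backup service is admin on
# more hosts than it needs.
SESSIONS_BEFORE = {
    "WS-101": {"alice", "DA-ADMIN"},
    "WS-102": {"bob"},
    "SRV-FILE": {"svc-backup"},
    "SRV-FIN": {"FIN-ADMIN"},
    "DC-01": {"DA-ADMIN"},
}
ADMINS_BEFORE = {
    "DA-ADMIN": set(HOSTS),
    "svc-backup": {"SRV-FILE", "SRV-FIN"},
    "FIN-ADMIN": {"SRV-FIN"},
    "alice": {"WS-101"},
    "bob": {"WS-102"},
}

# AFTER: guideline 1 - the remote login used a local account (unique password,
# rights only on its own host); guideline 2 - DA-ADMIN administers only the DC
# and svc-backup only the file server.
SESSIONS_AFTER = {
    "WS-101": {"alice", "WS-101\\helpdesk"},
    "WS-102": {"bob"},
    "SRV-FILE": {"svc-backup"},
    "SRV-FIN": {"FIN-ADMIN"},
    "DC-01": {"DA-ADMIN"},
}
ADMINS_AFTER = {
    "DA-ADMIN": {"DC-01"},
    "WS-101\\helpdesk": {"WS-101"},
    "svc-backup": {"SRV-FILE"},
    "FIN-ADMIN": {"SRV-FIN"},
    "alice": {"WS-101"},
    "bob": {"WS-102"},
}


def reachable_hosts(start, sessions, admins):
    """BFS over the credential graph: compromised host -> accounts cached there ->
    hosts those accounts administer -> ... Returns (hosts, accounts) obtainable."""
    hosts, accounts = {start}, set()
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for acct in sessions.get(host, ()):      # collecting credentials
            if acct in accounts:
                continue
            accounts.add(acct)
            for target in admins.get(acct, ()):  # using the credentials
                if target not in hosts:
                    hosts.add(target)
                    queue.append(target)
    return hosts, accounts


def exposure_report(hosts, sessions, admins):
    """Blast radius per starting host: how many hosts fall if this one is breached."""
    return {h: len(reachable_hosts(h, sessions, admins)[0]) for h in sorted(hosts)}


def exposed_privileged_accounts(sessions, admins, min_admin_hosts=2):
    """Guideline 3 check: accounts administering several hosts whose credentials
    are cached somewhere, i.e. the high-value credentials worth monitoring."""
    wide = {a for a, targets in admins.items() if len(targets) >= min_admin_hosts}
    return {(a, h) for h, accts in sessions.items() for a in accts if a in wide}


if __name__ == "__main__":
    for label, sess, adm in (("before", SESSIONS_BEFORE, ADMINS_BEFORE),
                             ("after", SESSIONS_AFTER, ADMINS_AFTER)):
        hosts, accts = reachable_hosts("WS-101", sess, adm)
        print(f"{label}: from WS-101 reach {sorted(hosts)} via {sorted(accts)}")
        print(f"{label}: blast radius {exposure_report(HOSTS, sess, adm)}")
        print(f"{label}: exposed privileged creds {sorted(exposed_privileged_accounts(sess, adm))}")
```

In the "before" inventory a single compromised workstation yields the whole domain, because one cached domain admin credential is admin everywhere; in the "after" inventory the same workstation yields only itself, and no account with wide admin rights has a cached credential anywhere but where it is needed. The exposure report is the useful defensive output: run it against your real session and admin data (local group membership plus logon telemetry) and fix the hosts with the largest blast radius first.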
Lavi Lazarovitz is a Cyber Security Researcher at CyberArk.