
A Crucial Insight Derived from Repeated Cybersecurity Incidents

April 20, 2025

Article

DISCLAIMER:

The information provided in this article is intended solely for awareness and education purposes. Please note that sirar by stc shall not bear liability for any use or misuse of the information provided hereunder without consulting sirar by stc’s experts. Furthermore, it is important to note that any possible risk arising from the use or misuse of the provided information will be at the reader’s own risk. Lastly, any references made hereunder to any entity/brand are solely for the purpose of providing corroborative context, with no malicious intent to defame or tarnish the reputation of such entity/brand.


Key Takeaways:

• Investing in privileged users’ awareness is always a worthwhile endeavor. It will positively change administrators’ behavior in performing day-to-day operations.

• Refining detection use cases across the entire in-place security stack is essential to ensure that malicious behavior is detected in a timely manner.

• Effective implementation of Privileged Access Management (PAM) solutions can considerably reduce the associated risks and better manage the privileged account lifecycle.

Introduction:

This article underscores the critical role of administrative positions within organizations, emphasizing their responsibilities in managing privileged accounts and their contribution to detecting security incidents. It highlights how simple, unintentional human mistakes made with high privileges can lead to complete business and operational disruption. While organizations are increasing their investment in cybersecurity technologies, reinforced by the National Cybersecurity Authority's (NCA) guidelines on privileged access management, a single human mistake can cost an organization double its cybersecurity budget. History has repeatedly shown through past incidents that investing in cybersecurity protection goes beyond implementing security technologies. The recurring patterns emphasize that altering user behavior, especially among those with high privileges, is crucial to achieving cybersecurity resilience, and it comes at almost no financial cost.

The Background:

The rapid adoption of digital technologies in recent years has helped organizations keep pace with the evolving digital landscape, creating numerous business opportunities and benefits. However, this expansion has significantly increased the attack surface, leading to severe consequences for organizations.

Over the past two years, threat actors have been observed breaching organizations with privileged accounts that took minimal effort to obtain. Unfortunately, threat actors are finding these privileged accounts with default passwords, clear-text passwords saved in publicly accessible files, easily guessed passwords on built-in accounts, and more. The root cause of these incidents has consistently been a lack of awareness in handling privileged accounts, which is a major concern given how easily such accounts are exploited and how substantial the impact is.

Privileged accounts have elevated access rights, allowing users to perform critical tasks such as modifying system configurations, accessing sensitive data, managing other user accounts, and exercising full control over critical infrastructure services. Even an unsophisticated threat actor can cause considerable damage if these accounts are compromised or mishandled, with potentially devastating operational, financial, and reputational consequences.

From this standpoint, significant investments in cybersecurity technologies are rendered worthless when organizations still have gaps in their privileged account management practices.

Notable Numbers:

The rise in concerning statistics over the past years underscores the seriousness of cybersecurity incidents related to the mishandling of privileged accounts. According to sirar by stc intelligence (2023-2024), about 41.7% of incidents were directly linked to the mishandling of highly privileged accounts. The following is a detailed breakdown of these incidents:


• 42.9% of the involved threat actors effortlessly used unattended built-in privileged accounts for their initial access.
• In 57.14% of incidents, the passwords were easily guessable and no account lockout mechanism was configured, so compromise required no additional effort.
• 42.85% of these incidents resulted in a total disruption of business operations, necessitating recovery efforts such as restoring from valid backups, rebuilding environments, or paying ransoms.
• All incidents contained traces of unauthorized access to sensitive information or noticeable data exfiltration.

Incident Response Use Case:

This use case is developed from a collection of observed incidents, demonstrating the potential impact of mishandling privileged accounts and the implications of underperforming detection capabilities. It is outlined according to the MITRE ATT&CK framework, a publicly available framework that categorizes and documents real-world cyber adversary tactics, techniques, and procedures (TTPs). The following table presents the tactics and techniques observed in this use case (descriptions of the tactics and techniques can be found in Appendix A):

Table 1: MITRE ATT&CK Tactics and Techniques

Initial Access
• Valid Accounts: Domain Accounts

Defense Evasion
• Impair Defenses: Disable or Modify Tools

Discovery
• Account Discovery: Domain Account
• Domain Trust Discovery
• Network Share Discovery

Persistence
• Scheduled Task/Job: Scheduled Task
• Create or Modify System Process: Windows Service

Lateral Movement
• Remote Services: Remote Desktop Protocol
• Use Alternate Authentication Material: Pass the Hash

Exfiltration
• Automated Exfiltration
• Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact
• Data Encrypted for Impact

1- Initial Access [TA0001]

The initial access occurred when an administrator used their assigned privileged domain account to download a free, untrusted tool from the internet without taking proper precautions. The tool was then executed under the same privileged account, dropping and executing multiple executables with different functionalities on the endpoint. One of these executables established a network connection to download a malicious file, which turned out to be a Cobalt Strike Beacon that served as the door opener for further malicious activities.

Cobalt Strike is a well-known commercial adversary simulation software designed for targeted attacks; it allows threat actors to gain and maintain control over compromised endpoints through the planted Beacons.

The behavior of a privileged domain account downloading an untrusted file, followed by the execution of widely known malicious files, can be detected from several angles in the environment: host-level detection, network-level detection, web-activity detection, and the cumulative correlation of available log sources through a Security Information and Event Management (SIEM) system. Yet no alerts were triggered for this behavior. This oversight was due to the lack of properly fine-tuned detection rules, inadequate training on security detection tools, a lack of continuous monitoring, insufficient skills in assessing the risk of triggered alerts and suspicious behaviors, and, most importantly, the lack of monitoring of privileged account activities. This allowed the attacker to establish a foothold in the environment, paving the way for further malicious activities and a deeper compromise of the network.

2- Defense Evasion [TA0005]

In this use case, having established a foothold using a privileged domain account, the threat actor was able to disable host security technologies, rendering them ineffective.

This is a common and widely seen technique used by threat actors, where they attempt to disable host security technologies on compromised endpoints by leveraging the compromised privileged account to evade detection and maintain stealth within the compromised environment.

Although this is a basic detection use case that should be implemented in all environments, the continuous effectiveness of this technique raises serious concerns about the state of monitoring and security detection rules in organizations.

3- Discovery [TA0007]

In this use case, the discovery phase started after a foothold was established by installing a Cobalt Strike Beacon on the endpoint with a fully privileged domain account. The threat actor enumerated various aspects of the compromised environment, including domain controllers, user accounts, network shares, services, and file shares, and performed network scans, among other activities.

Threat actors use discovery tactics to understand the environment they have accessed, positioning themselves to maximize their gain and achieve their ultimate objectives.

As part of this process, the threat actor employed native tools and commands specific to the compromised endpoint's operating system to carry out these activities and evade possible detection. Unfortunately, the unauthorized exploration persisted for some time without triggering any proper detection or response, due to insufficient detection management capabilities.

4- Persistence [TA0003]

Threat actors aim to maintain a foothold in the compromised environment to sustain uninterrupted access, regardless of user actions such as restarting systems or resetting credentials. The following techniques are simple yet commonly used to achieve persistence, and both were employed in this use case:

4.1 Scheduled Tasks [T1053.005]

In this use case, the threat actor created a scheduled task that was configured using the Beacon to initiate network connections to Command and Control (C2) servers.

Threat actors usually create new scheduled tasks configured to trigger at system boot, ensuring that their execution is maintained for as long as possible. The scheduled tasks are usually configured to execute a malicious file that performs various functions.

4.2 Create or Modify System Process [T1543]

The Cobalt Strike platform comes equipped with PsExec as built-in functionality that allows threat actors to execute commands on remote endpoints. In this use case, the threat actor used the planted Cobalt Strike Beacon to execute commands that planted additional Beacons, as services, on other remote endpoints. The threat actor took advantage of the compromised privileged domain account to achieve persistence through these services across the compromised environment.

From a security detection standpoint, these activities are basic and are covered by default in most of the built-in detection rules of host and network security technologies. Nonetheless, in this use case, the Endpoint Detection and Response (EDR) tool triggered various alerts on this behavior, but it was not configured to take preventive action, nor was there sufficient expertise to assess the risk of the behavior. As a result, the alerts went unanalyzed, allowing the threat actor more time to perform further malicious activities.
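The persistence activities above map to two Windows events that most environments already collect: Security event 4698 for a created scheduled task and System event 7045 for an installed service. As an added example (not code from the article or from sirar by stc), the Python below scores such events against the factors the text singles out: creation by a privileged account, a boot trigger, a binary dropped in a user-writable or admin-share path, and a random-looking artifact name. The event field names, the PRIVILEGED_ACCOUNTS list and the sample records are constructed assumptions.

```python
"""Added example, not from the sirar by stc article: triage of Windows
persistence events against the factors the incident highlights.

Assumptions (constructed for illustration): Security event 4698 (scheduled
task created) and System event 7045 (service installed) arrive from the
SIEM as normalized dicts with the field names used below, and
PRIVILEGED_ACCOUNTS is a hypothetical export of the domain's admin groups.
"""
import re

# Hypothetical privileged account inventory (e.g. Domain Admins members).
PRIVILEGED_ACCOUNTS = {"CORP\\adm.jsmith", "CORP\\svc.backup"}

# Binary locations a legitimate service or task action rarely lives in.
SUSPICIOUS_PATH = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\"
    r"|\\Windows\\Temp\\"
    r"|\\ProgramData\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Script interpreters launched with encoded or remote arguments.
INTERPRETER = re.compile(
    r"(powershell|pwsh|cmd|mshta|rundll32|wscript|cscript)(\.exe)?\b.*"
    r"(-e\w*\s|/c\s|http)",
    re.IGNORECASE,
)
# Heuristic: 7-character alphanumeric names containing a digit, which look
# machine-generated rather than product names (a heuristic, not proof).
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{7}$", re.IGNORECASE)

# Constructed sample records: two attacker-created artifacts under a
# privileged account and two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "CORP\\adm.jsmith",
     "TaskName": "\\Microsoft\\Windows\\Updater",
     "Command": "C:\\Users\\adm.jsmith\\AppData\\Roaming\\svchost.exe",
     "Trigger": "boot"},
    {"EventID": 7045, "SubjectUserName": "CORP\\adm.jsmith",
     "ServiceName": "a3f9c2b",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\a3f9c2b.exe", "Trigger": "demand"},
    {"EventID": 4698, "SubjectUserName": "CORP\\jdoe",
     "TaskName": "\\OneDrive Standalone Update Task",
     "Command": "C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe",
     "Trigger": "daily"},
    {"EventID": 7045, "SubjectUserName": "NT AUTHORITY\\SYSTEM",
     "ServiceName": "MsSense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
     "Trigger": "auto"},
]


def artifact_name(ev):
    """Service name for 7045, last path component of the task name for 4698."""
    if ev["EventID"] == 7045:
        return ev.get("ServiceName", "")
    return ev.get("TaskName", "").rsplit("\\", 1)[-1]


def score_event(ev):
    """Return (score, reasons): one point per independent suspicious factor."""
    reasons = []
    if ev.get("SubjectUserName") in PRIVILEGED_ACCOUNTS:
        reasons.append("created by a privileged account")
    path = ev.get("Command") or ev.get("ImagePath") or ""
    if SUSPICIOUS_PATH.search(path) or "ADMIN$" in path.upper():
        reasons.append("binary in a user-writable or admin-share path")
    if INTERPRETER.search(path):
        reasons.append("script interpreter with encoded or remote argument")
    if RANDOM_NAME.match(artifact_name(ev)):
        reasons.append("random-looking artifact name")
    if ev.get("Trigger") == "boot":
        reasons.append("configured to run at boot")
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return the events scoring at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"event_id": ev["EventID"], "name": artifact_name(ev),
                         "actor": ev.get("SubjectUserName"), "score": score,
                         "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["event_id"], hit["name"], hit["actor"], hit["score"],
              "; ".join(hit["reasons"]))
```

The threshold of two is deliberately low: a single factor (a privileged account creating a task) is routine administration, while two or more together are what the EDR alerts in this use case already represented and what should have been analyzed rather than left in the queue.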

5- Lateral Movement [TA0008]

In this use case, the threat actor continued to use the planted Beacon with high privileges to deliver commands remotely from the Cobalt Strike platform, enabling free movement across the environment. One of the threat actors' primary goals is to move laterally within a compromised environment, remotely controlling and pivoting between endpoints. The following techniques have commonly been observed in association with Cobalt Strike:

5.1 Remote Desktop Protocol (RDP) [T1021.001]

Although the Cobalt Strike platform does not directly support RDP, an RDP session can be established through a reverse proxy technique using the planted Beacons. This involves running a Socket Secure (SOCKS) proxy on the remote server by opening a listening port, which then enables the RDP connection. By leveraging this technique, the threat actor can successfully log into the compromised environment via RDP and gain access to more endpoints. In this use case, this approach was used effectively without triggering any network detection mechanisms.

Threat actors seek to establish a remote session using RDP on compromised endpoints, as it provides greater flexibility and easier navigation through a user-friendly graphical interface. In addition, once the threat actor is logged in via RDP, they can easily initiate additional RDP connections within the compromised environment using information gathered from the discovery phase, facilitating lateral movement.

5.2 Pass the Hash [T1550.002]

In this use case, the threat actor successfully compromised additional endpoints using the Pass the Hash technique, evading detection by the existing security and monitoring solutions. This technique is a common feature of multiple offensive tools, including Cobalt Strike. It enables threat actors to use NTLM password hashes collected and stolen during the discovery phase to authenticate remotely to endpoints without needing the plaintext passwords.
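Both techniques above leave their trace in Security event 4624, and they can be checked with plain logon-field logic before any EDR signature is involved. Because RDP tunneled through a Beacon's SOCKS proxy leaves the network from the Beacon's host, the target server records an RDP logon (logon type 10) whose source is an ordinary workstation rather than an approved jump host, and Pass the Hash produces NTLM network logons (logon type 3, NtLmSsp) with a session key length of 0 instead of the 128 bits negotiated by a normal NTLM logon. The Python below is an added example, not code from the article or from sirar by stc; the JUMP_HOSTS allow-list, the field names and the sample records are constructed assumptions.

```python
"""Added example, not from the sirar by stc article: two logon-event checks
for the lateral movement techniques described above.

Assumptions (constructed for illustration): Windows Security event 4624
records normalized to the field names below; JUMP_HOSTS is a hypothetical
allow-list of the addresses from which administrators are expected to open
RDP sessions.
"""
from collections import defaultdict

JUMP_HOSTS = {"10.0.1.10"}  # hypothetical approved RDP sources

# Constructed sample 4624 records (timestamps, hosts and addresses invented).
LOGON_EVENTS = [
    # NTLM network logons with an empty session key: the Pass the Hash pattern
    {"ts": "2025-03-10T02:14:05", "host": "FS01", "TargetUserName": "adm.jsmith",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2025-03-10T02:14:09", "host": "SQL02", "TargetUserName": "adm.jsmith",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    # ordinary NTLM network logon carrying a 128-bit session key
    {"ts": "2025-03-10T09:02:11", "host": "FS01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128, "IpAddress": "10.0.5.40"},
    # Kerberos network logon (KeyLength is always 0 here; not a PtH signal)
    {"ts": "2025-03-10T09:05:00", "host": "DC01", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0, "IpAddress": "10.0.5.40"},
    # anonymous NTLM null session, excluded from the PtH rule
    {"ts": "2025-03-10T09:06:00", "host": "FS01", "TargetUserName": "ANONYMOUS LOGON",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0, "IpAddress": "10.0.5.41"},
    # RDP (logon type 10) from a workstation rather than the jump host
    {"ts": "2025-03-10T02:20:00", "host": "FS01", "TargetUserName": "adm.jsmith",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    {"ts": "2025-03-10T02:31:00", "host": "APP03", "TargetUserName": "adm.jsmith",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    # RDP from the approved jump host
    {"ts": "2025-03-10T10:00:00", "host": "DC01", "TargetUserName": "adm.khan",
     "LogonType": 10, "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "User32", "KeyLength": 0, "IpAddress": "10.0.1.10"},
]


def is_pass_the_hash(ev):
    """NTLM network logon whose session key length is 0, unlike the 128-bit
    key an ordinary NTLM logon negotiates. Anonymous null sessions also show
    KeyLength 0 and are excluded."""
    return (ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM"
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and ev["TargetUserName"].upper() != "ANONYMOUS LOGON")


def is_rdp_from_unexpected_source(ev, jump_hosts=JUMP_HOSTS):
    """RemoteInteractive logon whose source is not an approved jump host."""
    return ev["LogonType"] == 10 and ev["IpAddress"] not in jump_hosts


def analyze(events, jump_hosts=JUMP_HOSTS):
    """Return the PtH hits, the unexpected RDP hits and, per account, how many
    distinct hosts it reached over RDP (fan-out), from a batch of 4624 events."""
    pth, rdp, rdp_targets = [], [], defaultdict(set)
    for ev in events:
        if is_pass_the_hash(ev):
            pth.append((ev["host"], ev["TargetUserName"], ev["IpAddress"]))
        if is_rdp_from_unexpected_source(ev, jump_hosts):
            rdp.append((ev["host"], ev["TargetUserName"], ev["IpAddress"]))
        if ev["LogonType"] == 10:
            rdp_targets[ev["TargetUserName"]].add(ev["host"])
    fanout = {user: len(hosts) for user, hosts in rdp_targets.items()
              if len(hosts) > 1}
    return {"pass_the_hash": pth, "rdp_unexpected": rdp, "rdp_fanout": fanout}


if __name__ == "__main__":
    for category, hits in analyze(LOGON_EVENTS).items():
        print(category, hits)
```

The KeyLength heuristic is a well-known one and has false positives (some service accounts and legacy devices authenticate the same way), which is why the output is paired with the RDP fan-out count per account: an administrator account that authenticates by hash to two servers and then opens RDP sessions to them from a workstation at 02:14 is the pattern that should have been escalated in this use case.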

6- Exfiltration [TA0010]

Data exfiltration directly indicates a threat actor’s intent to steal sensitive information from compromised organizations. This allows the threat actor to extort the compromised organization using the stolen information. Commonly seen exfiltration techniques are as follows:

6.1 Automated Exfiltration [T1020]

Following the discovery phase in this use case, and once the domain controllers were identified, the threat actor executed encoded PowerShell commands to retrieve all domain-joined accounts and computers. The data was then dumped into a simple Comma-Separated Values (CSV) file. Using the existing Cobalt Strike Beacon on the compromised endpoint, the threat actor then successfully exfiltrated the collected information.

It has been observed across multiple use cases that threat actors are likely to execute encoded commands using the compromised privileged account, both to retrieve as much information as possible from the domain controller and to increase the likelihood of evading detection.

Although such activity is easy to detect, it usually goes unanalyzed because querying domain controllers is a routine administrator activity. Additional detection factors should therefore be considered, such as the extensive use of privileged accounts, the time at which tasks are performed, whether approved activities were announced in advance, and more.
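To make the additional factors concrete, the Python below (an added example, not the article's or sirar by stc's code) decodes an encoded PowerShell command line from a process-creation record and scores it on the factors the text lists: a privileged account, domain enumeration cmdlets, bulk export to a file, execution outside business hours and the absence of an announced change window. The field names, the account list, the change calendar and the sample records are constructed assumptions.

```python
"""Added example, not from the sirar by stc article: scoring encoded
PowerShell executions against the extra factors named above (privileged
account, time of execution, announced and approved activity).

Assumptions (constructed for illustration): process-creation records
(Security event 4688 with command-line auditing) normalized to the fields
below; PRIVILEGED_ACCOUNTS and APPROVED_WINDOWS are hypothetical exports of
the admin groups and the change calendar.
"""
import base64
import re
from datetime import datetime, time

PRIVILEGED_ACCOUNTS = {"CORP\\adm.jsmith", "CORP\\adm.khan"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Hypothetical change calendar: who announced which activity, and when.
APPROVED_WINDOWS = [
    {"account": "CORP\\adm.khan", "start": datetime(2025, 3, 10, 9, 0),
     "end": datetime(2025, 3, 10, 12, 0), "purpose": "quarterly AD account export"},
]

# -e, -ec, -enc and -EncodedCommand all introduce a base64 UTF-16LE script.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOMAIN_ENUM = re.compile(
    r"Get-AD(User|Computer|GroupMember|DomainController)|Search-ADAccount"
    r"|dsquery|net\s+(user|group)\s+\S*\s*/domain", re.I)
BULK_EXPORT = re.compile(r"Export-Csv|Out-File|>\s*\S+\.csv", re.I)


def encode_ps(script):
    """Produce the -EncodedCommand form of a script (used to build sample data)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_ps(command_line):
    """Return the decoded script when the command line carries an encoded argument."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def approved_window(account, ts, windows=APPROVED_WINDOWS):
    """Return the announced change window covering this account and time, if any."""
    for w in windows:
        if w["account"] == account and w["start"] <= ts <= w["end"]:
            return w
    return None


def score_execution(ev, windows=APPROVED_WINDOWS):
    """Return (flagged, score, reasons) for one process-creation record.
    The score counts independent suspicious factors; an announced window
    suppresses the alert but is still recorded in the reasons."""
    ts = datetime.fromisoformat(ev["ts"])
    reasons = []
    if ev["SubjectUserName"] in PRIVILEGED_ACCOUNTS:
        reasons.append("privileged account")
    decoded = decode_ps(ev["CommandLine"])
    if decoded is not None:
        reasons.append("encoded command")
    effective = decoded or ev["CommandLine"]
    if DOMAIN_ENUM.search(effective):
        reasons.append("domain enumeration")
    if BULK_EXPORT.search(effective):
        reasons.append("bulk export to file")
    if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    score = len(reasons)
    window = approved_window(ev["SubjectUserName"], ts, windows)
    if window:
        reasons.append("suppressed: inside announced window (%s)" % window["purpose"])
    return window is None and score >= 3, score, reasons


# Constructed sample records: one unannounced dump at 02:13 by a privileged
# account, one announced audit export, one ordinary script run.
SAMPLE_EXECUTIONS = [
    {"ts": "2025-03-10T02:13:40", "host": "DC01", "SubjectUserName": "CORP\\adm.jsmith",
     "CommandLine": "powershell.exe -NoProfile -enc " + encode_ps(
         "Get-ADUser -Filter * -Properties * | Export-Csv C:\\Windows\\Temp\\u.csv")},
    {"ts": "2025-03-10T10:30:00", "host": "DC01", "SubjectUserName": "CORP\\adm.khan",
     "CommandLine": "powershell.exe -EncodedCommand " + encode_ps(
         "Get-ADComputer -Filter * | Export-Csv D:\\audit\\computers.csv")},
    {"ts": "2025-03-10T14:00:00", "host": "WS10", "SubjectUserName": "CORP\\jdoe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\scripts\\inventory.ps1"},
]


def triage(events, windows=APPROVED_WINDOWS):
    """Return (host, account, score, reasons) for every flagged execution."""
    hits = []
    for ev in events:
        flagged, score, reasons = score_execution(ev, windows)
        if flagged:
            hits.append((ev["host"], ev["SubjectUserName"], score, reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EXECUTIONS):
        print(hit)
```

The announced window does not reduce the score; it suppresses the alert and is recorded as a reason, so an analyst reviewing the suppressed event still sees why it was not escalated. The same export run by a privileged account at 02:13 with no announcement scores five factors and is flagged.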

6.2 Exfiltration to Cloud Storage [T1567.002]

To bypass potential limitations on large file transfers in the previous exfiltration technique, the threat actor leveraged cloud storage services to exfiltrate data by connecting a compromised server to a public cloud platform. Threat actors are commonly seen using open-source command-line tools designed for file management to copy and move files to remote cloud storage services. These tools are pre-configured by the threat actor with the credentials needed to authenticate to the cloud service. To avoid triggering network transfer threshold alerts, threat actors typically restrict the bandwidth during the data transfer process. Unfortunately, in this use case, the behavior of a server connecting to a public cloud platform was captured yet not properly analyzed due to the lack of web detection management capabilities.

7- Impact [TA0040]

After performing various malicious activities in the compromised environment, as described in the previous phases, threat actors usually deliver their final blow by executing ransomware to destroy the environment. In this use case, a ransomware file was delivered to the compromised endpoint using the planted Beacon, which was running under a privileged account. Leveraging the capabilities and information gathered in earlier phases, the threat actor easily spread devastating ransomware across the entire environment, leading to complete business and operational disruption.

Final Thought:

The severe impact of this use case highlights the consequences of mishandling privileged accounts: a simple file download performed with a privileged account resulted in the halt of all operational business processes.

From an incident responder's point of view, the gaps mentioned in managing and controlling privileged accounts, along with immature detection capabilities, have been highlighted and discussed for years, yet threat actors continue to exploit them successfully and effortlessly.

Strategic Recommendations:

The following strategic recommendations outline key measures to strengthen the security posture and minimize the risk associated with the mishandling of privileged accounts:

– Implementation of Necessary Principles

Organizations should establish and enforce strict security principles to protect privileged accounts. This includes implementing the principle of least privilege and Role-Based Access Control (RBAC), ensuring that users have only the minimum level of access necessary to perform their roles. Moreover, organizations should develop and enforce comprehensive policies, processes, and procedures for privileged account management and password management. In addition, Multi-Factor Authentication (MFA) should be mandated for all privileged accounts, especially for critical activities and tasks, to minimize the risk of compromise.

– Privileged User Awareness and Training

A critical component of privileged account security is ensuring that users are aware of the risks and responsibilities associated with their elevated privileges. Organizations must invest in comprehensive training programs that educate employees with privileged accounts about the potential threats associated with mishandling a privileged account and best practices for protecting their credentials.

– Management of Privileged Account Lifecycle

Privileged accounts are always targets for cyberattacks, as they allow critical tasks to be performed without restriction. To ease the burden of managing privileged accounts, Privileged Access Management (PAM) solutions have emerged. Investing in a proper PAM solution helps manage the lifecycle of privileged accounts by reducing the risk of privileged account mishandling, identifying malicious activities performed by privileged accounts, and reducing the attack surface created by the misuse of unnecessary privileges during day-to-day operations.
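The lifecycle controls described here, together with the findings in the Notable Numbers section (unattended built-in accounts, guessable passwords with no lockout configured), translate into checks that can be run over a privileged account inventory. The Python below is an added example, not code from the article or from sirar by stc; the inventory records, the lockout setting, the policy thresholds and the reference date are constructed assumptions and should be replaced by the organization's own exports and policy.

```python
"""Added example, not from the sirar by stc article: a lifecycle audit over
a privileged account inventory, checking the conditions the article ties to
incidents (unattended built-in accounts, stale credentials, missing MFA,
missing lockout) against a hypothetical policy.

Assumptions (constructed for illustration): the inventory is an export from
the directory or PAM tool with the fields below; thresholds are placeholders
to be replaced by the organization's own policy.
"""
from datetime import datetime

POLICY = {  # hypothetical policy values
    "max_password_age_days": 90,
    "max_inactive_days": 60,
    "require_mfa": True,
    "lockout_threshold_required": True,
}
NOW = datetime(2025, 4, 20)  # fixed reference date so the audit is reproducible

# Constructed inventory records.
INVENTORY = [
    {"sam": "Administrator", "builtin": True, "enabled": True, "owner": None,
     "last_logon": datetime(2024, 11, 2), "pwd_last_set": datetime(2023, 1, 15),
     "mfa": False, "vaulted": False},
    {"sam": "adm.jsmith", "builtin": False, "enabled": True, "owner": "J. Smith",
     "last_logon": datetime(2025, 4, 19), "pwd_last_set": datetime(2025, 3, 1),
     "mfa": True, "vaulted": True},
    {"sam": "svc.backup", "builtin": False, "enabled": True, "owner": None,
     "last_logon": datetime(2025, 1, 5), "pwd_last_set": datetime(2022, 6, 30),
     "mfa": False, "vaulted": False},
    {"sam": "adm.khan", "builtin": False, "enabled": True, "owner": "A. Khan",
     "last_logon": datetime(2025, 4, 18), "pwd_last_set": datetime(2025, 4, 1),
     "mfa": True, "vaulted": True},
]
# Constructed domain lockout setting: a threshold of 0 means lockout is disabled.
DOMAIN_LOCKOUT = {"threshold": 0, "duration_min": 0}


def audit_account(acct, now=NOW, policy=POLICY):
    """Return the list of lifecycle findings for one privileged account."""
    findings = []
    if acct["builtin"] and acct["enabled"] and not acct["vaulted"]:
        findings.append("built-in privileged account enabled and not vaulted in PAM")
    if acct["owner"] is None:
        findings.append("no accountable owner")
    if (now - acct["pwd_last_set"]).days > policy["max_password_age_days"]:
        findings.append("password older than policy allows")
    if (now - acct["last_logon"]).days > policy["max_inactive_days"]:
        findings.append("inactive beyond policy, candidate for disablement")
    if policy["require_mfa"] and not acct["mfa"]:
        findings.append("MFA not enforced")
    return findings


def audit_lockout(lockout=DOMAIN_LOCKOUT, policy=POLICY):
    """Domain-level check: without a lockout threshold, guessing is unlimited."""
    if policy["lockout_threshold_required"] and lockout["threshold"] == 0:
        return ["account lockout disabled: passwords can be guessed without limit"]
    return []


def audit(inventory=INVENTORY, lockout=DOMAIN_LOCKOUT, now=NOW, policy=POLICY):
    """Return only the accounts with findings, plus one domain-policy entry."""
    report = {a["sam"]: audit_account(a, now, policy) for a in inventory}
    report = {name: found for name, found in report.items() if found}
    domain = audit_lockout(lockout, policy)
    if domain:
        report["<domain policy>"] = domain
    return report


if __name__ == "__main__":
    for name, found in audit().items():
        print(name)
        for f in found:
            print("  -", f)
```

The report lists only accounts with findings plus one domain-level entry, which keeps the output actionable: the built-in account with no owner, an old password and no MFA is exactly the kind of account the statistics describe, and the disabled lockout is what turned guessable passwords into effortless compromise in 57.14% of the incidents.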

– Visibility & Monitoring

Continuous monitoring remains the most effective and enduring recommendation. Organizations must invest in maximizing visibility across their environments, especially by identifying peculiar activities that deviate from the organization's baseline. While a mature SIEM system is crucial, it might not capture all malicious behaviors, particularly those that leave no traces on disk or that originate from log sources that are not properly integrated. Enhancing and fine-tuning the security stack can help bridge these gaps and improve detection capabilities. While maximizing the environment's visibility is crucial, it is equally important to refine monitoring and analysis expertise so that triggered alerts and behaviors are effectively evaluated. It is a challenging and ongoing process, yet it consistently proves worthwhile.

References:

• Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools | Google Cloud Blog
• Tactics – Enterprise | MITRE ATT&CK®
• 6-tips-for-implementing-privileged-asset-management-tda-cyber-snapshot.pdf (google.com)
• Cobalt Strike, a Defender’s Guide – The DFIR Report
• National Cybersecurity Authority – Regulations Documents

Appendix A: MITRE ATT&CK Tactics and Techniques Description:

This appendix provides a detailed breakdown of the MITRE ATT&CK tactics and techniques outlined in Table 1, offering additional explanation for each category.

1. Initial Access
Techniques: Valid Accounts
Description: Threat actors infiltrate a system by exploiting vulnerabilities, using compromised credentials, or leveraging phishing attacks to establish unauthorized entry.

2. Defense Evasion
Techniques: Impair Defenses
Description: Threat actors employ techniques such as disabling security controls, modifying logs, or obfuscating malicious activity to remain undetected within the environment.

3. Discovery
Techniques: Account Discovery; Domain Trust Discovery; Network Share Discovery
Description: Threat actors systematically gather intelligence on accounts, network infrastructure, and security configurations to identify potential targets for escalation.

4. Persistence
Techniques: Scheduled Task/Job; Create or Modify System Process
Description: To maintain long-term access, adversaries implant scheduled tasks, modify system services, or create backdoors that survive system reboots and security interventions.

5. Lateral Movement
Techniques: Remote Services; Use Alternate Authentication Material
Description: Threat actors leverage remote access tools and stolen credentials to navigate within the network, expanding their access to higher-privileged systems and sensitive data.

6. Exfiltration
Techniques: Automated Exfiltration; Exfiltration to Cloud Storage
Description: Sensitive data is covertly extracted through encrypted channels, cloud services, or physical devices, often to facilitate espionage, financial fraud, or extortion.

7. Impact
Techniques: Data Encrypted for Impact
Description: Threat actors execute destructive actions such as encryption, deletion, or system manipulation to disrupt operations or degrade an organization's capabilities.