The video gives a short summary on how to defend your company against privileged attacks. Below, you can find the spoken text with some extra information and links.

Intro

On the 22nd of March, I went to the webinar of CyberArk – a global leader in privileged access management. The webinar was about major breaches of the past 5 years and was part of their “attack & defend” series.

CyberArk is the global leader in privileged access management. The company delivers solutions to reduce the risk created by privileged credentials and secrets. With its targeted security solutions, CyberArk helps leaders to get ahead of cyber threats, preventing attack escalation before irreparable business harm is done.

During the event, they discussed 5 cases, including the attacks on the Bangladesh Central Bank and SolarWinds. For each case, they also gave some security measures. I will summarize each case in chronological order and then give a list of solutions.

5 major breaches

Case #1 – The Bangladesh Central Bank

In 2016, attackers attempted to steal almost 1 billion dollars from the Bangladesh Central Bank. When the bank was closed for the weekend, they compromised its network to authorize 3 dozen requests.

They capitalized on weaknesses in the Central Bank, including the possible involvement of some of its employees. Only 17 million of the 80 million dollars that were stolen were recovered, making this the largest bank heist ever.

The attackers presumably got access to privileged credentials and then elevated their privileges to domain admin. By executing a golden ticket attack, they could pivot to the Swift network and process the fraudulent transactions.

Case #2 – AdultFriendFinder

The same year, AdultFriendFinder was the victim of a data breach that leaked 400 million user accounts because of a small coding error. By using a simple Local File Inclusion (LFI) attack, the attacker exposed 2 big problems: password reuse and insecure credential storage.

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the webserver. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input.

Source: acunetix.com

Case #3 – A large American financial institution

In 2019, a large financial institution in the US was compromised. A hacker gained access to millions of customer accounts and credit card applications, making it one of the biggest data breaches ever.

The attacker was able to get access to the bank’s systems on AWS by abusing a misconfiguration in the cloud firewall. Via a Server-Side Request Forgery (SSRF) attack, the attacker could obtain a privileged WAF role.

With that role, he could list all S3 buckets and sync the private S3 bucket to get social security and bank account numbers. The attacker later bragged about his attack on Slack, which helped in his arrest.

An Amazon S3 bucket is a public cloud storage resource available in Amazon Web Services’ (AWS) Simple Storage Service (S3), an object storage offering. Amazon S3 buckets, which are similar to file folders, store objects, which consist of data and its descriptive metadata.

Source: searchaws.techtarget.com

Case #4 – SolarWinds

In 2020, FireEye reported that their network had been breached and that their red team tools were leaked. Their investigation revealed that others had been breached as well thanks to a trojanized update of SolarWinds’ Orion.

Based on the Tactics, Techniques, and Procedures (TTPs) leveraged, the adversary was assumed to be APT29 or Cozy Bear – the Russian foreign intelligence service – which used the update for a widespread espionage campaign.

Case #5 – Oldsmar Florida’s water treatment facility

In 2021, a breach occurred in a water treatment facility in Florida. The operator on duty saw how someone took control of the mouse to increase the amount of sodium hydroxide to a fatal level. As soon as the attacker left the system, the operator reversed the adversary’s actions so no one was ever harmed.

The factors that caused this problem were that they were still using Windows 7 – which is no longer supported – and still had TeamViewer installed – although it was no longer used. On top of that, all systems used the same password for TeamViewer.

Solutions

General solutions

How can we protect ourselves from such privileged attacks? The solutions given below all help against general privileged attacks without needing third-party software.

  • Minimize the attack surface by removing all unnecessary accounts and adopting a least privilege model and a Role-Based Access Control (RBAC) model.
  • Use application whitelisting to prevent the installation of privilege escalation tools.
  • Use Privileged Threat Analytics (PTA) to detect and stop unauthorized behavior.
  • Use credential harvesting protection to prevent access to credential databases.

To prevent Local File Inclusion (LFI), save file paths in a database and assign an ID to each of them, so that only the ID is exposed to the client. Then, use a whitelist of paths and ignore every other path. Lastly, store the contents of files in a database and not on the web server.
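As an added example (not code from the webinar or this post), here is the classic path-based reader beside a hardened reader that applies the measures above: an ID lookup table standing in for the database, a whitelist of path prefixes, and a real-path containment check as defence in depth. The table, directory names and secret file are constructed for the demo.

```python
import os
import tempfile

# Constructed sample lookup table: opaque IDs instead of client-supplied
# paths (in a real app this table is the database the text recommends).
FILE_TABLE = {1: "docs/terms.txt", 2: "docs/privacy.txt"}
ALLOWED_PREFIXES = ("docs/",)  # whitelist; anything else is ignored


def vulnerable_read(serve_dir, user_path):
    """'Before' case: the request supplies a path and nothing blocks '../'."""
    with open(os.path.join(serve_dir, user_path), encoding="utf-8") as fh:
        return fh.read()

def safe_read(root_dir, file_id):
    """Hardened lookup: ID -> table path -> whitelist -> realpath containment."""
    try:
        rel = FILE_TABLE[int(file_id)]
    except (TypeError, ValueError, KeyError):
        return None
    if not rel.startswith(ALLOWED_PREFIXES):
        return None
    root = os.path.realpath(root_dir)
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:  # defence in depth
        return None
    with open(full, encoding="utf-8") as fh:
        return fh.read()

def demo():
    """Build a throwaway tree and compare both readers on the same input."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "docs", "terms.txt"), "w", encoding="utf-8") as fh:
        fh.write("terms")
    with open(os.path.join(root, "config", "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("db-password")  # constructed secret the app must never serve
    serve_dir = os.path.join(root, "docs")
    return {
        "vulnerable_leak": vulnerable_read(serve_dir, "../config/secret.txt"),
        "safe_by_id": safe_read(root, "1"),
        "safe_unknown_id": safe_read(root, 99),
        "safe_path_string": safe_read(root, "../config/secret.txt"),
    }

if __name__ == "__main__":
    print(demo())
```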

To prevent privileged attacks on ICS systems, disconnect all ICS systems from the internet and keep them up to date and patched. Also use complex, unique, and frequently rotated passwords, and use secure remote access software.

CyberArk tools

On top of those, CyberArk has some specific solutions that help organizations prevent privileged attacks.

Conclusion

If you feel confident about being prepared against a privileged attack, think again. Privileged attacks are difficult to detect. Assume breach, and more importantly: assume privileged breach.

How can you defend your company against privileged attacks?