Network defense has traditionally focused on vulnerability management. However, as network and endpoint defenses improve, attackers increasingly target user credentials. When I first started learning about penetration testing and ethical hacking, I encountered plenty of material about exploiting individual vulnerabilities on a computer system. However, as I began penetration testing as a career, I found that I tended to focus on attacking environments, as opposed to single services.
At Sikich we see organizations take a similar approach with vulnerability management. That is, they run vulnerability scans and review each result as an individual item to be addressed based on the risk ranking returned by a scanner. However, attackers increasingly view the target as an environment, as opposed to a bunch of individual services. While fixing those one-off vulnerabilities is important, as they can provide an attacker with an initial foothold in the environment, gaining access to credentials provides a means for an attacker to move through a target environment with the access of the compromised user account. This allows an attacker to act as a “malicious insider” even if the compromised employee is unaware his or her account is being used to conduct these attacks.
External Targeting of Credentials
When most people think of external breaches, the first thing that comes up is often phishing. Phishing gets a lot of press and can be quite effective. However, targeted attacks often focus on gaining some level of credentialed access from the Internet. This typically involves conducting open source intelligence (OSINT) operations—reviewing publicly available data—about the company being targeted.
Attackers can gather email addresses, and sometimes passwords, from publicly available breach data. An attacker can then try to log in to Internet-facing resources with these credentials. This technique is called credential stuffing. This attack has a tendency to work best with recent breach data. Have I Been Pwned? is an excellent resource for determining if email addresses associated with your corporate domain have been compromised as part of third-party breaches, and has a domain search feature that can alert an organization if corporate credentials are identified in future breaches.
Another method for gathering usernames involves harvesting a list of employee names from social media. This can include gathering data from Google and Bing search results for the company on sites such as LinkedIn. Attackers can also include any email addresses identified in the aforementioned breach data in the list of potential usernames that they compile.
Once an attacker has a list of employee names and/or email addresses, he or she will attempt to determine the format used by the target organization for their usernames (e.g., firstname.lastname@example.org, email@example.com) and create a list of potential usernames in that format from the data they were able to gather during their reconnaissance. At this point, an attacker can use search engines to find target sites and services to which they can attempt to log in. The most desirable targets are often services that authenticate against Active Directory, such as Outlook Web Access (OWA) or Skype for Business. These services are appealing in that they allow an attacker to determine valid username formats, even if the password is not correct, based on the response time of a login attempt.
In order to avoid locking out accounts, attackers often conduct password guessing via password spraying attacks. Rather than attempting a large number of passwords against each account, attackers select a single, weak password that is likely to be used somewhere across the organization. Examples might include Password1, 123 or Summer2019!. Making a single authentication attempt against each target account only increments the failed login count once per guess. The attacker can try one or two passwords per day against all the accounts he or she is aware of with minimal risk of locking out accounts. One way to detect this type of attack is to create a LinkedIn profile for a non-existent employee and generate an alert any time that fake account is used in a login attempt against any resource.
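The two detection ideas above, the spray pattern (many accounts, one or two failures each, from one source) and the decoy account that should never see a login, as an added example that is not part of the original post or Sikich's tooling. It assumes a simplified CSV of logon records (constructed below) and that `jane.decoy` is the account behind the fake LinkedIn profile.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed/successful logon records: time,source IP,target account,result.
# This is a simplified CSV for illustration, not real Windows security log output.
SAMPLE_LOG = """\
2019-06-03T08:00:01,203.0.113.7,alice.smith,FAIL
2019-06-03T08:00:04,203.0.113.7,bob.jones,FAIL
2019-06-03T08:00:09,203.0.113.7,carol.white,FAIL
2019-06-03T08:00:12,203.0.113.7,dave.brown,FAIL
2019-06-03T08:00:15,203.0.113.7,erin.black,FAIL
2019-06-03T08:00:18,203.0.113.7,jane.decoy,FAIL
2019-06-03T09:15:00,198.51.100.5,alice.smith,FAIL
2019-06-03T09:15:30,198.51.100.5,alice.smith,FAIL
2019-06-03T09:16:00,198.51.100.5,alice.smith,SUCCESS
"""

# Assumed: the account created for the fake LinkedIn employee; nobody should ever log in as it.
HONEYPOT_ACCOUNTS = {"jane.decoy"}

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, src, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src, user.lower(), result))
    return events

def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {source: distinct accounts} for sources that fail against many accounts
    with few attempts each inside one window, the spray pattern that per-account
    lockout thresholds never trip."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = Counter(u for t, u in fails[i:] if t - start <= window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = len(per_user)
                break
    return alerts

def honeypot_hits(events):
    """Any attempt against a decoy account is a high-confidence alert regardless of volume."""
    return [(ts.isoformat(), src) for ts, src, user, _ in events if user in HONEYPOT_ACCOUNTS]
```

In the sample, the second source (two failures then a success against one account) looks like a user mistyping a password and is correctly not flagged, while the first source trips both detections.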
Once in possession of a valid username and password combination, attackers can take additional steps to find resources that they can log in to as a given user without the need for multi-factor authentication. Resources like OWA or Skype for Business allow an attacker to gather a list of all company employees or engage in social engineering attacks from within those platforms. Other sites, such as Citrix Virtual Desktop sites, can allow an attacker to gain access to a desktop environment. One way to combat this sort of attack is to enforce multi-factor authentication on all Internet-facing authentication portals.
Executing Code on the Internal Endpoints
As defenses improve, attackers are shifting to making use of built-in Windows functionality to conduct attacks. This can include the use of PowerShell in attacks. However, that is becoming more challenging given the logging capabilities available to defenders. More recent attack trends make use of trusted operating system utilities to bypass anti-virus or application whitelisting. One example of this is the use of MsBuild.exe, the C# compiler built into the .NET Framework, which is present in modern versions of Windows and allows the attacker to compile and execute arbitrary code in memory to bypass application controls. Defending against these sorts of attacks involves detailed logging and active log monitoring, including capabilities to filter out false positives specific to the target environment.
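A small triage rule for MSBuild executions in process-creation logs, as an added example that is not code from the original post or from Sikich; it shows the environment-specific filtering the paragraph calls for. The records, the build host name `BUILD01` and the source root `C:\src\` are all assumed values constructed for the example.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation records (host, user, command line).
# Illustrative only; not real Sysmon or Windows event output.
SAMPLE_EVENTS = [
    ("BUILD01", "CORP\\svc_build",
     "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe C:\\src\\app\\app.csproj"),
    ("WS-042", "CORP\\alice.smith",
     "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe C:\\Users\\alice.smith\\AppData\\Local\\Temp\\build.xml"),
    ("WS-042", "CORP\\alice.smith",
     "C:\\Windows\\System32\\notepad.exe"),
]

# Assumed environment-specific tuning: hosts where MSBuild runs legitimately and the
# directories that hold real project files. This is what filters out the false positives.
BUILD_HOSTS = {"BUILD01"}
APPROVED_SOURCE_ROOTS = ("c:\\src\\",)

def split_cmdline(cmdline):
    # posix=False keeps Windows backslashes literal; surrounding quotes are stripped afterwards.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]

def is_msbuild(cmdline):
    return PureWindowsPath(split_cmdline(cmdline)[0]).name.lower() == "msbuild.exe"

def triage(events):
    """Return (host, user, reasons) for MSBuild executions outside the expected baseline."""
    alerts = []
    for host, user, cmdline in events:
        if not is_msbuild(cmdline):
            continue
        reasons = []
        if host not in BUILD_HOSTS:
            reasons.append("msbuild on non-build host")
        # The first non-switch argument is the project file MSBuild was asked to build.
        project = next((a for a in split_cmdline(cmdline)[1:] if not a.startswith("/")), None)
        if project and not project.lower().startswith(APPROVED_SOURCE_ROOTS):
            reasons.append("project file outside approved source roots")
        if reasons:
            alerts.append((host, user, reasons))
    return alerts
```

The build server's own MSBuild run produces no alert, while the same binary building a project file out of a user's Temp directory on a workstation does.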
Attackers change tactics as defensive capabilities evolve, and the cat-and-mouse game continues. Defenders need to continuously think about the changing threat landscape and identify new ways attackers might target their organizations. Should your organization require assistance fortifying or testing its defenses, do not hesitate to reach out to Sikich’s team of cybersecurity experts.