Last week, whilst at Infosecurity Europe 2014, I was fortunate enough to have a meeting with Amichai Shulman, CTO of Imperva, during which he revealed some very interesting research.
Previewing the company’s April Hacker Intelligence Initiative report, “The Non-Advanced Persistent Threat,” Shulman revealed that some ‘advanced’ threats are actually incredibly simple to execute, requiring only basic technical skills.
Advanced Persistent Threats (APTs) have traditionally been viewed as complex attacks requiring a level of skill that puts them beyond the reach of lone hackers and into the area of hacktivism, cyber criminality and governmental interference.
However, this new report from Imperva exposes simple ways that attackers are obtaining access privileges and accessing protected data by targeting weaknesses of the Microsoft NTLM protocol using nothing more than knowledge of common Windows protocols, basic social engineering, and readily available software.
“As our research team reveals in our Hacker Intelligence Initiative Report, some APTs are relatively simple to execute. There needs to be a fundamental shift in how we view APTs and how we protect against them. These types of attacks are difficult to prevent and our report shows that they can be conducted relatively easily. In order to mitigate damage, security teams need to understand how to protect critical data assets once intruders have already gained access.”
The report focuses on the phases of escalating privileges and collecting confidential business information stored on file servers, Microsoft SharePoint or database servers, showing how attackers achieve their goals without resorting to keyloggers, zero-day vulnerabilities or sophisticated exploits.
The research examines how attacks target commonly known weaknesses in NTLM, Microsoft's legacy challenge-response authentication protocol. Imperva notes that, although NTLM is considered weak, it is still widely used in corporate environments.
The research then shows how attackers can exploit these weaknesses to expand their reach within a target organisation and access critical data assets, often within hours to days rather than weeks to months.
The key findings from the report are:
- Data breaches commonly associated with APT can be achieved by relatively simple (and commonly available) means, using basic technical skills.
- Built-in Windows functionality, combined with seemingly “innocent” file shares and SharePoint sites, can provide attackers with an entry-point to accessing an organisation’s most critical data.
- A mitigation strategy should be implemented that focuses on monitoring the authentication process itself and data access patterns, in addition to tailoring authorisation mechanisms for increased security.
The report highlights how an attacker who has gained access to a single workstation, by any means, gains the access privileges of the currently logged-on user. By compromising further accounts he extends those privileges and can then reach larger parts of the company's data store.
NTLM protocol weaknesses give an attacker a perfect opportunity to do just that, by extending his access privileges to targeted resources (as long as those resources support NTLM authentication). The report notes that Windows file shares and some databases – mainly MS SQL and Oracle – support Windows-based authentication using NTLM.
Once an attacker has compromised an organisational asset and has an available communication channel to that machine, e.g. by stealing a corporate laptop, he gains the privileges associated with the user currently logged into that device, be that access to the file share or even possibly to databases.
From that starting point the attacker can then intercept the authentication process of a privileged account to the compromised machine and leverage it to connect to the data center.
Using one of many freely available hacking tools, the attacker can perform an NTLM relay attack. In such a scenario, once a privileged account tries to connect to the compromised machine, the tool relays that SMB authentication to the file share (the target). The specific script examined in the report tries to install a service on the target server; with small modifications it could instead simply be used to explore the file share using the relayed credentials.
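The exchange described above, as an added example that is not part of the Imperva report or of any named relay tool: a victim connects to the compromised workstation, which answers with the file server's challenge rather than its own and forwards the victim's response, so the victim's logon lands on the share for the attacker's benefit. The hash is a stand-in (HMAC-SHA256 in place of NTLMv2's HMAC-MD5 over an MD4 password hash, so it runs on Python builds without MD4), and the hostname `fs01`, the account `admin` and its password are constructed. The two checks a practitioner would want are built in: a captured response cannot simply be replayed, and a share that requires SMB signing defeats the relay because the session key is derived from a password the relay never sees.

```python
import hashlib
import hmac
import os

# Stand-in for the NTLMv2 computation. Real NTLMv2 keys HMAC-MD5 with an MD4
# hash of the password (NTOWFv2); HMAC-SHA256 is used here so the example runs
# on Python builds without MD4. Nothing about the relay depends on the hash.
def user_key(password, user, domain):
    pw_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return hmac.new(pw_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.sha256).digest()

def challenge_response(key, server_challenge, client_nonce):
    return hmac.new(key, server_challenge + client_nonce, hashlib.sha256).digest()

def session_key(key, response):
    # Derived from the password-derived key, which a relay never learns.
    return hmac.new(key, response, hashlib.sha256).digest()


class FileServer:
    """The target share. `accounts` (user -> password) stands in for the domain controller."""

    def __init__(self, accounts, require_signing=False):
        self.accounts = accounts
        self.require_signing = require_signing
        self.challenges = set()
        self.sessions = {}  # session id -> (user, session key)
        self.files = {r"\\fs01\finance\payroll.xlsx": b"confidential"}  # constructed sample file

    def negotiate(self):
        challenge = os.urandom(8)
        self.challenges.add(challenge)
        return challenge

    def authenticate(self, user, domain, challenge, nonce, response):
        if challenge not in self.challenges or user not in self.accounts:
            return None
        self.challenges.discard(challenge)  # single use: a captured response cannot be replayed
        key = user_key(self.accounts[user], user, domain)
        if not hmac.compare_digest(challenge_response(key, challenge, nonce), response):
            return None
        sid = os.urandom(4)
        self.sessions[sid] = (user, session_key(key, response))
        return sid

    def read(self, sid, path, signature=None):
        user, skey = self.sessions[sid]
        if self.require_signing:  # SMB signing: each request must carry a MAC under the session key
            expected = hmac.new(skey, path.encode("utf-16-le"), hashlib.sha256).digest()
            if signature is None or not hmac.compare_digest(expected, signature):
                return None
        return self.files.get(path)


class Relay:
    """The compromised workstation. It hands the target's challenge to whoever connects and
    forwards their response to the target, so the victim authenticates the attacker's session."""

    def __init__(self, target):
        self.target = target
        self.sid = None
        self.user = None

    def negotiate(self):
        return self.target.negotiate()  # the target's challenge, not one of our own

    def authenticate(self, user, domain, challenge, nonce, response):
        self.sid = self.target.authenticate(user, domain, challenge, nonce, response)
        if self.sid is not None:
            self.user = user
        return self.sid

    def read(self, path):
        return self.target.read(self.sid, path)  # unsigned: the relay has no session key


def client_connect(server, user, domain, password):
    """A privileged user connects to `server` (which may be the relay) and answers its challenge."""
    challenge, nonce = server.negotiate(), os.urandom(8)
    response = challenge_response(user_key(password, user, domain), challenge, nonce)
    return server.authenticate(user, domain, challenge, nonce, response)


def run_relay(require_signing):
    """Admin connects to the compromised box; the relay uses that logon against the share."""
    accounts = {"admin": "Winter2014!"}  # constructed sample account
    share = FileServer(accounts, require_signing)
    relay = Relay(share)
    client_connect(relay, "admin", "CORP", accounts["admin"])
    return relay.user, relay.read(r"\\fs01\finance\payroll.xlsx")


def replay_fails():
    """Why the attack must be live: a captured response is bound to an already-consumed challenge."""
    share = FileServer({"admin": "Winter2014!"})
    key = user_key("Winter2014!", "admin", "CORP")
    challenge, nonce = share.negotiate(), os.urandom(8)
    response = challenge_response(key, challenge, nonce)
    share.authenticate("admin", "CORP", challenge, nonce, response)  # the legitimate logon
    return share.authenticate("admin", "CORP", challenge, nonce, response) is None
```

`run_relay(False)` returns `("admin", b"confidential")`: the share believes the admin has logged on, yet the admin only ever connected to the workstation. `run_relay(True)` still authenticates but the read returns `None`, which is the point of enforcing SMB signing on servers rather than merely enabling it, since a relay can strip signing from a negotiation it is in the middle of but cannot forge a MAC under a key it does not hold.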
With file shares often hosting folders that are accessible to even the least privileged users (“wells”) within an organisation, monitoring of the less sensitive areas may not be particularly intense due to the low value of the data (pictures, manuals, etc.) stored there, and threat protection will likely be limited to regular antivirus scans.
However, a large number of users will be “drinking from the well.” Whilst each of those users may have limited access to the file share, collectively the sum total of all that access may be substantial. Therefore an attacker has the motivation to “poison the well.”
One way in which this can be accomplished is via shortcut files. Windows allows users to customise the appearance of a shortcut by modifying its icon properties and, in particular, lets the icon reference a remote file. An attacker can therefore place a shortcut in the common folder and set its icon location to a UNC path on the compromised machine. A user who merely browses that folder has Explorer fetch the icon in order to render it, and so unknowingly performs SMB authentication to the compromised machine, which in turn relays that authentication to the file share.
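A defender's counterpart to the poisoned-shortcut trick, added here as an example that is not from the Imperva report: a scanner that parses `.lnk` files taken from a shared folder and flags any whose icon is served from a host other than the file server itself. The parser follows the MS-SHLLINK layout (76-byte header, optional IDList and LinkInfo, then the StringData fields, of which IconLocation is the last). The sample share contents, the host names `fs01` and `ws-0117` and the shortcut names are constructed; `build_lnk` exists only to produce that test data.

```python
import struct

# Layout per MS-SHLLINK: 76-byte header, optional IDList and LinkInfo, then StringData.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [  # StringData sections, in the order they appear when their flag is set
    (0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
    (0x20, "arguments"), (0x40, "icon_location"),
]

def parse_lnk(data):
    """Return the StringData fields of a .lnk file as a dict (icon_location included)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the whole block
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields

def build_lnk(icon_location, name="Holiday photos"):
    """Build a minimal shortcut whose only payload is its icon path (constructed test data)."""
    flags = 0x04 | 0x40 | IS_UNICODE  # HasName | HasIconLocation | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(name) + string_data(icon_location) + b"\x00\x00\x00\x00"

def unc_host(path):
    """Host name of a UNC path, or None for local paths."""
    if path.startswith("\\\\"):
        return path[2:].split("\\", 1)[0].lower()
    return None

def find_poisoned_shortcuts(shortcuts, trusted_hosts):
    """shortcuts: {filename: bytes}. Flag any whose icon is served from an unexpected host."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for filename, data in sorted(shortcuts.items()):
        try:
            fields = parse_lnk(data)
        except ValueError:
            continue
        host = unc_host(fields.get("icon_location", ""))
        if host is not None and host not in trusted:
            findings.append((filename, host))
    return findings

# Constructed sample contents of a "common" folder on the share.
SAMPLE_SHARE = {
    "Printer setup.lnk": build_lnk(r"\\fs01\icons\printer.ico", "Printer setup"),  # icon on the file server
    "Manual.lnk": build_lnk(r"%SystemRoot%\system32\shell32.dll", "Manual"),       # local icon
    "Holiday photos.lnk": build_lnk(r"\\ws-0117\pics\folder.ico"),                   # icon on a workstation
}

def scan_sample():
    return find_poisoned_shortcuts(SAMPLE_SHARE, trusted_hosts={"fs01"})
```

`scan_sample()` returns `[("Holiday photos.lnk", "ws-0117")]`: the one shortcut that makes every browsing user authenticate to a workstation. Two caveats for anyone turning this into a real scanner: a shortcut can also carry its icon path in the IconEnvironmentDataBlock of the ExtraData section (with environment variables that expand on the client), and the link target itself may be a UNC path, so both should be inspected as well; and the same SMB round-trip is triggered by other file types that resolve remote resources when rendered, so egress filtering of SMB from user subnets to workstations is the more general control.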
The Imperva report ends by concluding that upgrading to more secure authentication protocols is always a good idea but that it shouldn’t be seen as a silver bullet for stopping APTs.
So how then does one mitigate against the non-advanced persistent threat?
Shulman suggested that looking at the context of access was key, saying that the majority of breaches exhibit tell-tale signs, such as too many files being accessed, multiple users appearing to operate from one machine, user access attributed to the ‘wrong’ machine and access being recorded at the wrong time of day.
Therefore, relatively simple file security is enough to protect against a relatively significant threat. Mitigation of these attacks should focus on monitoring the authentication process itself and on data access patterns, rather than relying solely on the authentication protocol and authorisation mechanisms. It should also be remembered that privileged processes inside the network that routinely authenticate to endpoints are a potential threat vector, since their logons can be relayed just like a user's.
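The four tell-tale signs Shulman lists, turned into detection logic over file-share access events, as an added example that is not from the report or from any Imperva product. The event format (timestamp, account, source host, path), the per-account baseline and the thresholds are all constructed; in practice the events would come from the file server's object-access audit log or a file activity monitor, and the baseline from a few weeks of history. Note what a relayed logon looks like to the share: the admin's account arriving from the compromised workstation's address, which is exactly "wrong machine" and "multiple users from one machine".

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of file-share access events: "timestamp account source_host path".
# The real source would be object-access audit events or a file activity monitor; the
# layout here is an assumption for the example.
SAMPLE_EVENTS = r"""
2014-04-28T09:12:03 CORP\jsmith WS-0117 \\fs01\common\manuals\printer.pdf
2014-04-28T09:14:10 CORP\jsmith WS-0117 \\fs01\common\pictures\offsite.jpg
2014-04-28T10:02:45 CORP\mjones WS-0221 \\fs01\finance\q1\forecast.xlsx
2014-04-28T03:00:01 CORP\svc_backup BKP01 \\fs01\finance\q1\forecast.xlsx
2014-04-28T22:41:12 CORP\mjones WS-0117 \\fs01\finance\q1\forecast.xlsx
2014-04-28T22:41:13 CORP\mjones WS-0117 \\fs01\finance\q1\payroll.xlsx
2014-04-28T22:41:15 CORP\mjones WS-0117 \\fs01\finance\q1\bonuses.xlsx
2014-04-28T22:41:16 CORP\mjones WS-0117 \\fs01\finance\q1\audit.docx
2014-04-28T22:41:18 CORP\mjones WS-0117 \\fs01\finance\q2\plan.xlsx
2014-04-28T22:41:19 CORP\mjones WS-0117 \\fs01\finance\board\minutes.docx
""".strip()

# Per-account baseline: the workstation the account normally uses and its working hours.
# Constructed for the example; a service account gets its own profile rather than being ignored.
BASELINE = {
    r"CORP\jsmith": {"host": "WS-0117", "hours": (8, 19)},
    r"CORP\mjones": {"host": "WS-0221", "hours": (8, 19)},
    r"CORP\svc_backup": {"host": "BKP01", "hours": (0, 24)},
}
MAX_FILES_PER_HOUR = 5   # distinct files one account may touch in an hour (assumed threshold)
MAX_USERS_PER_HOST = 1   # distinct accounts authenticating from one workstation (assumed threshold)

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, host, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, host, path))
    return events

def detect(events, baseline=BASELINE):
    """Return {rule: sorted findings} for the four contextual signals."""
    findings = defaultdict(set)
    files_per_hour = defaultdict(set)
    users_per_host = defaultdict(set)
    for ts, user, host, path in events:
        profile = baseline.get(user)
        if profile is not None:
            if host != profile["host"]:
                findings["wrong_machine"].add((user, host))
            start, end = profile["hours"]
            if not start <= ts.hour < end:
                findings["wrong_time"].add((user, ts.hour))
        files_per_hour[(user, ts.strftime("%Y-%m-%dT%H:00"))].add(path)
        users_per_host[host].add(user)
    for (user, hour), paths in files_per_hour.items():
        if len(paths) > MAX_FILES_PER_HOUR:
            findings["too_many_files"].add((user, hour, len(paths)))
    for host, users in users_per_host.items():
        if len(users) > MAX_USERS_PER_HOST:
            findings["multiple_users"].add((host, tuple(sorted(users))))
    return {rule: sorted(hits) for rule, hits in findings.items()}

def run_detection():
    return detect(parse_events(SAMPLE_EVENTS))
```

On the sample, `run_detection()` fires all four rules for the same account and workstation: `mjones` appears on `WS-0117` (jsmith's machine) at 22:41, touches six finance files in one hour, and `WS-0117` is now the source for two accounts. None of these checks needs to know which authentication protocol was used, which is the point of the article: the relay is invisible to the protocol but obvious in the access context.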
For a far more detailed analysis of the non-advanced persistent threat, read the full report here.