Cyber security for the weakest link
Secret, Quick, Quiet
Virus scanners and firewalls have been around in the IT world for years and have established themselves in people's minds as recognized security measures – which is unfortunate, because attacks on computer systems are no longer just amusement for script kiddies. Instead, attackers, sometimes even nation states, systematically target IT resources. The tried and tested defenses are no longer able to withstand the current threat situation.
Why should a firewall not be sufficient against these directed attacks? A city wall is a good example of what can happen: It is constructed to protect a city against uninvited guests, much like a firewall, although cyberattacks against a firewall can't necessarily be compared with a cannon that tears city walls down. Instead, imagine the city to be a heavily frequented trading town, where the hackers have disguised themselves as traders. The city wall (firewall) and the city guards (virus scanners) fail to identify the hitherto unknown thieves, because they first behave like normal merchants. However, once they are inside the city, the city wall no longer helps, and the city guards are limited in the extent to which they can check the criminal activity.
How does such a hacker currently proceed in practice? In principle, an attack always follows the same phases:
1. Break-in
2. Persistence
3. Preparatory work (lateral movement)
4. Perseverance and system surveillance
First, the hacker needs to gain access to the system, either by exploiting a vulnerability or by inducing a user to execute malicious code. Security gaps are always present (e.g., the well-known Spectre and Meltdown threats). Attackers continuously and automatically scan the Internet for computers with the kind of vulnerabilities they can exploit. Keep in mind that the attacker only needs one computer that can be compromised, so the chain is only as strong as its weakest link.
Therefore, it is always surprising to see how little care companies take when they connect computers to the Internet, opening ports that are not at all necessary and offering additional targets. For example, a gap in the SMB protocol became public in early 2017; web servers that still had the SMB port open were thus exposed to attack at that time. The city thus left an unguarded, unlocked door in the wall that was never used by the city's inhabitants. A thief could then happily enter and leave the city through the unguarded door.
Users as a Risk Factor
Users probably pose the greater risk, however, especially when it comes to a directed attack on a company. Today's users are aware that well-constructed email phishing attacks exist that try to induce them to execute malicious code. How difficult is it today to write an email message that looks like it came from a bank you trust? Quite simple! The sender address can be forged so easily that phishing is quickly accomplished.
In targeted attacks, information about the victim is obtained first, such as org charts published on the Internet or from organizations that gather personal information. This information is then used to send fake email such that a user thinks it is from their boss or a coworker. The idea is to tempt the user to open an attached file. Fortunately, with this type of attack, the user still must actively do something, which is why Office macros are disabled in most companies; otherwise, even opening a Word document would enable the attack.
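The forged sender and the fake boss email described above leave traces in the message headers that a mail gateway or an analyst can check. The following Python script is an added example written for this article, not code from ADMIN Magazine; it assumes the gateway writes SPF, DKIM and DMARC results into an Authentication-Results header, and the internal domains, staff names and both sample messages are constructed for the example.

```python
"""Header-based triage of a suspected phishing message.

Added example for this article (not ADMIN Magazine code). It assumes the
mail gateway records SPF/DKIM/DMARC results in an Authentication-Results
header and that we know our own domains and the staff names an attacker
could lift from a published org chart. All constants and messages below
are constructed for the example.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}               # assumption: our own mail domains
STAFF_NAMES = {"tom weber", "maria schmidt"}     # assumption: names from our org chart
RISKY_SUFFIXES = (".docm", ".xlsm", ".pptm", ".exe", ".js", ".hta", ".lnk", ".iso", ".scr")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return the findings for one raw RFC 5322 message; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. A colleague's name shown on an address outside our own domains.
    if display_name.strip().lower() in STAFF_NAMES and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"display name '{display_name}' on external address {from_addr}")

    # 2. Envelope sender (Return-Path) and header From come from different domains.
    rp_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"envelope domain {rp_domain} differs from From domain {from_domain}")

    # 3. Replies are steered to a third domain.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}")

    # 4. Gateway authentication results: anything other than 'pass' deserves a look.
    #    SPF alone is weak evidence, because it checks the envelope domain, which the
    #    sender controls; DMARC is what ties the result to the visible From domain.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")

    # 5. Attachments that can carry macros or executable content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"risky attachment {name}")

    return findings


# Constructed sample: reads like an internal request, but every signal is wrong.
SUSPECT_MESSAGE = """\
From: "Tom Weber" <tom.weber@mail-example.net>
To: maria.schmidt@example.com
Reply-To: invoices@webmail.example.org
Return-Path: <bounce@bulk-sender.example.org>
Subject: Invoice - please check before 10:00
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.example.org; dkim=none; dmarc=fail header.from=mail-example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Maria, please open the attached invoice before the meeting.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: the same colleague writing from the real internal domain.
CLEAN_MESSAGE = """\
From: "Tom Weber" <tom.weber@example.com>
To: maria.schmidt@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Canteen at twelve?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage(raw) or "no findings")
```

The interesting case is the first message: SPF passes, because the envelope sender is a bulk-mailer domain the attacker controls, while DMARC fails because that domain is not aligned with the visible From address. A display name lifted from an org chart, a Reply-To on a third domain and a macro-enabled attachment complete the picture; any one signal is weak, and the combination is what makes the triage useful.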
Another very simple possibility is to drop a USB stick with the malicious code in front of an office. Usually an employee will find the stick and (be honest, wouldn't you want to know what's on it?) attach it to their computer. The USB stick could even be prepared so that the system recognizes it as a keyboard when it is connected and immediately starts to execute malicious commands. Because the code is typed normally, as with a keyboard, an antivirus scanner is no help. The malicious code could establish a connection to the hacker's computer – usually not the hacker's home computer, of course, but perhaps the computer of a private individual who has already been hacked – which then forwards the connection.
Foothold
This connection now allows the hacker to work with the user's rights, and if the user has administrative rights, the hacker has hit the jackpot. If not, the hacker can at least do everything the user can, such as switch on the webcam and see what the other person looks like, read their email and documents, and so on. You can quite easily imagine that a hacker can plan the next step far better armed with this information alone. First, however, they have to make sure the connection is maintained. The hacker needs persistence (i.e., a permanent connection), which is the easiest part, because Windows, for example, offers so many ways to execute code whose execution is difficult to identify or prevent.
Just download and run the Autoruns program from the Windows Sysinternals website [1] to see what is automatically launched on your own system. Would you trust yourself to identify a hacker from this information? The attacker could hide code execution, and thus the establishment of a new connection, in a scheduled task. With so many tasks already present, one more task or a modified task would hardly be noticeable. This task could then direct that a connection to the hacker is established every Monday at 9am, for example, and even employ one of the ways to execute code only when the screen is locked, so that users or administrators cannot use the Task Manager to search for the program.
Even tried and tested virus scanners do not usually help in these cases, because the code is individually tailored and only carries out actions that a user would also perform (i.e., opening a connection from one computer to another).
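Autoruns shows what is launched, but with hundreds of scheduled tasks a reviewer needs a filter. The script below is an added example for this article, not code from ADMIN Magazine or Sysinternals; it reads the XML that schtasks /query /xml or Export-ScheduledTask produce for one task and flags the traits described above: a trigger tied to session lock, the Hidden setting, a script host launched with window-hiding or policy-bypassing arguments, and a script kept in a user-writable path. Both task definitions, the task names and the argument heuristics are constructed for the example.

```python
"""Triage of exported Task Scheduler definitions.

Added example for this article (not ADMIN Magazine or Sysinternals code).
It reads the XML that `schtasks /query /xml` or Export-ScheduledTask
produce and flags the traits the article describes. Both task
definitions below are constructed for the example; the word lists are
heuristics, not signatures.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and signed Windows binaries that commonly launch scripts.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Argument fragments that rarely appear in legitimate administrative tasks.
ODD_ARGS = ("-enc", "-encodedcommand", "-w hidden", "windowstyle hidden",
            "-nop", "bypass", "downloadstring", "invoke-expression")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _text(elem, path):
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def review_task(task_xml: str) -> dict:
    """Return name, author, trigger kinds and a list of findings for one task definition."""
    root = ET.fromstring(task_xml)
    findings = []

    # Triggers answer "when". SessionStateChange covers lock, unlock, connect, disconnect.
    triggers = []
    trigger_node = root.find("t:Triggers", NS)
    for trig in (list(trigger_node) if trigger_node is not None else []):
        kind = trig.tag.split("}")[-1]
        if kind == "SessionStateChangeTrigger":
            kind += ":" + _text(trig, "t:StateChange")
        triggers.append(kind)
    if any(t.startswith("SessionStateChangeTrigger") for t in triggers):
        findings.append("trigger fires on session state change, i.e. when nobody is at the console")

    # Hidden tasks are not listed by the Task Scheduler console by default.
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task is marked Hidden")

    # Actions answer "what".
    for exe in root.findall("t:Actions/t:Exec", NS):
        command = _text(exe, "t:Command")
        args = _text(exe, "t:Arguments")
        base = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in SCRIPT_HOSTS:
            findings.append(f"action launches script host {base}")
        hits = [frag for frag in ODD_ARGS if frag in args.lower()]
        if hits:
            findings.append(f"arguments contain {hits}")
        if any(p in (command + " " + args).lower() for p in USER_WRITABLE):
            findings.append("command or script lives in a user-writable path")

    return {
        "name": _text(root, "t:RegistrationInfo/t:URI") or "(no URI)",
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "findings": findings,
    }


# Constructed sample: weekly Monday 9am trigger plus a lock trigger, hidden, running a
# PowerShell script out of the user's roaming profile.
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>WORKSTATION\jdoe</Author>
    <URI>\OneDriveSyncHelper</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-01-08T09:00:00</StartBoundary>
      <ScheduleByWeek>
        <DaysOfWeek><Monday/></DaysOfWeek>
        <WeeksInterval>1</WeeksInterval>
      </ScheduleByWeek>
    </CalendarTrigger>
    <SessionStateChangeTrigger>
      <StateChange>SessionLock</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-w hidden -nop -ExecutionPolicy Bypass -File C:\Users\jdoe\AppData\Roaming\sync.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample modelled on a stock maintenance task: nothing to report.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-01-03T01:00:00</StartBoundary>
      <ScheduleByWeek>
        <DaysOfWeek><Wednesday/></DaysOfWeek>
        <WeeksInterval>1</WeeksInterval>
      </ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = review_task(xml_text)
        print(r["name"], r["triggers"], r["findings"] or "no findings")
```

Run over every exported task, the result is a short list worth reading by hand instead of hundreds of entries; the benign defragmentation task produces no findings, the constructed lock-triggered task produces five. None of the single traits is proof on its own (administrators do write hidden tasks that run PowerShell), which is why the function reports all of them rather than a verdict.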
Other Targets
After gaining permanent access to one computer, the hacker either targets the resident data, which is probably why the hacker started the attack in the first place, or tries to spread further across the network. This spread is known as "lateral movement." The hacker now uses their internal view of the network to attack other systems – for example, by sending email to a coworker, which can now be composed in a far better way because of new, internal information. The aim in particular is to gain administrative access to a system. After all, with appropriate rights, hackers can execute pass-the-hash attacks [2] on the computer, which require system access but can then very easily misuse the passwords of users or service accounts.
The hacker tool of choice today is Mimikatz, which is freely available and can be learned within a few hours. (See also the box "Hacker Tools: Good or Bad?") Although an antivirus scanner typically will react to Mimikatz, attackers can easily modify it so that no virus scanner recognizes the code. This procedure is well documented: scanners usually look for something known in the malware code, so if the code is modified, it can become so unique that the antivirus scanner no longer recognizes it. After modification, hackers can simply check their code with the VirusTotal website [3] or corresponding Darknet services to see whether the respective malware scanner can still identify it.
Hacker Tools: Good or Bad?
How difficult is it to perform the attacks described in this article? Can only a few people do this? The know-how and software are easily obtained on the Internet, such as the Mimikatz pass-the-hash attack tool. USB sticks that act like a keyboard are called USB Rubber Ducky and cost less than $50 online. Programs that set up a backdoor are also available for download (e.g., Empire, a PowerShell and Python post-exploitation agent, and the Kali Linux distribution, which includes all kinds of hacker tools). These tools are available for download because they are educational. Genuinely criminal organizations or state-sponsored hacking groups already have these tools. Although by making them public a larger number of people can do fundamental damage, the "white hats" are now familiar with the risks and can protect themselves against them.
With local admin rights on a computer and Mimikatz, the attacker can obtain the account information of any user who logs on to the computer. With the newly acquired rights, they then jump to the next computer and so on. Companies often assign the same local admin rights on every computer. In such an environment, the hacker has immediate access to all computers. Often, the same account is used on all computers to install software. If this account is connected to a service, the hacker can also gain access to that account.
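Both the pass-the-hash step and the hop from computer to computer with a shared local admin account leave entries in the Windows Security log (logon event 4624) that a central log collector can check. The script below is an added example for this article, not code from ADMIN Magazine or from any of the tools mentioned; it assumes the events have already been collected and parsed into the handful of fields used here. The domain name, hosts, accounts and all event records are constructed, and the fan-out threshold is a heuristic to tune.

```python
"""Three checks over Windows logon events (Security event 4624) for the
pass-the-hash and lateral-movement pattern the article describes.

Added example for this article (not ADMIN Magazine code). It assumes the
events have been collected centrally and parsed into the few fields used
here; the event records, host names and the CORP domain are constructed
for the example, and the thresholds are heuristics for your own environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

DOMAINS = {"CORP"}  # assumption: NetBIOS name(s) of our AD domain(s)


@dataclass(frozen=True)
class Logon:
    """The subset of event 4624 fields these checks need."""
    time: datetime
    computer: str        # host that logged the event
    logon_type: int      # 3 = network, 9 = new credentials
    logon_process: str   # e.g. NtLmSsp, Kerberos, seclogo
    auth_package: str    # NTLM, Kerberos, Negotiate
    user: str            # TargetUserName
    user_domain: str     # TargetDomainName (the host name for local accounts)
    source_ip: str       # IpAddress


def new_credentials_logons(events):
    """Check 1: logon type 9 through the Secondary Logon service ('seclogo') with the
    Negotiate package. This is how a new-credentials logon on the source host appears,
    whether an admin ran 'runas /netonly' or a tool injected stolen hashes, so a hit is
    a lead to correlate with who was at the host and what happened next."""
    return [e for e in events
            if e.logon_type == 9 and e.logon_process.lower() == "seclogo"
            and e.auth_package.lower() == "negotiate"]


def local_account_network_logons(events):
    """Check 2: a local (non-domain) account used for a network logon. With one shared
    local admin password across the fleet, this is the trace of the hop from host to host."""
    return [e for e in events
            if e.logon_type == 3
            and e.user_domain.upper() not in DOMAINS
            and e.user_domain.upper() == e.computer.upper()]


def network_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Check 3: one source address and account reaching many distinct hosts in a short
    window (sliding window over the time-sorted logons of each source/user pair)."""
    by_actor = defaultdict(list)
    for e in events:
        if e.logon_type == 3:
            by_actor[(e.source_ip, e.user)].append(e)
    alerts = []
    for (ip, user), logons in by_actor.items():
        logons.sort(key=lambda e: e.time)
        for i, first in enumerate(logons):
            hosts = {e.computer for e in logons[i:] if e.time - first.time <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"source_ip": ip, "user": user, "first": first.time,
                               "hosts": sorted(hosts)})
                break  # one alert per actor is enough
    return alerts


def _ev(t, computer, ltype, proc, pkg, user, domain, ip):
    return Logon(datetime.fromisoformat(t), computer, ltype, proc, pkg, user, domain, ip)


# Constructed sample: a new-credentials logon on WS-017, then the same local admin
# account reaching five hosts from WS-017's address within three minutes, and one
# ordinary Kerberos logon by a domain user.
EVENTS = [
    _ev("2018-01-08T09:00:12", "WS-017", 9, "seclogo", "Negotiate", "jdoe", "CORP", "::1"),
    _ev("2018-01-08T09:01:03", "WS-018", 3, "NtLmSsp", "NTLM", "localadmin", "WS-018", "10.0.5.17"),
    _ev("2018-01-08T09:01:41", "WS-019", 3, "NtLmSsp", "NTLM", "localadmin", "WS-019", "10.0.5.17"),
    _ev("2018-01-08T09:02:10", "WS-020", 3, "NtLmSsp", "NTLM", "localadmin", "WS-020", "10.0.5.17"),
    _ev("2018-01-08T09:02:55", "FS-01", 3, "NtLmSsp", "NTLM", "localadmin", "FS-01", "10.0.5.17"),
    _ev("2018-01-08T09:03:30", "WS-021", 3, "NtLmSsp", "NTLM", "localadmin", "WS-021", "10.0.5.17"),
    _ev("2018-01-08T09:15:00", "FS-01", 3, "Kerberos", "Kerberos", "mschmidt", "CORP", "10.0.5.42"),
]

if __name__ == "__main__":
    for e in new_credentials_logons(EVENTS):
        print(f"[new-credentials logon] {e.time} {e.computer} user={e.user}")
    for e in local_account_network_logons(EVENTS):
        print(f"[local account over network] {e.time} {e.computer} "
              f"{e.user_domain}\\{e.user} from {e.source_ip}")
    for a in network_fanout(EVENTS):
        print(f"[fan-out] {a['user']} from {a['source_ip']} reached {a['hosts']} from {a['first']}")
```

The first check is deliberately cautious: a new-credentials logon through the Secondary Logon service looks the same whether an administrator ran runas /netonly or a tool injected stolen hashes, so it is a lead to correlate, not a verdict. The second and third checks catch the scenario above directly: a local account that has no business on the network, and one source address reaching five hosts in three minutes. Giving every computer its own local admin password removes most of the legitimate hits from the second check, which is what makes it worth alerting on.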
As a rule, the hacker can then do everything they intended, but they can also go one step further: They can attack the domain itself. For this they would need domain admin authorization, which can be obtained with the steps described above. By compromising a domain admin account and gaining access to a domain controller, the attacker can gain access to the Key Distribution Center service account (KRBTGT) in Active Directory, whose key is used to issue every Kerberos ticket-granting ticket. This account is the passport office of the domain, and it can legitimize any user account.
Armed with this account, hackers can temporarily generate their own accounts and assign whatever authorizations they need. The hacker is now the king of the domain. A hacker who has advanced this far will be difficult to keep out of the system in the future. The attack on Germany's Bundestag in 2015 may have been such an attack. The solution back then was to rebuild the entire IT system, because, after all, a hacker with a golden ticket [4] can create any number of backdoors.