Red Hat was fortunate to have Lee Jourdan and Shuchi Sharma participate in Red Hat Coffee Hour’s...
Long-Term DIB Organization Hack Created by Privilege Abuse
The Cybersecurity and Infrastructure Security Agency (CISA) responded to a significant cyberattack on an enterprise network of a Long-Term DIB Organization organization between November 2021 and January 2022.
Advanced persistent threat (APT) attackers broke into the environment and further penetrated the company’s network throughout that time using an open-source toolkit called Impacket. Even worse, according to CISA, the organization’s network may have been hacked by many APT groups.
These kinds of data breaches are most often the result of privileged credentials and hacked endpoints. In this instance, the abuse of user and admin privileges was a key factor in the attack’s success. The attack by the APT group is another piece of evidence of how important it is to monitor and safeguard privileged accounts for effective security.
Want to know more about Cybersecurity? Visit our course now.
Long-Term DIB Organization: Evolution of the Attack
APT attackers were able to access the company’s Microsoft Exchange Server as early as mid-January 2021 during the initial stages of the attack. The unknown is the original access vector. Within four hours of the initial breach, the actors examined mailboxes and obtained information about the exchange environment based on log analysis.
Four days later, the APT actors started analyzing the environment of the company and collecting data using Windows Command Shell. Data from shared drives that were taken included private contract information.
APT attackers installed Impacket into a different system at the same time. Impacket is a Python toolkit for creating and changing network protocols programmatically. The attackers were also able to try to move laterally within the network by using this toolbox.
Preventing Abuse of Privilege
The abuse of privilege was one of this attack’s defining characteristics. Hackers used existing account credentials to their advantage to build attacks such as initial access, persistence, privilege escalation, and defense evasion.
The CISA, FBI, and NSA advise organizations to keep an eye on their records for connections from strange VPSs and VPNs given the actors’ proven capacity to sustain persistent, long-term access in compromised enterprise environments. To do this, analyze connection records for access from unusual IP addresses.
Additionally, businesses should focus on any suspicious account activity, such as improper or unauthorized usage of administrator, service, or third-party accounts.
Signs of suspect account use, according to CISA, include:
- Changes to usernames, user agent strings, and IP address combinations that result in “impossible logins,” as well as logins where IP addresses do not fit the expected user’s location,
- Suspicious use of a privileged account following a password reset or user account mitigations
- Unusual activity on usually inactive accounts
- User-agent strings that are unusual, such as those not generally linked with regular user activity, may be a sign of bot activity.
Privileged Access Management Offers a Solution
With privileged access management (PAM) systems, this form of APT attack can be successfully prevented much more effectively. Unusual user activity can be quickly identified by providing least-privilege access to endpoints. Least privilege techniques, for instance, can identify when users access files that aren’t often related to their work, and PAM solutions can warn you if a dormant account suddenly becomes active.
Local administrator rights are a common target for cybercriminals, as seen by this DIB organization incident. Controls that protect both endpoints and privileged credentials must be in place to completely protect sensitive data.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com