Organizations of all sizes and across all industries are accelerating their efforts to become fully digital. Automating business processes achieves numerous benefits for their adopters; however, it also widens their attack surface.
Digital acceleration has increased in popularity over the past two years, pushed by the wide adoption of the remote-working model during the COVID-19 pandemic. Organizations worldwide were forced to move their work to the cloud and allow their employees to work from home. The new working model provides a golden opportunity for threat actors to infiltrate business networks by using different methods such as privilege escalation attacks.
Privilege escalation is when attackers try to raise their access permission to a higher level to get broad access to sensitive resources. Advanced Persistent Threats (APT) groups and other advanced threat actors commonly use this attack technique to move laterally across the target network to exfiltrate data and remain undetected.
We will define privilege escalation attacks, list privilege escalation types and attack vectors, and discuss the mitigation strategies to counter this attack type.
Defining Privilege Escalation
Privilege escalation is a cyberattack that grants adversaries privileges beyond what the system or application intended to give. The attack can be carried out by internal or external threat actors and is considered a key phase in many advanced cyberattacks, including APT and ransomware attacks.
Privilege escalation is dangerous because it allows attackers to perform various malicious activities, like:
- Installing malware, such as a backdoor, on the target user’s device to gain broad access to the target organization’s IT environment.
- Accessing confidential information from the target, such as Personally Identifiable Information (PII), Protected Health Information (PHI), trade secrets, and other sensitive business information.
- Infiltrating critical network areas to cause work interruption through sabotaging essential business services or facilitating other cyberattacks, such as a DDoS attack.
Privilege escalation exploits a vulnerability or bug in the target system, application, API, or misconfiguration errors in cloud services, apps, or in the access controls mechanism. Credentials theft and social engineering attacks are common attack vectors used by adversaries to steal user accounts and credentials and perform various malicious actions.
Privilege Escalation Types
There are two types of privilege escalation:
Horizontal Privilege Escalation
In this type, adversaries try to gain access to a user account (whether this account belongs to a user or a device) on the same authorization level to view the target’s private data or impersonate the target account owner to gain more access. For example, an attacker who has a standard account may try to access another user’s standard account to view data belonging to that account (for example, the work files of that user).
Vertical Privilege Escalation
Most IT security professionals mean this type when they talk about a privilege escalation cyberattack. In vertical escalation, attackers try to raise their access from a limited user account to an account with unrestricted privileges (Administrator or SYSTEM on Windows, root on Linux/UNIX). Vertical escalation is often carried out in a series of steps. For example, the attacker begins with a guest account, then moves to a standard user account, and finally escalates to root.
Vertical escalation is dangerous because adversaries gain access to system functions that are unavailable to other user types. For instance, if a standard user account gains access to an admin panel where it can view, add, update, and delete other users' accounts, the attacker can do serious damage to the company and its assets. This is an example of vertical privilege escalation.
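The two escalation types above come down to authorization checks that an application forgets to make. The following added example (not code from the original article) is a toy file-sharing back end with constructed users, roles, and files: the vulnerable handlers authenticate the caller but never check ownership or role, so a standard user can read another user's file (horizontal) or run an admin-only action (vertical); the hardened handlers add the missing server-side check. All names, roles and file contents are made-up sample data.

```python
"""Added example: missing authorization checks as the root of horizontal and
vertical privilege escalation, with the hardened versions alongside.
All users, roles and files below are constructed sample data."""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller asks for something their privileges do not allow."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: file id -> (owner, contents)
FILES = {
    101: ("alice", "alice's quarterly report"),
    102: ("bob", "bob's salary negotiation notes"),
}
USERS = {
    "alice": User("alice", "user"),
    "bob": User("bob", "user"),
    "carol": User("carol", "admin"),
}


def get_file_vulnerable(caller: User, file_id: int) -> str:
    """Vulnerable: the caller is authenticated (we have a User object) but
    ownership is never checked, so any user can read any file by guessing its
    id. This is horizontal privilege escalation."""
    return FILES[file_id][1]


def get_file(caller: User, file_id: int) -> str:
    """Hardened: the object is returned only to its owner or to an admin."""
    owner, contents = FILES[file_id]
    if caller.name != owner and caller.role != "admin":
        raise AuthorizationError(f"{caller.name} may not read file {file_id}")
    return contents


def delete_user_vulnerable(caller: User, target: str, directory: dict) -> bool:
    """Vulnerable: an admin-panel action that trusts the caller simply because
    the admin page was reachable. A standard user performing it is vertical
    privilege escalation."""
    return directory.pop(target, None) is not None


def delete_user(caller: User, target: str, directory: dict) -> bool:
    """Hardened: the role is re-checked on the server for every admin action,
    regardless of how the caller reached the endpoint."""
    if caller.role != "admin":
        raise AuthorizationError(f"{caller.name} is not an administrator")
    return directory.pop(target, None) is not None


if __name__ == "__main__":
    alice, carol = USERS["alice"], USERS["carol"]
    print("horizontal (vulnerable):", get_file_vulnerable(alice, 102))
    try:
        get_file(alice, 102)
    except AuthorizationError as exc:
        print("horizontal (hardened):", exc)
    directory = dict(USERS)
    print("vertical (vulnerable):", delete_user_vulnerable(alice, "bob", directory))
    try:
        delete_user(alice, "bob", dict(USERS))
    except AuthorizationError as exc:
        print("vertical (hardened):", exc)
    print("admin delete (hardened):", delete_user(carol, "bob", dict(USERS)))
```

The point of the hardened versions is that the check is made by the code that touches the object or performs the action, not by whether a menu item or URL was visible to the user.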
Privilege Escalation Attack Vectors
There are several different attack vectors threat actors use to conduct their privilege escalation attacks. In this section, we review the most prominent ones.
Malware
Malicious programs remain the primary vehicle cyber attackers use to infiltrate IT systems and devices. There are different types of malware, including ransomware, backdoors, spyware, viruses, keyloggers, trojans, and worms. Adversaries use malware for various purposes, such as data exfiltration, encrypting target device data and demanding a ransom to remove the restriction, stealing users' credentials, and executing Denial of Service (DoS) attacks.
Adversaries install malware on target systems using different methods:
- Via social engineering attacks, especially phishing
- By attaching it to legitimate programs
- Through vulnerabilities in supply chain networks
- By using malvertising and exploit kits
Regardless of the delivery method, when malware evades detection and enters the target device, attackers can run it to steal target credentials, such as usernames and passwords, to perform vertical privilege escalation.
Social Engineering (SE)
SE attacks use different psychological techniques to manipulate individuals’ minds and convince them to act against the implemented security policies or ordinary behavior. Through email, phone calls, SMS, internet messaging, and even direct interactions, social engineers use various tactics to steal target individuals’ account credentials to conduct privilege escalation attacks.
Misconfigurations
Today's IT environments are complex and span on-premises and cloud infrastructures. These environments include endpoints and Internet of Things (IoT) devices, servers, applications, APIs, systems, services, security devices such as firewalls, IPS/IDS, and NDR, and networking appliances (routers, switches).
Accessing these resources requires proper authentication mechanisms to ensure only authorized users and devices can retrieve certain assets. Many networking and security appliances require settings to be configured before they are fully operational. For example, leaving the default admin account in place with the manufacturer's default password allows threat actors to execute a vertical privilege escalation attack.
There are different types of misconfiguration errors that lead to privilege escalation, such as:
- Putting work files on FTP servers or uploading them to cloud storage without protecting them with a password.
- Leaving unused services running within your IT environment.
- Leaving unused ports open.
- Implementing authentication poorly for some apps.
- Failing to configure the network firewall, allowing threat actors to sneak in using this gap.
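Most of the misconfigurations in the list above are mechanical to detect once an inventory of hosts and their settings exists. The following added example (not code from the original article) audits a constructed inventory for the listed conditions: a vendor-default admin password, services listening that are not on the host's expected list, anonymous FTP, an application exposed without authentication, and a host with no firewall rules. The inventory records, the default-credential list and the per-host expected-service list are all assumptions made up for the example; the default passwords shown are placeholders, not real vendor values.

```python
"""Added example: audit a constructed device inventory for the
misconfigurations that commonly enable privilege escalation.
Inventory, default-credential list and expected services are assumptions."""

# Constructed placeholder list of vendor default (username, password) pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed allow-list: the services each host is expected to run.
EXPECTED_SERVICES = {
    "fw-edge-01": {"ssh", "https"},
    "file-01": {"smb"},
    "web-01": {"https"},
}

# Constructed inventory records (hostnames, ports and settings are made up).
INVENTORY = [
    {"host": "fw-edge-01", "admin_user": "admin", "admin_password": "admin",
     "open_ports": {22: "ssh", 443: "https"}, "firewall_rules": []},
    {"host": "file-01", "admin_user": "svcadmin", "admin_password": "L0ng-random-pw!",
     "open_ports": {445: "smb", 21: "ftp", 23: "telnet"}, "ftp_anonymous": True,
     "firewall_rules": ["deny-all-default"]},
    {"host": "web-01", "admin_user": "deploy", "admin_password": "Another-long-pw",
     "open_ports": {443: "https", 8080: "http"}, "auth_required": False,
     "firewall_rules": ["deny-all-default"]},
]


def audit_host(record: dict) -> list:
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    host = record["host"]

    # 1. Default admin credentials left in place (vertical escalation path).
    if (record["admin_user"], record["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append(f"{host}: admin account still uses a vendor default password")

    # 2. Unused or unexpected services and their open ports.
    expected = EXPECTED_SERVICES.get(host, set())
    for port, service in sorted(record["open_ports"].items()):
        if service not in expected:
            findings.append(f"{host}: unexpected service {service} listening on port {port}")

    # 3. Work files reachable over FTP without a password.
    if record.get("ftp_anonymous"):
        findings.append(f"{host}: FTP allows anonymous access to work files")

    # 4. Application exposed with no authentication at all.
    if record.get("auth_required", True) is False:
        findings.append(f"{host}: application exposed without authentication")

    # 5. Network firewall never configured.
    if not record["firewall_rules"]:
        findings.append(f"{host}: no firewall rules configured")

    return findings


def audit(inventory: list) -> list:
    """Audit every record and return all findings in inventory order."""
    return [finding for record in inventory for finding in audit_host(record)]


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

In a real environment the inventory would come from a CMDB, a port scanner's output, or a configuration-management export, and the expected-service list is the piece that needs the most care, since an allow-list that is too broad hides exactly the unused services the audit is meant to surface.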
Vulnerabilities
A vulnerability is any security flaw in a software system that threat actors can use to gain unauthorized access to IT systems. The term also covers weaknesses in implemented security procedures, internal controls, or access control mechanisms that a threat actor could exploit.
A vulnerability on its own does not cause privilege escalation; it becomes a privilege escalation attack once an attacker discovers and exploits it.
There are different methods to exploit an open vulnerability to force the software to behave in ways it is not intended to, including:
- SQL Injection
- Buffer Overflows
- Cross-Site Scripting (XSS)
- Exploit Kits
- Broken Authentication
- Cross-Site Request Forgery
Not all vulnerabilities lead to vertical privilege escalation; however, if exploiting the vulnerability yields root credentials or turns a standard user account into an admin account, the risk should be treated as a privilege escalation threat.
Credential Compromise
Compromising account credentials is the most accessible method threat actors use to perform privilege escalation attacks. If the target individual is using a single-factor authentication scheme (username and password), attackers can use various techniques to discover the password. Passwords can be obtained or cracked using several different methods:
- Brute Force
- Dictionary Attacks
- Email Phishing Attacks
- Malware – Keyloggers and Spyware
- Credential Stuffing
Privilege Escalation Mitigation Strategies
Now that we understand privilege escalation and how adversaries can execute it to elevate privilege and gain more access to sensitive resources, let us see how organizations can mitigate the risk of this type of attack.
- Install advanced security solutions to protect your IT environment. Network Detection and Response (NDR) is a critical solution for detecting abnormal activity crossing your network, especially if your environment spans on-premises and cloud infrastructure.
- Conduct a vulnerability scan assessment regularly across your IT infrastructure. This allows your organization to discover vulnerable components and fix them before threat actors do.
- Make sure all your IT environment components are up to date. This includes operating systems, apps, and any software components used in your software solutions (e.g., modules, libraries).
- Keep a close eye on all root and administrator accounts within your IT environment. Make sure to disable any privileged account that behaves strangely or generates many failed login attempts.
- Use an Identity and Access Management (IAM) solution to store all users’ credentials and their associated permission levels.
- Enforce security policies for all employees, especially password management policies. For instance, users should change their passwords periodically and use complex and lengthy passwords to prevent password guessing attacks.
- Enforce Two-Factor Authentication (2FA) for all employees.
- Adopt passwordless authentication where possible. The passwordless format does not use a regular password scheme to authenticate users; instead, it uses biometrics and Multi-Factor Authentication (MFA) to authenticate users.
- Cybersecurity training remains the most critical countermeasure against privilege escalation and other types of cyber threats. By educating users about security best practices when using information systems and how to behave when receiving suspicious emails and phone calls, you substantially raise the level of protection of your IT environment against all types of cyber threats.
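The recommendation to watch privileged accounts for bursts of failed logins is straightforward to turn into detection logic. The following added example (not code from the original article) parses constructed SSH authentication log lines in the common syslog style, keeps a sliding window of failed attempts per privileged account, flags an account once the window reaches a threshold, and records whether a successful login followed the burst, which is the case that most deserves an immediate disable-and-investigate response. The log lines, the watched account names, the threshold, the window length and the assumed log year are all made up for the example.

```python
"""Added example: flag privileged accounts with a burst of failed logins,
and note when a success follows the burst. Sample log lines, account list,
threshold, window and year are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"root", "admin"}   # assumption: accounts to watch
THRESHOLD = 5                             # failures within WINDOW that trigger an alert
WINDOW = timedelta(minutes=10)
LOG_YEAR = 2023                           # syslog lines carry no year; assumed

# Matches the syslog-style sshd lines used in the constructed sample below.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)

# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar  3 10:00:01 srv1 sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 srv1 sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:09 srv1 sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:15 srv1 sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:21 srv1 sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:00:30 srv1 sshd[1006]: Accepted password for root from 203.0.113.5 port 51005 ssh2
Mar  3 10:05:00 srv1 sshd[1007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:02 srv1 sshd[1008]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 11:30:00 srv1 sshd[1009]: Failed password for admin from 192.0.2.9 port 33000 ssh2
Mar  3 11:45:00 srv1 sshd[1010]: Failed password for admin from 192.0.2.9 port 33001 ssh2
"""


def parse_line(line: str):
    """Return (timestamp, result, user, ip) for a matching line, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {match['ts']}", "%Y %b %d %H:%M:%S")
    return ts, match["result"], match["user"], match["ip"]


def find_suspicious(lines, threshold=THRESHOLD, window=WINDOW) -> dict:
    """Return {account: alert} for privileged accounts whose failed logins
    within `window` reached `threshold`. Each alert records the failure count,
    when the threshold was first crossed, and whether a login later succeeded."""
    recent_failures = defaultdict(list)   # account -> timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if user not in PRIVILEGED_ACCOUNTS:
            continue
        if result == "Failed":
            # Drop failures that have aged out of the sliding window, then add this one.
            recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
            recent_failures[user].append(ts)
            if len(recent_failures[user]) >= threshold:
                alert = alerts.setdefault(
                    user, {"first_flagged": ts, "source_ips": set(), "login_succeeded_after": False})
                alert["failed_attempts"] = len(recent_failures[user])
                alert["source_ips"].add(ip)
        elif user in alerts:
            # A success after a burst of failures on a privileged account.
            alerts[user]["login_succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    for account, alert in find_suspicious(SAMPLE_LOG.splitlines()).items():
        print(account, alert)
```

The `admin` account in the sample produces two failures fifteen minutes apart, so it never reaches the threshold inside the window; `alice` fails once but is not a watched account; `root` crosses the threshold and then logs in successfully from the same address, which is the alert a responder should act on first.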
The possibility of a data breach or cybersecurity incident is ever-present, but there are ways to mitigate this risk. Whether through privilege escalation or some other type of cyberattack, cyber criminals are always looking for ways to infiltrate your systems and harvest valuable assets. To ensure your data is protected, consider conducting a penetration test.
DruvStar offers penetration testing services, which take place over a designated period and involve various strategies for ethically detecting vulnerabilities in your infrastructure. Once a test is complete, customers are provided with recommendations and solutions to avoid future problems.
Contact the DruvStar team to learn more about our security assessment and penetration testing services.