Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/17/2019
10:30 AM
Igal Gofman
Igal Gofman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Simulating Lateral Attacks Through Email

A skilled attacker can get inside your company by abusing common email applications. Here are three strategies to block them.

A big portion of breaching an organization's infrastructure involves challenging normal procedures and processes. A red team's main purpose is to simulate adversary activities and help the security administrators understand, monitor, and remediate the threats.

As a security researcher, I'm constantly looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration. One of our recent areas of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.

One of the most common attack methods used by all adversaries is email, mostly because of the ease of use. Phishing attacks have always been a major source of worry for organizations. Over the last year, we have witnessed more organizations and individuals targeted by phishing campaigns designed to capture an employee's login credentials. Recently, the FBI's Internet Crime Complaint Center (IC3) issued a warning regarding some of those threats targeting the online payroll accounts of employees in a variety of industries.

My team and I decided to dig deeper into simulating how a skilled adversary can easily pivot to a compromised network segment by abusing commonly used email applications. Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement.

The techniques described here are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user's workstation.

In many cases, adversaries use compromised account credentials to access employees' email in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying.

By performing a phishing campaign, the adversary can easily gain system access to a user's workstation and can obviously control the installed mail client and all related communication. Instead of targeting users outside the organization by sending phishing emails or using cloud services to sync malicious metadata, the adversary can control all communication. Let's take this concept one step further to see how local access to an email client advances our agenda to pivot from network to network.

Use Case 1
Many times, advanced adversaries establish an internal command and control server (commonly referred to as a C2 server) to be used as a jump server to the outside world. The jump server can act as middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site. The adversaries can easily manipulate all mail hyperlinks shared by the compromised user/workstation to redirect the recipients to an internal watering hole website, bypassing many of the link detection and firewall application control mechanisms.

Use Case 2
Let's look at how we can build on top a known attack technique "fileshare infection" to pivot on an internal network using a compromised mail application. First, the adversaries must have the ability to weaponize a legitimate file. They would do this by focusing on widely used shared files by email platforms. There are many exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities.

Now imagine what happens when a user's workstation is compromised. We all know many users love to share documents with their colleagues through email. The attacker has gained full control over email communication and can now inject malicious code into legitimate office files. These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file, exploiting the responsible file application.

As collateral damage, they can dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.

Use Case 3
Instead of exploiting vulnerabilities in common files as described above, an adversary can use a much stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. Usually, this is achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as Server Message Block (SMB). The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication.

Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides organizations with the ability to disable NTLM single sign-on authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass. A much more efficient way to mitigate this threat is by forcing NTLM signing on client and servers.

All the above examples show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network. Our team has demonstrated that this approach together with scalable automation is highly efficient and can be used to gain control over critical targets in real enterprise environments.

Related Content:

Igal Gofman is Head of Security Research at XM Cyber. He has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and Active Directory. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.