Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Igal Gofman
Igal Gofman
Connect Directly
E-Mail vvv

Simulating Lateral Attacks Through Email

A skilled attacker can get inside your company by abusing common email applications. Here are three strategies to block them.

A big portion of breaching an organization's infrastructure involves challenging normal procedures and processes. A red team's main purpose is to simulate adversary activities and help the security administrators understand, monitor, and remediate the threats.

As a security researcher, I'm constantly looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration. One of our recent areas of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.

One of the most common attack methods used by all adversaries is email, mostly because of the ease of use. Phishing attacks have always been a major source of worry for organizations. Over the last year, we have witnessed more organizations and individuals targeted by phishing campaigns designed to capture an employee's login credentials. Recently, the FBI's Internet Crime Complaint Center (IC3) issued a warning regarding some of those threats targeting the online payroll accounts of employees in a variety of industries.

My team and I decided to dig deeper into simulating how a skilled adversary can easily pivot to a compromised network segment by abusing commonly used email applications. Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement.

The techniques described here are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user's workstation.

In many cases, adversaries use compromised account credentials to access employees' email in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying.

By performing a phishing campaign, the adversary can easily gain system access to a user's workstation and can obviously control the installed mail client and all related communication. Instead of targeting users outside the organization by sending phishing emails or using cloud services to sync malicious metadata, the adversary can control all communication. Let's take this concept one step further to see how local access to an email client advances our agenda to pivot from network to network.

Use Case 1
Many times, advanced adversaries establish an internal command and control server (commonly referred to as a C2 server) to be used as a jump server to the outside world. The jump server can act as middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site. The adversaries can easily manipulate all mail hyperlinks shared by the compromised user/workstation to redirect the recipients to an internal watering hole website, bypassing many of the link detection and firewall application control mechanisms.

Use Case 2
Let's look at how we can build on top a known attack technique "fileshare infection" to pivot on an internal network using a compromised mail application. First, the adversaries must have the ability to weaponize a legitimate file. They would do this by focusing on widely used shared files by email platforms. There are many exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities.

Now imagine what happens when a user's workstation is compromised. We all know many users love to share documents with their colleagues through email. The attacker has gained full control over email communication and can now inject malicious code into legitimate office files. These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file, exploiting the responsible file application.

As collateral damage, they can dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.

Use Case 3
Instead of exploiting vulnerabilities in common files as described above, an adversary can use a much stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. Usually, this is achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as Server Message Block (SMB). The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication.

Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides organizations with the ability to disable NTLM single sign-on authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass. A much more efficient way to mitigate this threat is by forcing NTLM signing on client and servers.

All the above examples show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network. Our team has demonstrated that this approach together with scalable automation is highly efficient and can be used to gain control over critical targets in real enterprise environments.

Related Content:

Igal Gofman is Head of Security Research at XM Cyber. He has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and Active Directory. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-18
AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.
PUBLISHED: 2019-08-18
core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. The Ansible extension is unaffected.
PUBLISHED: 2019-08-18
DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack (application crash via an out-of-bounds read) by crafting a corrupted JB2 image file that is mishandled in JB2Dict::JB2Codec::get_direct_context in libdjvu/JB2Image.h because of a missing zero-bytes check in libdjvu/GBitmap.h.
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in GPMF_Next in GPMF_parser.c.
PUBLISHED: 2019-08-18
GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GPMF_Next in GPMF_parser.c.