Endpoint

1/17/2019
10:30 AM
Igal Gofman
Igal Gofman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Simulating Lateral Attacks Through Email

A skilled attacker can get inside your company by abusing common email applications. Here are three strategies to block them.

A big portion of breaching an organization's infrastructure involves challenging normal procedures and processes. A red team's main purpose is to simulate adversary activities and help the security administrators understand, monitor, and remediate the threats.

As a security researcher, I'm constantly looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration. One of our recent areas of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.

One of the most common attack methods used by all adversaries is email, mostly because of the ease of use. Phishing attacks have always been a major source of worry for organizations. Over the last year, we have witnessed more organizations and individuals targeted by phishing campaigns designed to capture an employee's login credentials. Recently, the FBI's Internet Crime Complaint Center (IC3) issued a warning regarding some of those threats targeting the online payroll accounts of employees in a variety of industries.

My team and I decided to dig deeper into simulating how a skilled adversary can easily pivot to a compromised network segment by abusing commonly used email applications. Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement.

The techniques described here are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user's workstation.

In many cases, adversaries use compromised account credentials to access employees' email in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying.

By performing a phishing campaign, the adversary can easily gain system access to a user's workstation and can obviously control the installed mail client and all related communication. Instead of targeting users outside the organization by sending phishing emails or using cloud services to sync malicious metadata, the adversary can control all communication. Let's take this concept one step further to see how local access to an email client advances our agenda to pivot from network to network.

Use Case 1
Many times, advanced adversaries establish an internal command and control server (commonly referred to as a C2 server) to be used as a jump server to the outside world. The jump server can act as middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site. The adversaries can easily manipulate all mail hyperlinks shared by the compromised user/workstation to redirect the recipients to an internal watering hole website, bypassing many of the link detection and firewall application control mechanisms.

Use Case 2
Let's look at how we can build on top a known attack technique "fileshare infection" to pivot on an internal network using a compromised mail application. First, the adversaries must have the ability to weaponize a legitimate file. They would do this by focusing on widely used shared files by email platforms. There are many exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities.

Now imagine what happens when a user's workstation is compromised. We all know many users love to share documents with their colleagues through email. The attacker has gained full control over email communication and can now inject malicious code into legitimate office files. These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file, exploiting the responsible file application.

As collateral damage, they can dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.

Use Case 3
Instead of exploiting vulnerabilities in common files as described above, an adversary can use a much stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. Usually, this is achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as Server Message Block (SMB). The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication.

Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides organizations with the ability to disable NTLM single sign-on authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass. A much more efficient way to mitigate this threat is by forcing NTLM signing on client and servers.

All the above examples show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network. Our team has demonstrated that this approach together with scalable automation is highly efficient and can be used to gain control over critical targets in real enterprise environments.

Related Content:

Igal Gofman is Head of Security Research at XM Cyber. He has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and Active Directory. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20122
PUBLISHED: 2019-02-21
The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges. No authentication is...
CVE-2018-6687
PUBLISHED: 2019-02-21
Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file . GetSusp is a free standalone McAfee tool that runs on several versions of Microsoft Windows.
CVE-2019-8982
PUBLISHED: 2019-02-21
com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.