Lateral Movement Attacks 101

  By Suleyman Ozarslan, PhD  •  January 02, 2023

 

Keep up to date with latest blog posts

Introduction

Organizations primarily focus on defending the perimeters of their network and often overlook the security of their internal assets. However, both the effectiveness of your organization's security infrastructure and adversaries' accomplishing their objectives heavily depends on the success of the lateral movement techniques. Studies reveal that although lateral movement techniques take 80% of adversaries' attack time, SIEM products identify these attacks poorly [1]. In fact, another research shows that while 54% of the tactics and techniques used to test lateral movement attacks were missed, 96% percent of lateral movement attack behaviors do not trigger a corresponding alert on security controls [2]. In other words, organizations are fighting almost blindly with lateral movement attacks.

Considering the devastating financial and reputational outcomes of targeted attack campaigns such as cyber espionage, data exfiltration, and ransomware attacks, organizations are to benefit significantly from being prepared against lateral movement attacks. In this blog, we explained what lateral movement is and why lateral movement techniques are a prevalent practice among adversaries. 

Test Your Security Posture Against Lateral Movement Attacks with Picus

What Is Lateral Movement?

Lateral Movement is an umbrella term that refers to a collection of techniques that adversaries use to extend their access and progressively move through the compromised network. It may also help attackers elevate their privileges to the administrator level and gain control of multiple assets within the organization's network to accomplish their objectives.

Sophisticated attackers like Advanced Persistent Threat (APT) actors perform targeted and objective-oriented attack campaigns. Even though these objectives can vary from getting financial gain to harming the reputation of organizations or even countries, every adversary wants a higher impact while staying hidden and persistent in the compromised network. Thus, getting a foothold on the targeted system is only the first step, and a patient-zero - the initially accessed machine - does not provide much to an adversary all by itself. After attackers get initial access via 

  • a public-facing server running a vulnerable service
  • a client computer, or 
  • any weak point on the security infrastructure, 

adversaries are unaware of their surroundings. They usually do not have any idea about the organization's infrastructure, which network segment they are currently in, how the compromised host is placed in the organizational environment, which hosts or services are up and running, etc. 

lateral-movement

Figure 1. How Do Attackers Get Into the Corporate Network? [3]

Thus, jumping into and compromising other machines within the organization's internal network is only possible through a successful discovery phase. Discovery techniques allow adversaries to harvest critical information about the organization's infrastructure, domain users, machine accounts, servers, group policies, and OS credentials. Gathering this critical information allows adversaries to plan the most effective and stealthy follow-up actions of the lateral movement attack. 

Why Do Adversaries Use Lateral Movement Attacks?

Lateral movement is prevalent in attack campaigns like ransomware and data exfiltration attacks. In fact, a quantitative analysis conducted by VMware, Lateral Movement in the Real World (2022), shows that 45% of intrusions contain a lateral movement event [4]. In this section, we will examine why adversaries leverage lateral movement attacks to learn more about the motivation behind this high statistic.

1. Accessing Valuable Assets

As mentioned earlier, APT groups perform goal-oriented actions rather than acting randomly.  Even though these objectives can vary, adversaries aim to achieve them while staying hidden and persistent in the compromised network. Thus, rather than just compromising a single asset, attackers prefer expanding their access through lateral movement techniques in search of the most valuable assets of your organization that contain sensitive information worth selling on the black market or asking for ransom. 

However, there are several obstacles that an adversary has to overcome. If the sensitive information requires privileged access, how does an adversary get to the point of having complete control of the target system and exfiltrate and/or encrypt organization-related information? Well, this is where lateral movement techniques, the star of the show, come into the picture. 

An internal network, also known as an intranet, is a private enterprise local area network (LAN) designed to securely share company information, easier communication, collaboration tools, operational systems, and other computing services within an organization. Intranets can contain highly sensitive information within organizational assets such as network shares, user computers, servers, and directory services. As internal networks are not publicly accessible to clients, getting initial access to a low-privileged network segment like Demilitarized Zone (DMZ) is not enough on its own. 

Hence, after adversaries get their foothold on the compromised machine, they need to expand their access and progressively move through the enterprise (LAN) to find where the most valuable assets, juicy and publicly non-available information resides. 

As targeted attack campaigns like cyber espionage, data exfiltration, and ransomware attacks have a "the more, the merrier" mentality, it is no surprise that adversaries use lateral movement techniques to gain unauthorized access to internal networks to find sensitive information.

2. Remaining Persistent

In some cyberattack scenarios, adversaries may need access to the victim's network for an extended period to achieve their objectives. Thus, adversaries perform a collection of lateral movement techniques to maintain their persistence in the network via restarts or change in valid account credentials to survive possible interruptions that are likely to cut off their access to the target network.

For example, compromising a single or low-privileged account may not be enough for an adversary. Users can always change their passwords, domain machines can be isolated by security staff as part of the incident response, or firewall rules and configurations can be updated to protect public-facing servers, machines can be taken down, etc. Hence, gaining second initial access and re-doing everything from scratch is not the most brilliant and practical thing to do. Through lateral movement, adversaries remain persistent and maintain their access to many machines and/or accounts from different network segments and local domains on the compromised network.

The time that adversaries remain persistent on the target system can vary according to their objectives. In a ransomware campaign, adversaries may want to encrypt or exfiltrate files as soon as possible and might not care about remaining stealthy and persistent in the system for a long time. However, in a cyber espionage campaign, adversaries may need to remain persistent for an extended period of time and passively collect critical information. In that case, persistence is vital for the success of the attack.

In fact, some threat actors, especially state-sponsored ones, remain persistent on the target system for years. For instance, CozyBear/APT29, a Russian state-sponsored hacker group, is known for staying persistent for two years on an organization's network. Of course, maintaining access for such a long period of time requires some effort. CozyBear periodically refreshed the valid account credentials to avoid losing their access by stealing the new ones, usually via Mimikatz

These examples show that adversaries not only move laterally but also establish persistence in the compromised internal assets.

3. Gaining Privileged Accounts and Machines

A typical enterprise network comprises many hosts, services, and users with varying privileges to access sensitive information. Unless they have administrative access to the victim's network, adversaries often need to compromise users and assets with different privileges to achieve their objectives.

Adversaries leverage many lateral movement techniques to dump OS and domain credentials. The motivation behind these techniques is highly correlated with the attacker's objective and the impact they want to create. For instance, if adversaries seek complete control over the internal network and/or gain full access to the organization's directory services and sensitive information, administrative-level accounts are excellent targets for them. For example, the Security Account Manager (SAM) database is often abused in the T1003 OS Credential Dumping technique. To make a quick recap, SAM is a database stored as a file on your local disk containing information related to local accounts, including the username and the hashed password. The SAM file is stored in %systemroot%\system32\config\SAM and is mounted on the HKEY_LOCAL_MACHINE/SAM registry hive. 

In an example attack scenario, upon initial access, adversaries can run customized LDAP queries to extract detailed information about members of the Domain Admins group. This group's members are especially important and must be guarded carefully as they have complete control over all the domain objects, such as AD-joined computers, servers, services, and applications in the entire local domain. Hence, having a list of local admin accounts and machines, adversaries can utilize this list to dump NTLM hashes from the SAM file using registry, in-memory, and volume shadow copy techniques. For detailed information, please visit our blog post on Credential Dumping [5].

Obtaining privileged account credentials can lead to devastating results. For instance, while we were writing this blog post, Uber suffered from a massive data exfiltration attack, which appeared to have compromised all the internal systems of Uber. 

Analysis shows that an 18-year-old hacker launched an MFA fatigue attack by sending too many text messages to one of the Uber employees and tricking them into accepting a multi-factor authentication (MFA) prompt, which allowed the attacker to have VPN access to Uber's internal network [6]. Upon the initial access, the attacker conducted an internal reconnaissance and found a shared network folder. Within that folder, the attacker found some PowerShell scripts that included the administrative credentials for a Privileged Access Management (PAM) tool. Then, using the secrets stored in PAM, the attacker gained access to Uber's critical internal systems, such as the Sentinel incident response platform, Google Cloud Platform, AWS, DUO, OneLogin, and Slack. In addition, the hacker claims that he found highly critical vulnerability reports submitted by the bug bounty program HackerOne

Looking at this simple but effective attack path, one cannot help but notice how lateral movement allows an adversary to start from simple initial access and escalate to a point where the attacker has complete control over an organization's critical internal systems.

4. Increasing the Impact

While adversaries' goals can vary from disrupting business continuity, harming the victim's reputation, and cyber espionage to financial gain, one thing is common: Adversaries want to create a bigger impact, if possible. And lateral movement techniques are competent for this purpose.

To exemplify this, think of a politically motivated adversary who wants to cause data destruction by irrecoverably rendering files and/or directories through overwriting randomly generated data. However, destroying data on a single asset with limited privileges may not have much of an impact on a large organization. As a result, sophisticated adversaries often move laterally in the network and compromise privileged accounts to have a bigger impact. In fact, there are cases where adversaries get initial access to an on-prem machine and manage to move laterally to an organization's cloud environments (like cloud storage, cloud storage accounts, etc.) to destroy or overwrite randomly generated data to the organization's sensitive data. 

As another data destruction method, adversaries commonly leverage the MITRE ATT&CK T1561.001 Disk Wipe: Disk Structure Wipe technique in the wild [6], [7]. For instance, on January 13, just before the Russo-Ukrainian war started, MSTIC tracked down a Master Boot Records (MBR) Wiper activity originating from Ukraine [8]. The analysis points to a 2-stage destructive malware targeting multiple governmental, non-profit, and information technology organizations in Ukraine. Further investigation shows that the first stage of the malware, stage1.exe, gets executed via Impacket, a collection of Python classes adversaries often use for lateral movement. This part of the malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note, which is nothing but a gimmick. In reality, the malware destructs MBR and the contents of the files it targets. Then, stage2.exe drops a malicious file corrupter malware. Once executed in-memory, the file corrupter malware locates the directories containing files with specific extensions on the target system. If it finds a file with a matching extension, "the corruptor overwrites the contents of the file with a fixed number of 0xCC bytes" [8].

Defense Against Lateral Movement Attacks

Briefly, a holistic approach must be followed to defense against lateral movement attacks. In this approach, you need to focus on the whole attack paths instead of atomic lateral movement attacks. An attack path is a route that attackers traverse by exploiting attack vectors to reach their goals. Thus, an attack path includes the sequence of actions in the attack lifecycle of an attacker.

attack-path
Figure 2. Simplified Attack Paths

Validation of attack paths is essential for determining the actual cybersecurity risk organizations face. It reveals the actions an attacker would likely take to compromise your network, such as exploiting vulnerabilities, moving laterally within a network, gaining elevated privileges, and stealing sensitive data. Picus Attack Path Validation (APV) is a comprehensive solution that enables the elimination of attack paths in production environments. Once you have determined where the risks are, you may begin mitigating them through technological, procedural, and regulatory measures, as well as by constructing an end-to-end risk-based defense.

What Is Next?

So far, we have briefly explained what lateral movement is and why adversaries perform lateral movement techniques as a common practice in their cyberattacks. In addition, we described how adversaries leverage lateral movement techniques to gain unauthorized access to organizations' valuable assets, remain persistent on the compromised network, gain privileged accounts, and increase the impact of their attacks. 

Stay tuned! In the upcoming blog, we will discuss why organizations need to simulate lateral movement attacks.

 
#Article #Attack Path Validation #Blog

Keep up to date with latest blog posts

References

[1]     "Top Lateral Movement Techniques." [Online]. Available: https://www.smokescreen.io/assets/uploads/2020/08/GUIDE-Smokescreen-Top-Lateral-Movement-Techniques-Red-Team-Edition.pdf. [Accessed: Nov. 14, 2022]

[2]     "Security-Effectiveness-Report-2020.pdf." [Online]. Available: https://mandiant.widen.net/s/gsvtgb5hdj/security-effectiveness-report-2020. [Accessed: Nov. 14, 2022]

[3]     "Website." [Online]. Available: https://www.cloudflare.com/learning/security/glossary/what-is-lateral-movement/

[4]     "Website." [Online]. Available: https://blogs.vmware.com/security/2022/06/lateral-movement-in-the-real-world-a-quantitative-analysis.html

[5]     H. C. Yuceel, "The MITRE ATT&CK T1003 OS Credential Dumping Technique and Its Adversary Use," Mar. 23, 2022. [Online]. Available: https://www.picussecurity.com/resource/the-mitre-attck-t1003-os-credential-dumping-technique-and-its-adversary-use. [Accessed: Sep. 20, 2022]

[6]     K. Alspach, "Uber's breach shows how hackers keep finding a way in," Protocol, Sep. 19, 2022. [Online]. Available: https://www.protocol.com/bulletins/uber-breach-hacker-twilio-mfa. [Accessed: Nov. 14, 2022]

[7]     "Disk Wipe: Disk Content Wipe." [Online]. Available: https://attack.mitre.org/techniques/T1561/001/. [Accessed: Nov. 14, 2022]

[8]     Microsoft Threat Intelligence Center (MSTIC), Microsoft Digital Security Unit (DSU), M. D. T. Intelligence, and M. Detection, "Destructive malware targeting Ukrainian organizations," Microsoft Security Blog, Jan. 16, 2022. [Online]. Available: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/. [Accessed: Sep. 20, 2022]

 

DISCOVER MORE RESOURCES