Consulting with a Conscience™

A cruciallogics blog

Written by Amol Joshi
on July 19, 2021

Cybercrime is on the rise around the world, and hackers are getting bolder and more sophisticated by the day. Companies are stepping up their cybersecurity protocols but, according to a recent IDG Research Services survey, almost 80% of IT executives believe their organizations still have insufficient protection in place against cyberattacks. This is despite their increased IT spend to deal with technical issues related to the Covid-19 pandemic and work-from-home environments. Constant vigil and ever tighter IT security protocols are needed to stay ahead of today’s cybercriminal.

 

In our latest webinar, The Hitchhikers Guide to Hacking, CrucialLogics’ Amol Joshi discussed 4 of the most common cyberattacks around today with Richard Rogerson, the Managing Partner at Packetlabs.

 

  1. Credential Spraying and Stuffing

Credential Spraying: Hackers use MSOLSpray software – a password spraying tool for Microsoft Online accounts like Azure/​O365 – or similar credential spraying toolkits to uncover passwords. Another credential spraying method hackers use is to target a domain and launch a dictionary attack to guess a weak password. They only need to gain access to one user’s account on a domain or tenant to exploit the domain further. Intelligent credential spraying, using multiple passwords into multiple accounts to gain access to a domain, is also widespread.

 

Credential Stuffing: Hackers exploit known compromised passwords, or ones found on databases, and use them on multiple targets to search for domains where the login credentials have been reused. The success of this method assumes most people reuse the same credentials on multiple sites.

 

How to mitigate credential attacks:

  • Use Password Manager with Multifactor Authentication (MFA).
  • Encourage the use of stronger passwords – include symbols and numbers.
  • Ensure Active Directory (AD) Identity Protection policies are configured.
  • Secure third-party apps with Single Sign-on (SSO) integration into your AD, so identity policies can traverse between applications.
  • Use different passwords for different services if SSO integration isn’t possible.
  • Implement token codes as a secondary password.
  • Use conditional access to block logins from unauthorized devices or unidentified users.
  • Configure alert and lockout protocols and review suspicious logon attempts on a regular basis. Usually, a lockout is activated after five incorrect password entries.
  • Conduct frequent password audits to ensure password policies are effective.
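An added example (not from the original post or the webinar): a PowerShell first pass at the "review suspicious logon attempts" bullet above, looking for the spray pattern in failed-logon (event ID 4625) records, where one source touches many accounts with only a few tries each so the five-attempt lockout never fires. The sample events and the thresholds are constructed assumptions.

```powershell
# Added example, not from the original post: a first-pass detector for password
# spraying in Windows Security log 4625 (failed logon) events. A spray tries a
# few passwords against many accounts from one source, staying under the
# five-strike lockout the post mentions, so per-account lockouts never fire.
# The events below are constructed sample data; in production feed the function
# with: Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625 }
$sampleEvents = @(
    # one source, six accounts, one attempt each: spray pattern
    [pscustomobject]@{ Time='2021-07-19T08:00:01'; User='alice'; Ip='203.0.113.7' }
    [pscustomobject]@{ Time='2021-07-19T08:00:02'; User='bob';   Ip='203.0.113.7' }
    [pscustomobject]@{ Time='2021-07-19T08:00:03'; User='carol'; Ip='203.0.113.7' }
    [pscustomobject]@{ Time='2021-07-19T08:00:04'; User='dave';  Ip='203.0.113.7' }
    [pscustomobject]@{ Time='2021-07-19T08:00:05'; User='erin';  Ip='203.0.113.7' }
    [pscustomobject]@{ Time='2021-07-19T08:00:06'; User='frank'; Ip='203.0.113.7' }
    # one source hammering one account: brute force, caught by lockout instead
    [pscustomobject]@{ Time='2021-07-19T08:05:00'; User='alice'; Ip='198.51.100.9' }
    [pscustomobject]@{ Time='2021-07-19T08:05:01'; User='alice'; Ip='198.51.100.9' }
    [pscustomobject]@{ Time='2021-07-19T08:05:02'; User='alice'; Ip='198.51.100.9' }
    [pscustomobject]@{ Time='2021-07-19T08:05:03'; User='alice'; Ip='198.51.100.9' }
    [pscustomobject]@{ Time='2021-07-19T08:05:04'; User='alice'; Ip='198.51.100.9' }
    [pscustomobject]@{ Time='2021-07-19T08:05:05'; User='alice'; Ip='198.51.100.9' }
)

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinAccounts   = 5,   # distinct accounts from one source before alerting
        [int] $MaxPerAccount = 4    # stays below the five-attempt lockout threshold
    )
    $Events | Group-Object -Property Ip | ForEach-Object {
        $perUser  = @($_.Group | Group-Object -Property User)
        $maxTries = ($perUser | Measure-Object -Property Count -Maximum).Maximum
        # many accounts, each under the lockout threshold, from a single source
        if ($perUser.Count -ge $MinAccounts -and $maxTries -le $MaxPerAccount) {
            [pscustomobject]@{
                SourceIp = $_.Name
                Accounts = $perUser.Count
                Attempts = $_.Count
                Verdict  = 'password spray: few tries each, many accounts'
            }
        }
    }
}

Find-PasswordSpray -Events $sampleEvents | Format-Table -AutoSize
```

Only the 203.0.113.7 source is reported; the single-account source is left to the lockout policy.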

 

  1. Credential access due to legacy protocols using Responder

As soon as a hacker has gained access to your IT environment, they can install the Responder toolkit on your domain. Now the hacker can monitor users as they try to access a file share and watch as the computer checks the Domain Name System (DNS) for the file share IP address. If the user mistypes the file share name, or the DNS entry for that file share is misconfigured and the DNS resolution fails to resolve the query, the computer will send the user a message, informing them it is unable to locate the file share.

 

The computer will then broadcast the query to the wider network, asking other computers for the whereabouts of the requested file share. This is managed by three main protocols, namely NetBIOS Name Service (NBT-NS), Link-Local Multicast Name Resolution (LLMNR), and multicast DNS (mDNS). Using these protocols, the attacker can now respond to the user’s search query and redirect their authentication information to a compromised machine to harvest passwords.

 

How to mitigate against Responder:

  • Disable your LLMNR and NBT-NS protocols. Or if this is not possible, set up security procedures for these ports on the host servers.
  • Monitor and set up alerts for event IDs 4697 and 7045, which will notify you when a relay attack has been launched on your IT infrastructure.
  • Monitor for changes to your registry, like DWORD EnableMulticast, which would signify that there is malicious activity happening in your IT environment.
  • Enable Server Message Bloc (SMB) signing-in protocols in your group policy settings.
  • Segment your network and isolate sensitive/administrative systems.

 

  1. Active Directory Privilege Escalation using BloodHound

Once a hacker has gained access to your network using Responder, they can launch BloodHound. The primary function of BloodHound is to visualize and plot the shortest path to obtaining access and compromising your domain, by providing the attacker with a path to move laterally within your IT environment and then elevate privileges.

 

BloodHound can also evaluate sensitive permissions that can be granted to attackers, such as resetting passwords, adding users to a sensitive member group, gaining full control of a user where they can edit write permissions on an object, and so much more. A successful cyberattack using BloodHound can put the hacker on a level within your IT environment that enables them to implement a ransomware attack on your company.

 

How to mitigate against BloodHound:

  • Leverage Endpoint Detection & Response (EDR) tools like Microsoft Defender ATP, Carbon Black or CrowdStrike, that can detect and alert you to a BloodHound attack.
  • Manage your computers on a workstation level, as opposed to having them tied to your domain. This will limit BloodHound’s lateral movement ability within your IT environment.
  • Do not leave domain admin sessions active. Ensure that group policies are in place that terminate domain admin sessions when the administrator logs off.
  • Revoke domain admin privileges from all server admins and delegate authority to a server admin group to perform activities on each server using the principle of least privilege.
  • Minimize cache credentials from the default setting of 10 to 1 for endpoints and 10 to 0 for servers.
  • Harden your Computer Information Systems (CIS), National Institute of Standards and Technology (NIST), and Microsoft Security Compliance Manager (SCM) settings.
  • Mitigate against lateral movement by implementing the Microsoft Local Administrator Password Solution (LAPS).
  • Run BloodHound in your own IT environment before hackers do. This enables you to see the attack paths before an attacker, which will give you time to act before a risk is realized.

 

  1. Credential access due to insecure storage using Mimikatz

In 2007, Benjamin Delpy created the open-source Mimikatz tool as a proof of concept, to show Microsoft that their authentication protocol was vulnerable to attack. His demonstration was dismissed. Instead, his tool became the most widely used malware program by hackers to gain access to stored passwords on computers everywhere.

 

Mimikatz takes advantage of a Windows feature called WDigest, which is intended for users to authenticate applications within their computer or over the internet, by remembering their logins and reusing them. Even though the password is encrypted in the memory, the decryption key is stored on the same computer. Benjamin Delpy commented, “It’s like storing a password-protected secret in an envelope with the password in the same email.”

 

How to mitigate against Mimikatz:

  • Disable local admin on all servers and workstations and deactivate credential caching.
  • Upgrade the schema and functional levels of your forest and domain to at least 2012 R2, which will introduce a new group called protected users. This group of users will work within the protocols of New Technology LAN Manager (NTLM), Digest Authentication and/or the Credential Security Support Provider (CredSSP) solution to safeguard against Mimikatz.
  • Upgrade to Microsoft Windows 8 or newer, as these operating systems offer a policy where you can disable WDigest protocols.
  • Configure your Local Security Authority (LSA) protection protocols. Windows has a service that is used to validate local and remote logins on a windows system, called Local Security Authority Server Service, which will prevent untrusted processes from communicating with your server.
  • Monitor LSA access events like Sysmon Event ID 10 and Event ID 4656 in the Security Event Log for Windows 10.
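An added PowerShell audit (not from the original post) covering the host-level settings named in the Responder, BloodHound and Mimikatz lists above: LLMNR and NBT-NS, SMB signing, cached logon count, WDigest and LSA protection. The registry paths are the standard Windows locations for these settings; the expected values follow the bullets above and are assumptions to adjust for your own baseline.

```powershell
# Added example, not from the original post: read-only audit of the host
# settings behind the Responder, BloodHound and Mimikatz mitigations above.
# Each row reports Current vs Expected so changes can be reviewed, then rolled
# out through Group Policy rather than edited by hand. Run elevated.
function Get-RegValue {
    param([string] $Path, [string] $Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the Windows default applies
}

$checks = @(
    # Responder: LLMNR off (the EnableMulticast DWORD the post says to watch)
    @{ Area='Responder';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';               Name='EnableMulticast';          Expected=0 }
    # Responder: SMB signing required on both the server and the client side
    @{ Area='Responder';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name='RequireSecuritySignature'; Expected=1 }
    @{ Area='Responder';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name='RequireSecuritySignature'; Expected=1 }
    # BloodHound: cached domain logons cut from the default 10 (REG_SZ, so '1'; use '0' on servers)
    @{ Area='BloodHound'; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name='CachedLogonsCount';        Expected='1' }
    # Mimikatz: WDigest must not keep reusable credentials in LSASS
    # (value absent on Windows 8.1 / 2012 R2 and later means off, so treat REVIEW as a prompt, not a failure)
    @{ Area='Mimikatz';   Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';     Name='UseLogonCredential';       Expected=0 }
    # Mimikatz: LSA protection, LSASS runs as a protected process
    @{ Area='Mimikatz';   Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name='RunAsPPL';                 Expected=1 }
)

# NBT-NS is configured per network interface: NetbiosOptions = 2 disables it
$nbtChecks = @(
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' -ErrorAction SilentlyContinue |
        ForEach-Object { @{ Area='Responder'; Path=$_.PSPath; Name='NetbiosOptions'; Expected=2 } }
)

$results = foreach ($c in $checks + $nbtChecks) {
    $current = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Area     = $c.Area
        Setting  = $c.Name
        Current  = if ($null -eq $current) { '(not set)' } else { $current }
        Expected = $c.Expected
        Status   = if ("$current" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
    }
}
$results | Format-Table -AutoSize
```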

By paying special attention to your configuration, alerting, monitoring and general cyber hygiene protocols you can maintain a secure and healthy tech environment, making it difficult for cybercriminals to access your IT infrastructure. To learn more about these four most common attacks and how to avoid them, watch our on-demand webinar: The Hitchhikers Guide to Hacking.

To improve the security posture of your IT environment and reduce your vulnerability to a cyberattack, reach out to our team today.
