Why Shadow IT is the oxygen for APTs & how to contain it?
First post in a series highlighting real-life APT attack examples.
By Shai Mendel, Team leader at XM Cyber
Ah, shadow IT errors: so common, yet hidden disasters in the making. In fact, Gartner predicts that by 2020, a third of enterprise attacks will target data located in shadow resources. Despite the alarming figure, almost 75% of IT security professionals are unaware of this exposure in their organizations, which could also affect GDPR compliance. In this series, we provide fully anonymized real-life examples, highlighting how easily APTs (Advanced Persistent Threats) can move laterally through your network by taking advantage of simple, common and elusive shadow IT mishaps.
Hacker’s love affair with Shadow IT
Although largely unauthorized, Shadow IT is common practice and is here to stay. Before we dive in, let’s just clarify: Shadow IT involves employees using systems and software that have not been authorized by the IT unit. Whether we like it or not, SaaS downloads, the unauthorized use of apps, and the BYOD (Bring Your Own Device) trend are growing, and expanding into the IoT landscape, casting an even larger shadow. From our perspective, Shadow IT is the gap between the IT security status as perceived by the IT department and the real picture. Here lies the crux of the matter: hackers often rely on these very gaps to operate stealthily and stay under the radar.
Why are these errors difficult to detect and monitor?
Despite heightened security awareness training, employees are still prone to daily cybersecurity errors; it’s part of human nature. Short-lived errors, even with a lifecycle of only 24 hours, can evade red teams that were not active during these brief but critical windows. Even if they were, it’s difficult to pay attention to every event on a specific PC or device in a large network. So it is an inhuman mission for the IT department or an assigned red team to find all of the problems and recognize their impact on a large network. APTs often wait patiently for such organizational errors and then exploit them.
Just so we’re on the same page: an APT is a network attack in which a third party gains unauthorized access and remains undetected for a long time. APTs are characterized by their high level of sophistication, covertness, and use of bespoke software back doors, as well as zero-day vulnerabilities. A disturbing aspect is the ‘Persistency’ factor, since the attackers aim to stay undetected for a lengthy period until they achieve their end goals.
Real life case: Remote file infection by an APT
Let’s begin with a real case we experienced recently at a manufacturer. The Shadow IT error involved a lack of awareness of file permissions. The symptom: remote file infection by an APT. The cure: far better management of file permissions.
Event description: We launched the APT attack campaign on the premises in the evening, and by the following morning the entire network was compromised. The case was mind-blowing; every time a computer was switched on, it was compromised.
The figures were frightful: 97% of the network was compromised. It took two hours for our system to achieve definite network superiority.
What our automatic purple team exposed
The source was a lack of awareness of file write access. Each time a computer was switched on, it ran a batch file (a Windows script) from a remote server. The batch file was found to be writable by the entire organization. In effect, all the network clients and servers ran a globally writable batch file from a remote share at boot. Our report highlighted the exact remote file path and the credentials that could be used to change it.
Anatomy of an APT paradise – what an APT would do
We found that an IT person had been assigned to run a routine set of commands across the entire network for a week. The implementation method was to change the organization’s log-on script to run a batch file from a remote share. So, every time a user logged on, the workstation would automatically run the log-on script, which in turn ran the batch file from the remote server. Unfortunately, the employee dropped the file into the remote share without being aware that it was globally writable.
Modus operandi
Firstly, after infecting patient zero, an APT would probably search remote file shares for files that are commonly run across the network. Files launched by log-on scripts are always the most attractive to APTs: the attacker can simply infect the remote file with malware and wait for users to log in. Of course, the APT must first have write permission on the remote file. In this case, it would have hit the jackpot.
Next, batch files (or other script files) in log-on scripts are even more attractive to APTs, as the bulk of cyber protection products pay attention mostly to executables (exe, dll, elf, so files) and not to script files. An APT would probably modify the batch file to run a malicious payload and wait for the endpoints to run it.
Finally, the APT would have free rein to leapfrog to multiple workstations and, most importantly, to the critical assets.
The organization’s policy was to turn off the PC at the end of the day. Unfortunately, the entire network was compromised the next morning, as the login script began to run once an employee logged on.
The truth is that this kind of attack, capable of producing apocalyptic results, is very common.
Why the organization provided the perfect APT paradise
- An APT can compromise myriad endpoints in a single, quick act
- The APT is able to remain undetected
- The attacker has no direct communication with the compromised endpoints (only with the remote file share)
- The attacker holds a “legitimate” write permission
- The change mostly goes unnoticed by defensive software, because it alters a script rather than an executable file
Ways to starve a hacker’s oxygen supply
- Pay attention to write permissions: when using shared resources in a remote location, pay extra attention to the write access you grant
- Reduce your permissions: the more permissive you are, the larger the attack surface
- Use whitelisting solutions that allow only authorized/signed binaries to run on endpoints
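The two conditions that made this case possible are both checkable from the defender's side: a logon script on a remote share that broad groups can write to, and a script whose content changes without anyone noticing (the protection products mentioned above watch executables, not scripts). The PowerShell script below is an added example, not XM Cyber's code or a product feature, that audits a share for both. It assumes a placeholder share path and baseline file, and the list of "broad" principals is an assumed policy that you would adjust to your own environment.

```powershell
<#
  Added example (not XM Cyber's code): audit a logon-script share for
  (1) ACEs that give broad groups write-capable rights on the scripts or on the
      folder that holds them, and
  (2) scripts whose SHA256 hash differs from the last recorded baseline.
  Assumptions: $SharePath and $BaselinePath are placeholders; $BroadPrincipals is
  an assumed policy list.
#>
param(
    [string]$SharePath    = '\\FILESERVER-PLACEHOLDER\netlogon\scripts',  # placeholder share
    [string]$BaselinePath = 'C:\SecAudit\logon-script-baseline.json',    # placeholder path
    [switch]$UpdateBaseline                                              # store current hashes as the new baseline
)

# Principals that should never be able to modify logon scripts (assumed policy; extend as needed).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these NTFS rights lets the holder change or replace the content.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl, Delete'

function Get-BroadWriteAces {
    # Returns one object per Allow ACE that grants a broad principal write-capable rights on $Path.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $principal = $ace.IdentityReference.Value
        if (($BroadPrincipals -contains $principal) -and ([int]($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $principal; Rights = $ace.FileSystemRights }
        }
    }
}

# Load the previous baseline (full path -> SHA256), if there is one.
$baseline = @{}
if (Test-Path -Path $BaselinePath) {
    $stored = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($prop in $stored.PSObject.Properties) { $baseline[$prop.Name] = $prop.Value }
}

$findings = [System.Collections.Generic.List[object]]::new()
$current  = @{}

# The folder itself matters too: write/delete rights there allow a script to be replaced.
foreach ($ace in Get-BroadWriteAces -Path $SharePath) {
    $findings.Add([pscustomobject]@{ Path = $ace.Path; Issue = "Broad write access for $($ace.Principal)"; Detail = $ace.Rights })
}

$scriptFiles = Get-ChildItem -Path $SharePath -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs
foreach ($file in $scriptFiles) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $current[$file.FullName] = $hash

    if (-not $baseline.ContainsKey($file.FullName)) {
        $findings.Add([pscustomobject]@{ Path = $file.FullName; Issue = 'Script not in baseline'; Detail = $hash })
    } elseif ($baseline[$file.FullName] -ne $hash) {
        $findings.Add([pscustomobject]@{ Path = $file.FullName; Issue = 'Content changed since baseline'; Detail = $hash })
    }

    foreach ($ace in Get-BroadWriteAces -Path $file.FullName) {
        $findings.Add([pscustomobject]@{ Path = $ace.Path; Issue = "Broad write access for $($ace.Principal)"; Detail = $ace.Rights })
    }
}

# A script that was in the baseline but is now gone deserves a look as well.
foreach ($path in @($baseline.Keys)) {
    if (-not $current.ContainsKey($path)) {
        $findings.Add([pscustomobject]@{ Path = $path; Issue = 'Script removed since baseline'; Detail = $baseline[$path] })
    }
}

if ($findings.Count -eq 0) { Write-Output "No findings under $SharePath" }
else { $findings | Format-Table -AutoSize }

if ($UpdateBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) scripts)"
}
```

Run it once with `-UpdateBaseline` after the scripts on the share have been reviewed, then on a schedule (a daily task under a read-only account is enough) without the switch; any "Content changed" or "Broad write access" line is exactly the situation described in this case, surfaced before the next morning's logons rather than after. The ACL check only inspects explicit ACEs for the listed principals, so a group that indirectly contains everyone (nested membership) would not be caught; reviewing effective access for a few representative users closes that gap.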
How we helped the client fix the problem
Beyond exposing the loophole, we initiated a path of remediation that dramatically improved the security posture of the organization through the following:
- Awareness is key – we raised a red flag about the problem
- We fixed the permissions on all the files indicated in our report
- We helped the IT unit find other potential loopholes enabling permission issues
- We convinced the customer to install a whitelisting solution, making it possible to run only approved signed binaries
Results
We’re happy to say: the network security posture significantly improved, the organization’s IT hygiene experienced a big lift, the level of awareness in the organization rose dramatically, and up-to-date reports now help the organization make data-driven decisions.
For more information about cases like this, contact us.
Comic strip created by Shai Mendel, XM Cyber