Network and user privileges are the powers that are granted to a user. They define what a user can access, execute, and modify. What is privilege escalation? It’s the bad guys getting superpowers.
What is Privilege Escalation?
A threat actor has two related goals. One is to get unauthorized access to your network. The second is to obtain administrative or root privileges.
Often, the account they compromise to gain access to your network is a regular user account. If the principles of least privilege have been followed, each user will be awarded only the capabilities and authority required for them to correctly perform their role, and no more. In order for our threat actor to acquire administrative privileges they have to use privilege escalation techniques.
Let’s look at one typical scenario. Most organizations have multi-function devices (MFD) that will print, scan, fax, and make photocopies. More often than not these are supplied by a printer specialist. Not security specialists, and not even an IT company.
The provider can remotely access the MFD to check on your toner levels, and to monitor the print statistics so that they can see when a service is due. And because the device can scan documents it must either have an email account to send the scan to you, or it must have write access to a location on your network that it can save the scans in. So in summary, the device must have an account on your network and it is remotely accessible. That is an attractive proposition to a threat actor.
If the device provider has followed best practice and secured remote access to the MFD with a strong and unique password all well and good. But if they have made life easy for themselves they may have re-used a weak password across all of the devices they’ve supplied to all of their customers. That gives the threat actor a means of entry to your network, and to the network of every other customer of that printer provider. If that is the case the threat actor will have access to a user account that—hopefully—has been granted the minimum user and network privileges.
Another common attack vector is websites. Threat actors often use web attacks to gain basic access and then continue with privilege escalation techniques to gain more control. If your website has been constructed using a security by design and default methodology you’ll be more protected than you are if your website’s look, feel, and content came first, with security tagged on as an after thought.
But, regardless of the attack vector, privilege escalation is carried out once the threat actor has gained access to your network. The ultimate goal might be sabotage, accessing sensitive data, installing ransomware, or introducing some other malicious code such as spyware, rootkits, and keyloggers.
There are two types of privilege escalation: horizontal privilege escalation and vertical privilege escalation.
Vertical Privilege Escalation
In a vertical privilege escalation attack the threat actor uses various techniques to grant the compromised account they are using privileges usually reserved for higher-access users. It is called vertical privilege escalation because they are promoting themselves to higher levels of capability and moving up through the ranks of the users. It’s the cyber criminal form of social climbing.
They achieve this by using vulnerabilities in the operating system that will permit them to manipulate privileges. They search for known vulnerabilities and if they are present—perhaps the operating system hasn’t had the most recent security patches applied—they can use the vulnerabilities to illicitly increase their privileges.
For example, data execution is a technique where injected code is executed from areas reserved for use by Windows and its approved processes. If the threat actor can run their own programs from this privileged area they can use the elevated rights granted to their program to make changes to the user account they have compromised.
If the threat actor is successful in exploiting the vulnerabilities they will gain the power to perform whatever activity they wish. They can create new system users (and superusers), access any files, and change system settings. If they choose to, they can hijack the entire network.
Mobile devices are vulnerable too. Lock screens can be bypassed. Obviously, this gives the threat actor access to the contents of the device, but it also gives them access to the connectivity that the device has. Does it have business email on it, or a connection back to the corporate network? Perhaps it has a VPN application with stored credentials in it. That means the threat actor has easy access to the corporate network.
Both Android and iOS have been affected by such vulnerabilities in the past. This is why patching and upgrade schedules must include mobile devices, and remote wipinbg of lost corporate mobile devices should be implemented.
Horizontal Privilege Escalation
In horizontal privilege escalation the threat actor has access to a regular user account, just like the threat actor in the vertical privilege escalation attack. However, they don’t seek to gain higher privileges and apply them to their compromised account, they instead try to obtain access to other accounts that already have those privileges.
This is normally achieved using less technical techniques, such as guessing or knowing weak passwords or logging keystrokes and extracting authentication details from the logged data.
Social engineering is a common ploy used to coerce users into revealing information about themselves that can give a clue to their passwords. Sometimes users can be persuaded to ‘share’ their log in credentials temporarily while ‘someone from IT’ does something on their computer.
Avoiding Privilege Escalation Vulnerabilities
Privilege escalation vulnerabilities arise for different reasons:
- Software Errors: Poorly designed applications, websites, and other portals can include vulnerabilities that make them susceptible to web attacks, such as buffer overflows and SQL injection. Websites are easy to overlook when patching schedules are drawn up. Remember to patch the protocols, technologies, and frameworks that your website uses.
- Misconfiguration: Giving users or processes higher privileges than the minimum they need to perform their role is bad practice. It is sometimes done because a networking issue is preventing a user or device account from accessing something they should be able to, and giving them full or elevated privileges is a quick fix. Willful misconfiguration is still misconfiguration, and just as damaging if exploited.
- Poor Patching and Security Hygiene: Not patching operating systems, applications, network devices, and websites in a timely fashion puts you at risk. if you don’t keep your patching up-to-date your systems will become progressively more exposed and weakened.
- Weak Passwords: Implement a password policy that governs the composition of passwords, and their safeguarding. Make sure it mentions never sharing passwords and never disclosing passwords.
- Staff Awareness Training: Keep staff informed about best practices, and role play some social engineering scenarios. Your staff won’t magically pick this stuff up by osmosis. Give them the guidance they need.