How SSO Can Lead to Pass-the-Hash Attacks
Apple AirTags. Google Maps. Single sign-on technology. What do these three seemingly random tech advancements have in common? Each was created to make our daily experiences more convenient, yet each has been exploited for evil purposes. Stalkers are using AirTags to track the whereabouts of unsuspecting victims; criminals are plotting attacks and burglaries using detailed views from Google Maps; threat actors are leveraging the widespread use of single sign-on (SSO) technology to enter networks and launch cyberattacks.
Gaining access to low-level company accounts can (unfortunately) easily be achieved with typical phishing attacks and is the first stage of most ransomware attacks. However, those accounts rarely allow hackers to access the company’s most valuable data. To profit from an attack, a threat actor needs to go further. They have to move through the organization’s network laterally, escalating their privileges as they go to gain access to highly sensitive data, which can then be encrypted and held for ransom or leaked on the dark web.
Recently, threat actors have turned to pass the hash attacks to get the job done and demand a hefty ransom. In this type of attack, threat actors obtain stored hashed credentials and use them to access one system after another until they reach what they are after: access to file and application servers, domain controllers, and more.
SSO and pass the hash attacks: A match made in hacker heaven
Companies have complicated and continuously expanding tech stacks packed with numerous applications and programs that employees need to access daily. To streamline employees’ user experience, improve productivity and eliminate password fatigue while still keeping applications secure, many organizations have implemented single sign-on technology.
However, for all the benefits it provides, Windows’ SSO authentication technology, in particular, known as New Technology LAN Manager (NTLM), has an exploitable vulnerability that hackers can’t resist. The issue stems from the fact that NTLM stores hashed passwords on the server and domain controller but fails to ‘salt’ them. That means that if a hacker obtains a user’s NTLM stored hashed credentials, they can authenticate a session without knowing the user’s actual cleartext password.
Although Active Directory has replaced NTLM as the authentication protocol for Windows, all Windows systems still use NTLM to enable compatibility with older servers, so the vulnerability still exists and provides the perfect entry point for a pass the hash attack.
Pass the hash attacks aren’t new; they’ve been around for over two decades. Like other identity-based attacks, threat actors initially gain access to an employee’s account with a simple phishing attack. Those stolen credentials allow the hacker to log in exactly like a legitimate employee and access any application that the employee can. Once they enter the network, they can use tools like Mimikatz or Metasploit to scrape memory, extract, and save any unsalted password hashes.
If the first few hashes they find don’t offer up admin-level access, the hacker can launch a hash spray attack, moving laterally and logging into other workstations to harvest additional hashes until they find an admin’s hashed password. Armed with that level of access, the hacker can steal data, modify records, create backdoors, or install malware.
Hive targets Microsoft Exchange Server with pass the hash attack
Outdated software and unpatched vulnerabilities are too common at companies and too attractive for hackers to pass up. In recent months, Microsoft Exchange Server customers who failed to patch the three known ProxyShell vulnerabilities were hit with a spate of pass the hash attacks facilitated by the ransomware-as-a-service (RaaS) platform known as Hive. According to the Varonis Forensics Team, which analyzed Hive’s tactics, one attack was completed just 72 hours after infiltrating the company’s network.
Varonis discovered that after exploiting ProxyShell, the attackers executed a web shell backdoor, giving them a path into the targeted server. They then deployed PowerShell code with SYSTEM-level privileges and launched a Cobalt Strike beacon. Next, they created a new admin user account and stole the NTLM hash using Mimikatz. With the domain admin NTLM hash in hand, they reused it in a pass the hash attack, moving laterally and taking control of the domain admin account.
The attackers scanned the network looking for file names that included the word ‘password,’ collected IP addresses and device names, RDPs to backup servers, and more. Finally, they delivered and executed a ransomware payload named Windows.exe, which encrypted all of the company’s data, cleared event logs, deleted shadow copies, and disabled security tools. After the encryption, the victim company received a ransomware note detailing how it could obtain an encryption key and prevent its data from being leaked online.
Detecting pass the hash attacks
Part of what makes these attacks so dangerous is that they are extremely challenging to detect. Since the pass the hash attacks use hashed passwords, security tools can’t know whether the person on the other end of the screen is an authorized employee or bad actor. Strong passwords also offer no defense, as attackers don’t need to know the user’s original password. On top of that, and in the specific case of the Hive attacks, security tools were rendered useless, eliminating yet another typically reliable layer of defense.
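A single NTLM logon with a stolen hash looks like any other logon, but the hash spray pattern described earlier, one account logging into many machines in a short time, does leave a trail in Windows Security event 4624 (successful logon). The following check is an added example, not part of the original article: the event records are constructed, the host and account names are invented, and the 10-minute window and 3-host threshold are assumed values that would need tuning per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, host, user, pkg, ip, logon_type=3):
    # One event 4624 record reduced to the fields this check needs.
    return {"time": time, "host": host, "user": user,
            "auth_pkg": pkg, "src_ip": ip, "logon_type": logon_type}

# Constructed sample data (not taken from any real incident).
EVENTS = [
    _ev("2022-05-01T09:00:00", "FS-01", "jsmith", "Kerberos", "10.0.5.23"),
    _ev("2022-05-01T10:00:05", "WS-014", "svc_backup", "NTLM", "10.0.5.23"),
    _ev("2022-05-01T10:01:10", "WS-015", "svc_backup", "NTLM", "10.0.5.23"),
    _ev("2022-05-01T10:02:30", "WS-022", "svc_backup", "NTLM", "10.0.5.23"),
    _ev("2022-05-01T10:03:45", "FS-01", "svc_backup", "NTLM", "10.0.5.23"),
    _ev("2022-05-01T10:04:00", "DC-01", "svc_backup", "NTLM", "10.0.5.23"),
    _ev("2022-05-01T08:00:00", "PRINT-01", "mlee", "NTLM", "10.0.7.40"),
    _ev("2022-05-01T13:00:00", "FS-01", "mlee", "NTLM", "10.0.7.40"),
    _ev("2022-05-01T16:00:00", "WS-030", "mlee", "NTLM", "10.0.7.40"),
    _ev("2022-05-01T17:30:00", "WS-031", "mlee", "NTLM", "10.0.7.40"),
]

def find_ntlm_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag (user, source IP) pairs whose NTLM network logons reach more
    than max_hosts distinct hosts inside one sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        # Logon type 3 is a network logon. Kerberos logons are skipped
        # because pass the hash relies on NTLM authentication.
        if e["logon_type"] == 3 and e["auth_pkg"] == "NTLM":
            when = datetime.fromisoformat(e["time"])
            by_key[(e["user"], e["src_ip"])].append((when, e["host"]))
    alerts = []
    for (user, src_ip), logons in by_key.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Shrink the window from the left until it spans <= `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append({"user": user, "src_ip": src_ip,
                               "hosts": sorted(hosts),
                               "first_seen": logons[start][0].isoformat()})
                break  # one alert per (user, source) is enough
    return alerts
```

On the sample data only `svc_backup` from `10.0.5.23` is flagged; `mlee` touches four hosts over a full working day and stays below the threshold inside any single window.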
The power of knowing your enemy
Within the MITRE ATT&CK framework, the pass the hash attack is classified as a defense evasion tactic, meaning that ‘adversaries use [it] to avoid detection throughout their compromise,’ which includes techniques such as disabling security software, encrypting data, and abusing ‘trusted processes to hide and masquerade their malware.’
Instead of examining attacks from the defender’s perspective, the MITRE ATT&CK framework provides critical insights into the attacker’s point of view and internal processes from preparation through execution. Organizations with the right in-house teams can count themselves lucky as they can apply the learnings from MITRE to proactively improve their security defenses.
Many SMBs and MSPs, however, don’t have the in-house knowledge, leaving them at a disadvantage and open to an attack. For these companies, the best way to prevent or detect attacks is to incorporate a SOC platform like CYREBRO, which uses the MITRE ATT&CK framework to inform and develop advanced detection algorithms that respond to newer and emerging threats. With a SOC on their side, smaller companies can achieve the same hardened security postures as enterprises, making them less vulnerable to attacks and better able to identify and mitigate attacks should they occur.