Lateral movements: the success of recent malware
Too often ignored, lateral movement is the main reason for the unexpected scale of the cyberattacks of the last few years. What is it? Why do so few organizations take into account this technique used by cybercriminals? How can you protect yourself against it? Let us break it down.
An objective: gain privileges
As the vector by which malware like WannaCry and NotPetya spread, the lateral movement technique contributed largely to the success of those attacks. The principle of the technique is to gain privileges on a client computer. Remember that privileges are the rights granted to a user, which determine how many computer resources that user can access. They typically correspond to the different profiles found on a client computer: the guest profile, which only has temporary access to a very limited number of applications; the user profile, which only authorizes use of the client workstation; and the administrator profile, which has all the rights: use, installation, modification and deletion of applications and settings.
In concrete terms, once a hacker has managed to access a machine on the company network, his goal is to find connection identifiers, also known as credentials, that will give him more rights to perform more malicious operations. The first step is to run a small piece of malicious software known as a credential dumper, which collects the other credentials present on the machine. The attacker then checks whether any of the recovered credentials carries higher access rights than the credentials already in his possession.
These login credentials are often stored in the client computer’s cache, as soon as someone has authenticated on it with a method that deposits these credentials on the computer. These are login credentials corresponding to other profiles, such as those of an IT employee who came in to solve a problem a few days earlier.
The second step consists of repeating this operation, but this time on the machines accessible from the first. The goal is to collect even more credentials and with even more privileges in order to gradually expand into the environment and gain more power.
A very popular technique because it is simple
This is a very popular technique for hackers because it does not require great resources, nor does it require significant access from the start. All that is required is to gain access to a machine, then escalate privileges as you explore neighboring machines.
The ultimate goal is to take control of as many machines as possible, with the highest possible privileges, in order to have a network of computers and servers ready to launch an attack, or ready to be infected without any reaction. It is, for example, much easier to set up than a network attack, largely because it is an attack surface that IT departments greatly underestimate, since gaining visibility on the subject is very difficult for them.
But solutions exist
Fortunately, there are simple ways to protect oneself by taking several concrete steps. The first one, which seems obvious, is to properly manage administrator delegations on the workstations. The second, which is also very simple, is to block the SMB protocol between client machines: it allows a machine to explore the network in search of other machines, and it is the main propagation vector of malware that uses lateral movement. Another measure is to set up authentication with a temporary (random) password for the local administrator profile. This way, the attacker cannot reuse a password he finds, since it can only be used once.
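To make the two-step cycle described above (collect the credentials present on a controlled host, then use any that are administrators elsewhere) concrete, and to show why the first and third measures in this section shrink its reach, here is a small credential-exposure model. It is an added example, not code from the original article: the hosts, accounts, sessions and admin rights are constructed sample data, and the account names are assumptions used only for the illustration.

```python
"""
Credential-exposure model of lateral movement.  Added example, not code from
the original article: hosts, accounts, sessions and admin rights are constructed
sample data, and the loop is the generic "collect credentials on controlled
hosts, use any that grant admin elsewhere" cycle the text describes.
"""
from typing import Dict, Set, Tuple

Graph = Dict[str, Set[str]]

# Accounts with a live or cached session on each host (constructed).
SESSIONS: Graph = {
    "WS01": {"alice", "helpdesk-admin"},   # stale helpdesk session from last week
    "WS02": {"bob"},
    "WS03": {"carol", "domain-admin"},      # IT staff used the highest-privilege account
    "FILESRV": {"svc-backup"},
}

# Accounts holding local administrator rights on each host (constructed).
ADMINS: Graph = {
    "WS01": {"alice", "helpdesk-admin", "domain-admin"},
    "WS02": {"bob", "helpdesk-admin", "domain-admin"},
    "WS03": {"carol", "helpdesk-admin", "domain-admin"},
    "FILESRV": {"domain-admin"},
}


def reachable(start_host: str, sessions: Graph, admins: Graph) -> Tuple[Set[str], Set[str]]:
    """Return (hosts controlled, credentials exposed) from one compromised host.

    Repeat until stable: (1) every controlled host yields the credentials
    present on it; (2) every host on which one of those credentials is an
    administrator becomes controlled.
    """
    controlled = {start_host}
    creds: Set[str] = set()
    while True:
        for host in controlled:
            creds |= sessions.get(host, set())
        newly = {h for h, adm in admins.items() if adm & creds} - controlled
        if not newly:
            return controlled, creds
        controlled |= newly


def remove_session(sessions: Graph, host: str, account: str) -> Graph:
    """Model clearing one cached session; returns a copy, the input is not mutated."""
    out = {h: set(v) for h, v in sessions.items()}
    out.get(host, set()).discard(account)
    return out


def add_local_admin(sessions: Graph, admins: Graph, shared: bool) -> Tuple[Graph, Graph]:
    """Add the built-in local administrator account to every host.

    shared=True: one password reused everywhere, so the secret stored on any
    host is valid on all of them.  shared=False: a per-host random password,
    so each secret is an administrator only on the host it was found on.
    """
    s = {h: set(v) for h, v in sessions.items()}
    a = {h: set(v) for h, v in admins.items()}
    for host in a:
        name = "LocalAdmin" if shared else f"LocalAdmin@{host}"
        s.setdefault(host, set()).add(name)
        a[host].add(name)
    return s, a


def main() -> None:
    hosts, creds = reachable("WS01", SESSIONS, ADMINS)
    print("as found:          ", sorted(hosts), sorted(creds))

    cleaned = remove_session(SESSIONS, "WS01", "helpdesk-admin")
    hosts, creds = reachable("WS01", cleaned, ADMINS)
    print("stale session gone:", sorted(hosts), sorted(creds))

    for shared in (True, False):
        s, a = add_local_admin(cleaned, ADMINS, shared)
        hosts, _ = reachable("WS01", s, a)
        print(f"local admin {'shared' if shared else 'unique'}:", sorted(hosts))


if __name__ == "__main__":
    main()
```

Run as a script, the "as found" case shows a single compromised workstation leading to every host, including the file server, because one stale helpdesk session bridges to the other workstations and one of those holds a domain administrator session. Clearing the stale session confines the compromise to the starting host, and a shared local administrator password reopens every path that a per-host random password keeps closed.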
Another measure to implement is to strengthen the training of IT departments in these hacker techniques. Indeed, IT staff often prefer, rather than using an account with just enough privileges to perform an operation, to use the profile that has the maximum rights, even when that is not necessary for the maintenance at hand. The risk of this careless behavior is that if the hacker stumbles upon these credentials, he very quickly recovers an account with the maximum privileges, which lets him take control of all the machines on the network in short order.
Another gap that needs to be filled is the lack of visibility IT departments have on the machines on their network. This lack of visibility prevents security departments from knowing which credentials are on which machines. With more accurate visibility, it would be possible to see which sessions are still cached on computers and servers, and therefore remove them quickly to block the lateral movement of the attack.
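The visibility gap described in the last two paragraphs can be closed in part from logon telemetry the machines already produce. The following added example (not code from the original article) reviews constructed successful-logon records shaped after the fields of a Windows 4624 event and answers three questions a defender wants answered: which accounts have left credentials on which hosts, which privileged accounts are being used on more workstations than policy allows, and which network logons run from one workstation straight to another, the traffic the SMB measure above is meant to stop. The privileged-account list, the `WS` naming convention for workstations and the event lines themselves are assumptions made for the sample.

```python
"""
Logon-event review for lateral-movement visibility.  Added example, not from
the original article.  Events are constructed JSON lines shaped after the
fields of a Windows 4624 (successful logon) record; the privileged-account
list and the "WS" workstation naming convention are assumptions for the sample.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: one logon event per line (the 4625 failure is ignored below).
SAMPLE_EVENTS = """
{"Computer":"WS01","EventID":4624,"LogonType":10,"TargetUserName":"alice","IpAddress":"10.0.1.5"}
{"Computer":"WS01","EventID":4624,"LogonType":10,"TargetUserName":"helpdesk-admin","IpAddress":"10.0.9.9"}
{"Computer":"WS02","EventID":4624,"LogonType":2,"TargetUserName":"domain-admin","IpAddress":"-"}
{"Computer":"WS03","EventID":4624,"LogonType":10,"TargetUserName":"domain-admin","IpAddress":"10.0.9.9"}
{"Computer":"FILESRV","EventID":4624,"LogonType":3,"TargetUserName":"domain-admin","IpAddress":"10.0.1.7"}
{"Computer":"WS02","EventID":4624,"LogonType":3,"TargetUserName":"alice","IpAddress":"10.0.1.5","WorkstationName":"WS01"}
{"Computer":"WS03","EventID":4624,"LogonType":3,"TargetUserName":"alice","IpAddress":"10.0.1.5","WorkstationName":"WS01"}
{"Computer":"WS01","EventID":4625,"LogonType":3,"TargetUserName":"bob","IpAddress":"10.0.1.6","WorkstationName":"WS02"}
"""

PRIVILEGED = {"domain-admin", "helpdesk-admin"}   # assumed list of high-privilege accounts
CACHING_LOGON_TYPES = {2, 10, 11}   # interactive, remote interactive, cached: credentials stay on the host
NETWORK_LOGON = 3                   # SMB and similar network logons


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines input, keeping only successful logons (event 4624)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 4624:
            events.append(ev)
    return events


def is_workstation(name: str) -> bool:
    """Naming convention assumed for the sample: workstation names start with WS."""
    return name.upper().startswith("WS")


def cached_sessions(events: List[dict]) -> Dict[str, Set[str]]:
    """Host -> accounts whose credentials are likely still present on that host."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["LogonType"] in CACHING_LOGON_TYPES:
            out[ev["Computer"]].add(ev["TargetUserName"])
    return dict(out)


def privileged_spread(events: List[dict], max_hosts: int = 1) -> Dict[str, Set[str]]:
    """Privileged accounts that left credentials on more hosts than policy allows."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["TargetUserName"] in PRIVILEGED and ev["LogonType"] in CACHING_LOGON_TYPES:
            seen[ev["TargetUserName"]].add(ev["Computer"])
    return {acct: hosts for acct, hosts in seen.items() if len(hosts) > max_hosts}


def workstation_to_workstation(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(source, target, account) for network logons between two workstations."""
    hits = []
    for ev in events:
        src = ev.get("WorkstationName", "")
        if ev["LogonType"] == NETWORK_LOGON and is_workstation(src) and is_workstation(ev["Computer"]):
            hits.append((src, ev["Computer"], ev["TargetUserName"]))
    return hits


def main() -> None:
    events = parse_events(SAMPLE_EVENTS)
    print("credentials per host:      ", cached_sessions(events))
    print("privileged account sprawl: ", privileged_spread(events))
    print("workstation-to-workstation:", workstation_to_workstation(events))


if __name__ == "__main__":
    main()
```

On the sample, the review lists a helpdesk account still present on WS01, flags the domain administrator account as used on two workstations, and surfaces two network logons from WS01 to other workstations. In a real deployment the same three functions would be fed from forwarded event logs, and the first two outputs are exactly the list of sessions to clear and the list of accounts whose use needs to be reined in.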
In light of the success of recent malware attacks, organizations need to act swiftly and implement these measures. In doing so, they will be better prepared and better able to prevent cybercriminals from taking control of their network through lateral movement.