Do we need always-on always-available access? No, there’s a better way.
by David Levine, on Apr 05, 2022
Unfortunately for the security industry, this is the second time this month that I am writing about a highly publicized incident that involved elevated credentials and lateral movement. This time the attack was against the identity platform Okta. I am saddened by these attacks on many levels, but primarily because these types of attacks are easily preventable. Briefly, the events of the compromise are as follows:
Beginning on January 16th, 2022, hacker(s) obtained access to Sitel’s internal network over RDP (Remote Desktop Protocol). Later, the hacker(s) apparently used a known Windows user profile service elevation of privilege vulnerability (CVE-2021-34484) to escalate privileges.
Using the newly established privileged user account, the hacker was able to move laterally and terminate the FireEye EDR agent.
The next step in the attack was to download and execute Mimikatz. Mimikatz is a well-known open-source tool, often used for credential dumping. Mimikatz also allows users to view and save authentication protocols.
Lastly, the hacker(s) found and exfiltrated a document titled DomAdmins-LastPass.xlsx.
Similar to the disk-wiper attack a month ago, the methods used in this attack and many others are possible because of privileged access. According to the 2020 Verizon Data Breach Report, approximately 74% of breached organizations admitted that the breach involved access to a privileged account, now coined privilege misuse.
The MITRE ATT&CK framework defines these types of tactics in the Privilege Escalation technique section.
Coined by Gartner, Zero Standing Privileges (ZSP) is an emerging, reframed approach to privileged access management. We believe these attack methods can be mitigated by adopting a Zero Trust Privileged Access model that combines Zero Standing Privilege (ZSP) with Just-in-Time Access (JITA).
We need to ask ourselves why admin accounts need to be persistent, always-on and always-available. This is a large attack surface that hackers prioritize in their attacks, as in this Okta incident and the HermeticWiper cases. The techniques used are not novel, but rather well-researched and understood. It is time we put a stop to these preventable attacks.
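The ZSP plus JITA model described above can be made concrete with a small privilege broker: inventory the standing admins, remove that standing access in one action, and then hand out privilege only as time-boxed, reason-tagged grants that expire on their own and leave an audit trail. The code below is an added illustration written for this article; it is not Remediant's or SecureONE's code, and the hosts, principals, timestamps and the one-hour policy cap are constructed values.

```python
"""Toy Zero Standing Privilege (ZSP) / Just-in-Time Access (JITA) broker.

Constructed example: hosts, principals, timestamps and policy values are
invented for illustration and do not describe any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """A time-boxed privilege grant; it disappears when expires_at passes."""
    principal: str
    host: str
    role: str
    granted_at: datetime
    expires_at: datetime
    reason: str


class JitPrivilegeBroker:
    def __init__(self, inventory, max_duration=timedelta(hours=1)):
        # host -> set of principals that currently hold standing (permanent) admin rights
        self.standing = {host: set(users) for host, users in inventory.items()}
        self.max_duration = max_duration   # policy cap on any single JIT window
        self.grants = []                   # live JIT grants
        self.audit = []                    # (timestamp, event, principal, host)

    def standing_admins(self):
        """Inventory step: every (host, principal) pair with permanent admin rights."""
        return sorted((host, p) for host, users in self.standing.items() for p in users)

    def revoke_standing(self, now):
        """Single action that removes standing access on every host."""
        removed = self.standing_admins()
        for host, principal in removed:
            self.audit.append((now, "standing_revoked", principal, host))
        self.standing = {host: set() for host in self.standing}
        return removed

    def request(self, principal, host, role, duration, reason, now):
        """Grant privilege just in time, bounded by policy and tied to a reason."""
        if not reason:
            raise ValueError("a reason is required for every privileged session")
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError("requested duration is outside policy")
        grant = Grant(principal, host, role, now, now + duration, reason)
        self.grants.append(grant)
        self.audit.append((now, "jit_granted", principal, host))
        return grant

    def expire(self, now):
        """Drop grants whose window has closed; the privilege is removed, not merely flagged."""
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append((now, "jit_expired", g.principal, g.host))
            else:
                live.append(g)
        self.grants = live

    def is_privileged(self, principal, host, now):
        """Authorization check: standing membership or an unexpired JIT grant."""
        self.expire(now)
        if principal in self.standing.get(host, set()):
            return True
        return any(g.principal == principal and g.host == host for g in self.grants)


def demo():
    """Walk through inventory -> revoke -> JIT grant -> automatic expiry."""
    t0 = datetime(2022, 1, 16, 9, 0, tzinfo=timezone.utc)       # constructed timestamp
    inventory = {"srv01": {"alice", "svc_backup"}, "srv02": {"alice"}}  # constructed
    broker = JitPrivilegeBroker(inventory)
    before = len(broker.standing_admins())                      # 3 standing admin pairs
    broker.revoke_standing(t0)
    after = broker.is_privileged("alice", "srv01", t0)           # no standing access left
    broker.request("alice", "srv01", "local_admin", timedelta(minutes=30),
                   "CHG-1234 patching", t0)
    during = broker.is_privileged("alice", "srv01", t0 + timedelta(minutes=10))
    later = broker.is_privileged("alice", "srv01", t0 + timedelta(minutes=31))
    try:                                                        # a 2h request exceeds the cap
        broker.request("bob", "srv02", "local_admin", timedelta(hours=2), "too long", t0)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, during, later, rejected, len(broker.audit)


if __name__ == "__main__":
    print(demo())  # (3, False, True, False, True, 5)
```

The point of the design is that `is_privileged` consults only what is true right now: after `revoke_standing` there is nothing for a stolen credential to inherit, and a grant that has lapsed is removed rather than just marked, so the window an attacker could reuse is the approved one and no longer. Every transition lands in `audit`, which is what a SOC would feed into detection for grants outside change windows or without a ticket reference.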
Remediant SecureONE was purpose-built to address this problem and is a force multiplier for Identity & Access Management programs worldwide. The founding team especially had in mind those looking to secure and enable access to global, distributed and always-scaling infrastructure. Specifically, SecureONE was developed to:
- Rapidly deploy and inventory with no agent
- Continuously monitor
- Remove standing access enterprise-wide with a single action
- Administer privileges Just-In-Time with no shared accounts
SecureONE provides coverage for many of the Privilege Escalation techniques in the MITRE ATT&CK framework, as depicted below.