Unraveling the 2020 Marriott Breach & Examining Credential Theft Attacks
by Mahesh Babu, on Nov 17, 2020
The Marriott breach this year involved the theft of employee credentials. Specifically, attackers obtained the login credentials of two employees at a franchise property, which gave them access to a third-party guest application used to deliver guest services. From there, the attackers were able to harvest the guest information needed to run spear-phishing campaigns: full contact details were exposed, including names, mailing addresses, email addresses and phone numbers, as well as other personal data such as company, gender and birthdays.
Based on known attacker patterns (as well as what transpired in the prior Marriott breach), the next step in the attack would be a convincing spear-phishing campaign against the compromised guests. The goal of the campaign would be to gain access to, or deliver malware onto, a guest's business device. From there, the attackers would use that foothold to create a backdoor into the victim's company network by (1) identifying the administrator accounts that have standing access to the victim's workstation (e.g., IT admins, helpdesk) and (2) using Mimikatz to dump the passwords or password hashes of those accounts from the workstation's LSASS memory, where Windows caches credential material for accounts that have logged on interactively, and then reusing those credentials (plaintext or pass-the-hash) to pivot into other systems on the company network that the account can reach. Step (2) only yields something valuable because step (1) finds standing administrator rights on the endpoint in the first place.
Two key observations from this breach:
- The intent behind the theft is strategic rather than financial: the guest data has not shown up on dark web marketplaces, which indicates the theft was not a “smash and grab.” The intent looks strategic, much like the prior Marriott breach and the Office of Personnel Management (OPM) breach, where the attackers were selective about which identities were stolen, focusing on key government officials.
- The application may not be the prize, but a means to administrator privileges on the OS: the initial stages of a spear-phishing campaign suggest that the end goal is phishing into a Marriott guest's company workstation. The same MO was evident in the recent SFO airport breach (where two of the airport's websites were compromised to harvest visitors' Windows login credentials, which could then be used to authenticate to their Windows machines). Likewise, the two flaws disclosed in the Zoom client earlier this year (UNC path injection in chat links, which could leak Windows NTLM credential hashes, and unvalidated installer execution on macOS, a local privilege escalation) offered a route to administrator or “root” level privileges on the Zoom user's device (and from there, their company network).
While no entity has claimed responsibility, both observations are consistent with attack methods of known nation state hackers.
How Remediant could have helped
Remediant could have helped in two ways:
- Prevented the ultimate theft of administrator privileges: with Remediant in their environment, Marriott's security team could have surfaced all the workstations and servers carrying standing administrator privileges and removed that access in bulk. Even if the attackers had stolen credentials and authenticated successfully, the accounts would have held no administrator rights on the endpoint, so they could not have been used to dump other accounts' credentials or to move laterally; a credential with no standing access is of little use in carrying out the attack.
- Reduced the blast radius of the ongoing attack: one of Remediant's key differentiators is the ability to quickly configure policies and remove privileges across thousands of workstations and servers with a single action. During an ongoing attack in which a threat actor is moving laterally, Remediant could have allowed Marriott to remove privileges across all of its endpoints (at milliseconds per endpoint), “boxing in” the attackers and limiting where they could move next.
Advice to organizations
Firms should “assume breach” when it comes to employee credentials, especially when their critical assets are of interest to nation-state actors. The credential is low-hanging fruit: 74% of breached organizations admit the breach involved access to a privileged account. Rather than relying on the secrecy of the credential, firms should shift their focus to authorization and reduce the value of those credentials to an attacker.
This can be done by enforcing Zero Trust privileged access: removing the standing, always-on administrator privileges granted on workstations and granting them back only on a just-enough, just-in-time basis. In practice that means (1) discovering where standing administrator rights exist, (2) continuously monitoring those rights to see how they change over time, and (3) removing the standing rights and granting them back only when needed, for only as long as needed, with only the scope needed.
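The enumeration in step (1) is the same one an attacker performs after landing on a workstation in the attack chain described earlier (find the accounts with standing administrator access), so it is worth doing first as a defender. The PowerShell script below is an added example, not Remediant's product code or anything from the original post: it inventories the local Administrators group across a set of Windows hosts, reports drift against the previous run (step 2), flags members that are not on an approved baseline, and, only when asked, strips those standing rights (step 3). The host names, the approved-member list and the report path are placeholders; it assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller already holds administrator rights there.

```powershell
<#
Added example (not Remediant's code): inventory, monitor and remove standing local
Administrators membership across Windows workstations.
Assumptions (placeholders, not from the original post): host names, the approved
baseline, a CSV report path, WinRM enabled on targets, caller is an admin on them.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName    = @('WKS-001', 'WKS-002'),       # hypothetical targets
    [string[]]$ApprovedMembers = @('CORP\Workstation Admins'),   # hypothetical baseline
    [string]  $ReportPath      = '.\standing-admins.csv',        # previous run, used for drift
    [switch]  $Remove                                            # actually strip the rights
)

# Step 1: inventory. The SID is flattened to its string form on the remote side so it
# survives remoting serialisation and can be compared later.
$inventory = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Name            = $_.Name             # e.g. CORP\jdoe or WKS-001\localadmin
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            SID             = $_.SID.Value
        }
    }
}

# Step 2: monitor drift since the last run. A member that appears on a host is exactly
# the kind of change an attacker leaves behind (or that an admin grants and forgets).
if (Test-Path $ReportPath) {
    $previous = @(Import-Csv $ReportPath)
    if ($previous.Count -gt 0 -and $inventory) {
        Compare-Object -ReferenceObject $previous -DifferenceObject $inventory `
                       -Property Computer, SID -PassThru | ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning ("{0} {1} on {2}" -f $change, $_.Name, $_.Computer)
        }
    }
}
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation

# Step 3a: standing rights not on the baseline. The built-in local Administrator (RID 500)
# cannot be removed from the group, so it is excluded here and left to password rotation
# controls such as LAPS rather than to group membership.
$unapproved = $inventory | Where-Object {
    ($_.SID -notlike '*-500') -and ($ApprovedMembers -notcontains $_.Name)
}
$unapproved | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize

# Step 3b: remove the unapproved standing members, one remoting call per host.
# Run with -WhatIf to preview; nothing is changed unless -Remove is also given.
if ($Remove) {
    foreach ($host in ($unapproved | Group-Object Computer)) {
        $members = @($host.Group.Name)
        $action  = "Remove standing admin rights: $($members -join ', ')"
        if ($PSCmdlet.ShouldProcess($host.Name, $action)) {
            Invoke-Command -ComputerName $host.Name -ScriptBlock {
                foreach ($m in $using:members) {
                    Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Continue
                }
            }
        }
    }
}
```

Run it on a schedule without -Remove to build the inventory and watch for drift, then with -Remove -WhatIf to see what would be stripped before committing. Hosts that are unreachable on a given run are absent from that run's inventory and will surface as REMOVED in the drift report, so treat those warnings as a reachability problem rather than a change in rights until the host responds again. The just-in-time grant-back in step (3) (adding a member for a bounded window and removing it again) is the workflow a PAM product automates and is deliberately not part of this example.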
To learn more, please visit: https://www.remediant.com/blog/who-really-has-access-to-your-work-laptop