The Hunt for Red October: Privileged Accounts Persist as Common Attack Vector
January 22, 2013 | Uncategorized | John Worrall
by John Worrall
Last week, another significant and advanced cyber-attack has caught the security headlines for all of the right—and wrong—reasons. The attack was first uncovered by researchers at Kaspersky Lab who identified what they described as a “high-level cyber-espionage campaign” that has infiltrated networks at diplomatic, governmental and scientific research organizations over the past five years. While the target of the attack, dubbed Red October, may be reminiscent of other noteworthy breaches, including Stuxnet and Flame, the campaign is, in essence, a malware-based external breach and espionage platform that siphons data from mobile devices, PCs, and network hardware. Once inside the enterprise, the attackers could scan across the network and exploit vulnerabilities, including those accessible with administrative credentials and/or default passwords.
While the attack is primarily gaining publicity due to its apparently sophisticated and deliberate cyber espionage initiative against government and diplomatic organizations, the virus is another example of the industry’s fascination with custom malware that can be used to bypass the enterprise perimeter and steal sensitive data. In the case of Red October, the attack penetrates the perimeter and gathers intelligence from both traditional attack targets (workstations), as well as other network-connected devices including smartphones, network equipment configuration software and removable disk drives.
What the media—and the industry—continues to overlook, however, is the common pathway between these external attacks and the stolen data. While cyber espionage, malware attacks and proactive perimeter security measures may gain more intrigue, the real issue is that once inside, attackers immediately target privileged accounts to gain widespread access to the rest of the network.
Examining Red October further, it’s clear that this attack is no different than others—including Stuxnet and Flame—that targeted and leveraged privileged accounts. In this case, once inside the networks of their government targets, the Red October perpetrators were able to move around the network as if they were a privileged employee and uncover additional vulnerabilities to exploit by accessing admin credentials retrieved from malware-infected databases and systems. Once these credentials are stolen, attackers can take things to the next level by reusing them in later attacks by guessing similar passwords and network credentials in other locations. This should come as no surprise—although they serve as the gateway to an organization’s most sensitive data, privileged accounts are often protected by weak passwords, which are seldom replaced.
So while news will continue to detail the ramifications of Red October, it is important to note that we have been here before. Saudi Aramco. Subway Restaurants. Global Payments. US Chamber of Commerce. The list goes on, and will continue to go, if organizations continue to fail to recognize the importance of locking down and securing these privileged access points. Ultimately, it is a new approach to security – starting on the inside and working out, but it is an imperative. Rather than focusing on firewalls or perimeter security, organizations need to prioritize the identification, monitoring and management of privileged accounts.
It may be bad news for headline writers, but this approach will block hackers from gaining the true spoils they desire—sensitive corporate and government data accessible only through privileged accounts.