The Privileged Aspect of the Recent Kerberos Vulnerability
By John Worrall
A rare, out-of-band patch from Microsoft a couple of weeks ago once again reminds us all that targeted attackers are constantly going after privileged accounts. Microsoft pushed out an emergency patch to address a critical vulnerability in Microsoft Windows Kerberos KDC. According to the Microsoft Security Bulletin, the vulnerability, “could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.”
This vulnerability is severe, as it essentially bypasses the established privileged controls making it possible to perform privileged operations with a hijacked standard user account. Attackers exploiting this vulnerability will have the ability to compromise any computer in the domain, including domain controllers.
Microsoft has patched this vulnerability, but it’s another reminder that attackers covet access and operational powers associated with privileged accounts. In fact, most targeted attacks are focused on gaining these privileges, first and foremost, by stealing the credentials for these accounts as was born out in a recent threat research report we conducted.
In that report we interviewed six leading threat investigation teams from leading firms and found more than 80% of serious cyber attacks exploit privileged accounts at some point in the process. Threat investigators from Deloitte explain, “Privileged accounts are a hall pass that can get attackers where they want to go without constraints. It enables them to traverse the network without hindrance.”
There are constantly new vulnerabilities being found even in the most established controls, such as SSL (Heartbleed), SSH (Shellshock) and now Microsoft’s implementation of Kerberos. Stopping privileged accounts exploitation is often an organization’s last line of defense before a data breach, which highlights the need for anomaly detection and privileged user behavior monitoring. With proper control of privileged accounts in place and anomaly detection employed to detect the abuse of privileged accounts, it becomes possible to mitigate these targeted attacks. As Jim Aldridge of Mandiant observes in CyberArk’s report, “At this point, it’s critical to detect attacker movements, because it’s basically the last chance you have before they steal data.”