Security Response

Beyond the Initial Compromise

Created: 18 Mar 2010 22:25:25 GMT • Updated: 23 Jan 2014 18:28:49 GMT
Greg Ahmad

Over the past few years, targeted attacks against organizations have become increasingly common and have gained notoriety. One of the most well known of these attacks is the recent compromise of Google, Adobe, and many other companies as part of the Trojan.Hydraq or the “Operation Aurora” incident. This particular attack involved organized and well-resourced cyber criminals who used a zero-day memory-corruption exploit for Microsoft Internet Explorer as an attack vector to deliver a malicious payload, known by the name of Trojan.Hydraq. The attackers behind this operation targeted various organizations and sent messages using the spear phishing technique, which makes email messages look like they come from a trusted source, thereby increasing the chance of victims following links or opening attachments. Once the vulnerability was successfully exploited and the Hydraq malware was installed, the compromised machines established a remote connection to a command-and-control server to obtain further instructions. Trojan.Hydraq allows attackers to carry out a variety of attacks, including theft of sensitive information such as intellectual property.

Though an important aspect of information security is the prevention and investigation of targeted attacks that exploit zero-day or unpatched vulnerabilities to initially compromise systems in an organization, post-exploitation activities and subsequent attacks against the internal network accessible from a compromised machine should not be overlooked. Attackers typically exploit flaws to gain access to a computer on an organizational network, then attempt to escalate privileges or attack other systems in the targeted network to gain access to further, possibly more lucrative, resources. Attacks against the internal network may involve gaining access to Windows password databases on the local system and Active Directory servers, using local administrator credentials to gain elevated privileges on the network, using password sniffers to obtain password hashes from the network, attacking domain controllers, and much more.

In addition to traditional attacks against Windows passwords, attackers also leverage unpatched or zero-day vulnerabilities affecting computers on an internal network. In February 2010, as part of the scheduled Microsoft updates, an interesting vulnerability (CVE-2010-0231) surfaced. The vulnerability can be used to perform replay attacks against the Windows NTLMv1 (NT LAN Manager) authentication protocol to gain access to the Server Message Block (SMB) service on the target system. SMB is often enabled in organizational environments as part of the Windows File and Printer Sharing service; therefore, this vulnerability is an ideal choice for launching attacks against other network resources once one computer in the network is compromised.

The vulnerability exists because a flaw in the challenge-response authentication protocol used by SMB causes a server to generate duplicate 8-byte challenge nonces, which allows an attacker to perform replay attacks. In addition, the NTLM protocol may disclose information that allows the attacker to predict the state of the pseudo-random number generator (PRNG) used to generate challenges. Successful attacks give the attacker access to the SMB service in the context of an authorized user. If the targeted user is an administrator, this attack may ultimately result in an attacker gaining administrative privileges.
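A defensive check built on the duplicate-challenge behaviour described above, as an added example that is not part of the original post: it takes challenges that an internal sensor has already extracted from SMB negotiate responses and flags servers that repeat an 8-byte challenge far more often than a sound 64-bit generator would. The record layout, function names, threshold, and sample values are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CHALLENGE_BYTES = 8  # the page describes 8-byte challenge nonces

def collision_probability(samples, bits=CHALLENGE_BYTES * 8):
    """Birthday bound: chance of any repeat among `samples` uniform random values."""
    # expm1 keeps precision; 1 - exp(-x) would round to 0.0 for tiny x.
    return -math.expm1(-samples * (samples - 1) / (2.0 * 2.0 ** bits))

def find_repeated_challenges(records):
    """records: (timestamp, server, challenge_hex) tuples.
    Returns {server: {challenge_hex: [timestamps]}} for repeated challenges."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, server, chal in records:
        raw = bytes.fromhex(chal)
        if len(raw) != CHALLENGE_BYTES:
            raise ValueError(f"{server}: challenge is not 8 bytes: {chal!r}")
        seen[server][raw.hex()].append(ts)  # .hex() normalises letter case
    repeated = {}
    for server, chals in seen.items():
        dupes = {c: t for c, t in chals.items() if len(t) > 1}
        if dupes:
            repeated[server] = dupes
    return repeated

def assess(records, threshold=1e-9):
    """Flag servers whose repeats are implausible for a random 64-bit nonce."""
    counts = defaultdict(int)
    for _, server, _ in records:
        counts[server] += 1
    findings = {}
    for server, dupes in find_repeated_challenges(records).items():
        p = collision_probability(counts[server])
        if p < threshold:  # a repeat this unlikely points at the generator
            findings[server] = {"samples": counts[server],
                                "p_random_repeat": p, "repeated": dupes}
    return findings

# Constructed sample data (documentation addresses, made-up challenges).
SAMPLE_RECORDS = [
    ("10:00:01", "192.0.2.10", "a1b2c3d4e5f60718"),
    ("10:00:02", "192.0.2.10", "0f1e2d3c4b5a6978"),
    ("10:00:03", "192.0.2.20", "1122334455667788"),
    ("10:00:04", "192.0.2.10", "A1B2C3D4E5F60718"),  # repeat of first value
    ("10:00:05", "192.0.2.20", "8877665544332211"),
    ("10:00:06", "192.0.2.10", "deadbeef00c0ffee"),
]

if __name__ == "__main__":
    for server, info in assess(SAMPLE_RECORDS).items():
        print(server, info)
```
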

A functional attack requires the attacker to convince a user to connect to an attacker-established SMB server; overall, this vulnerability is not too difficult to exploit. An attacker could entice a victim to follow a link to a malicious site or carry out man-in-the-middle attacks from an internal network by redirecting a victim to a malicious site. The researchers responsible for discovering this issue have also released a set of Ruby scripts that can be used to automate the exploitation process. The Symantec DeepSight team successfully tested this issue against a computer running Windows Server 2003 SP2.

The exploitation process of the proof-of-concept scripts is as follows:

1. A vulnerable computer is identified by a script that repeatedly sends 'SMB Negotiate Protocol Request' packets to the computer. The computer is deemed vulnerable when duplicate challenges are found.

2. A script is then used to send multiple 'SMB Negotiate Protocol Request' packets to the vulnerable computer and record the 8-byte challenges obtained from the computer. The script is also used to establish an SMB server for the attacker.

3. A website that contains multiple links to the attacker’s SMB server is established. These requests are processed by a user’s browser when a site is visited. A vulnerable user must be enticed to visit the malicious site or be redirected using a man-in-the-middle attack.

4. When a user visits the site, the SMB requests are sent to the attacker’s SMB server. The attacker’s server sends the previously recorded challenges to the user and gathers the user’s responses.

5. The attacker then connects to the target computer and responds using one of the responses collected from the user for the associated challenge.

A security vulnerability such as this, along with the availability of exploit code, highlights the importance of securing internal networks against attacks. Though high-profile vulnerabilities often seen in the wild facilitate initial intrusions into a network, attackers can also make use of various tools and vulnerabilities in post-exploitation attacks and be rewarded with access to sensitive information and resources.

Some mitigation strategies to defend, detect, and respond to attacks against internal networks include:

•    Employment of network segmentation through the use of network firewalls, VLANs, or logical methods.
•    Deployment of IDS/IPS sensors inside network boundaries.
•    Ingress and egress filtering of network traffic.
•    Collection and analysis of logs from various sources such as IDS/IPS, firewalls, servers, operating system events, and applications.
•    Security patch management and hardening of systems and servers on internal networks in a manner similar to externally facing systems.
•    User account audit and control, including access limitations and prevention of unauthorized actions such as installation of arbitrary applications.
•    Enforcement of strong password policies.
•    Deployment of desktop and endpoint antivirus and security applications.
•    Auditing and controlling VPN/guest access.
•    Deployment of Network Access Control (NAC) solutions to unify security technologies, enforce security policies, and control access.