Virtualization Technology News and Information
New Hacker Methods for Swiping Privileged Credentials, and How The Security Community is Responding

Written by Tyler Reese, product manager at One Identity

Security researchers are carefully watching efforts by hackers to obtain access to privileged accounts. Privileged credentials are among the most sought after, since they give the hacker virtually unlimited access to enterprise systems. Security vendors are not sitting idle watching these developments; they are developing new methods to counter hacker efforts and aid in the protection of enterprise assets.

One method of gaining privileged access is "privilege escalation," which is broadly defined as different techniques leveraged by hackers to obtain higher levels of permission and ultimately privileged accounts when breaching a company's system or network.

An emerging technique for privilege escalation is "valid accounts," exemplified when someone uses an already stolen privileged account in a targeted attack. Hackers may gather the credentials of a specific user or service account using the so-called Credential Access technique, or steal credentials earlier in their reconnaissance process through social engineering. It is believed that this method is used by BRONZE UNION (a.k.a. Threat Group-3390), a Chinese cyberespionage group targeting the aerospace, government, defense, technology, energy, and manufacturing sectors.

As seen in Secureworks' study, BRONZE UNION frequently gathers privileged accounts in their operations. In one case, they used Wrapikatz to retrieve various passwords and Windows credentials from memory. They also used access provided by extensive web shell deployment to harvest account credentials. Furthermore, they leveraged the Kekeo credential abuse tool to exploit CVE-2014-6324, a vulnerability in Microsoft's implementation of the Kerberos network authentication protocol. Exploitation of this vulnerability allows an attacker to escalate privileges on the affected system.

As a further example, according to a FireEye report, FIN10, a financially motivated threat group, has targeted organizations in North America since at least 2013, using stolen data exfiltrated from victims to extort organizations. According to the FireEye study: "FIN10 routinely leverages Windows Remote Desktop Protocol (RDP) to access systems within the environment. More specifically, attacker(s) leveraged RDP to authenticate internal systems that were configured to allow ingress RDP connections from systems residing outside organizational firewall perimeters. Similarly, we have observed FIN10, in at least two instances, using a single-factor protected VPN to connect remotely to victim networks after stealing credentials."

Behavioral kinetics is among the emerging effective methods to combat hacker attempts to exploit privileged account credentials. Let's assume the privileged credential is already stolen and a cyberspy is aiming to initiate an RDP or SSH connection from the compromised client to a highly valuable asset. The bad actor behind the mouse and keyboard doesn't use the computer the same way as the legitimate user he's trying to impersonate. He types different commands with a different typing style; he moves the mouse with his left hand instead of the usual right. These characteristics, or behavioral kinetics, are unique and can be used as a biometric to pinpoint that the user is unwelcome and therefore should be blocked from access.

A best practice for organizations is to monitor the behavioral kinetics of authorized privileged users. This information serves as a baseline for detection in the unlikely event of Credential Access. Studies have shown that such efforts can detect risks, such as unrecognized typing styles, in a minute or less. The preparation phase of targeted attacks can take months, whereas exploitation takes only minutes. If security teams can identify potentially malicious activities in the preparation phase, by using behavioral kinetics combined with privileged password vaulting and session audit and control, they can successfully terminate targeted attacks before they cause damage.
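The baseline-and-compare approach described above, as an added Python example that is not from the article or from One Identity's products: it enrols per-digraph keystroke latencies for one privileged user (constructed sample values), scores the latencies typed in a later session against that profile, and only returns a verdict once enough comparable keystrokes have been observed. The digraphs, latencies, thresholds and session data are all assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed enrolment data for one privileged user: digraph -> latencies (ms)
# between the two key presses, collected across several legitimate sessions.
ENROLLMENT = {
    "ls": [110, 118, 105, 121, 114, 109],
    "cd": [95, 102, 99, 91, 104, 97],
    "su": [140, 133, 151, 146, 138, 142],
    "do": [88, 94, 90, 85, 92, 89],
}

def build_profile(enrollment, min_samples=5):
    """Per-digraph (mean, stdev); digraphs with too few samples get no baseline."""
    profile = {}
    for digraph, latencies in enrollment.items():
        if len(latencies) >= min_samples:
            sd = pstdev(latencies)
            profile[digraph] = (mean(latencies), sd if sd > 0 else 1.0)  # no zero divisor
    return profile

def score_session(profile, events, min_events=8):
    """Mean |z| of the session's latencies against the profile.
    events: list of (digraph, latency_ms) typed over the RDP/SSH session.
    Digraphs without a baseline are ignored; returns (None, n) until at least
    min_events comparable keystrokes exist, so no verdict rests on a few keys."""
    zs = []
    for digraph, latency in events:
        if digraph in profile:
            mu, sd = profile[digraph]
            zs.append(abs(latency - mu) / sd)
    if len(zs) < min_events:
        return None, len(zs)
    return mean(zs), len(zs)

def is_anomalous(profile, events, threshold=2.5):
    """True when the session deviates from the baseline by more than `threshold` stdevs on average."""
    score, _ = score_session(profile, events)
    return score is not None and score > threshold

PROFILE = build_profile(ENROLLMENT)
# Constructed sessions: the legitimate admin, and someone else using the same account.
LEGIT_SESSION = [("ls", 112), ("cd", 99), ("su", 143), ("do", 90), ("rm", 120),
                 ("ls", 115), ("cd", 96), ("su", 139), ("do", 88)]
IMPOSTOR_SESSION = [("ls", 190), ("cd", 170), ("su", 240), ("do", 160),
                    ("ls", 185), ("cd", 175), ("su", 235), ("do", 165)]

if __name__ == "__main__":
    for name, session in (("legitimate", LEGIT_SESSION), ("impostor", IMPOSTOR_SESSION)):
        print(name, score_session(PROFILE, session), is_anomalous(PROFILE, session))
```

A real deployment would combine several such features (mouse movement, command vocabulary, timing of login) and feed the score into the session-control layer rather than acting on keystrokes alone.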


About the Author

With more than 15 years in the IT software industry, Tyler Reese is extremely familiar with the rapidly evolving IAM challenges that businesses face. Currently, he is a product manager for the Privilege Account Management portfolio, where his responsibilities include evaluating market trends and competition, setting the direction for the product line and, ultimately, meeting the needs of end users. His professional experience ranges from consulting for One Identity's largest PAM customers to being a systems architect at a large company.

Published Thursday, October 18, 2018 7:41 AM by David Marshall