Back to Security Basics: Stolen Privileged Windows Credentials Lead to Breaches
Going back to security basics, here’s a simple concept to consider: stolen user credentials are the direct cause of many data breaches, especially when those credentials are privileged, meaning the account has greater operating system permissions than a standard user account, according to a recent report from Cyberark.
The report, Analyzing Real-World Exposure to Windows Credential Theft Attacks, covers the many capabilities an attacker has once they’ve stolen the username and password for a privileged account:
- Gain complete control over the host(s)
- Steal all sensitive data on these host(s)
- Install malware
- Disable or reconfigure security controls
Basically, they can do a lot, including causing irreparable damage to your company’s Windows environment - all with a username and password. A few noteworthy breaches that hinged on stolen passwords include:
- Office of Personnel Management (OPM) - A stolen contractor’s password led to the breach of 4.2 million records on government employees.
- JPMorgan Chase - Malicious hackers stole the login credentials of a JPMorgan employee and gained access to a network server that had been left unprotected by two-factor authentication after an upgrade. As a result, the hackers accessed the banking account information of 83 million households and small businesses.
- Anthem, Inc. - The second-largest health insurer exposed the health data of 80 million people after a malicious hacker stole the login information of one of the company’s system administrators.
Again, going back to security basics - how can attackers steal credentials? In a few different ways:
- Social engineering - By posing as a credible source, like an IT admin, a criminal could convince their victim to reveal their username and password over the phone.
- Phishing - Another form of social engineering: a phishing email might include a link to a spoofed (fake) Microsoft login page, and users may be fooled into typing in their credentials, which the attacker then collects.
- Keystroke loggers - A malicious hacker may send a user an email attachment carrying malware. Once opened, it can download and execute a keylogger that records user credentials and sends them back to the hacker.
- Password hashes - Instead of stealing complete passwords, attackers can steal password hashes that are left in memory after a user logs on and remain there until the host is restarted, according to Cyberark. These hashes can be used in a pass-the-hash attack, or in over-pass-the-hash, which uses the stolen hash for Kerberos authentication to Windows hosts in a Kerberos-enabled network. Check out a TechEd presentation on Pass-the-Hash: How Attackers Spread and How to Stop Them.
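The credential-residue point above, as an added example (this is not code from the post or from the Cyberark report): a PowerShell script that reads this host’s Security log and lists which accounts have logged on with a logon type that leaves reusable credential material in LSASS memory until the next restart. The `$Days` window and the `$PrivilegedAccounts` list are assumed inputs; replace the list with the names of your own privileged accounts.

```powershell
# Added example, not code from the post or from the CyberArk report. Lists recent logons on this
# host whose logon type leaves reusable credential material (hashes or tickets) in LSASS memory
# until the host restarts, so you can see which privileged accounts are exposing their credentials here.
# Assumes PowerShell 5.1+ in an elevated session (reading the Security log needs administrator rights).
# $Days and $PrivilegedAccounts are assumed inputs; replace the account list with your own privileged names.
param(
    [int]$Days = 7,
    [string[]]$PrivilegedAccounts = @('Administrator')
)

# Logon types that leave credential material in LSASS. Network logons (type 3) do not, which is
# one reason a credential used only over the network leaves less residue than an interactive one.
$residueTypes = @{
    '2'  = 'Interactive'
    '4'  = 'Batch'
    '5'  = 'Service'
    '10' = 'RemoteInteractive (RDP)'
    '11' = 'CachedInteractive'
}

# Built-in identities that always appear in the log and are not user credentials.
$ignoreSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624          # "An account was successfully logged on"
    StartTime = (Get-Date).AddDays(-$Days)
} -MaxEvents 20000 -ErrorAction SilentlyContinue

$rows = foreach ($ev in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if (-not $residueTypes.ContainsKey([string]$data['LogonType'])) { continue }
    if ($ignoreSids -contains $data['TargetUserSid']) { continue }
    if ($data['TargetUserName'] -match '\$$') { continue }   # computer accounts end in $

    [pscustomobject]@{
        Time       = $ev.TimeCreated
        Account    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType  = $residueTypes[[string]$data['LogonType']]
        AuthPkg    = $data['AuthenticationPackageName']
        Privileged = $PrivilegedAccounts -contains $data['TargetUserName']
    }
}

# One line per account: how often, how recently, and by which logon types it left credentials here.
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account    = $_.Name
        Privileged = $_.Group[0].Privileged
        Logons     = $_.Count
        LastLogon  = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Privileged, LastLogon -Descending | Format-Table -AutoSize
```

Run it on a workstation and look at the rows marked Privileged: every interactive, RDP, service or batch logon by a domain administrator there is a place where that account’s hash sits in memory waiting for the next restart. The script only reads the local log; to get the same view across a fleet, run it against forwarded events in your collector rather than host by host.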
According to Cyberark’s report, 88 percent of scanned networks were medium-exposure (10-50 percent of hosts are high risk) or high-exposure (over 50 percent of hosts are high risk) networks, meaning they’re susceptible to being compromised via stolen privileged credentials.
Unsurprisingly, the report also found that compromised servers pose a bigger threat to other Windows hosts than compromised workstations do.
How can you lower risks associated with stolen privileged accounts?
- The report suggests using privileged local accounts instead of domain accounts, so that a credential stolen on one host does not give an attacker access to other hosts in the domain
- Use an automated tool that changes the password of a privileged account after every use (known as one-time passwords), limiting how long an attacker can use stolen credentials to access the host
- Deploy two-factor authentication that requires the use of another device (mobile phone or USB device) in order to verify a privileged user’s identity
As Dana Epp, Microsoft MVP of Enterprise Security, stated in Credential Theft and How to Secure Credentials, using the primary domain Administrator account to log onto everything in a Windows domain is considered bad practice and should be frowned upon:
That account has far too many privileges, and poor use of the account exposes you to great risk. It becomes trivial for an attacker to elevate and take control of the domain when there is credential residue from any account that exists in the Domain Admins group… but when you use the primary administrator “500” account you take it to the next level. Why? Because after you have control of that account you can lock out pretty much everyone. It is difficult for a member of the Domain Admins group to seize control of the primary domain Administrator account; the same is not true the other way around.
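One way to check a host against the two points made above, the report’s preference for privileged local accounts over domain accounts and the warning about the “500” account, as an added example that is not code from the post, from Dana Epp, or from the Cyberark report. The function names `Get-LocalAdminExposure` and `Get-DomainRid500Status` are my own; the script assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) in an elevated session, and the optional domain check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not code from the post or from the CyberArk report. Audits one host for
# domain principals holding local administrator rights and for the state of the RID-500
# built-in Administrator accounts (local and, optionally, domain).
# Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts in an elevated session;
# the domain part is optional and needs the RSAT ActiveDirectory module.

function Get-LocalAdminExposure {
    # Members of the local Administrators group, addressed by its well-known SID so the check
    # works regardless of OS language. Any domain principal listed here is an account whose
    # credentials, if stolen on this host, are reusable on every other host where it is also
    # an administrator. Caveat: Get-LocalGroupMember can fail if the group contains orphaned
    # SIDs; in that case fall back to 'net localgroup Administrators'.
    $members       = Get-LocalGroupMember -SID 'S-1-5-32-544'
    $domainMembers = $members | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }

    # The host's built-in Administrator is always RID 500 of the machine SID, whatever it was renamed to.
    $localRid500 = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        DomainMembers        = @($domainMembers | Select-Object Name, ObjectClass, SID)
        LocalRid500Name      = $localRid500.Name
        LocalRid500Enabled   = $localRid500.Enabled
        LocalRid500LastLogon = $localRid500.LastLogon
    }
}

function Get-DomainRid500Status {
    # The domain's primary Administrator account is RID 500 of the domain SID, again regardless
    # of its current name. Returns $null when the ActiveDirectory module is not available.
    if (-not (Get-Command Get-ADDomain -ErrorAction SilentlyContinue)) { return $null }
    $sid = '{0}-500' -f (Get-ADDomain).DomainSID.Value
    Get-ADUser -Identity $sid -Properties LastLogonDate, PasswordLastSet |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

$exposure = Get-LocalAdminExposure
$findings = @()

foreach ($m in $exposure.DomainMembers) {
    $findings += "Domain principal with local admin rights: $($m.Name) ($($m.ObjectClass))"
}
if ($exposure.LocalRid500Enabled) {
    $findings += "Built-in local Administrator '$($exposure.LocalRid500Name)' is enabled (last logon: $($exposure.LocalRid500LastLogon))"
}

# Assumed policy for this example: the domain RID-500 account should not be in day-to-day use,
# so any logon in the last 30 days is reported.
$domainAdmin = Get-DomainRid500Status
if ($domainAdmin -and $domainAdmin.LastLogonDate -gt (Get-Date).AddDays(-30)) {
    $findings += "Domain RID-500 account '$($domainAdmin.SamAccountName)' was used in the last 30 days ($($domainAdmin.LastLogonDate))"
}

"== $($exposure.ComputerName) =="
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A domain group such as Domain Admins sitting in the local Administrators group is the Windows default, so the interesting findings are individual domain user accounts added by hand and an enabled built-in local Administrator that shares its password with other machines. If you follow the report’s advice and rely on local privileged accounts, each host needs its own password that is rotated automatically (Microsoft’s LAPS does exactly this); otherwise one stolen local hash opens every host that shares it.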
Learn more about protecting your Microsoft services and logins with Duo’s two-factor authentication.