Lateral Movement – The Cause, Techniques and Protection
The term “Lateral Movement” has been around for a little over four years and made the news when ransomware such as WannaCry and APTs such as APT28 and APT29 used lateral movement techniques. Most often an attacker does not have direct access to the machine or resource on the internal network that the attacker considers the prized trophy. The prized trophy may be the domain controller, a machine hosting confidential information, or every internal machine if the goal is to add them all to a botnet. In such a situation, the attacker looks for a weak link in the target network that can be infiltrated: an unsuspecting user, an unpatched computer, an exposed Wi-Fi network and so on. Once the attacker controls this weak link, that access is used to identify other resources on the internal network and infiltrate them in turn until the objective of the attack is accomplished. The methods the attacker employs to identify resources on the internal network, gather information or credentials from an infiltrated host, and use what was gathered to gain control of other resources on the internal network are called “Lateral Movement Techniques”. The discussion in this blog is centred on Windows. However, any OS environment can be affected by the techniques discussed below.
In the malware samples studied recently, especially those attributed to APT28 and APT29, some of the techniques described below were employed for moving within the internal network. The stages need not occur in the exact order shown, and an attacker or malware may use only a few of them.
- Infiltrate – In this stage, the attacker gains access to one or more machines in the internal network. This could be via:
- Spear phishing, where the attacker entices employees via email to visit malicious or compromised websites or to open infected documents. This was seen in the case of APT28, where users received a malicious Microsoft Office document that carried an embedded malware dropper.
- Drive-by download, where an internal user unwittingly visits a malicious or compromised website. The compromised page may contain hidden malicious HTML (for example a hidden iframe) that makes the browser request a page from a server hosting an exploit kit. The exploit kit stealthily probes the browser for vulnerabilities or vulnerable plugins and runs an exploit that sets the stage for further malware download.
- Direct attack against a vulnerable service. This was seen with the WannaCry ransomware: once it infected a machine, it loaded a second-stage component that scanned the internal network for Windows machines vulnerable to CVE-2017-0144 (the SMBv1 flaw patched in MS17-010), which it exploited with the EternalBlue code leaked by the “Shadow Brokers” group.
- Reconnaissance – Once infiltration is complete, the infiltrated machine is often not the final objective of the attack. In this stage, the attacker can use tools already on the system, such as the “net.exe” command, or upload tools such as “NetSess.exe”, “smbat” and port scanners. Nmap and Metasploit come with built-in scripts that help collect useful information from internal hosts. The attacker typically tries to answer the following questions:
- What other machines exist on the network
- Which SMB sessions are currently active, and from where
- Which users are members of which groups in the domain
- Which host, user or session would be valuable for the next round of the attack
The successful outcome of this stage is that the attacker has identified other machines, sessions, user accounts and so on in the internal network.
- Credential harvesting – When a user logs on to a Windows machine, credential material derived from the password (the NT hash, and on older configurations the plaintext password itself) is cached in the memory of the LSASS process. Using tools like Mimikatz, an attacker with administrative rights on the machine can extract these cached credentials from LSASS memory. If a domain administrator had logged on to that machine, the attacker now holds the domain administrator's credentials. Even when only the hash is recovered, the attacker can use it in a “Pass the hash” attack to execute commands on another machine while posing as the domain administrator. This works because NTLM authentication, still used by SMB (the protocol Windows machines use to talk to one another), proves knowledge of the NT hash rather than of the password, so the hash is a password equivalent. A more serious scenario is when the attacker harvests the NT hash of the domain's “krbtgt” account from a domain controller; since that key protects every Kerberos TGT issued in the domain, the attacker can forge TGTs at will. This is known as the “Golden Ticket Attack”. Mimikatz also has a module that patches the LSASS process on a domain controller so that a master password chosen by the attacker authenticates as any domain user, while the affected users continue to log on normally with their usual passwords. This is known as the “Skeleton Key Attack”.
- Code execution – An attacker on the internal network can affect other machines in the following ways:
- Using harvested credentials with tools like “PsExec” for remote code execution, the “at.exe” command to schedule tasks on a remote machine, or to gain read/write access to protected administrative shares such as ADMIN$ and C$.
- Direct attack on services running on internal machines. This was the approach used by WannaCry, which used the EternalBlue exploit to infiltrate internal hosts.
- APT28 used an interesting approach: alongside the EternalBlue exploit it also used the “Responder” tool to host a fake SMB service and harvest credentials from machines that tried to authenticate to it.
- In most attacks, once this stage succeeds the infiltrated machine has a “Command and Control” channel to an attacker-controlled machine on the internet, through which additional malware is downloaded and commands for further actions are received. These channels may also serve as the medium for exfiltrating data.
- Persistence – Attackers and malware prefer to remain hidden, survive a reboot and be active. Some interesting malware samples that used persistence in novel ways are mentioned below.
- Poweliks employed registry tricks to hide its code within the registry and achieve persistence.
- Kovter employed registry tricks similar to those of Poweliks.
- APT29 used the WMI store to have its code stored and persist.
This blog provided a very high-level view of what “Lateral Movement” is and some of the prominent techniques employed by attackers and malware. Threat actors have increasingly started using these techniques, especially the Windows WMI, to gain and maintain access to machines. In future blogs, we will be studying some techniques like pass-the-hash and skeleton key attack in detail and understand how tools like Mimikatz harvest credentials, how WMI attacks work and dissect malware samples that employ these techniques. This will help provide a deeper understanding of how threat actors work today and how to protect your internal network.
Versa FlexVNF via its IPS and AV engines provides protection from these threats. The AV engine detects the malware binaries that employ these lateral movement techniques. The IPS engine provides additional protection by inspecting network traffic and identifying WannaCry network activity and network activities typically seen with tools like Responder. Versa Networks also supports the detection of lateral movement techniques in a Windows environment. The security engine can detect network activity that’s indicative of psexec, pass-the-hash, remote service launch, task scheduling and more.