Many a CIO has warned employees about malicious links in e-mail that potentially give hackers an entry into corporate networks. Increasingly, sophisticated cyber attacks are using so-called privileged accounts, typically used by system and database administrators. Powerful cyberweapons like Flame and Stuxnet rely on these accounts to gain power within a network and access intellectual property, source code and other confidential information.
About 64% of IT managers believe that the majority of recent security attacks involved the exploitation of so-called privileged accounts used by administrators, according to a survey released Tuesday. Privileged accounts are essentially back doors that come from the manufacturer and can be found in every laptop, server, and network device. They exist to help the IT department manage the network. Other examples include the Windows administrator account and the UNIX root account.
“It’s a way for people, either on the inside or the outside, to be the most powerful user,” said Udi Mokady, founder and CEO of Cyber-Ark Software, the company that sponsored the survey. “In an enterprise with 10,000 people, there are about 30,000 to 40,000 privileged accounts in various devices,” he said. The security firm works with large corporations such as BT, Barclays and Williams Energy.
“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in,” said Avivah Litan, vice president and distinguished analyst at Gartner, adding that this technique is often used in corporate espionage.
It’s not clear whether hackers used privileged accounts in the attack on payment processor Global Payments that exposed 1.5 million credit card accounts. Just yesterday, the company said that the attack, first announced in March, may have been broader than first thought and may have exposed personal information of some merchants.
Litan points to the highly sophisticated attack on RSA, the security division of EMC, that was revealed in March 2011 as an example of hackers using privileged accounts. In the RSA attack, an employee opened a file called “2011 recruitment plan” that was attached to an e-mail message. The attacker had specifically sent that same file to just a few employees at RSA. Once the employee opened the file, it injected malicious code onto her PC.
RSA outlined exactly how the attack happened in a blog post called “Anatomy of an Attack.” The attackers then moved laterally inside the network looking for a path to the information they wanted. They performed privilege escalation on non-administrative users and then moved on to gain access to the accounts of server administrators.
An example of this privilege escalation happened at another U.S. company where an assistant who was interested in astrology clicked on a malicious link. She didn’t realize that malicious code had been placed on her computer, but when it began to run slowly, she contacted an IT administrator who tried to find the problem. He typed an admin login and a password into her computer, which the hackers then stole, gaining administrative credentials, said Ed Savage, a cybersecurity expert at PA Consulting.
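The scenario Savage describes, an administrator typing privileged credentials into an already-compromised end-user machine, is something a security team can watch for in logon telemetry. The script below is an added illustration written for this article, not code from any of the companies quoted: it scans Windows Security logon events (Event ID 4624 is a successful logon; logon types 2 and 10 are interactive and remote-interactive sessions, which leave reusable credentials on the host, unlike network logons of type 3) and flags any privileged account signing in interactively on a workstation. The sample event lines, the privileged account names and the “WS-” workstation naming convention are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows Security logon events, flattened to key=value
# form for readability. These are not real log records.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=2 TargetUserName=jdoe WorkstationName=WS-ASSIST-07",
    "EventID=4624 LogonType=2 TargetUserName=corp-admin WorkstationName=WS-ASSIST-07",
    "EventID=4624 LogonType=10 TargetUserName=corp-admin WorkstationName=SRV-DB-01",
    "EventID=4624 LogonType=3 TargetUserName=corp-admin WorkstationName=WS-FIN-12",
    "EventID=4625 LogonType=2 TargetUserName=corp-admin WorkstationName=WS-FIN-12",
]

# Assumed for the example: which accounts count as privileged, and the naming
# convention that distinguishes end-user workstations from servers.
PRIVILEGED_ACCOUNTS = {"corp-admin", "administrator", "root"}
WORKSTATION_PREFIX = "WS-"

# Logon types that leave reusable credentials on the target host:
# 2 = interactive (console), 10 = RemoteInteractive (RDP).
# Type 3 (network logon) does not, so it is deliberately not matched here.
CREDENTIAL_EXPOSING_LOGON_TYPES = {"2", "10"}


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: str


def parse_event(line: str) -> dict:
    """Turn a 'Key=Value Key=Value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def find_privileged_logons_on_workstations(lines):
    """Return one Finding per successful interactive logon of a privileged
    account on a workstation. Failed logons (4625) and network logons are
    ignored; privileged logons to servers are considered expected."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if ev.get("LogonType") not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        account = ev.get("TargetUserName", "").lower()
        host = ev.get("WorkstationName", "")
        if account in PRIVILEGED_ACCOUNTS and host.startswith(WORKSTATION_PREFIX):
            findings.append(Finding(account, host, ev["LogonType"]))
    return findings


if __name__ == "__main__":
    for f in find_privileged_logons_on_workstations(SAMPLE_EVENTS):
        print(f"ALERT: privileged account {f.account} logged on interactively "
              f"(type {f.logon_type}) to workstation {f.host}")
```

On the constructed sample this yields a single alert, for corp-admin on WS-ASSIST-07; the same account’s RDP session to a server and its network logon to another workstation are treated as expected. In practice the two assumed lists would be fed from the directory’s privileged groups and the asset inventory, and the rule complements, rather than replaces, the privileged identity management controls the article goes on to mention.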
Sophisticated cyberweapons are adept at using privileged accounts. Stuxnet, for example, used a vulnerability in the Microsoft software that manages sending jobs to the printer to gain more privileges on the system and propagate across the network. Microsoft issued a security warning for this problem in September 2010. Flame, a cyberweapon discovered in May by researchers at Kaspersky Lab, takes advantage of other Microsoft vulnerabilities to escalate privileges. Microsoft has also warned users of this issue. On Monday Kaspersky researchers announced that Flame and Stuxnet originally shared some source code, which means the two efforts were likely related at some point before being developed further separately.
There are ways to digitally lock down administrator accounts and manage access to them using privileged identity management software from companies such as Cyber-Ark, Lieberman and Quest. About 20% of companies have these accounts under control, says Cyber-Ark’s Mokady.