Researchers at XM Cyber have uncovered a new means of carrying out e-mail attacks without the user or cyber security teams knowing. Attackers convert the user's account into a tool to invade the network and cause ongoing damage.
XM Cyber, an APT (advanced penetration testing) simulation platform provider, refers to these as 'the first threats of a post-phishing world'.
Igal Gofman, head of security research for XM Cyber, says he is always looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration.
"A recent area of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks."
The team simulated how a skilled adversary can easily pivot a compromised network by abusing commonly used email applications. "Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement," he explained.
Post exploitation techniques
The techniques he describes are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user's workstation.
"In many cases, adversaries use compromised account credentials to access employees' emails in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying."
He says XM Cyber has seen adversaries abusing cloud synchronisation options to sync malicious metadata such as email rules back to the user's workstation. Other techniques that were recently discovered by Black Hills penetration testers involve syncing Outlook Web Add-Ins to the user workstations. Those attacks are relatively easy to initiate and can be performed from the cloud.
According to Gofman, by performing a phishing campaign, the attacker can gain system access to a user's workstation and can control the installed mail client and all related communication. Instead of targeting users outside the organisation by sending phishing emails or using cloud services to sync malicious metadata, the cyber criminal can control all communication.
Watering hole sites
He says in many instances, advanced threat actors establish an internal Command & Control (C2 server) that can be used as a jump server to the outside world. "The jump server can act as a middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site."
Watering hole attacks happen when the target is a particular group, region or organisation. The actors behind the attack take note of the Web sites used by the target, and infects one or more of them with malicious code. It is usually only a matter of time before a member of the target group is compromised.
In this way, attackers are able to manipulate all mail hyperlinks shared by the compromised workstations or users, to redirect the recipients to an internal watering hole Web site, bypassing many of the link detection and firewall application control mechanisms. "The C2 server initiates a browser exploit to get a system-level privilege. If this attack is performed outside of the corporate perimeter without an internal C2 server, the risk of being caught is much higher."
File Share Hooking
A less common attack technique used by adversaries is to move laterally within the network through a technique called File Share Hooking (FSH), says Gofman. "A network share is typically made accessible to other users by marking any folder or file as shared, or by changing the file system permissions or access rights in the properties of the folder. If the attackers have gained write access to a shared location, they can replace the legitimate file with a malicious one."
FSH techniques can also be used to pivot on an internal network using a compromised mail application. "Firstly, the adversaries must have the ability to weaponise a legitimate file. They could do this by focusing on widely used shared files by email platforms. There are multiple exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities."
When a user's workstation is compromised, the attacker gains total control over email communications and can inject malicious code into legitimate office files, he explains. "These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file exploiting the responsible file application."
As collateral damage, cyber crooks could also dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.
Another instance is instead of exploiting vulnerabilities in common files, a hacker could employ a far stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. This is usually achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as SMB. The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication. NTLM is the successor to the authentication protocol in Microsoft LAN Manager.
Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides businesses with the ability to disable NTLM SSO authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass.
Gofman says all these examples he cited show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network.
XM Cyber researchers have demonstrated that this approach, together with scalable automation, is highly efficient and can be used to gain control over critical targets in real enterprise environments.
"The best way to protect against e-mail messaging attacks is to enable multi-layered mail protection," adds Gofman. "In most cases, spam, reputation or content filtering will not protect against advanced attacks. An effective email messaging defence mechanism must include some kind of malware sandboxing. All messages and attachments transported through the company mail server should be scanned for malware (viruses, spyware and anomalies). If malware is detected, the message should be quarantined or deleted."