Network-assessment

As if the threatscape couldn’t hold any more danger, IT teams must now add their favorite network administration tools as possible backdoor entry points for hackers.

Hackers have found a way to abuse LDAP, Kerberos, and NTLM, take over WMI and DCE/RPC, two popular network admin tools, to get admin privileges. After an initial infection sets in, they’ll use the post-exploitation tool Mimikatz to steal admin rights and then implant lateral-moving malware in the system. The version of Mimikatz hackers use has been beefed up with functionalities from stolen NSA tools.

When hackers install ransomware, the infections elude traditional antiviruses because of the admin rights involved. This is a new methodology that sidesteps the use of zero-day malware as a delivery mechanism. So far security researchers

Hackers Now Use Their Own Admin Tools Against Company Networks

As if the threatscape couldn’t hold any more danger, IT teams must now add their favorite network administration tools as possible backdoor entry points for hackers.

How the Strike Happens

Hackers have found a way to abuse LDAP, Kerberos, and NTLM, take over WMI and DCE/RPC, two popular network admin tools, to get admin privileges. After an initial infection sets in, they’ll use the post-exploitation tool Mimikatz to steal admin rights and then implant lateral-moving malware in the system. The version of Mimikatz hackers use has been beefed up with functionalities from stolen NSA tools.

When hackers install ransomware, the infections elude traditional antiviruses because of the admin rights involved. This is a new methodology that sidesteps the use of zero-day malware as a delivery mechanism. So far security researchers found two waves of attack both occurring in the aftermath of 2017’s NotPetya attacks. The first attack is involves a re-infection of machines implanted with the NotPetya malware. The second one is a smaller attack researchers dubbed as BadRabbit.

What Companies Can Do Against These Threats

What seemed to be an ironclad system has become yet another attack vector for hackers. In order to protect your company’s system, you and your IT team should start monitoring authentication traffic and restrict the use of LDAP, Kerberos, and NTLM protocols to authorized parties.

Aside from this, IT teams should also be properly armed with the power to monitor, dissect, and apply policies on authentication traffic. This will allow your IT team to block the use of unnecessary tools like Mimikatz or other malicious tools on your network.

When your IT team is able to monitor authentication logs and traffic over time, they gain an idea who is using these tools and for what purposes. This makes it harder for hackers to use insiders or exploit insider risk. Your team will be able to minimize these risks, make sure their tools are in the right hands, and lastly, your teams will be thoroughly familiar with your network environment to the point that hackers cannot easily hide their activities in your network.

Hackers are continually surprising networks with newer and newer ways to penetrate and infect systems. Give your IT team the power to be vigilant on all layers. Getting eyes on those logs will give your system an added security layer.

Post a comment