How to compromise government networks silently through abuse of trust. Governments rely heavily on third parties, for minor tasks like shipping through major tasks like database management. The trust between a government network and those third parties can be abused silently by using Shadow Admins and delegation.
"This is crown jewels material... a gold mine for a foreign intelligence service."
Joel Brenner, former NSA Senior Counsel

"... a treasure trove of information that is available to the Chinese until the people represented by the information age off. There's no fixing it."
Michael Hayden, former Director of the CIA
My Name Is...
Lavi Lazarovitz
Security Research @ CyberArk Labs
Research:
- Authentication protocols
- Privilege escalation and persistence
- Cloud security
Contributor to the CyberArk Labs GitHub repo
Former pilot and intelligence officer in the IAF
Timeline of the Attack (2012 to 2015, as laid out on the slide's timeline graphic)
- July: initial foothold
- Mar: US-CERT notifies OPM about a breach
- "Big Bang": network map exfiltration
- "Big Bang" execution
- Attackers install keyloggers
- May: initial foothold (second)
- Aug: USIS breach detected
- Sept: KeyPoint breach detected
- KeyPoint breached
- July: PII exfiltration
- Dec: pivot to the Department of the Interior
- Mar: fingerprints exfiltrated
- Apr 15: OPM detects anomalous SSL activity
- Apr 17: US-CERT discovers risk to PII
- Apr 23: US-CERT discovers exfiltration that occurred in Dec.
- Apr 24: attackers kicked out
US-CERT Recommendations
Trust Model
"The zero trust model requires strictly enforced user controls to ensure limited access for all users and assumes that all traffic traveling over an organization's network is threat traffic until authorized by the IT team."
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

"Generals are always preparing for the last war rather than the next one."
ICIT, Handing Over the Keys to the Castle
http://icitech.org/wp-content/uploads/2015/07/ICIT-Brief-OPM-Breach2.pdf
Permissions and ACLs in Active Directory
Principals that appear in the ACL: SYSTEM, Enterprise Admins, Domain Admins, Authenticated Users, User1, User2
AD objects that carry an ACL: Groups, Domain root, Containers, GPOs
Permissions shown on the diagram: FULL CONTROL, CREATE CHILD OBJECTS, DELETE CHILD OBJECTS, CHANGE PASSWORD, READ ONLY
Kerberos Features
S4U2proxy: allows a service to obtain a service ticket, on behalf of a user, to a different service.
S4U2self: allows a service to obtain a service ticket to itself in the name of a different user.
The Bottom Line
https://msdn.microsoft.com/en-us/library/cc246112.aspx
"This gives any service allowed access to the S4U2proxy extension a degree of power similar to that of the KDC itself."
"The S4U2proxy extension allows a service to obtain a service ticket to a second service on behalf of a user."
"When combined with S4U2self, this allows the first service to impersonate any user principal while accessing the second service."
The Attack Vector
Hunt Accounts Trusted for Delegation
Impersonate Another User
Abuse the Allowed Service
Trying To Constrain
Services validate a service ticket using their secret key, so a ticket is accepted by every service that shares that key:
- Services associated with the same account
- Services with the same password
Constraining delegation to one service principal name therefore does not limit access to that one service when the target account hosts other services as well.
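The "Hunt Accounts Trusted for Delegation" step and the shared-key caveat above, turned into a defender's audit. This is an added example, not code from the talk: the userAccountControl bit values are the real ones, while the account records (names, SPNs, delegation targets) are constructed to stand in for what an LDAP query would return.

```python
# Added audit example: flag delegation settings that enable the S4U2self /
# S4U2proxy abuse described in the slides. Bit values are the real
# userAccountControl flags; the account records below are constructed.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self)

# Constructed sample shaped like the AD attributes userAccountControl,
# servicePrincipalName and msDS-AllowedToDelegateTo.
SAMPLE_ACCOUNTS = [
    {"name": "websvc", "uac": TRUSTED_TO_AUTH_FOR_DELEGATION,
     "spns": ["HTTP/web01.corp.example"],
     "allowed_to_delegate_to": ["CIFS/files01.corp.example"]},
    {"name": "FILES01$", "uac": 0,
     "spns": ["CIFS/files01.corp.example", "LDAP/files01.corp.example"],
     "allowed_to_delegate_to": []},
    {"name": "legacysvc", "uac": TRUSTED_FOR_DELEGATION,
     "spns": ["MSSQLSvc/db01.corp.example:1433"], "allowed_to_delegate_to": []},
    {"name": "alice", "uac": 0, "spns": [], "allowed_to_delegate_to": []},
]


def audit_delegation(accounts):
    """Return one finding per account whose delegation settings need review."""
    # A service ticket is encrypted with the owning account's key, so every
    # SPN on that account is reachable with a ticket issued for any one of them.
    owner_of = {spn: acct for acct in accounts for spn in acct["spns"]}
    findings = []
    for acct in accounts:
        if acct["uac"] & TRUSTED_FOR_DELEGATION:
            findings.append({"account": acct["name"], "kind": "unconstrained",
                             "reach": ["*"]})  # any service, any user it sees
            continue
        targets = acct["allowed_to_delegate_to"]
        if not targets:
            continue
        kind = "constrained"
        if acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kind += "+protocol-transition"  # S4U2self: no user login required
        reach = set()
        for spn in targets:
            owner = owner_of.get(spn)
            reach.update(owner["spns"] if owner else [spn])
        findings.append({"account": acct["name"], "kind": kind,
                         "reach": sorted(reach)})
    return findings


if __name__ == "__main__":
    for f in audit_delegation(SAMPLE_ACCOUNTS):
        print(f"{f['account']:<10} {f['kind']:<32} -> {', '.join(f['reach'])}")
```

Note that websvc is listed as reaching LDAP on FILES01$ even though only CIFS was delegated, which is exactly the shared-key problem the slide calls out.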