A recent report from CyberArk shows that corporate Windows networks are most of the times improperly configured and end up exposing credentials for critical, privileged user accounts.
The report analyzed the presence of vulnerabilities and structural problems that related to credentials theft attacks, an infosec term that describes the act of stealing a user's password or password hash, and then using this information to log in as the user and steal sensitive data from the target PC.
These attack types can quickly escalate if the hacker manages to steal credentials for privileged accounts, like network administrators, or for users who have network-wide access. These kinds of attacks are highly efficient and were used in the wild against companies like Target in 2013, and Home Depot in 2014.
One or two machines can compromise the entire network
According to CyberArk's data, gathered by analyzing over 50 Windows-based corporate networks, in over 88% of the cases, the security researchers found "highly threatening machines" in the network's structure. These are computers that hold information, which, if hacked, can compromise the entire network, allowing attackers to access most, if not all company computers, using only the hacked (privileged) account.
But don't think that actual user accounts are the danger alone in these cases. Windows computers also provide privileged service accounts, used by various of the operating system's functions. These, just like regular user accounts, are just as susceptible to attacks as the others.
"We’ve seen similar credential theft methods as the basis for major attacks across a number of organization," said Andrey Dulkin, director of cyber innovation at CyberArk Labs. "Identifying these machines and securing the associated privileged credentials against theft and exploitation is a critical step in securing against advanced cyber attacks."
The full “Analyzing Real-World Exposure to Windows Credential Theft Attacks” report is available on CyberArk's website. The report also analyzes various credential abuse methods (Pass-the-Hash, Overpass-the-Hash, Kerberos attacks) and the effectiveness of different mitigation strategies.
110 Reykjavik, Iceland