Privilege Elevation Exploits Used in Over 50% Of Insider Attacks

Cyber Security Threat Summary:
A report published by Crowdstrike researchers indicates that insider threats are escalating, with Crowdstrike’s report indicating a surge in unauthorized actions using privilege escalation flaws. Approximately 55% of these threats leverage privilege scalation exploits, while 45% stem from downloading risky tools or misusing them. Motivations for insiders include financial incentives, grudges or conflicts with supervisors. The financial impact of these insider threats is staggering, averaging $648,000 for malicious and $485,00 for non-malicious incidents, potentially higher in 2023.

Critical to these attacks is gaining administrative privileges through flaws like CVE-2017-0213, CVE-2022l-0847 (DirtyPipe), CVE-2021-4034 (PwnKit), and others. These vulnerabilities, even listed in CISA’s Known Exploited Vulnerabilities Catalog, enable unauthorized software installs, log wiping, or diagnostic actions with elevated privileges. Even patched systems remain vulnerable through DLL Hijacking, insecure permissions, or Bring Your Own Vulnerable Driver attacks. Crowdstrike has seen multiple cases of exploitation of CVE-2017-0213 impacting a retail firm in Europe, where an employee downloaded an exploit via WhatsApp to install uTorrent and play games. Another case concerns a terminated employee of a media entity in the U.S.

Security Officer Comments:
However, nearly half of the insider incidents recorded by Crowdstrike concern unintentional mishaps like exploit testing getting out of control, executing offensive security tools without appropriate protection measures, and by downloading unvetted code. An example researchers detailed was security professionals testing exploits and exploit kits directly on a production workstation rather than through a virtual machine that is segmented from the rest of the network. Introducing these flaws into corporate networks can increase the overall security risk by providing threat actors who already have a foothold in the network with additional vectors for exploitation.

Suggested Correction(s):

  • Implement access controls: Ensure that only authorized users have access to sensitive systems and data, and limit access to only the resources that are necessary for an individual's job duties.
  • Conduct background checks: Perform thorough background checks on employees, contractors, and other insiders who will have access to sensitive systems and data.
  • Implement security training: Provide security awareness training to all employees, contractors, and other insiders to help them understand the importance of security and how to identify and prevent potential threats.
  • Monitor system and network activity: Regularly monitor systems and networks for unusual or suspicious activity, and alert appropriate personnel when potential threats are detected.
  • Implement incident response plans: Develop and implement incident response plans to ensure that appropriate steps are taken in the event of a security breach or other incident.
  • Review and update policies and procedures: Regularly review and update policies and procedures related to security and insider threats, and ensure that all employees, contractors, and other insiders are aware of and follow these policies and procedures.
  • Use multi-factor authentication: Implement multi-factor authentication to help ensure that only authorized users are able to access sensitive systems and data.
By implementing these best practices, organizations can significantly reduce the risk of insider threats and protect themselves from potential harm.