Privilege Escalation Explained: Types, Cases, And Prevention

Apr 24, 2022 / Kron

Rapidly advancing technology brings positive developments, but it also brings security problems such as privilege escalation. Privilege escalation, a somewhat loosely used cybersecurity term, is the act of exploiting a flaw in software, configuration or access control to obtain rights that were never granted to the attacker's account, and with them unauthorized access to systems inside the security perimeter. While the right applications make an organization highly efficient, the vulnerabilities in those same applications are open targets for cybercriminals.

Internal or external threat actors who want higher rights on a system take advantage of insufficient security controls in software. Their aim is first to gain a foothold on the target and then, through privilege escalation, to extend their control over it.

What is Privilege Escalation?

The term privilege escalation, which has come up frequently in recent years, refers to an attacker's attempt to obtain rights beyond those of the account they control. In a privilege escalation, a user who lacks the necessary privileges exploits a design flaw, bug or configuration error in the operating system or an application and gains unauthorized access to sensitive information. Privilege escalation occupies an important place in the cyber attack chain: with it, an attacker can run arbitrary commands on the server or operating system, introduce malware into the network, breach sensitive data, reach system resources or take over the system completely.

As a multi-stage attack that can seriously damage your server applications and operating system, privilege escalation is very dangerous to your organization's operations and reputation. Because it lets an intruder execute code on the system, it should be treated as an information security incident in its own right. A suspected privilege escalation attempt implies that confidential, sensitive and personal data on the affected system may have been accessed without authorization.

Types of Privilege Escalation

The privilege escalation process begins with an attacker gaining access to a low-level account by exploiting a vulnerability on a system they have reconnoitred. From there, the attacker uses one of two methods, horizontal or vertical privilege escalation, to increase their hold on the system. In horizontal privilege escalation the attacker tries to reach other accounts with the same level of privilege as the one already compromised. In vertical privilege escalation the attacker, starting from a low-level account, tries to reach accounts or processes with higher privileges.

  • Horizontal Privilege Escalation: In horizontal privilege escalation the attacker gains access to other accounts, data or functions at the same access level as the account used to start the attack. The attacker does not raise the privileges of the compromised account; they simply exploit the privileges legitimately granted to peers at that level, thereby widening the set of resources they can reach, for example by bypassing an authentication or ownership check on an e-commerce site and reading another customer's account and orders. Such attacks succeed against user accounts on systems where access control between accounts of the same level is weak.
  • Vertical Privilege Escalation: In vertical privilege escalation the attacker, having entered the system from a low-privilege position, keeps raising their privileges until they reach the targeted user or process level. Authorization levels on a system are designed to prevent a user at one level from accessing resources reserved for higher levels; vertical escalation defeats that design. Once the attacker reaches administrator or root level they can do almost anything, from harvesting credentials to stealing sensitive data, from deploying ransomware to deleting data. The attacker can also delete access logs and activity records, making it difficult to discover traces of the breach and of the escalation itself. This slows recovery, and the attacker gains time to plant malware on the system or network before anyone realizes an attack has occurred.
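The two types are easiest to tell apart in code. The following is an added example written for this article, not code from the original post or from any Kron product: a toy web backend with an order lookup and a profile update, each shown in a vulnerable and a hardened form. The horizontal case is a missing ownership check (a normal customer reads another customer's order by changing the ID); the vertical case is mass assignment (a normal customer submits an `is_admin` field the client was never meant to control). The user names, order IDs and field names are constructed for the illustration.

```python
"""Horizontal vs. vertical privilege escalation in a toy web backend.

Constructed example: an in-memory order store and user table, with two
handlers each shown in a vulnerable and a hardened form. The user names,
order IDs and field names (owner, email, is_admin) are assumptions.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised by the hardened handlers when an authorization check fails."""


@dataclass
class User:
    name: str
    email: str = ""
    is_admin: bool = False


def build_state():
    """Fresh constructed data: alice owns order 1001, bob owns order 1002."""
    users = {
        "alice": User("alice"),
        "bob": User("bob"),
        "admin": User("admin", is_admin=True),
    }
    orders = {
        1001: {"owner": "alice", "item": "laptop"},
        1002: {"owner": "bob", "item": "phone"},
    }
    return users, orders


# --- Horizontal: same privilege level, another user's data -----------------

def get_order_vulnerable(orders, session_user, order_id):
    # The caller is authenticated, but there is no ownership check, so any
    # logged-in user can read any order just by changing the ID in the request.
    return orders[order_id]


def get_order_hardened(orders, session_user, order_id):
    order = orders.get(order_id)
    # Treat "missing" and "not yours" identically, so order IDs belonging to
    # other users cannot be enumerated through differing error messages.
    if order is None or order["owner"] != session_user:
        raise Forbidden("order not accessible")
    return order


# --- Vertical: a low-privilege user promotes itself to admin ----------------

def update_profile_vulnerable(users, session_user, form):
    # Mass assignment: every submitted field is copied onto the account,
    # including is_admin, which the client was never meant to control.
    user = users[session_user]
    for key, value in form.items():
        setattr(user, key, value)
    return user


EDITABLE_FIELDS = {"email"}  # assumption: only the e-mail address is user-editable


def update_profile_hardened(users, session_user, form):
    user = users[session_user]
    unexpected = set(form) - EDITABLE_FIELDS
    if unexpected:
        # Reject rather than silently drop, so the attempt shows up in logs.
        raise Forbidden(f"fields not editable: {sorted(unexpected)}")
    for key in EDITABLE_FIELDS & set(form):
        setattr(user, key, form[key])
    return user


def attempt(handler, *args):
    """Run a handler and report 'allowed' or 'denied'."""
    try:
        handler(*args)
        return "allowed"
    except Forbidden:
        return "denied"


def demo():
    """Run both attacks against both variants and return the outcomes."""
    users, orders = build_state()
    results = {
        # bob, a normal customer, reads alice's order: horizontal escalation
        "horizontal_vulnerable": get_order_vulnerable(orders, "bob", 1001)["owner"],
        "horizontal_hardened": attempt(get_order_hardened, orders, "bob", 1001),
        # bob submits is_admin=True in a profile update: vertical escalation
        "vertical_vulnerable": update_profile_vulnerable(users, "bob", {"is_admin": True}).is_admin,
    }
    users, _ = build_state()  # reset so the hardened check starts from bob as non-admin
    results["vertical_hardened"] = attempt(update_profile_hardened, users, "bob", {"is_admin": True})
    results["vertical_hardened_is_admin"] = users["bob"].is_admin
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the hardened handlers check the identity carried by the session, not any field the user can edit; a hardened ownership check that compared against a user-editable display name would reopen the horizontal hole through the vertical one.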

How Does Privilege Escalation Work?

Exploiting configuration faults, software bugs and incorrect access controls, privilege escalation is one link in the attack chain: it gives the attacker access to data that their current account is not permitted to reach. Any sensitive component within a network or system, such as a web application server or an application programming interface, can be the point at which it happens.

Every local, interactive or remote access session on a system represents some form of authorized access. These authorizations range from the right to log in locally all the way to administrator or root privileges and full control of the system. A standard user has limited access to databases, sensitive files and other resources. In some cases users hold high privileges on resources without being aware of it, because their daily tasks never require more access than the minimum. An attacker who takes over such an account can abuse those privileges to move through the system and, through reconnaissance during the time spent there, find ways to raise their privileges further.

Privilege Escalation Attacks and Attack Methods

Attackers who have gained a foothold advance through the system by increasing their authority horizontally or vertically, according to their goals. After the initial intrusion they observe and explore the system and wait for the right opportunity to reach their targets. While carrying out their actions they also cover their tracks to make detection difficult, for instance by masking their source IP addresses or deleting the records of the credentials they use. When a threat is detected, the suspicious activity can be tracked, or the access session can be paused or terminated.

The second step in the attack chain usually involves escalating from the originally compromised account to an administrator, root or other higher-privilege account. If the first account compromised is already an administrator or root account, the attacker reaches their targets more easily.

A privilege escalation attack, which the intruder carries out through accounts they have compromised or are trying to compromise, typically consists of the following five steps:

  1. Finding the vulnerability
  2. Developing or obtaining an exploit for it
  3. Running the exploit on the system
  4. Checking whether the exploit succeeded
  5. Obtaining additional privileges

Attackers looking for exploitable security vulnerabilities, or for company employees they can exploit, may seek privilege escalation by the following methods:

  • Using credentials: Single-factor credentials such as a username and password are used to authenticate the user. An attacker who obtains them has direct access to sensitive data and systems, and aims above all to reach a system administrator account. With the credentials and access rights of an administrator, the attacker can move laterally through the system without raising suspicion.
  • Vulnerabilities and exploits in the system: A vulnerability is an error in design, code, configuration or implementation that allows malicious activity to occur. Vulnerabilities can exist at many points, from the operating system to the protocols between resources, from web applications to infrastructure. The presence of a vulnerability does not mean that privilege escalation will succeed, only that there is a risk of it.

Whether an exploit can gain privileges, execute code and keep operating undetected depends not only on the vulnerability but also on the privileges of the account under which it runs. An exploit can only act within the limits of the resource it has compromised, and it stops working once the vulnerability it relies on has been fixed. When the user or the vulnerable application has low privileges and no vertical escalation is available, the exploit's capabilities are restricted or it fails outright.

  • Misconfiguration: Misconfiguration is another form of exploitable vulnerability. It differs from a software bug in that fixing it requires no additional software, only a change to settings or enabled features that reduces the risk of exploitation.

The configuration issues most often used for privilege escalation are user accounts with weak default security settings: default passwords on administrator and root accounts set during initial configuration and never changed, and insecure access paths left open after initial setup. If such weaknesses are serious enough, an attacker can gain access to the system with administrator or root privileges with very little effort.

  • Malware: Malware is a class of unwanted software, including spyware, viruses, adware and ransomware, designed to carry out data theft, surveillance, and command and control on the resource it infects. As a cybercrime tool, malware can be installed on a resource through combinations of vulnerabilities and exploits, legitimate-looking installers, supply chain compromise, and social engineering such as drive-by web attacks or phishing.
  • Social engineering: Social engineering attacks are based on the psychological manipulation of people through channels such as e-mail and text messages in order to capture their information. A well-crafted message can easily convince a user to hand their details to the attacker. Social engineering exploits human traits such as trust, naivety, helpfulness and curiosity.
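The misconfiguration item above is the one a defender can check for directly. As an added example (written for this article, not code from the original post or from any Kron product), the script below audits constructed copies of `/etc/sudoers`, `/etc/passwd` and `/etc/shadow` for the weak default settings that most often hand an attacker root: passwordless `sudo` to any command, `sudo` granted to a group that covers nearly every account, a second UID-0 account, and an account with an empty password. The three file contents are constructed samples, and the set of group specifications treated as "broad" is an assumption.

```python
"""Audit Linux account configuration for common privilege escalation enablers.

The SUDOERS, PASSWD and SHADOW strings are constructed samples, not taken
from a real host. BROAD_SPECS is an assumption for this example.
"""
import re

SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL          # left over from initial provisioning
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%users  ALL=(ALL) ALL
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:0:0:service account:/home/svc:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
alice::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

BROAD_SPECS = {"ALL", "%users", "%everyone"}  # user specs that cover nearly every account

# sudoers rule layout:  user_or_group  host = (runas) [TAG: ...] command_list
SUDOERS_RULE = re.compile(r"^(?P<who>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.*)$")
TAG = re.compile(r"\b[A-Z]+:\s*")  # strips NOPASSWD:, SETENV:, ... from the command list


def audit_sudoers(text):
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments. This also drops #include directives; a full audit
        # would follow them into /etc/sudoers.d.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:
                findings.append(f"sudoers:{lineno}: authentication disabled globally")
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        who, cmds = m.group("who"), m.group("cmds")
        commands = TAG.sub("", cmds).strip()
        if "NOPASSWD:" in cmds and commands == "ALL":
            findings.append(f"sudoers:{lineno}: {who} may run any command as root without a password")
        if who in BROAD_SPECS and commands == "ALL":
            findings.append(f"sudoers:{lineno}: broad specification {who} may run any command")
    return findings


def audit_passwd(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"passwd:{lineno}: {name} has UID 0 (a second root account)")
    return findings


def audit_shadow(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, pw_hash = fields[0], fields[1]
        if pw_hash == "":  # empty hash field means login with no password at all
            findings.append(f"shadow:{lineno}: {name} has an empty password")
    return findings


def audit_all(sudoers=SUDOERS, passwd=PASSWD, shadow=SHADOW):
    return audit_sudoers(sudoers) + audit_passwd(passwd) + audit_shadow(shadow)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

The `backup` rule is deliberately not flagged: a `NOPASSWD` entry restricted to one command is the intended shape of a sudoers rule. It still deserves review in a real audit, because some commands (including `rsync`) can be coaxed into spawning a shell, but that is a judgement about the command, not a default-setting mistake.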

How to Prevent Privilege Escalation Attacks?

Since privilege escalation attacks can start in many ways and unfold through countless scenarios, several defensive measures are needed together to protect against them. Combining privileged access security controls with a centralized identity approach is effective both in warding off attacks and in stopping an attack that is already under way.

  • Manage the full identity lifecycle, including the provisioning and deprovisioning of identities, so that no orphaned account is left for attackers to hijack.
  • Use a password management solution to enforce strong credential practices consistently for both people and machines.
  • Apply least privilege: restrict administrative rights and reduce every user's privileges to the minimum required for their role.
  • Since attacks progress both horizontally and vertically, monitor and manage remote access security continuously.
  • Manage vulnerabilities by continuously identifying and remediating weaknesses such as missing patches and misconfigurations.
  • Monitor and manage all privileged sessions so that an illegitimate horizontal or vertical escalation attempt is detected quickly.
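The last point, detecting an escalation attempt quickly, comes down to watching the places where privileges change hands. As an added example (written for this article, not code from the original post or from any Kron product), the script below runs a few detection rules over constructed Linux `auth.log` lines: `sudo` used by an account that is not an expected administrator, `sudo` used to open an interactive root shell, a "user NOT in sudoers" denial, and a service account such as `www-data` switching to root with `su`. The log lines are constructed in the format sudo, su and pam_unix write, and the sets of expected administrators and service accounts are assumptions a real deployment would take from its own inventory.

```python
"""Detect privilege escalation indicators in Linux auth.log lines.

SAMPLE_LOG is constructed for this example. ADMIN_USERS and SERVICE_ACCOUNTS
are assumptions standing in for a real inventory.
"""
import re
from dataclasses import dataclass

ADMIN_USERS = {"alice"}                      # assumption: the only expected sudo user
SERVICE_ACCOUNTS = {"www-data", "postgres"}  # assumption: accounts that never log in interactively
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}

SAMPLE_LOG = """\
Mar  3 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:05:42 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:05:42 web01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)
Mar  3 10:06:01 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Mar  3 10:07:15 web01 su[2210]: (to root) www-data on pts/2
Mar  3 10:08:30 web01 su[2215]: FAILED SU (to root) alice on pts/0
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$")
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: (?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on ")


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def analyze_line(line):
    """Return the alerts raised by one log line (usually none)."""
    alerts = []
    m = SUDO_RE.search(line)
    if m:
        user, rest = m.group("user"), m.group("rest")
        if "user NOT in sudoers" in rest:
            # An unprivileged account probing for vertical escalation.
            alerts.append(Alert("sudo_denied", user, rest))
            return alerts
        fields = dict(part.strip().split("=", 1) for part in rest.split(" ; ") if "=" in part)
        target, command = fields.get("USER", ""), fields.get("COMMAND", "")
        if user not in ADMIN_USERS:
            # sudo succeeded for an account that should not have it: sudoers
            # drift, or a compromised account that was quietly granted rights.
            alerts.append(Alert("sudo_by_unexpected_user", user, command))
        if target == "root" and command.split(" ")[0] in SHELLS:
            # An interactive root shell leaves no per-command trail afterwards.
            alerts.append(Alert("root_shell_via_sudo", user, command))
        return alerts
    m = SU_RE.search(line)
    if m:
        user, target = m.group("user"), m.group("target")
        if m.group("failed"):
            alerts.append(Alert("su_failed", user, f"to {target}"))
        elif target == "root" and user in SERVICE_ACCOUNTS:
            # A web server or database account becoming root strongly suggests
            # the service was exploited and is now a stepping stone to root.
            alerts.append(Alert("service_account_su_root", user, f"to {target}"))
    return alerts


def analyze(lines):
    return [alert for line in lines for alert in analyze_line(line)]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] user={alert.user} {alert.detail}")
```

Alice's `apt update` and the pam_unix session line raise nothing, which is the point: the rules key on who is changing privilege level and what they do with it, not on the mere presence of `sudo` in the log.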

As explained above, data breaches resulting from privilege escalation can cause serious problems for a system and its network applications. Although it is becoming ever harder to protect systems against cyber attacks and the growing number of privilege escalation attempts, Privileged Access Management (PAM) systems, developed to counter both internal and external threats, provide a great advantage for end-to-end data and access security.

Single Connect, the Privileged Access Management product we have developed for institutions that want to stand out in today's rapidly digitalizing business world with secure systems, detects malicious activities that may result in privilege escalation and protects your privileged accounts and access to your critical digital assets.

With Single Connect you can control privileged sessions; authenticate users against the danger of privilege escalation with Two-Factor Authentication (2FA), which requires simultaneous geo-location and time verification; strengthen your cyber security in line with the Zero Trust approach; record activity on the system through the Database Access Manager & Dynamic Data Masking module; and mask your data with dynamic masking. In this way you secure your digital assets against both your own employees and third-party access. As a further protection mechanism, the Dynamic Password Controller, which also includes a password vault, lets you subject passwords requested for access to critical databases to various approval mechanisms, and manage passwords securely by eliminating password sharing.

Please do not hesitate to contact us for further information about the Single Connect PAM suite, which is scalable with its advanced modules.
