Along with its benefits, rapidly advancing technology brings many security problems, one of which is privilege escalation. Privilege escalation, a term that sounds more complicated than it is, refers to an attacker obtaining rights on a system that were never granted to them, usually after gaining an initial foothold inside the security perimeter. While the right applications bring efficiency gains in every area, the vulnerabilities in those applications become open targets for cybercriminals.
Internal or external threat actors who want higher rights on a system take advantage of insufficient security controls in software: they first gain a foothold on the target and then, through privilege escalation, extend their control over it.
What is Privilege Escalation?
Privilege escalation, a term that has come up frequently in recent years, describes an attacker's attempt to obtain rights beyond those of the account or process they currently control. With privilege escalation, a user who lacks the necessary privileges identifies a design flaw, bug, or configuration error in the operating system or an application and uses it to gain unauthorized access to sensitive information. Privilege escalation has an important place in the cyber attack chain: through it an attacker can run commands on the server or operating system with elevated rights, bring malware into the network, breach sensitive data, reach the system's resources, or take over the system completely.
As one stage of a multi-stage attack that can seriously damage your server applications and operating system, privilege escalation is a serious danger to your organization's operations and reputation. Because it allows intruders to execute code on the system, it should be treated as an information security incident in its own right. A suspected privilege escalation attempt may mean unauthorized access to confidential, sensitive, and personal data on the system in question.
Types of Privilege Escalation
There are two types of privilege escalation. Both start with an attacker gaining access to a low-privilege account by exploiting a vulnerability on a system they have surveyed; from there the attacker uses either horizontal or vertical privilege escalation to extend their hold over the system. With horizontal privilege escalation, the attacker uses the identified weakness to reach other user accounts that have a similar level of access. In a vertical privilege escalation scenario, the threat actor enters the system through a low-privilege account and works toward accounts or processes with higher privileges.
Horizontal Privilege Escalation: the attacker gains access to other accounts, their data, and their functions at the same access level as the compromised account used to initiate the attack. The attacker is not trying to raise the privileges of the account they came in with; instead they abuse legitimately granted user privileges to widen the set of resources they can reach, for example by bypassing an authorization check on an e-commerce site and viewing or operating another customer's account. In short, the attacker exploits low-privilege user accounts on systems whose access controls do not properly separate one user's data and functions from another's.
Vertical Privilege Escalation: the attacker logs in through a low-privilege access point and keeps elevating their privileges until they reach the targeted user or process level. Authorization on a system is designed so that a user at one privilege level cannot reach resources reserved for a higher level; vertical escalation defeats that design. Once the attacker has obtained root-level access, they can perform many actions, from harvesting credentials and stealing sensitive data to deploying ransomware and deleting data. The attacker can also delete access logs and activity records, making it hard to find any indication of a data breach, and therefore any evidence of the vertical privilege escalation itself. This hampers mitigation and gives attackers plenty of time to plant malware on the system or network before anyone realizes an attack has occurred.
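The e-commerce case above, as an added example that is not part of the original article: a Python order-lookup handler in its vulnerable form, where any logged-in customer can read any order by changing the id in the request (an insecure direct object reference), beside a hardened form that enforces an object-level ownership check. The order store, the `Session` type, the `Forbidden` exception and the handler names are constructed for this example.

```python
"""Horizontal privilege escalation in a web back end: an order-lookup
handler without an ownership check, beside the hardened version.
Added example; the order store, Session type and handler names are
constructed for illustration, not taken from any real application."""
from dataclasses import dataclass

# Constructed sample data: two customers, one order each.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00, "address": "1 Alice St"},
    1002: {"owner": "bob", "total": 99.50, "address": "2 Bob Ave"},
}


@dataclass(frozen=True)
class Session:
    """The already-authenticated user making the request."""
    username: str


class Forbidden(Exception):
    """Authenticated, but not authorized for this object."""


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """Authentication happened upstream, but nothing checks who owns the
    order, so any logged-in customer can read any order by changing the id
    in the request: the horizontal escalation described in the text."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise LookupError(f"order {order_id} not found") from None


def get_order_hardened(session: Session, order_id: int) -> dict:
    """Same lookup with an object-level authorization check. A missing order
    and another customer's order raise the same error, so the endpoint does
    not reveal which order ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session.username:
        raise Forbidden(f"order {order_id} is not accessible to {session.username}")
    return order


def can_access(session: Session, order_id: int) -> bool:
    """The hardened handler's decision as a boolean, for callers that only
    need allow/deny."""
    try:
        get_order_hardened(session, order_id)
        return True
    except Forbidden:
        return False


def demo() -> dict:
    """bob tries to read alice's order (1001) through both handlers."""
    bob = Session("bob")
    leaked = get_order_vulnerable(bob, 1001)   # succeeds: alice's address and total
    return {
        "leaked_owner": leaked["owner"],
        "hardened_blocks_other": not can_access(bob, 1001),
        "hardened_allows_own": can_access(bob, 1002),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check belongs in the data-access layer, where every route goes through it, rather than in individual handlers where it is easy to forget; and the hardened handler deliberately returns the same error for a missing order and for someone else's order.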
How Does Privilege Escalation Work?
Exploiting weaknesses such as configuration faults, software bugs, and incorrect access controls, privilege escalation is one link in the activity chain of a cyber attack, used to reach data and functions that the compromised account is not allowed to access. It typically targets sensitive access points within a network or system, such as web application servers and application programming interfaces (APIs).
Each local, interactive, or remote session on the system represents some level of authorized access. These levels span everything from a privilege that allows only a local login up to administrator or root privileges and full control of the system. A standard user has limited access to databases, sensitive files, and other resources. In some cases users hold higher privileges than they are aware of, because their daily tasks never require more than their role demands. An attacker who takes over such an account can move through the system, scouting for and abusing those unused privileges for as long as they remain inside.
Privilege Escalation Attacks and Attack Methods
Attackers who gain access to a system extend their control horizontally or vertically according to their goals. Once the initial intrusion is complete, they first observe the system to gather intelligence and wait for the right opportunity to reach their targets. Throughout, they try to erase traces of their activity so that detection is difficult, for example by masking their source IP addresses or deleting records of the credentials they used. When a threat is detected, it can be tracked, and the access session can be paused or terminated.
The second step in the activity chain usually involves privilege escalation from the originally compromised account to an administrator, root, or other high-privilege account. If the first account compromised is already an administrator or root account, the attacker reaches their goals far more easily.
A privilege escalation attack, which intruders carry out using account credentials they have already obtained or are trying to obtain, typically consists of five steps:
Finding the vulnerability
Developing or obtaining a privilege escalation exploit that matches it
Running the exploit on the system
Checking whether the exploit succeeded
Obtaining additional privileges
Attackers looking for security vulnerabilities, or for employees they can exploit, may carry out privilege escalation using the following methods:
Using credentials: Single-factor credentials such as a username and password are used to authenticate the user. An attacker who obtains such credentials has direct access to the sensitive data and systems they unlock, and their primary aim is to reach a system administrator account. Once administrator credentials and access rights are in hand, the attacker can move laterally through the environment without arousing suspicion.
Vulnerabilities and exploits in the system: Vulnerabilities are errors in design, code, configuration, or implementation that allow malicious activity. They can occur at many levels, from the operating system and the protocols between resources to web applications and infrastructure. The presence of a vulnerability does not mean a privilege escalation will succeed; it means there is a risk of one.
An exploit, which can gain privileges, execute code, and keep running undetected, depends not only on the vulnerability but also on the privileges of the account under which it runs. Exploits can operate only within the limits of the resource they have compromised, and they cannot proceed further unless another weakness exists. When the user or the vulnerable application has low privileges and vertical privilege escalation is not possible, the exploit's capabilities are restricted or it may fail altogether.
Misconfiguration: Misconfiguration is another form of exploitable weakness. It is defined as a flaw that needs no software fix, only a change to settings or supported features that reduces the risk of exploitation.
The most common configuration issues that enable privilege escalation involve user accounts with weak default security settings: default or unchanged passwords on administrator and root accounts created during initial configuration, and insecure access paths left open after initial setup. If these weaknesses are serious enough, an attacker can easily gain administrator or root privileges on the system.
Malware: Malware is the class of unwanted software, such as spyware, viruses, adware, and ransomware, designed to perform actions on a target such as data theft, surveillance, and command and control. As a cybercrime tool, malware can reach the target through combinations of vulnerabilities and exploits, legitimate installers, weaknesses in the supply chain, and social engineering via web-based attacks or phishing.
Social engineering: Social engineering attacks rely on psychological manipulation, through channels such as e-mail or text messages, to get people to hand over their information. A well-crafted message can easily convince a user, giving the attacker access to the user's credentials. Social engineering takes advantage of human traits such as trust, naivety, helpfulness, and curiosity.
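To make the misconfiguration category above concrete, here is an added example (not code from the article or from any product it mentions) that audits a Linux host for three configuration weaknesses commonly used for vertical privilege escalation: sudo rules that let a non-root user run any command as root without a password, root cron jobs whose script can be modified by other users, and setuid-root binaries that are writable. It goes beyond the password cases named in the text. The sudoers file, crontab and file listing are constructed inline so the example runs offline; on a real host they would come from /etc/sudoers and /etc/sudoers.d, /etc/cron.d, and a filesystem walk using os.stat().

```python
"""Audit for Linux misconfigurations that enable vertical privilege
escalation. Added example: the sudoers text, crontab and file listing are
constructed; on a real host they come from /etc/sudoers, /etc/cron.d and
os.stat() over the filesystem."""
from __future__ import annotations

import re
import stat
from dataclasses import dataclass

# ---- constructed host data ------------------------------------------------
SUDOERS = """\
# /etc/sudoers (constructed for this example)
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

CRONTAB = """\
# /etc/cron.d/jobs (constructed): min hour dom mon dow user command
*/5 * * * * root /opt/scripts/cleanup.sh
0 3 * * *   root /usr/local/bin/backup
"""


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int    # st_mode as os.stat() reports it (type bits + permission bits)
    owner: str


FILES = [
    FileInfo("/opt/scripts/cleanup.sh", stat.S_IFREG | 0o777, "root"),  # world-writable, run by root cron
    FileInfo("/usr/local/bin/backup", stat.S_IFREG | 0o755, "root"),
    FileInfo("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, "root"),  # normal setuid binary
    FileInfo("/usr/local/bin/helper", stat.S_IFREG | stat.S_ISUID | 0o775, "root"),  # group-writable setuid root
]

# user  host=(runas) [TAG: ...] commands   (simplified sudoers grammar)
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def writable_by_others(f: FileInfo) -> bool:
    """True if the file can be written by someone other than its owner.
    Group membership is not modelled, so a group-writable hit should be
    checked against which users are actually in that group."""
    return bool(f.mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_sudo_nopasswd_all(sudoers: str) -> list[str]:
    """Non-root principals allowed to run ALL commands as root with no
    password: a single `sudo -i` turns that account into root."""
    hits = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SUDO_RULE.match(line) if line else None
        if not m or m.group("who") == "root":
            continue
        if "NOPASSWD" in m.group("tags") and m.group("cmds").strip() == "ALL":
            hits.append(m.group("who"))
    return hits


def find_writable_root_cron(crontab: str, files: dict[str, FileInfo]) -> list[str]:
    """Root cron jobs whose script other users can modify: editing the
    script yields code execution as root on the next scheduled run."""
    hits = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)          # 5 schedule fields, user, command
        if len(parts) < 7 or parts[5] != "root":
            continue
        script = parts[6].split()[0]
        info = files.get(script)
        if info is not None and writable_by_others(info):
            hits.append(script)
    return hits


def find_writable_setuid_root(files: dict[str, FileInfo]) -> list[str]:
    """Setuid binaries owned by root that others can write: replace the
    binary and the next caller runs attacker code with root's effective uid."""
    return [f.path for f in files.values()
            if f.mode & stat.S_ISUID and f.owner == "root" and writable_by_others(f)]


def audit(sudoers: str = SUDOERS, crontab: str = CRONTAB, files: list[FileInfo] = FILES) -> dict[str, list[str]]:
    index = {f.path: f for f in files}
    return {
        "sudo_nopasswd_all": find_sudo_nopasswd_all(sudoers),
        "writable_root_cron": find_writable_root_cron(crontab, index),
        "writable_setuid_root": find_writable_setuid_root(index),
    }


if __name__ == "__main__":
    for finding, paths in audit().items():
        print(f"{finding}: {paths or 'none'}")
```

The sudoers parser handles the simple one-line rule form only; real files also use aliases, `Defaults` lines and `#include` directives, so on a real host run `sudo -l` as each account of interest rather than trusting this grammar alone.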
How to Prevent Privilege Escalation Attacks?
Since privilege escalation attacks can start in many forms and progress through countless scenarios, multiple layers of defense are needed to protect against them. Implementing privileged access security controls together with a centralized identity approach is effective both at warding off attacks and at stopping an attack that is already in progress.
Take full control of the identity lifecycle, including the provisioning and deprovisioning of identities, so that no orphaned or forgotten account is left for attackers to hijack.
Use a password management solution so that strong credential practices are applied consistently for both people and machines.
Apply the principle of least privilege: restrict administrator rights and reduce every user's privileges to the minimum their role requires.
As attacks can progress both horizontally and vertically, monitor and manage remote access security continuously.
Manage vulnerabilities by continuously identifying and resolving weaknesses, whether they require a patch or a configuration change.
Monitor and manage all privileged sessions so that an illegitimate horizontal or vertical privilege escalation attempt is detected quickly.
Data breaches resulting from privilege escalation can cause serious problems for systems and network applications. Although protecting a system against cyber attacks and ever-increasing privilege escalation attempts grows harder, Privileged Access Management (PAM) solutions, developed to counter both internal and external threats, provide a great advantage in end-to-end data and access security.
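As an added example of the session-monitoring recommendation above (not code from the article or from Single Connect), the following Python detector runs a few rules over Linux auth.log lines: sudo use by anyone outside an approved administrator list, a sudo command that opens an interactive shell as root, a sudo command that touches a sensitive file, and a service account switching to root with su. The log lines are constructed in the standard sudo and su syslog format, and the approved-admin, service-account and sensitive-path sets are assumptions standing in for your own policy.

```python
"""Detect suspicious privilege escalation attempts in Linux auth.log lines.
Added example: the log lines are constructed in the usual sudo/su syslog
format, and the policy sets below are assumptions standing in for a real
administrator list and sensitive-path list."""
import re
from dataclasses import dataclass

# Policy assumptions for this example.
APPROVED_ADMINS = {"alice"}                             # the only account expected to use sudo
SERVICE_ACCOUNTS = {"www-data", "nobody", "postgres"}   # must never become root
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh"}
SENSITIVE_PATHS = ("/etc/sudoers", "/etc/passwd", "/etc/shadow", "/root/.ssh")

# Constructed sample of /var/log/auth.log.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:44 web01 sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/bash
Mar  3 09:16:02 web01 su: (to root) www-data on pts/2
Mar  3 09:17:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/nginx/error.log
Mar  3 09:18:30 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 09:20:00 web01 sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
""".splitlines()

# "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?;\s*USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
# "su: (to <target>) <user> on <tty>"
SU_RE = re.compile(
    r"su(?:\[\d+\])?:\s+\(to (?P<target>[^)]+)\)\s+(?P<user>\S+)\s+on\s+\S+")


@dataclass(frozen=True)
class Alert:
    line_no: int
    rule: str
    user: str
    detail: str


def analyze(lines: list) -> list:
    """Apply each rule to every line; one line can raise several alerts."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.group("user"), m.group("target"), m.group("cmd").strip()
            binary = cmd.split()[0] if cmd else ""
            if user not in APPROVED_ADMINS:
                alerts.append(Alert(n, "sudo-by-unapproved-user", user, cmd))
            if binary in SHELLS and target == "root":
                alerts.append(Alert(n, "interactive-shell-via-sudo", user, cmd))
            if any(p in cmd for p in SENSITIVE_PATHS):
                alerts.append(Alert(n, "sensitive-file-via-sudo", user, cmd))
            continue
        m = SU_RE.search(line)
        if m and m.group("target") == "root" and m.group("user") in SERVICE_ACCOUNTS:
            alerts.append(Alert(n, "service-account-su-to-root", m.group("user"), line.strip()))
    return alerts


def summarize(lines: list) -> list:
    """(line number, rule) pairs: the compact form an analyst wants first."""
    return [(a.line_no, a.rule) for a in analyze(lines)]


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.rule} user={a.user} -> {a.detail}")
```

Rules like these produce candidates, not verdicts: an approved administrator opening a root shell may be entirely legitimate, which is why each alert carries the full command so that an analyst, or a recorded privileged session, can confirm what happened.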
Single Connect, our Privileged Access Management solution, protects your privileged accounts and access to your critical digital assets and detects malicious activity that may lead to privilege escalation attacks. It was developed for organizations that want to secure their presence in today's increasingly digitalized business world by securing their information technology systems.
Using Single Connect, you can control privileged sessions, authenticate users with two-factor authentication (2FA), and strengthen your security in line with the Zero Trust approach. Single Connect's Database Access Manager records activity on the system and protects your data with dynamic data masking, so that your digital assets are shielded from inappropriate employee or third-party access. As a further protection mechanism, the Dynamic Password Controller, with its password vault feature, routes the credentials needed to reach important databases through approval workflows and manages passwords securely, eliminating password sharing.
Please do not hesitate to contact us for further information about the Single Connect PAM product family, a scalable solution with advanced security modules.