Elevation of privilege flaws are the vulnerability most commonly leveraged by corporate insiders conducting unauthorized activities on their networks, whether for malicious purposes or simply by downloading risky tools in an unsafe manner.
A report by CrowdStrike based on data gathered between January 2021 and April 2023 shows that insider threats are on the rise and that the use of privilege escalation flaws is a significant component of unauthorized activity.
According to the report, 55% of insider threats logged by the company rely on privilege escalation exploits, while in the remaining 45% insiders unwittingly introduce risk by downloading or misusing offensive tools.
CrowdStrike also categorizes incidents as insider threats even when they are not malicious attacks against the company, for example using exploits to install software or to perform security testing.
In these cases, though the exploits are not used to attack the company, they are commonly run in a risky manner, potentially introducing threats or malware to the network that threat actors could abuse.
CrowdStrike has found that attacks launched from within targeted organizations cost an average of $648,000 for malicious and $485,000 for non-malicious incidents.
Besides the significant financial cost of insider threats, CrowdStrike highlights the indirect repercussions of brand and reputation damage.
CrowdStrike explains that utilizing privilege escalation vulnerabilities to gain administrative privileges is critical to many insider attacks, as in most cases rogue insiders start with low-level access to their network environments.
The above flaws are already listed in CISA's Known Exploited Vulnerabilities Catalog as they have been historically used in attacks by threat actors.
Even if a system has been patched for these flaws, insiders can gain elevated privileges through other means, such as DLL hijacking flaws in apps running with elevated privileges, insecure file system permissions or service configurations, or Bring Your Own Vulnerable Driver attacks.
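As an added illustration of the "insecure file system permissions or service configurations" route just mentioned, the following audit script is example code written for this edit, not code from CrowdStrike's report or from BleepingComputer. It flags two classic Windows service misconfigurations that a defender would want to find before an insider does: an unquoted ImagePath that contains spaces, and a service binary whose directory is writable by low-privilege principals. The service entries are constructed sample data; on a real host they would be read from the registry and the directory ACLs.

```python
import re
from dataclasses import dataclass, field

# Principals whose write access to a service binary's directory lets any
# local user replace the binary the service loads.
LOW_PRIV_PRINCIPALS = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
# Accounts under which a replaced binary would run with elevated rights.
HIGH_PRIV_ACCOUNTS = {"LocalSystem", "NT AUTHORITY\\SYSTEM",
                      "NT AUTHORITY\\LocalService", "NT AUTHORITY\\NetworkService"}


@dataclass
class ServiceEntry:
    name: str
    image_path: str            # raw ImagePath value as stored under the service's registry key
    run_as: str                # ObjectName: the account the service runs under
    dir_writable_by: set = field(default_factory=set)   # principals with write access to the binary's directory


def executable_from_image_path(image_path: str):
    """Split an ImagePath into (executable path, was_quoted).

    Quoted paths are unambiguous. For unquoted paths the service control
    manager tries each space-delimited prefix in turn, so we take everything
    up to the first '.exe' token as the intended executable.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]), True
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return (m.group(1) if m else s.split()[0]), False


def audit_service(svc: ServiceEntry):
    """Return a list of (finding, severity) tuples for one service."""
    findings = []
    exe, quoted = executable_from_image_path(svc.image_path)
    severity = "high" if svc.run_as in HIGH_PRIV_ACCOUNTS else "medium"

    # 1. Unquoted path containing spaces: Windows may resolve a shorter
    #    prefix (e.g. C:\Program.exe) before reaching the intended binary.
    if not quoted and " " in exe:
        findings.append(("unquoted_path_with_spaces", severity))

    # 2. Binary directory writable by low-privilege principals: a standard
    #    user could swap the executable that runs as the service account.
    weak = svc.dir_writable_by & LOW_PRIV_PRINCIPALS
    if weak:
        findings.append(("binary_dir_writable_by_" + "|".join(sorted(weak)), severity))

    return findings


def audit_services(services):
    """Map service name -> findings, omitting services with nothing to report."""
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc.name] = findings
    return report


# Constructed sample entries for this example (not taken from any real host).
SAMPLE_SERVICES = [
    ServiceEntry("GoodSvc", r'"C:\Program Files\Vendor\good.exe" -service',
                 "LocalSystem", {"BUILTIN\\Administrators"}),
    ServiceEntry("UnquotedSvc", r"C:\Program Files\Vendor App\agent.exe -k net",
                 "LocalSystem", {"BUILTIN\\Administrators"}),
    ServiceEntry("WritableSvc", r'"C:\Tools\updater.exe"',
                 "NT AUTHORITY\\SYSTEM", {"BUILTIN\\Users", "BUILTIN\\Administrators"}),
    ServiceEntry("UserSvc", r"C:\Apps\helper.exe",
                 "CORP\\svc_helper", {"Everyone"}),
]

if __name__ == "__main__":
    for name, findings in audit_services(SAMPLE_SERVICES).items():
        for finding, severity in findings:
            print(f"{name}: {finding} [{severity}]")
```

Severity is raised to high only when the service account is privileged, since a writable binary running as an ordinary domain account is a weaker foothold; the unquoted-path check deliberately mirrors how the service control manager parses the value rather than just looking for spaces anywhere in the string.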
CrowdStrike has seen multiple cases of exploitation of CVE-2017-0213 impacting a retail firm in Europe, where an employee downloaded an exploit via WhatsApp to install uTorrent and play games.
While almost all of these insider threat incidents would not be considered malicious attacks, they introduce risk by altering how a device is supposed to run or by potentially executing malicious or insecure programs on the network.
Nearly half of the insider incidents recorded by CrowdStrike concern unintentional mishaps such as exploit testing getting out of control, executing offensive security tools without appropriate protection measures, and downloading unvetted code.
CrowdStrike says some incidents were caused by security professionals testing exploits and exploit kits directly on a production workstation rather than through a virtual machine that is segmented from the rest of the network.
Introducing these flaws into corporate networks can increase the overall security risk by providing threat actors who already have a foothold in the network with additional vectors for exploitation.
More importantly, it is not uncommon for threat actors to create fake proof-of-concept exploits or security tools that install malware on devices.
In May, threat actors distributed fake Windows proof-of-concept exploits that infected devices with the Cobalt Strike backdoor.
In another attack, Rapid7 discovered that threat actors were distributing fake PoCs for zero-day exploits that installed Windows and Linux malware.
In both scenarios, installing the fake exploit on a workstation would allow initial access to a corporate network, which could lead to cyber espionage, data theft, or ransomware attacks.
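The fake proof-of-concept incidents above are a reminder that downloaded PoC code should be triaged before it is ever executed. The following static triage helper is example code added for this edit, not part of the original article or of the Rapid7 or CrowdStrike research it cites. It looks for traits a genuine reproducer rarely needs but a trojanized one usually has: a large embedded base64 blob that decodes to a PE or ELF header, an encoded PowerShell command line, or code that downloads and runs something at run time. The two PoC texts and the indicator patterns are constructed for the example; a production workflow would use a maintained rule set and run the file in an isolated VM regardless of the result.

```python
import base64
import binascii
import hashlib
import re

# Constructed indicator patterns for this example; a real workflow would use
# a maintained rule set (e.g. YARA) rather than these hand-written regexes.
PATTERNS = [
    # PowerShell launched with an encoded command, in any argument position.
    ("encoded_powershell",
     re.compile(r"powershell(?:\.exe)?[^\n]*(?<![\w-])-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)),
    # Fetches code at run time: shell pipe-to-interpreter or .NET download helpers.
    ("remote_fetch",
     re.compile(r"(?:curl|wget)\s[^\n|]*\|\s*(?:sh|bash)\b|(?:DownloadString|DownloadFile)\s*\(", re.IGNORECASE)),
    # Executes decoded data directly.
    ("dynamic_code_exec",
     re.compile(r"\b(?:exec|eval)\s*\(\s*base64\.b64decode", re.IGNORECASE)),
]
# A run of 200+ base64 characters is far longer than any legitimate constant a reproducer needs.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def embedded_executables(text: str):
    """Decode long base64 runs and report those that start with a PE or ELF header."""
    found = []
    for m in BASE64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(b"MZ"):
            found.append("embedded_pe")
        elif raw.startswith(b"\x7fELF"):
            found.append("embedded_elf")
    return found


def triage_poc(source_text: str):
    """Return a sorted, de-duplicated list of indicator labels found in a PoC's source."""
    hits = {label for label, rx in PATTERNS if rx.search(source_text)}
    hits.update(embedded_executables(source_text))
    return sorted(hits)


def sha256_of(text: str) -> str:
    """Hash of the file as received, to compare with the hash the researcher published (if any)."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed stand-ins: a fake PE header followed by NOP padding, and a fake ELF header.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x90" * 160).decode()
FAKE_ELF_B64 = base64.b64encode(b"\x7fELF" + b"\x00" * 200).decode()

# Constructed "PoC" showing the traits of a trojanized download (CVE id is a placeholder).
SUSPICIOUS_POC = f'''
# "PoC" for CVE-XXXX-XXXX
import base64, subprocess
payload = "{FAKE_PE_B64}"
open("stage2.exe", "wb").write(base64.b64decode(payload))
subprocess.run(["powershell.exe", "-nop", "-w", "hidden", "-enc", "QQBBAEEA"])
'''

# Constructed benign reproducer: only checks a service banner for an affected version.
BENIGN_POC = '''
import socket
def is_affected(host, port):
    with socket.create_connection((host, port), timeout=3) as s:
        banner = s.recv(64).decode(errors="replace")
    return "ExampleSvc/1.0" in banner
'''

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_POC), ("benign", BENIGN_POC)):
        print(f"{label}: sha256={sha256_of(text)[:16]}... indicators={triage_poc(text)}")
```

The check is deliberately conservative: a hit means "do not run this on a workstation, open it in a throwaway VM and read it first", not "this is malware", and an empty result does not clear the file, since an attacker can trivially split or obfuscate a payload below any fixed threshold.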
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 08 Dec 2023 17:20:20 +0000