Fortra’s Alert Logic has been covering and tracking PwnKit since its initial discovery, and we’ve developed the appropriate detection and coverage to both determine exposure and identify compromises.
PwnKit allows attackers to convert the toehold they may have gained on a network into a real foothold by ensuring their malicious program or command is executed with the highest system privileges available.
As discussed previously, the chaining of attacks that takes place with PwnKit elevates initial access to full control of a vulnerable machine, at which point the bad actor can carry out their objectives or use the machine as a springboard to move further into the network.
With this being a two-stage attack, it gives organizations some time to address their vulnerable systems – before any full compromise. However, the focus is typically around external threats, with less attention given to the possibility of an insider threat, where actors would typically already possess physical or authorized access to machines. Such an insider has perfect access to launch the PwnKit exploit.
However, the nature of the PwnKit vulnerability does not lend itself to every type of insider threat, so it’s important to understand where it runs the risk of being abused.
Narrowing Down PwnKit Insider Threats
1. Consider the operating system
The PwnKit exploit works on most Linux OS versions, but not Windows. It’s uncommon for standard users to be working off a Linux distro, so you can discount any generic disgruntled employee who’s limited to their laptop or desktop. Linux is more commonly used on the server, rather than client side. Therefore, the insider would need access to a Linux server, narrowing our insider threat to IT admins, dev-ops, and engineers.
So, we’ve narrowed it down to an IT power user. We can categorize this further into the malicious power user and the negligent power user.
2. Is the threat negligent or malicious?
The negligent power user would be one who inadvertently invites an attacker to take control of a standard user where they can use the PwnKit exploit. This could be done through poor SSH configuration hygiene, password policies, or failing to delete lapsed users.
The malicious IT power user is one who would actively look for a way to convert their legitimate access into illegitimate gains.
Profiling malicious users
Profiling a malicious insider begs the question: how could a privilege escalation exploit be beneficial to those who already have elevated privileges?
User accounts exist for two primary reasons:
- Assign individuals privileges they need to fulfill their tasks; and
- Attribute actions to a known individual.
It is best practice that even admin users have individual admin accounts, rather than sharing a single privileged account. This allows organizations to enact the security principle of least privilege and record audit trails of actions per user, creating accountability. Admin users know that actions they take can be traced back to them, meaning only a fool would carry out overtly malicious actions on their own account. Unfortunately, many organizations have not adopted this process.
PwnKit presents these users with another avenue for executing privileged commands, removing the direct link between themselves and the action.
For example, an admin could create an extra standard user account and then use the PwnKit exploit to carry out malicious actions with said account.
The account could even be sold on the Darkweb to give initial access to the highest bidder who can capitalize on the PwnKit exploit to carry out their objectives. Such an opportunity is ripe for Ransomware-as-a-Service (RaaS) groups.
Furthermore, if an organization has applied the principle of least privilege and limited the escalation privileges of users, the PwnKit exploit presents an opportunity for said user to give their account any privileges they like.
Detecting suspicious activity that may appear standard
Creating a standard user is not a malicious action on its own, and this activity can easily pass as legitimate admin activity. That is why it’s essential to:
- Continuously audit administrative activity and ensure it is logged in a centralized platform
- Perform regular reviews and/or advanced analytics on administrative activity to identify actions which fall outside of an established norm
Here at Alert Logic, we collate administrative activity from each organization we partner with to provide a set of predefined reports, documenting the last 24 hours of certain grouped activity. This includes accounts created/modified as well as privileged Linux commands. A full list of pre-defined reports is available here.
We also apply advanced machine learning analytics across the reports to identify actions that fall outside of an established norm. This allows us to alert on activity related to the insider threat opportunity PwnKit presents, such as accounts being created with abnormal policies or outside of usual activity hours. More information on how our log review machine learning engine works can be found here.
Simply collecting all this administrative activity, whether it occurred in a public cloud, data center, or satellite office, provides IT professionals with a single location to review all admin activity. Additionally, intelligent analytics direct you to individual occurrences which deserve special attention.
The log review process is essential for identifying lower fidelity indicators of compromise, as attackers (or in this case, an actual admin) often try to mimic and hide amongst legitimate admin activity. Early identification of suspicious events limits the potential impact that could occur if it progressed.
Detect Across the Kill Chain
In addition to a log review process, it is crucial to have detections across the kill chain. While attractive to focus on detecting initial access attempts, this insider threat example demonstrates how difficult it can be to identify initial access in every scenario.
Therefore, you must have advanced detections in place that are able to identify post-compromise activity, like the PwnKit priv-esc exploit, and others such as lateral movement or fileless attacks.
Alert Logic detects activity across the kill chain, and our analysts work with customers to create remediation plans and holistically eradicate compromises, as soon as possible.
