How hackers ‘chain vulnerabilities’ in business networks

By Paul Cragg
Paul Cragg, CTO at NormCyber, explains the hacking technique of chaining vulnerabilities and how businesses can reduce the risk of falling foul of it

Imagine a way that hackers can gain domain admin access to a network, which doesn’t involve having to steal or decode passwords. Sounds like something out of a spy novel, an impossible feat, surely? Except it is possible, and precisely what chaining vulnerabilities can do for the modern-day hacker.

Every CISO’s nightmare

Ransomware attacks can pose a threat at any time of day, leaving businesses scrambling to limit the damage after the crime has already occurred. CISOs dread getting that call in the middle of the night to tell them a breach has been detected, especially if ransomware is involved. Such an attack effectively means access to their systems is cut off until they pay up tens of thousands of pounds. Once they come to terms with the gravity of the situation, the first question they will ask themselves is: how could this happen to us? 

Ethical hackers conduct numerous penetration tests (pen tests) every year, giving them first-hand experience of hackers’ tactics, techniques and procedures. These have evolved to the point where ‘medium-rated’ – so, not quite severe – vulnerabilities can be exploited in order to access otherwise password-protected material.

They also see companies coming up against the same set of vulnerabilities and technical misconfigurations that were identified at previous pen tests. Leaving such issues unresolved can prove costly: if a typical pen tester can identify this recurring list of weak spots in a network, so too can a regular hacker. All they then need to do is ‘chain’ these together and you’ve got a perfect storm!

Domain Access rights - top of the hacker’s list

Medium-rated vulnerabilities are shiny puzzle-pieces for cyber criminals, and when pieced together correctly, they can reveal the credentials of IT managers and system administrators – the personnel with the most wide-ranging access rights. 

Unlocking Domain Admin rights ranks highest on hackers’ wish lists when sifting through the data from their exploits, as these rights allow them to edit information in Active Directory, the core database used for managing permissions and access to network resources. Once this grand prize has been won, it takes next to no time at all for hackers to compromise an entire network and render a company’s impeccable password security useless. So, how does chaining vulnerabilities work in practice?

How hackers chain vulnerabilities

Most attacks start with a simple phishing exercise, in which an employee is sent correspondence from the hacker aimed at planting malicious files on the company’s systems. In this example, the user – who may only have restricted or low-level network access – is unaware of the danger and proceeds to download the files. Once downloaded, these files alone cannot grant the hacker access to the whole network, but they do give them a basic vantage point inside the company.

At this point, a hacker will look into what communication protocols they can exploit. If there are any flaws in how devices and users on the network share information with each other, they’ve struck gold. 

A hacker may go straight to checking whether Link-Local Multicast Name Resolution (LLMNR) – the protocol that helps systems resolve the names of other devices on the network when DNS cannot – is in operation. If so, the hacker will then try to find machines on the network that do not require SMB signing (the setting is ‘false’), meaning the feature that verifies the origin and authenticity of information sent to them has not been enforced.

This is rated as a medium-level vulnerability and is one of the most overlooked, which makes it a favourite link in the hacker’s chain. With both requirements met, the hacker will start their attack in earnest.
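An added audit script (not from the article or NormCyber) that checks a Windows host for the two weak settings described above, LLMNR left on and SMB signing not required, and names the corrective setting for each; the registry paths and cmdlets are standard Windows ones, and the script assumes an elevated prompt on the host being checked.

```powershell
# Added example (not from the article): audits a Windows host for the two
# preconditions the article describes - LLMNR switched on and SMB signing not
# required. Registry paths are the standard Windows policy and service keys.
# Run from an elevated PowerShell prompt on the host being checked.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return [int]$item.$Name
}

function Test-ChainPreconditions {
    $findings = @()

    # LLMNR: the policy value EnableMulticast = 0 turns it off. When the value is
    # absent Windows leaves LLMNR on by default, so "missing" is the weak state.
    $llmnr = Get-RegistryDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $llmnrOk = ($llmnr -eq 0)
    $findings += [pscustomobject]@{
        Check  = 'LLMNR'
        Status = if ($llmnrOk) { 'OK' } else { 'WEAK' }
        Detail = if ($llmnrOk) { 'Multicast name resolution disabled' } else { 'LLMNR enabled: spoofed answers to name lookups are possible' }
        Fix    = 'GPO: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution = Enabled'
    }

    # SMB signing: RequireSecuritySignature = 1 must be set on the server side
    # (LanmanServer) and the client side (LanmanWorkstation). A relayed
    # authentication is useless against a host that insists on signed sessions.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $req = Get-RegistryDword "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" 'RequireSecuritySignature'
        $signOk = ($req -eq 1)
        $cmdlet = if ($svc -eq 'LanmanServer') { 'Set-SmbServerConfiguration' } else { 'Set-SmbClientConfiguration' }
        $findings += [pscustomobject]@{
            Check  = "SMB signing ($svc)"
            Status = if ($signOk) { 'OK' } else { 'WEAK' }
            Detail = if ($signOk) { 'Signing required' } else { 'Signing not required (value missing or 0)' }
            Fix    = "$cmdlet -RequireSecuritySignature `$true -Force"
        }
    }
    return $findings
}

Test-ChainPreconditions | Format-Table -AutoSize -Wrap
```

On recent Windows releases that require signing by default the registry value may be absent even though signing is enforced, so confirm a ‘WEAK’ result with Get-SmbServerConfiguration and Get-SmbClientConfiguration before raising it.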

Once the weakest links are chained, it’s full steam ahead

It all begins with ‘DNS poisoning’, whereby the hacker answers LLMNR name lookups with their own device so that other machines authenticate to it, giving them a foothold for wider access to the network. It’s called DNS poisoning because the Domain Name System (DNS) – the database that maps computers, services and resources on a network – is effectively contaminated with false information. This creates an unnoticeable but dangerous breakdown in communication on the network, which can be exploited particularly effectively against hosts whose SMB signing is not enforced.

This process may not yield great results at first, but once high-level users crop up on the hacker’s radar, it becomes gradually easier for them to gain access to crucial databases, such as those containing usernames and passwords.

If just one of these usernames contains the keyword ‘admin’, the hacker only needs to reuse the captured credential hash in place of the password – a method called pass-the-hash – and they have gained Domain Access rights. At this point, they have the power to compromise databases, create new admin accounts to sink their hooks into the network even further, or even exfiltrate data and deploy ransomware.

Although these network vulnerabilities are medium-rated, they must not be underestimated and should be remediated immediately once identified during pen testing. The example above may sound technical, but is relatively simple for a hacker to execute. Indeed, at the hands of an experienced hacker, all it takes is an hour or two for these long-standing unresolved issues to be chained and exploited. 

Breaking the attack chain

Cyber criminals are always looking for gaps in companies’ cyber defences, so it’s imperative that pen testing takes place to identify vulnerabilities, and crucially, that CISOs then act on the intelligence gathered to plug security holes in their systems. 

Up-to-date technology stacks, rigorous security processes and cyber-aware employees are the key pillars to any effective cyber security and data protection strategy. Ethical hacking attempts provide essential information for all three aspects, and – when acted upon – can help the C-suite sleep easy at night.
