In cybersecurity, “Pass the Hash” (PtH) is an attack technique that lets an attacker authenticate to other systems on the same network without ever knowing the victim’s plaintext password. Only the username and the password hash are needed: in NTLM authentication the NT hash of the password is the secret actually used to prove identity, so a stolen hash is as good as the password itself and never has to be cracked. This attack, first described more than twenty years ago, still drives medium and large companies crazy. What do you need to know? Can it be prevented? It is certainly hard to kill.
BRIEF HISTORY
Before getting to the heart of the attack, it is useful to know a little of its history. Pass the Hash was first publicly demonstrated in 1997. At the time of writing, in 2019, twenty-two years have passed since it was discovered, and better tooling and the spread of Windows domain networks have made the technique more powerful rather than less.
The name is still the same, and the Kerberos variant goes by a similar one (Pass the Ticket, which replays a stolen Kerberos ticket instead of an NTLM hash), but the underlying weakness is still there, sometimes more damaging than before, because there are more networked systems, everything is more connected and therefore in some respects more exposed.
Today, small, medium and large enterprises use a centralised directory that makes it easy to share files, folders and user accounts. On top of it, a single sign-on (SSO) system lets a user authenticate once and then access every application or IT resource they are authorised to use at corporate level.
All these conveniences that every employee or company manager has at their disposal bring many security issues with them. One of them is Pass the Hash (PtH). With this technique an attacker who controls one machine can harvest the credential material (NT hashes) that Windows keeps in memory for every user who has logged on to it, and reuse those hashes to move laterally to other machines, where the same harvesting is repeated. If one of the harvested hashes belongs to an account of higher administrative rank, the attacker can also move vertically (Vertical Privilege Escalation or Elevation of Privilege, EoP), gaining more and more control. The main aim is to gain control of the central server which, in a Microsoft Active Directory domain, is the Domain Controller, the machine that holds the credentials of every account in the domain.
The largest and most notorious APT (Advanced Persistent Threat) campaigns use this theft and reuse of credentials as a post-exploitation technique, i.e. after having already compromised a system and obtained local administrator permissions on it, which are required to read the cached hashes out of the memory of the LSASS process.
On Windows 10 and Windows Server 2016, fully updated at the time of writing, the PtH attack is made even easier by Mimikatz, a free and continually updated tool that can both extract hashes from memory (sekurlsa::logonpasswords) and reuse them (sekurlsa::pth) within one or more Active Directory domains.
STATE OF THE ART
Right now, PTH is used by the most damaging ransomware around. Basic ransomware encrypts all the files it finds on the victim’s computer; to decrypt them, the victim must pay a large sum in Bitcoin to the cybercriminal, with no guarantee that the decryption key will ever be handed over. One sample analysed in particular, SDEN Ransomware, not only encrypts all the files on a computer but also uses the PTH attack to spread through the company network, if one is present, and encrypts every machine it can reach.
HOW TO DEFEND YOURSELF
As is usually the case, the effort in MD (man-days) needed to defend against this attack is many times higher than the effort needed to carry it out. Defending oneself costs a lot more than attacking.
Eradicating the weakness completely would mean giving up single sign-on in the Windows domain, which is not realistic: SSO is very convenient and makes the management of users and network services simpler and faster. There are, however, feasible measures which are costly but shrink the attack surface considerably: keep privileged accounts from logging on to ordinary workstations (administrative tiering), give every machine a unique local administrator password so one dumped hash does not open all the others, enable LSA Protection and Credential Guard so that hashes cannot be read out of LSASS memory, and restrict or disable NTLM wherever Kerberos can be used instead.
To detect such attacks, experts recommend good IDS and IPS (Intrusion Detection System and Intrusion Prevention System respectively).
Host-based (HIDS / HIPS) and network-based (NIDS / NIPS) systems monitor behaviour in real time and raise an alert when it deviates from the established baseline. Newer IDS and IPS products add machine-learning models trained on large volumes of data to separate real danger from false positives, although such models still need tuning and a human analyst to confirm what they flag.
A SIEM (Security Information and Event Management) system collects and correlates logs so that the attacker’s lateral movement and Elevation of Privilege can be traced. For PTH the relevant Windows events are 4624 (logon) with logon type 3 and authentication package NTLM on the target hosts, 4776 (NTLM credential validation) on the domain controller, and 4624 with logon type 9 (NewCredentials) on the host where the stolen hash was injected into a new logon session.