Securing service accounts is a notoriously difficult task. One of the main reasons is that service accounts are often forgotten about and left unsupervised, so no one tracks their use or validates that they have not been compromised and used by malicious actors.
Additionally, having limited to zero visibility into these accounts is a key challenge when it comes to securing service accounts. The lack of visibility into service accounts also makes them an attractive target for threat actors. These accounts can be used to gain unauthorized access to sensitive data, systems, and resources and in many cases move laterally across an organization’s environment. The consequences of a successful attack on a service account can be severe, including data theft, system compromise, and even complete network takeovers.
In this post, we’ll explore the specific attack techniques threat actors utilize when targeting service accounts and will highlight a few well-known data breaches where service accounts were compromised and helped attackers move laterally.
Threat actors use different techniques to compromise and abuse service accounts. Let’s take a closer look at the most commonly used identity-based attack methods and how specifically they take aim at service accounts.
A brute force attack is the most common method used by threat actors, where attempts are made to guess a password or encryption key by trying all possible combinations of characters until the correct one is found. This method is particularly effective against weak or easily guessable passwords. Threat actors commonly use automated tools to rapidly try different passwords until they find one that works.
Threat actors will often use brute-force attacks to compromise service accounts that have weak passwords or no password policies, sometimes also attempting to bypass the security measures in place to protect against these types of attacks.
A Kerberoasting attack targets the Kerberos authentication protocol to obtain the password hash of Active Directory user accounts that have Service Principal Name (SPN) values, such as service accounts.
The threat actor first identifies the targeted users that have SPNs associated with them. They then request a Kerberos service ticket for a specific SPN associated with a user account. The service ticket is encrypted using that user’s password hash. Next, the threat actor takes the ticket offline, cracks it against the hash it was encrypted with, and reproduces the original plaintext password.
Service accounts are frequently targeted because they commonly have SPNs associated with them, which can then be used to request service tickets for other user accounts.
In a pass-the-hash attack, the threat actor can use a password hash to perform an NTLM authentication to other systems or services on the network without needing to know the actual password.
To carry out a pass-the-hash attack, the threat actor first obtains the service account’s password hash by either extracting it from a compromised endpoint’s memory or by intercepting the service account’s authentication traffic.
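To show what the brute-force and Kerberoasting patterns above look like from the defender's side, here is an added detection example (not code from the original post or from Silverfort) that runs over constructed, simplified Kerberos events: it flags service accounts that receive a burst of failed pre-authentications, and requesters that ask for RC4-encrypted service tickets across many SPN-bearing accounts. The event format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (not real Windows
# log output). 4771 = Kerberos pre-authentication failed (a bad password),
# 4769 = Kerberos service ticket requested. enc=0x17 is RC4-HMAC, the cipher
# Kerberoasting tooling typically asks for because RC4 tickets are keyed
# directly from the NT hash and crack much faster than AES tickets.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 id=4771 account=svc_backup client=10.0.0.5
2024-05-01T10:00:02 id=4771 account=svc_backup client=10.0.0.5
2024-05-01T10:00:03 id=4771 account=svc_backup client=10.0.0.5
2024-05-01T10:00:04 id=4771 account=svc_backup client=10.0.0.5
2024-05-01T10:20:00 id=4771 account=jsmith client=10.0.0.9
2024-05-01T11:00:00 id=4769 account=jsmith service=svc_sql enc=0x17 client=10.0.0.9
2024-05-01T11:00:01 id=4769 account=jsmith service=svc_web enc=0x17 client=10.0.0.9
2024-05-01T11:00:02 id=4769 account=jsmith service=svc_backup enc=0x17 client=10.0.0.9
2024-05-01T11:30:00 id=4769 account=bob service=svc_sql enc=0x12 client=10.0.0.7
"""

# Assumed inventory of SPN-bearing service accounts (constructed).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql", "svc_web"}

def parse_events(text):
    """Turn each constructed line into a dict with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def brute_force_suspects(events, threshold=4, window=timedelta(minutes=10)):
    """Service accounts with >= threshold failed pre-auths inside one window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == "4771" and ev["account"] in SERVICE_ACCOUNTS:
            failures[ev["account"]].append(ev["ts"])
    suspects = set()
    for account, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                suspects.add(account)
                break
    return suspects

def kerberoast_suspects(events, threshold=3):
    """(requester, client) pairs pulling RC4 tickets for many service accounts."""
    spns = defaultdict(set)
    for ev in events:
        if ev["id"] == "4769" and ev["enc"] == "0x17" and ev["service"] in SERVICE_ACCOUNTS:
            spns[(ev["account"], ev["client"])].add(ev["service"])
    return {key: sorted(names) for key, names in spns.items() if len(names) >= threshold}
```

In a real deployment the same two rules would read Security log events 4771 and 4769 from a SIEM and compare against an authoritative SPN inventory rather than a hard-coded set.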
Notorious Cyber Attacks That Used Compromised Service Accounts
In recent years, there have been several high-profile data breaches where service accounts were successfully compromised by threat actors. These attacks are clear examples of how threat actors target and use compromised service accounts to move laterally. By understanding these cases, we can gain a better appreciation of the risks associated with unsecured service accounts and the measures organizations can take to mitigate them.
The SolarWinds attack was a supply chain attack in December 2020. Threat actors compromised the SolarWinds Orion IT management platform build process and inserted a malicious backdoor into the codebase. This backdoor was then distributed to numerous organizations via legitimate software updates. Once installed on the target networks, the backdoor provided the threat actors with persistent access to the target systems, allowing them to exfiltrate data and move laterally within the networks.
How Service Accounts Were Involved
Service accounts played a crucial role in the SolarWinds attack. Compromised service accounts were used by the threat actors to move laterally through the targeted networks and access their resources. The threat actors targeted service accounts with high-level privileges, which allowed them to gain access to critical systems and data.
Once the threat actors gained access to the SolarWinds Orion IT management platform, they were able to obtain the credentials for several service accounts of SolarWinds. Once these accounts were compromised, the threat actors used the SolarWinds service accounts to move laterally through the network until reaching the ADFS server.
The data breach of the United States Office of Personnel Management (OPM) was discovered in June 2015. It was a classic example of a state-sponsored cyber-espionage operation by a Chinese advanced persistent threat (APT) group. The breach was facilitated by several technical and architectural gaps in the agency’s IT infrastructure: threat actors gained access to OPM’s systems using stolen credentials belonging to a third-party contractor who had privileged access to the network.
How Service Accounts Were Involved
The attackers initially gained access to the OPM network through a spear-phishing email, which allowed them to obtain the credentials of several OPM contractors. Once inside the network, the threat actors used the compromised credentials to gain access to several service accounts, including the KeyPoint Government Solutions (KGS) contractor’s service account. This account had high-level privileges and was used to manage and administer critical OPM systems.
The threat actors used the KGS contractor’s service account to move laterally through the network and access sensitive data, including the background investigation records of millions of current and former federal employees. The threat actors were able to exfiltrate this data over several months, during which time they remained undetected. They also used the service accounts to create backdoors on the network, which allowed them to maintain access to the network even after the initial breach had been detected.
Disclosed in 2018, the Marriott attack was one of the largest data breaches on record. Threat actors gained access to the company’s systems through a third-party vendor who had access to Marriott’s reservations database. Once inside the network, they were able to move laterally and escalate privileges in Marriott’s Active Directory infrastructure. After gaining access, the threat actors installed malware, which was used to steal data over several years. The breach went undetected for months, giving the threat actors ample time to steal large amounts of data.
How Service Accounts Were Involved
Threat actors were able to obtain the credentials of two privileged service accounts with domain-level admin access. They then carried out a pass-the-hash attack, using those accounts’ password hashes to compromise further service accounts with high-level privileges and reach Marriott’s Starwood reservation system, which contained the sensitive personal and financial information of millions of guests.
These service accounts had access to sensitive systems and data across the Marriott network, and their compromise allowed the attackers to move laterally through the network and escalate their privileges over an extended period of time, without being detected by Marriott’s security controls.
The Common Thread: Service Account Compromise
In each of these cases, threat actors were able to gain unauthorized access to sensitive systems or data by using compromised service accounts to move laterally across their victim’s network. These breaches highlight the importance of properly managing and securing service accounts to prevent unauthorized access and reduce the risk of breaches.
Now that we’ve discussed attack methods used by threat actors when targeting service accounts and highlighted high-profile breaches where service accounts were involved, our next post will show how Silverfort helps organizations discover, monitor, and protect service accounts by providing full visibility, risk analysis, and adaptive access policies without the need for password rotation.