The key ingredient in recent malware attacks
Lateral movement is one of the key reasons cyberattacks have become significantly more damaging over the last few years. Yet few organizations are aware of how this technique is being used by cybercriminals. In this piece, I’ll explain the concept behind lateral movement, and provide some tips on how organizations can protect against it.
About the author
Damien Benazet is Technical Account Management Director at Tanium.
The lateral movement technique has been key to the success of many high-profile attacks, including the WannaCry and NotPetya malware variants that struck organizations worldwide in 2017. Nearly all cyberattacks involve some form of lateral movement, a tactic in which attackers install ransomware on as many computers as possible, or search the corporate network for any valuable data, such as credit card information stored on servers.
In some attacks, lateral movement is a slow, cautious and stealthy process managed by a remote human fraudster. In others, it’s a lightning-fast traversal of endpoints, automated by malware that takes advantage of lax administrative permissions or unpatched vulnerabilities. The main principle of lateral movement is to gain access privileges on a target’s computer. Within most organizations there are typically a few main types of profile, each holding different access rights: guest profiles have access to a limited number of applications, user profiles are authorized to use their own workstation, and administrator profiles have a full set of rights, namely the use, installation, modification and deletion of applications and settings.
Once a hacker has managed to gain access to a machine on the company network, their goal is to find connection identifiers – also known as credentials – that will give them greater rights and allow them to perform further malicious operations. The first step in this ‘lateral movement’ is often to run a small piece of spyware called a “credential dumper,” which collects the other credentials present on the machine. It will then check whether any of the recovered credentials carries more important access rights than those already in its possession.
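The two behaviours described above, a credential dumper reading secrets on one machine and an account then fanning out across many endpoints, both leave traces a defender can look for. The following Python script is an added example written for this article; it is not code from the author or from Tanium. It runs two simple detections over constructed, simplified key=value log lines (the line format, the timestamps, host names, the 5-hosts-in-5-minutes threshold and the allowlist of processes expected to read LSASS are all assumptions chosen for the illustration and would need tuning in a real environment): one flags an account that logs on to an unusually large number of distinct hosts from a single source in a short window, the other flags a process accessing the LSASS process that is not on the allowlist.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample network-logon records (not from any real system).
# Simplified format: <timestamp> user=<account> src=<host> dst=<host> result=<outcome>
SAMPLE_LOGONS = """
2024-03-04T09:00:05Z user=alice src=WS-ALICE dst=FILESRV01 result=success
2024-03-04T09:01:10Z user=alice src=WS-ALICE dst=MAIL01 result=success
2024-03-04T09:02:00Z user=svc-backup src=WS-ALICE dst=WS-0101 result=success
2024-03-04T09:02:03Z user=svc-backup src=WS-ALICE dst=WS-0102 result=success
2024-03-04T09:02:05Z user=svc-backup src=WS-ALICE dst=WS-0103 result=success
2024-03-04T09:02:08Z user=svc-backup src=WS-ALICE dst=WS-0104 result=success
2024-03-04T09:02:11Z user=svc-backup src=WS-ALICE dst=WS-0105 result=success
2024-03-04T09:02:14Z user=svc-backup src=WS-ALICE dst=WS-0106 result=success
2024-03-04T15:30:00Z user=bob src=WS-BOB dst=FILESRV01 result=success
"""

# Constructed sample process-access records, modelled loosely on an endpoint
# sensor's "process A opened a handle to process B" event. Image names are
# constructed for the example.
SAMPLE_PROCESS_ACCESS = """
2024-03-04T09:01:50Z event=ProcessAccess source_image=MsMpEng.exe target_image=lsass.exe
2024-03-04T09:01:55Z event=ProcessAccess source_image=dump.exe target_image=lsass.exe
2024-03-04T09:01:58Z event=ProcessAccess source_image=dump.exe target_image=explorer.exe
"""

# Assumption: processes legitimately expected to read LSASS in this environment.
LSASS_READERS_ALLOWLIST = {"MsMpEng.exe"}


def parse_line(line):
    """Parse one '<timestamp> key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def fan_out_alerts(records, window=timedelta(minutes=5), threshold=5):
    """Flag each (user, src) pair whose successful logons reach `threshold`
    distinct destination hosts inside a sliding time `window`.
    One alert per pair, reporting the window in which the threshold was hit."""
    by_key = defaultdict(list)
    for r in records:
        if r.get("result") == "success":
            by_key[(r["user"], r["src"])].append(r)

    alerts = []
    for (user, src), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["dst"] for r in recs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src": src, "hosts": sorted(hosts),
                               "first": recs[start]["ts"], "last": recs[end]["ts"]})
                break
    return alerts


def lsass_access_alerts(records, allowlist=LSASS_READERS_ALLOWLIST):
    """Return process-access records where an unexpected process opened LSASS."""
    return [r for r in records
            if r.get("event") == "ProcessAccess"
            and r.get("target_image", "").lower() == "lsass.exe"
            and r.get("source_image") not in allowlist]


if __name__ == "__main__":
    for a in fan_out_alerts(parse_log(SAMPLE_LOGONS)):
        print(f"[fan-out] {a['user']} from {a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}: {a['hosts']}")
    for r in lsass_access_alerts(parse_log(SAMPLE_PROCESS_ACCESS)):
        print(f"[lsass] {r['source_image']} opened lsass.exe at {r['ts']:%H:%M:%S}")
```

On the sample data the fan-out rule fires for `svc-backup`, which logs on to six workstations in fourteen seconds, while the ordinary activity of `alice` and `bob` stays below the threshold; the LSASS rule fires once, for `dump.exe`. In practice both thresholds and the allowlist are the tuning knobs: backup, patching and inventory accounts legitimately touch many hosts, so a per-account baseline is usually needed before such a rule is worth paging on.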
These login credentials are often stored in the…