SeriousSam points out the serious gap in privilege escalation defense.
A recently discovered Windows vulnerability allows anyone who gets a foothold on a machine, even as an unprivileged local user, to read the registry hives that hold the local password hashes and from there obtain full local admin rights, bypass OS security controls and access sensitive resources. The privilege escalation flaw, known as SeriousSam or HiveNightmare, affects all versions of Windows 10 going back to version 1809, as well as the not yet released Windows 11.
Tracked as CVE-2021-36934, the flaw had no patch available at the time of writing, although Microsoft published a workaround within a day of the news breaking: re-enable ACL inheritance on the %windir%\system32\config directory and delete existing Volume Shadow Copy Service (VSS) shadow copies. It is a temporary solution, however, because deleting shadow copies also removes system restore points and can impact data backup and restore operations.
We’ll go with the SeriousSam naming for no reason other than the appealing alliteration. The flaw lets any local user read several registry hive files, including the Security Accounts Manager (SAM) database, because the files carry overly permissive Access Control Lists (ACLs) that grant the BUILTIN\Users group read access. Access to the SAM database ought to be restricted to administrators, since it contains the hashed passwords for all local accounts. Windows keeps the live hive files open, so in practice an attacker reads them from a VSS shadow copy, which preserves the same permissive ACLs. With copies of the SAM and SYSTEM hives (the SYSTEM hive holds the boot key needed to decrypt the SAM), an attacker can use a tool like Mimikatz to extract the NT hashes, then crack them offline or use them directly in pass-the-hash attacks. From there they can escalate to a privileged account with full admin rights and control.
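As an added example (not code from the original post, nor from Microsoft), here is a PowerShell check an administrator can run on a host to see whether the live hive ACLs grant BUILTIN\Users read access, how many shadow copies exist that would still carry the old ACLs, and, behind an opt-in switch, Microsoft's published workaround. The -Fix switch and the function name are assumptions made for this example; the icacls and vssadmin commands are Microsoft's documented workaround steps.

```powershell
# Added example for this post, not code from the original page or from Microsoft.
# Checks whether the SAM, SYSTEM and SECURITY hives under %windir%\System32\config
# grant read access to BUILTIN\Users (the CVE-2021-36934 condition), counts the
# shadow copies that would still expose the old ACLs, and optionally applies
# Microsoft's published workaround. Run from an elevated PowerShell prompt.
# The -Fix switch and Test-HiveReadableByUsers are names chosen for this example.
[CmdletBinding()]
param(
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'

# Well-known SID for BUILTIN\Users; comparing SIDs avoids locale-dependent group names.
$usersSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl only needs READ_CONTROL, so it works even though Windows keeps the live hive open.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $usersSid -and (($ace.FileSystemRights -band $readData) -eq $readData)) {
            return $true
        }
    }
    return $false
}

$configDir = Join-Path $env:windir 'System32\config'
$exposed = foreach ($hive in 'SAM', 'SYSTEM', 'SECURITY') {
    $path = Join-Path $configDir $hive
    if (Test-HiveReadableByUsers -Path $path) { $path }
}

# Shadow copies taken while the ACLs were permissive keep those ACLs, so an
# unprivileged user can still read the hives from them after the live files are fixed.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy).Count

if ($exposed) {
    Write-Warning "BUILTIN\Users can read: $($exposed -join ', ')"
} else {
    Write-Output 'Live hive ACLs do not grant BUILTIN\Users read access.'
}
Write-Output "Existing VSS shadow copies: $shadowCount"

if ($Fix) {
    # Microsoft's workaround, in this order: re-enable ACL inheritance on the config
    # directory so the hives pick up its restrictive ACLs, then delete the shadow
    # copies that still expose the old ones. Deleting shadow copies also removes
    # system restore points, which is why the post calls this a temporary fix.
    & icacls.exe "$configDir\*.*" /inheritance:e
    & vssadmin.exe delete shadows /for=$env:SystemDrive /all /quiet
}
```

Run it without -Fix first to see the host's state; a non-zero shadow copy count on a host whose live ACLs have already been corrected means the hives are still readable from the older copies, so both steps of the workaround are needed, not just the icacls change.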
SeriousSam is only the latest in a long string of privilege escalation vulnerabilities. Earlier this year, Microsoft disclosed a privilege escalation flaw — in its Defender security software no less—that remained hidden for 12 years.
Privilege escalation attacks fall into two categories:
Horizontal escalation — An attacker that has managed to get user access expands their privileges by gaining access to resources belonging to another, similar-level user.
Vertical escalation — Also called privilege elevation, this is when an attacker that has gained access to a user account, application, or system moves from a lower level of access privilege to a higher one. SeriousSam is a classic vertical escalation vulnerability.
An attacker may combine both techniques, moving horizontally until they reach a resource that can be exploited vertically, or vice versa. Privilege escalation forms the jumping off point for many attacks, making strong privilege escalation defense essential. The Colonial Pipeline attack is a glaring example: after the initial password breach, attackers gained administrative privileged access to deploy the ransomware.
In the case of SeriousSam, after gaining admin access an attacker could install ransomware or other malware, execute malicious commands, or move laterally through the network to other workstations or servers that use the same local admin credentials.
Privileged access management (PAM) controls and monitors user access to systems, functions and data depending on their authorization level. PAM follows the principle of least-privilege and applies not only to human users, but machines and applications. It’s a critical strategy for protecting an organization against the risks from credential theft and privilege misuse. With comprehensive PAM in place, if a device or account is breached, then damage can be limited, tracked and contained.
For privilege escalation defense against vulnerabilities like SeriousSam, however, PAM falls short. Once attackers gain access to the machine, they can move to privileged access, even if authorization levels for the initial compromised account are limited. At that point, it’s a cakewalk for bad actors to steal additional credentials, further elevate privileges and traverse the network until they reach their target.
The strongest defense against privilege escalation vulnerabilities like SeriousSam is to make sure attackers can’t gain access in the first place. If they can’t compromise an initial user, then they can’t exploit a privilege escalation vulnerability.
This means ensuring that all accounts, not just privileged ones, employ strong authentication. Most organizations today are aware of the risks from weak passwords, password reuse, and leaked credentials. Traditional multi-factor authentication (MFA) provides better protection than a single password, but it can also be bypassed through phishing, push-notification spam (MFA fatigue), SIM-swapping and other common attack methods. It also tends to frustrate users and slow productivity.
Passwordless MFA, on the other hand, brings stronger security than traditional MFA and friction-free login for the user. With True Passwordless MFA, it becomes much more difficult for attackers to exploit a flaw like SeriousSam since there are no passwords or shared secrets to compromise.
Incorporating passwordless MFA into your PAM strategy closes an urgent security gap. HYPR works with leading Privileged Access Management providers to strengthen identity security using our FIDO-certified passwordless solution.
Organizations don’t need PAM to benefit from passwordless MFA as a privilege escalation defense. HYPR removes the burden of complex authentication from IT teams and users, handling the process seamlessly and securely from end to end. To learn how HYPR helps organizations around the globe protect against SeriousSam and other credential-based attacks, talk to our experts.