Author: Geoffrey Mattson, CEO, Xage Security
In our increasingly digital world, companies managing information technology (IT) and operational technology (OT) systems must scrutinize their cybersecurity strategies closely. As cyber techniques evolve and threat actors exploit vulnerabilities (often targeting privileges and credentials), privilege escalation has emerged as a critical and pervasive threat.
These attacks are notoriously difficult to detect, underscoring the need for companies to be proactive and vigilant about cyber risks associated with this type of vulnerability. With the stakes higher than ever, understanding the complexities of privilege escalation is crucial for staying ahead in the relentless battle against cybercrime.
Attack Techniques Coming To The Surface
Privilege escalation is a sophisticated attack tactic that exploits vulnerabilities like system bugs, misconfiguration, stolen accounts or weak access controls to gain unauthorized higher-level access within a system.
These attacks can take multiple forms, each strategically designed to exploit specific weaknesses, elevate user privileges and compromise overall system security. They often occur in concert with lateral movement, in which an attacker uses one compromised system or account to gain access to other accounts or create brand-new accounts with similar or greater privileges.
The emergence of new privilege escalation vulnerabilities highlights a critical area of concern for cybersecurity. In the second half of 2024, CISA added new privilege escalation vulnerabilities in Windows, Linux, Android and other widely used software to its Known Exploited Vulnerabilities catalog.
During June’s “Patch Tuesday,” Microsoft addressed 49 vulnerabilities, with a staggering 49% classified as privilege escalation vulnerabilities. This trend continued in August when Microsoft disclosed updates for 85 vulnerabilities, with privilege escalation making up 37%—far surpassing any other individual vulnerability type.
The vast and growing number of privilege escalation-related vulnerabilities and attacks demonstrates the urgent need for effective remediation measures. While lateral movement is a common tactic associated with these attacks, there are dozens of other techniques and procedures listed in the MITRE ATT&CK Framework that companies should be aware of, including:
Vertical Privilege Escalation
Vertical privilege escalation involves gaining higher access levels within a single system, often seeking root or administrative privileges. Attackers achieve this by exploiting software flaws, misconfigurations or weak permissions. For instance, in June 2024, a VMware ESXi vulnerability allowed attackers to gain full administrative access simply by creating a user group called “ESX Admins” and adding a user to it.
Living Off The Land
Living off the land (LOTL) refers to attackers using existing legitimate tools within a system to carry out their activities instead of deploying malicious software. This tactic helps them blend in and evade detection by exploiting built-in tools. For example, attackers might use administrative tools or scripts to escalate privileges, move laterally or exfiltrate data, making their actions difficult to distinguish from normal operations.
Pass-The-Hash Attacks
Pass-the-hash attacks involve using hashed password data to gain unauthorized access to systems rather than the plaintext password. This method is effective in environments where authentication does not require plaintext, enabling attackers to impersonate users. With these techniques, attackers can move laterally or change privilege levels to escalate access.
Real-Life Privilege Escalation Attacks
Managing privileged credentials has become challenging in today’s IT and OT critical infrastructure environments, where modern systems intersect with legacy assets and operations span remote sites. This fragmented landscape often leads to privileged credentials being neglected or inadequately secured, leaving critical assets vulnerable.
Some of the most significant hacks in history highlight the critical importance of privilege escalation in large-scale and high-impact cyberattacks.
The Stuxnet worm was a sophisticated cyber weapon designed in 2010 to sabotage Iran’s nuclear program. It exploited multiple zero-day vulnerabilities to escalate privileges and manipulate Siemens PLCs controlling uranium centrifuges. By altering centrifuge speeds, Stuxnet damaged numerous units while masking its actions, demonstrating the potential for cyber tools to inflict real-world damage.
The attack involving SolarWinds in 2020 included hackers taking advantage of a vulnerable software update and embedding malicious code, affecting thousands of customers, including U.S. government agencies. SecurityWeek noted the attackers “leveraged a piece of malware named Raindrop for lateral movement and deploying additional payloads.” The incident underscored severe supply chain security risks and the threat posed by state-sponsored cyber adversaries, in this case linked to Russian actors.
Attackers involved in the 2023 MGM Resorts hack used social engineering and multifactor authentication (MFA) evasion to gain initial access, targeting the administrative users of the company’s identity provider. They eventually escalated to global administrator privileges within the cloud infrastructure, leading to estimated costs of around $100 million.
Privileged Access Management Strategies Fight Back
To ensure threat actors can no longer target security weaknesses within systems, companies must implement a privileged access management (PAM) strategy—but one that prioritizes protection first for the entire enterprise, including cloud and operational environments (OT, IoT and IIoT).
The traditional PAM approach of protecting only privileged accounts is incomplete in the current threat landscape. Privilege escalation techniques have made every human and non-human entity in an enterprise a risk vector.
Modern PAM strategies should include a baseline of proactive protection for the entire enterprise, with the ability to implement further protective measures for privileged accounts. Organizations must mitigate account risks while preventing lateral movement within their networks, ensuring that even compromised identities cannot escalate privileges to cause significant damage. A strong strategy enforces strict adherence to the principle of least privilege, granting users access only to the resources necessary for their roles.
A successful strategy should enable continuous access audits, implement MFA and use advanced session management. Additionally, it must include comprehensive logging and real-time alerts, facilitating rapid responses to suspicious activities. By ensuring that only verified users gain access to privileged accounts based on their roles, PAM becomes a critical safeguard for sensitive systems.
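The following is an added example, not code from the original article or from Xage Security, showing what the least-privilege and real-time-alerting controls described above look like in practice as a small audit-log monitor. It assumes a constructed JSON-lines audit format (one event per line with action, actor, group and member fields) rather than any vendor's real log schema, and an allowlist of who is sanctioned to hold each privileged role. The group name “ESX Admins” comes from the VMware ESXi case described earlier in the article; the other group and account names are invented for the demo. Unparseable audit lines are also flagged, since living-off-the-land activity relies on gaps in the record.

```python
"""
Added example: least-privilege checks plus alerting over privileged-access
audit events. Assumed JSON-lines format and invented sample data; not a real
vendor log schema and not the PAM product's own code.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Groups whose membership confers administrative rights. "ESX Admins" is the
# group from the article's ESXi example; the others are assumed names.
PRIVILEGED_GROUPS = {"ESX Admins", "Domain Admins", "Global Administrator"}

# Least-privilege allowlist: the accounts sanctioned to hold each role.
# Assumed content; in practice this is the PAM system of record.
# "ESX Admins" is deliberately absent: nobody should be creating it.
AUTHORIZED_MEMBERS = {
    "Domain Admins": {"alice"},
    "Global Administrator": {"alice"},
}


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" or "medium"
    line_no: int    # position in the audit stream, for triage
    reason: str


def evaluate(event: dict, line_no: int) -> Optional[Alert]:
    """Apply the least-privilege rules to one parsed audit event."""
    action = event.get("action")
    group = event.get("group")
    actor = event.get("actor")
    member = event.get("member")

    if action == "group_created" and group in PRIVILEGED_GROUPS:
        if group not in AUTHORIZED_MEMBERS:
            return Alert("high", line_no,
                         f"{actor} created privileged group '{group}' "
                         "that has no sanctioned definition")
        return None

    if action == "group_member_added" and group in PRIVILEGED_GROUPS:
        if actor == member:
            return Alert("high", line_no,
                         f"{actor} added themself to '{group}' (self-elevation)")
        if member not in AUTHORIZED_MEMBERS.get(group, set()):
            return Alert("high", line_no,
                         f"{actor} added unapproved account '{member}' to '{group}'")
        return None

    # Anything else (non-privileged groups, ordinary logons) is not alerted here.
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the rules over an audit stream and return the alerts in order."""
    alerts: List[Alert] = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # A gap in the audit trail is itself worth a medium alert.
            alerts.append(Alert("medium", line_no, "unparseable audit line"))
            continue
        alert = evaluate(event, line_no)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample audit stream (not real log data).
SAMPLE_LOG = [
    '{"ts":"2024-08-01T10:00:00Z","action":"group_member_added","actor":"helpdesk","group":"Helpdesk Users","member":"bob"}',
    '{"ts":"2024-08-01T10:01:00Z","action":"group_created","actor":"svc_backup","group":"ESX Admins"}',
    '{"ts":"2024-08-01T10:01:05Z","action":"group_member_added","actor":"svc_backup","group":"ESX Admins","member":"svc_backup"}',
    '{"ts":"2024-08-01T10:02:00Z","action":"group_member_added","actor":"alice","group":"Domain Admins","member":"carol"}',
    '{"ts":"2024-08-01T10:03:00Z","action":"group_member_added","actor":"admin_console","group":"Global Administrator","member":"alice"}',
    '<<corrupted audit record>>',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] line {a.line_no}: {a.reason}")
```

Run against the constructed stream, the monitor stays quiet for the Helpdesk Users change and for alice's sanctioned Global Administrator membership, and raises high-severity alerts for the creation of “ESX Admins”, the service account adding itself to it, and the unapproved Domain Admins addition, plus a medium alert for the corrupted record. The allowlist is the least-privilege policy made explicit: any privileged membership not on it is treated as an escalation until proven otherwise.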
In essence, a strategically implemented, modern PAM strategy is key to maintaining a secure environment and defending against rising privilege escalation attacks. This approach is not just advantageous but essential—providing robust protection to safeguard sensitive systems and uphold operational integrity.
Originally published on Forbes