The Significance of PwnKit to Insider Threats

This blog was originally published by Alert Logic here.

Written by Josh Davies, Alert Logic.

Alert Logic has been covering and tracking PwnKit since its initial discovery, and we’ve developed the appropriate detection and coverage to both determine exposure and identify compromises.

PwnKit allows attackers to convert the toehold they may have gained on a network into a real foothold by ensuring their malicious program or command is executed with the highest system privileges available.

As discussed previously, the chaining of attacks that takes place with PwnKit elevates initial access to full control of a vulnerable machine, at which point the bad actor can carry out their objectives or use the machine as a springboard to move further into the network.

With this being a two-stage attack, it gives organizations some time to address their vulnerable systems – before any full compromise. However, the focus is typically around external threats, with less attention given to the possibility of an insider threat, where actors would typically already possess physical or authorized access to machines. Such an insider is positioned perfectly to launch the PwnKit exploit.

However, the nature of the PwnKit vulnerability does not lend itself to every type of insider threat, so it’s important to understand where it runs the risk of being abused.

Narrowing Down PwnKit Insider Threats

1. Consider the operating system

The PwnKit exploit works on most Linux OS versions, but not Windows. It’s uncommon for standard users to be working off a Linux distro, so you can discount any generic disgruntled employee who’s limited to their laptop or desktop. Linux is more commonly used on the server, rather than client side. Therefore, the insider would need access to a Linux server, narrowing our insider threat to IT admins, dev-ops, and engineers.

So, we’ve narrowed it down to an IT power user. We can categorize this further into the malicious power user and the negligent power user.

2. Is the threat negligent or malicious?

The negligent power user would be one who inadvertently invites an attacker to take control of a standard user where they can use the PwnKit exploit. This could be done through poor SSH configuration hygiene, password policies, or failing to delete lapsed users.

The malicious IT power user is one who would actively look for a way to convert their legitimate access into illegitimate gains.

Profiling malicious users

Profiling a malicious insider begs the question: how could a privilege escalation exploit be beneficial to those who already have elevated privileges?

User accounts exist for two primary reasons:

1. Assign individuals privileges they need to fulfill their tasks; and
2. Attribute actions to a known individual.

It is best practice that even admin users have individual admin accounts, rather than sharing a single privileged account. This allows organizations to enact the security principle of least privilege and record audit trails of actions per user, creating accountability. Admin users know that actions they take can be traced back to them, meaning only a fool would carry out overtly malicious actions on their own account.

PwnKit presents these users with another avenue for executing privileged commands, removing the direct link between themselves and the action.

For example, an admin could create an extra standard user account and then use the PwnKit exploit to carry out malicious actions with said account.

The account could even be sold on the Darkweb to give initial access to the highest bidder who can capitalize on the PwnKit exploit to carry out their objectives. Such an opportunity is ripe for Ransomware-as-a-Service (RaaS) groups.

Furthermore, if an organization has applied the principle of least privilege and limited the escalation privileges of users, the PwnKit exploit presents an opportunity for said user to give their account any privileges they like.

Detecting suspicious activity that may appear standard

Creating a standard user is not a malicious action on its own, and this activity can easily pass as legitimate admin activity. That is why it’s essential to:

1. Continuously audit administrative activity and ensure it is logged in a centralized platform
2. Perform regular reviews and/or advanced analytics on administrative activity to identify actions which fall outside of an established norm

Detect Across the Kill Chain

In addition to a log review process, it is crucial to have detections across the kill chain. While attractive to focus on detecting initial access attempts, this insider threat example demonstrates how difficult it can be to identify initial access in every scenario.

Therefore, you must have advanced detections in place that are able to identify post-compromise activity, like the PwnKit priv-esc exploit, and others such as lateral movement or fileless attacks.

About the Author

Josh Davies is a Product Manager at Alert Logic. Formerly a Security Analyst and Solutions Architect, Josh has tremendous experience working with mid-market and enterprise organizations; conducting incident response and threat hunting activities as an analyst before working with organizations to identify appropriate security solutions for challenges across cloud, on-premises and hybrid environments.