Robert Page, lead penetration tester, Redscan

System administrators are the gatekeepers of corporate IT networks. From managing and maintaining assets through to overseeing access to critical systems, they have the power to control entire business networks. Owing to this high level of responsibility, sysadmins are increasingly being targeted by attackers as a way to obtain the virtual keys to an entire organisation.

What makes sysadmins a target of cyber-criminals?

It is a well-known fact that the UK IT industry is suffering from an ongoing skills shortage. This means that all-important sysadmins face severe time and resource pressures. In many organisations, a sysadmin is not only responsible for managing day-to-day IT functions but cyber-security as well. In the face of growing and increasingly sophisticated online threats, being expected to lead the protection of an organisation and its assets is a huge challenge. 

It can be easy to forget that many sysadmins are not trained cyber-security experts and can, on occasion, overlook risks that dedicated professionals would highlight. Unfortunately, attackers are well aware of this and, instead of targeting low-level users as a way into a network, are increasingly going straight for highly privileged sysadmin accounts.

Below are three common ways hackers are able to compromise sysadmins.

1. Installation of malicious macros on public file shares

One relatively easy, yet not widely publicised, tactic used by attackers once they have a foothold on a network is to insert malicious macros into documents that many people open, including those held on company file shares. Because attachments containing macros are normally blocked at the email gateway, many companies see no need to prevent macros from running in documents that originate inside the organisation; Office's own block on macros in files downloaded from the internet depends on the Mark of the Web, which a file opened from an internal share does not carry. This means that once attackers have bypassed the perimeter, they can plant harmful macros in commonly used files such as network diagrams and procedural documents. It is then a waiting game until an unsuspecting sysadmin opens a tampered file and enables content, at which point the macro runs with the sysadmin's privileges and can install malware or otherwise hand the attacker control of that account.

2. Abuse of NTLM SSP authentication

NTLM SSP is a Windows authentication mechanism that attackers can turn to their advantage by standing up a web server (or SMB listener) that demands NTLM authentication. When a sysadmin's browser connects to the malicious server, it is challenged for NTLM credentials, and browsers that authenticate automatically to what they consider intranet sites will silently respond with a challenge-response derived from the user's password hash (a NetNTLMv1 or NetNTLMv2 response). No password or plain hash crosses the wire, but the response can be cracked offline against a wordlist or relayed to another service that accepts NTLM.

The same tactic works inside a company's LAN by poisoning broadcast name-resolution protocols such as NetBIOS Name Service and LLMNR: the attacker answers queries for mistyped or non-existent hostnames so that the victim connects to the attacker's host and is forced into NTLM SSP authentication. Another variation of this attack, 'Hot Potato', uses a similar technique to gain administrative access to a host on which the attacker holds only a user-level account, by relaying an NTLM authentication from a privileged local service back to the host's own SMB service.

The underlying mode of attack here is man-in-the-middle (MITM), in which an attacker intercepts communications between two parties, whether people, computers or software components, and uses that position to attack security and cryptographic protocols. The practical defences are to disable LLMNR and NetBIOS name resolution where they are not needed, require SMB signing so that relayed sessions are rejected, and ensure browsers only authenticate automatically to sites in a tightly scoped intranet zone.

3. Gizmos

Perhaps the most exciting method hackers use to target sysadmins is the use of James Bond-style gizmos. A LAN Turtle, Rubber Ducky, WiFi Pineapple and Raspberry Pi may sound like a list of innocent items, but in the wrong hands these are devices that can be used to gain access to an organisation's network in a matter of minutes.

  • The LAN Turtle looks like a typical office USB Ethernet adapter, but once plugged into any computer's USB port (even if the machine is locked) it sits on the network as a covert implant, giving an attacker remote access, the ability to harvest credentials through MITM monitoring and a platform for wider network surveillance. 
  • The USB Rubber Ducky is a keystroke injection tool that looks like a regular USB storage device but is actually a keyboard emulator. Because it presents itself as a Human Interface Device, most operating systems accept it without question and it can deliver a malicious payload in just a few seconds. A Rubber Ducky and similar devices can type thousands of words per minute, which is highly useful for instigating brute-force attacks, injecting binaries and silently exfiltrating valuable company data. 
  • The WiFi Pineapple is a small box with a belt clip and wireless antennas that listens for nearby devices and the network names they probe for. It impersonates an access point those devices have previously joined and broadcasts a strong signal, so that laptops and phones in the area associate with it automatically and route their traffic through it. Once that happens, attackers can monitor the traffic to collect any credentials sysadmins send without encryption and push malicious files to identified devices. 
  • A Raspberry Pi is a cheap, credit card-sized computer that can be plugged into a spare network port (or, configured as a USB Ethernet gadget, into a computer's USB port) and controlled remotely to perform a wide range of monitoring and surveillance actions. Connecting a malicious Raspberry Pi behind an office printer or on any other port that lacks port security gives attackers a persistent foothold on the internal network from which to run the name-resolution poisoning and credential-capture attacks described above against Active Directory accounts.

How can Sysadmins protect themselves from being compromised?

The high level of network access that sysadmins possess means they will remain a prime target for cyber-criminals. Fortunately, there are a number of key steps that highly privileged individuals can take to protect themselves and reduce the overall security risk to their organisation.

Formal security training to raise awareness of the latest threats is a good starting point. Limiting employee access permissions to only the applications, devices and networks each role needs, as well as restricting physical access to key systems, also helps to minimise risk. For sysadmins in particular, that means using separate, dedicated accounts for administrative work rather than the account used for email and web browsing, so that a macro or a captured NTLM response from everyday activity does not yield domain-wide privileges.

For any sysadmin worried about their organisation's cyber-security posture, there are many helpful security services to lean on for informed advice. Attempting to improve security measures or remediate a breach without fully understanding the latest threats is inadvisable and could lead to greater damage. Dedicated security providers offering penetration testing and managed detection and incident response can provide a vital safeguard and help to ensure that sysadmins do not have to face the latest security threats alone.

Contributed by Robert Page, lead penetration tester, Redscan