Fortra’s Alert Logic has tracked PwnKit since its initial discovery, and developed the appropriate detection and coverage to both determine exposure and identify compromises.
PwnKit (CVE-2021-4034, a local privilege-escalation flaw in polkit’s setuid pkexec binary) allows attackers to convert the toehold they may have gained on a network into a real foothold: their malicious program or command is executed with the highest system privileges available, i.e. as root. The chaining of attacks that takes place with PwnKit elevates initial access to full control of a vulnerable machine, at which point the bad actor can carry out their objectives or use the machine as a springboard to move further into the network.
Because this is a two-stage attack (initial access first, then the local escalation), organizations have a window in which to patch vulnerable systems before full compromise. However, the focus is typically on external threats, with less attention paid to the possibility of an insider threat, where the actor already has physical or authorized access to the machines. Such an insider already has exactly the local access needed to launch the PwnKit exploit.
However, the nature of the PwnKit vulnerability does not lend itself to every type of insider threat, so it’s important to understand where it runs the risk of being abused.
Narrowing Down PwnKit Insider Threats
1. Consider the operating system
The PwnKit exploit works on most Linux distributions (pkexec ships by default on the major ones), but not on Windows. It is uncommon for standard users to be working on a Linux desktop, so you can discount the generic disgruntled employee who is limited to their laptop or desktop. Linux is far more common on the server side than on the client side, so the insider would need access to a Linux server, which narrows our insider threat to IT admins, DevOps staff, and engineers.
So, we’ve narrowed it down to an IT power user. We can categorize this further into the malicious power user and the negligent power user.
2. Is the threat negligent or malicious?
The negligent power user is one who inadvertently lets an attacker take control of a standard (unprivileged) user account, from which the attacker can run the PwnKit exploit. This can occur through inadequate SSH configuration, weak password policies, or failure to remove inactive user accounts.
The malicious IT power user would actively look for a way to convert their legitimate access into illegitimate gains.
Profiling malicious users
Profiling a malicious insider raises the question: how could a privilege escalation exploit be beneficial to those who already have elevated privileges?
User accounts exist for two primary reasons:
1. Assign individuals privileges they need to fulfill their tasks; and
2. Attribute actions to a known individual.
It’s best practice for each admin user to have their own individual admin account rather than sharing a single privileged account. This approach supports the security principle of least privilege and enables organizations to maintain audit trails for each user’s actions, enhancing accountability. Knowing that their actions are traceable discourages admins from engaging in malicious behavior. Despite its benefits, this practice is still not widely adopted by many organizations.
PwnKit presents these users with another avenue for executing privileged commands, one that does not go through sudo and therefore leaves no sudo audit record tying the action to their own account, removing the direct link between themselves and the action.
For example, an admin could create an extra standard user account and then use the PwnKit exploit to carry out malicious actions with said account.
The account could even be sold on the Dark Web to give initial access to the highest bidder who can capitalize on the PwnKit exploit to carry out their objectives. Such an opportunity is ripe for Ransomware-as-a-Service (RaaS) groups.
Furthermore, if an organization has applied the principle of least privilege and limited what users may escalate to (for example through a restricted sudoers policy), the PwnKit exploit presents an opportunity for said user to give their account any privileges they like.
Detecting suspicious activity that may appear standard
Creating a standard user is not a malicious action on its own, and this activity can easily pass as legitimate admin activity. That is why it’s essential to:
1. Continuously audit administrative activity and ensure it is logged in a centralized platform
2. Perform regular reviews and/or advanced analytics on administrative activity to identify actions which fall outside of an established norm
At Fortra’s Alert Logic, we collate administrative activity from each organization we partner with to provide a set of predefined reports, documenting the last 24 hours of certain grouped activity. This includes accounts created/modified as well as privileged Linux commands, available here.
We also apply advanced machine learning analytics across the reports to identify actions that fall outside of an established norm. This allows us to alert on activity related to the insider threat opportunity PwnKit presents, such as accounts being created with abnormal policies or outside of usual activity hours. More information on how our log review machine learning engine works can be found here.
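The review process above (centralized logging of admin activity, then flagging actions that fall outside an established norm, such as accounts created with abnormal attributes or outside usual hours) can be illustrated with a small rule-based pass over auth.log-style lines. This is an added example, not Alert Logic's engine or the original page's code: the log lines, host and user names are constructed, the per-admin working-hour baseline is an assumption standing in for what analytics would learn from history, and the pkexec message text is the one public analyses of PwnKit reported seeing when the exploit sets a bogus SHELL value (a careful attacker can avoid leaving it, so it is a supporting indicator, not a guarantee).

```python
"""Rule-based review of Linux admin activity for the PwnKit insider scenario.

Added example, not the original page's or Alert Logic's code. Sample log lines
and baseline hours are constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample of /var/log/auth.log lines (hypothetical host "web01").
SAMPLE_LOG = """\
Mar 14 10:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup
Mar 14 10:02:11 web01 useradd[2201]: new user: name=svc-backup, UID=1003, GID=1003, home=/home/svc-backup, shell=/bin/bash
Mar 14 23:41:05 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 -s /bin/bash tmpuser
Mar 14 23:41:05 web01 useradd[2390]: new user: name=tmpuser, UID=0, GID=0, home=/home/tmpuser, shell=/bin/bash
Mar 15 03:12:44 web01 pkexec[2455]: tmpuser: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/bin/sh]
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)
# Messages pkexec emits when handed a bogus SHELL/environment value; public
# PwnKit write-ups report these in auth.log for the common exploitation path.
PKEXEC_INDICATORS = (
    "The value for the SHELL variable was not found",
    "contains suspicious content",
)

# Assumed baseline: hours in which each admin normally acts (in practice this
# would be learned from prior activity rather than hard-coded).
BASELINE_HOURS = {"alice": (8, 18), "bob": (8, 18)}


@dataclass
class Finding:
    severity: str
    host: str
    actor: str
    reason: str
    line: str


def review(log_text, baseline=BASELINE_HOURS):
    """Walk the log once and return findings that merit an analyst's attention."""
    findings = []
    last_sudo = {}  # host -> actor of the most recent sudo entry, used to attribute useradd
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        hour = int(m["time"][:2])

        if prog == "sudo":
            s = SUDO_RE.match(msg)
            if not s:
                continue
            last_sudo[host] = s["actor"]
            lo, hi = baseline.get(s["actor"], (0, 24))
            if not lo <= hour < hi:
                findings.append(Finding("medium", host, s["actor"],
                                        f"privileged command at {hour:02d}:xx, outside baseline hours: {s['cmd']}",
                                        line))

        elif prog == "useradd":
            u = USERADD_RE.search(msg)
            if not u:
                continue
            actor = last_sudo.get(host, "unknown")
            reasons = []
            if u["uid"] == "0" or u["gid"] == "0":
                reasons.append("UID/GID 0 (abnormal account policy)")
            lo, hi = baseline.get(actor, (0, 24))
            if not lo <= hour < hi:
                reasons.append("created outside actor's baseline hours")
            if reasons:
                severity = "high" if u["uid"] == "0" or u["gid"] == "0" else "medium"
                findings.append(Finding(severity, host, actor,
                                        f"account {u['name']} created: " + "; ".join(reasons), line))

        elif prog == "pkexec" and any(ind in msg for ind in PKEXEC_INDICATORS):
            actor = msg.split(":", 1)[0].strip()
            findings.append(Finding("high", host, actor,
                                    "pkexec logged a bogus SHELL/environment value, consistent with a PwnKit attempt",
                                    line))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} actor={f.actor}: {f.reason}")
```

Run against the constructed sample, the alice account creation during working hours produces nothing, while bob's late-night sudo, the UID 0 account it creates (attributed to bob via the preceding sudo line) and the later pkexec message from that new account are all surfaced. The attribution step is the point: the useradd line on its own names no actor, so correlating it with the sudo record is what lets the reviewer tie the secondary account back to the admin who made it.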
By aggregating all administrative activity — whether from a public cloud, data center, or satellite office — IT professionals gain a centralized location for reviewing all admin activities. Furthermore, intelligent analytics pinpoint specific incidents that warrant closer scrutiny.
The log review process is essential for identifying lower-fidelity indicators of compromise, as attackers (or, in this case, an actual admin) often try to mimic and hide amongst legitimate admin activity. Early identification of suspicious events limits the potential impact should the activity progress.
Detect Across the Kill Chain
Alongside a thorough log review process, it is essential to implement detections across the entire kill chain. Although detecting initial access attempts is important, this insider-threat example shows why initial access cannot be identified in every case.
Therefore, you must have advanced detections in place that are able to identify post-compromise activity, such as the PwnKit privilege-escalation exploit itself, lateral movement, and fileless attacks.