Unraveling the Marriott Breach & Examining Credential Theft Attacks

Unraveling the Marriott Breach & Examining Credential Theft Attacks

BY: Tim Keeler, Founder & CEO at Remediant

What Happened

The recent Marriott breach involved the theft of employee credentials. Specifically, attackers obtained the login credentials for two franchise property employees which gave them access to a third party guest application used to deliver guest services. From there, attackers were able to harvest guest information needed to execute spear-phishing campaigns: Full contact details were exposed, including names, mailing addresses, email addresses and phone numbers as well as other personal data like company, gender and birthdays.

Key Observations

Based on known attacker patterns (as well as what transpired in the prior Marriott breach), the next step in the attack would be a convincing spear phishing campaign on the compromised guests. The goal of the campaign would be to gain access or deliver malware into a guest / victim’s business device. From there, attackers would use the access to create a backdoor into the victim’s company network by (1) finding the administrator accounts that have standing access to the victim’s workstation (e.g., IT admins, helpdesk) and (2) using Mimikatz to dump the password or password hash of those accounts to pivot into other systems on the company network that account might have access to.

Two key observations from this breach:

  • The intent behind the theft is more strategic: Guest data has not shown up on dark web sites indicating the theft is not a “smash and grab.” The intent is more strategic, much like the prior Marriott breach and the Office of Personnel Management (OPM) breach. In the OPM breach, the attackers were selective about what identities were stolen, with a focus on key government officials.
  • The application may not be the prize, but a means to administrator privileges on the OS: The initial stages of a spear phishing campaign indicate that the end goal is phishing into a Marriott guests company workstation. This MO is also readily apparent in the recent SFO airport breach (where employee web application credentials were stolen and used to authenticate to their windows machines). In addition, in the case of the recent Zoom breach, two flaws (UNC path injection, unvalidated installer execution) were leveraged by attackers to gain administrator or “root” level privileges within the Zoom user’s device (and subsequently, their company network).

While no entity has claimed responsibility, both observations are consistent with attack methods of known nation state hackers.

How Remediant could have helped?

Remediant could have helped in two ways:

  • Prevented the ultimate theft of administrator privileges: With Remediant in their environment, Marriott’s security team could have surfaced all the workstations and servers with standing administrator privileges and removed their access in bulk. This implies that even if attackers successfully stole credentials and authenticated, they would not have access. No access or administrator rights would render those credentials useless in carrying out an attack
  • Reduced the blast radius of the ongoing attack: One of Remediant’s key differentiators is the abiltiy to quickly configure policies and remove privileges across thousands of workstations and servers with a single action. During an ongoing attack where a threat actor is moving laterally, Remediant could have allowed Marriott to remove privileges across all their endpoints (at milliseconds per endpoint) thereby “boxing in” the attackers and limiting where they can move next.

Advice to organizations

Firms should “assume breach” when it comes to their employee credentials. This is especially true when your critical assets are of interest to nation state actors. The credential is low hanging fruit with 74% of breached organizations admitting the breach involved access to a privileged account. Instead, firms should shift their focus to authorization and reduce the value of those credentials to attackers. This can be done by removing the standing, always on privileges granted to workstations and granting them back on a just enough, just in time basis. This calls for a new model of administrator security called Zero Standing Privilege. Firms can achieve Zero Standing Privilege by first (1) understanding where administrator standing rights exist, (2) continuously monitoring the rights to see how they evolve and (3) removing those standing rights and only granting them back on a just in time, just enough basis. To learn more, please visit: https://www.remediant.com/blog/who-really-has-access-to-your-work-laptop

About the Author

Tim Keeler authorTim Keeler is the Founder and CEO of Remediant, a leading provider of Privilege Access Management (PAM) software. Earlier in his career, Tim worked at Genentech/Roche from 2000 to 2012 and was a leader on the Security Incident Response Team. After that, Tim provided enterprise security consulting for a variety of clients including UCSF, Genentech/Roche, Gilead Sciences and CardioDX. Follow him on Twitter and LinkedIn.

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.