21
May 2015

PuTTY Problems: Solving Threats with Privileged User Management

Andy Harris

This week, Symantec warned firms of a malicious version of PuTTY – a popular open source tool frequently used by IT administrators. It’s thought the trojan’s authors distributed the malware in a deliberate attempt to harvest highly prized privileged account credentials, which could then be used to devastating effect in targeted attacks. This is not the first time such a threat has reared its head and it won’t be the last.

So perhaps it’s time IT leaders used this opportunity to reassess authentication systems for their staff and seek out new privileged user management tools to neutralise such threats altogether.

What happened?

PuTTY is a popular open source SSH/Telnet/Serial console client used by system and database administrators and developers as a means to connect securely to remote servers. As such, the data sent via the tool through SSH connections is considered highly sought-after, especially the user’s log-in credentials. The attackers behind the malicious version of PuTTY hosted the trojan on an unofficial site, reached if users made the mistake of searching for the tool rather than visiting the official download page. Altering an open source program to steal information in this way isn’t particularly new, and in fact this same malicious version of PuTTY has been seen before in the wild, way back in late 2013.

Why is it dangerous?

However, the reappearance of this malicious version of PuTTY chimes with another development in the threat landscape which we’ve noted with increasing concern at Osirium: the targeting of IT administrators by hackers involved in advanced, persistent targeted attacks. The rationale is very simple: compromise privileged account credentials and you have a great chance of gaining the highest level of network access possible – giving you complete control over a system. From there it’s just one small step to finding the data you’re looking for – whether it’s sensitive IP, customer information or in the case of last year’s Sally Beauty attack, the ability to download PoS malware to every single store. Compromising an admin account rather than that of a regular member of staff makes for a quicker and easier attack, as the hackers don’t need to escalate privileges to reach the database they’re looking for. And there’s more chance of going undetected, as IT employees’ accounts tend to allow for activity which would otherwise set internal alarm bells ringing, such as bulk downloads.

Many organisations are labouring under the assumption that their IT department is too “tech savvy” to fall for such attacks. But there are literally scores of different ways for attackers to grab their passwords. Spear phishing attempts are now well understood, but can you be sure your IT admins are able to spot an email made to appear authentic thanks to weeks of careful planning and reconnaissance? Even this malicious version of PuTTY stands a good chance of success because it is usually whitelisted by security filters. In short, IT leaders must consider their department as a major target for advanced attackers and take appropriate steps to mitigate that risk.

Time to mitigate

So what’s the best way to deal with this particularly nasty piece of malware? Here is a brief checklist, but I’d suggest the final point on privileged user management is the only one that can really lock down risk going forward.

  • Look at size of the file – the trojan version of PuTTY is significantly bigger
  • Check the “about software” information
  • Always download software tools from the official developer’s page
  • Consider privileged user management systems which don’t require IT admins to remember/enter passwords for access to key servers/assets. Hiding this stage of the log-in process from the user mitigates a wide area of risk, making intrusions at this level much harder for targeted attackers.