Security experts have warned of a resurgence in Kerberoasting attacks as cyber crime groups evolve to be more effective in targeting businesses. Researchers at CrowdStrike recorded a 583% increase in Kerberoasting over the last 12 months – a worrying trend since the attacks can be used in parallel with ransomware to cause maximum damage.
Kerberoasting is an attack method in which adversaries compromise the Kerberos authentication protocols used on Windows devices to provide access to IT environments based on service principal names (SPNs). This avenue of attack is not new – it has been around since 2014.
But weaknesses in the complex infrastructure operated by many businesses today including legacy and cloud technology are making it increasingly attractive to adversaries.
Adding to this, Kerberoasting can be very lucrative to attackers, because successful compromise provides them with access to a company’s entire IT infrastructure. So what is Kerberoasting, why are these attacks difficult to detect and prevent, and what can firms do to protect themselves?
What is Kerberoasting?
The Kerberos authentication protocol was first developed at the Massachusetts Institute of Technology (MIT) in the 1980s. Designed to allow users and services to prove their identities without sending plain text passwords over the network, the protocol was later adopted as the default authentication mechanism for operating systems.
Attacks on the protocol followed, with the concept of Kerberoasting introduced by security researcher Tim Medin in 2014. During the same year, the first known Kerberoasting attacks targeted government agencies and financial institutions.
Since then, it’s been used by adversaries across various sectors. It has been part of espionage campaigns and recently, Kerberoasting was reportedly utilized by the Russian government in supply chain attacks, says Chris Vaughan, VP technical account management at Tanium.
He cites the example FIN7 – a Russian threat group linked to Kerberoasting attacks targeting organizations in industries including healthcare, finance, and retail. “They have also been known to use Kerberoasting in conjunction with other attacks, such as ransomware and data exfiltration,” Vaughan adds.
Create a risk-aware culture that enables proactive risk management.
DOWNLOAD NOW
Adversaries use Kerberoasting attacks to gain control of a network's service accounts. Tim Rawlins, senior advisor at NCC Group explains how attacks play out: “The hacker interacts with a domain controller's ticket-granting server service using an authenticated account. They request service tickets associated with SPNs linked to vulnerable accounts. The service tickets contain encrypted data, and the attackers crack this offline to reveal the plain text password.”
Attackers target service accounts that use Kerberos to look out for weak or easily guessable passwords that can be cracked quickly, says Kevin Curran, IEEE senior member and professor of cyber security at Ulster University. “These accounts are often used to run services within the network, such as database servers and web applications.”
Kerberoasting attacks stand out for their ability to operate without generating any noticeable alerts or conspicuous activities within the network, making compromise challenging to detect and prevent. Detecting Kerberoasting can be difficult firstly because requesting a ticket is a legitimate operation, says Rawlins. “Skilled attackers can evade detection by spacing out their requests and making them appear non-malicious.”
Kerberoasting attacks can be dangerous within internal infrastructures, as they provide an opportunity for malicious users to perform privilege escalation, says Jasmine Gillard, infrastructure and cloud consultant at penetration testing company Pentest People. She says a publicly facing Kerberos port can be “exceptionally dangerous, potentially leading to the compromise of internal systems and data”.
She explains how she’s encountered this issue during a penetration testing engagement. “I compromised a user account and found that the organization had a public-facing Kerberos service. I performed the Kerberoasting attack and was able to successfully retrieve a hashed password for a service account, which was successfully cracked using offline tools, providing me with the clear text password and my start to privilege escalation, eventually leading to the domain administrator.”
This example highlights the “catastrophes that can ensue” if firms use weak passwords and misconfigured services, says Gillard, who adds attacks are often chained together.
What is the impact of Kerberoasting attacks?
Kerberoasting attacks will have a growing impact as adversaries use technology to become more efficient. A recent development involves using cloud-based tools for executing Kerberoasting attacks. “These tools streamline the process, eliminating the need for specialized knowledge or skills,” says Vaughan.
The trend towards automation is also becoming prominent among attackers executing Kerberoasting attacks. “This automated approach allows them to target a vast number of accounts with speed and efficiency,” Vaughan warns.
At the same time, Kerberoasting attacks are frequently intertwined with other strategies, most of which prey on weak password protection. “Brute forcing the password algorithm, for example, involves an attacker trying a set of common credentials,” says Vaughan. “Kerberoasting aids in identifying accounts with poor passwords, which can subsequently be exploited by brute force cracking.”
It's a growing risk, and experts agree that to tackle Kerberoasting attacks, it’s important to know how to detect and prevent them. As part of this, a multi-layered security strategy is critical, says Rawlins. “The root cause is weak passwords, so enforce robust policies for both service and user accounts, ensuring the use of complex credentials.”
Firms should also look out for the hallmarks of an attack. While Curran concedes that the signs of a Kerberoasting attack are not always obvious, he points to indicators including unusual service ticket requests, failed login or unauthorized access attempts, and unusual network traffic patterns.
Taking this into account, businesses can track unusually high ticket request volumes and recognize specific request patterns associated with known hacking tools such as Rubeus, says Rawlins. “The use of honeypot accounts – which trigger an alarm if used to request tickets – and monitoring ticket requests from unexpected user accounts can be useful to detect Kerberoasting,” he adds.
At the same time, companies can defend themselves from Kerberoasting by adopting encryption for network traffic to help prevent attackers from intercepting it, says Curran. It’s also important to educate your workforce about the risks associated with Kerberoasting attacks. “This includes instilling awareness about the importance of strong passwords for service accounts, adopting a zero-trust approach to protecting endpoints,” says Vaughan. “You should prohibit password sharing and promote caution when encountering emails from unknown sources.”
