How Service Desk Exploits Put Your Organization at Risk

The IT Service Desk Is One of the Most Dangerous Identity Security Risks Today
IT support service desks are the unsung heroes of the modern organization. They resolve technical issues, recover files, reset forgotten passwords, and keep employees productive. However, the fact that IT support technicians can hold broad privileged access, reset credentials, override security blocks, and access critical systems makes service desk exploits a key tactic for threat actors.
If attackers compromise the service desk, they can potentially undermine security for the entire organization. Such attacks occur every day and have devastating consequences. From nation-state espionage to ransomware gangs, the service desk is on the front lines of the identity security battleground, as threat actors seek new ways to log in rather than hack in.
Why Service Desk Exploits Attract Threat Actors
Service desks are designed to help, not hinder. However, the way this assistance is operationalized creates inherent risks that attract attackers.
Social Engineering at Scale
Through a combination of basic online research and vishing (voice phishing), or potentially even AI deepfakes, attackers can all too easily impersonate employees, contractors, or executives. The goal? To convince service desk employees to enroll attacker-controlled devices for multi-factor authentication (MFA), reset credentials, or bypass security controls.
This social engineering allows the attacker to easily compromise a target identity, especially in cases where they have already compromised a password, but were previously thwarted by MFA. The service desk becomes the attacker’s “MFA fix”.
Because identity verification processes often rely on basic or easily obtainable information, they pose minimal protection against a determined attack. Attackers will instead gather necessary information from public sources, previous data breaches, or simply call an employee and ask.
Dial #9 for an outside line: Internal service desk phone numbers are often not published externally. However, attackers will call a public support number, claim to be an employee who has dialed the wrong number, and ask to be transferred to the actual service desk. This provides them with access and, in some cases, makes the call appear to originate from within the organization, thereby reducing any suspicion.
Exploiting Remote Access and Standing Privileges
In some cases, compromising the identity of a single service desk employee could be akin to compromising every identity in the entire organization. With widespread standing privileges and access to almost all systems, a service desk identity is a highly-prized target. When virtual private networks (VPNs) are used for access, that one compromised identity might be able to access the entire network remotely with privileged access to systems.
Given the (usually) high ticket volume and constant need to log into different systems, it’s all too easy for a phishing attack to sneak through. This is especially true with the rise of AiTM (Adversary-in-the-Middle) attacks, where highly realistic phishing pages are placed between the victim and a legitimate service. Such attacks not only expose the victim’s credentials to the attacker, but also session tokens, allowing the attacker to bypass MFA and access systems.
Furthermore, some organizations rely on shared third-party service desks, resulting in exponential risk where one compromised identity could impact multiple client organizations.
Fake It Till You Break It: Impersonating the Service Desk
If an attacker wants to call an employee and get them to run commands, install a persistent backdoor on their laptop, or just hand over information, then impersonating the service desk is a near-perfect ruse.
Attack Script Example: “Hey it’s Bob in IT. We’ve seen some strange activity from your laptop… I need you to run this tool so I can clear it up and prevent your account from being locked.”
While many organizations have robust endpoint detection and response (EDR) solutions deployed to detect malicious code, attackers will often evade detection by using legitimate remote access and management tools. These tools provide attackers with a stealthy mechanism to access the system and files remotely, as well as exploit the user’s privileges to create additional local accounts, or move laterally across the network.
The Escalation Pathways Problem
When it comes to applying the principle of Least Privilege, the service desk flies under the radar because they are expected to have high levels of privilege. This necessary access, however, creates risks and blind spots:
Pervasive Standing Privilege: Service desk identities may retain full privilege and access 24/7, not just for those brief durations when it’s needed to resolve a ticket. This ongoing, high-level access significantly increases the risk window. Furthermore, this access can open paths to other accounts in the organization through credential resets, further expanding the blast radius, depending on the standing privilege of the target user.
Credential Creep: In the race to save time and speed up ticket resolution, shared accounts and simple credentials may be used. This introduces challenges in auditing who is doing what, as these accounts can be used by anyone at any time, with no control or accountability.
Lack of Privilege Visibility: With so many siloed systems, it’s difficult for security teams to track levels of privilege and access. This challenge is compounded by hidden privileged pathways; for example, a service desk identity might not be a global administrator, but they may possess specific permissions needed to add themselves or others to a high-privilege group, thereby enabling easy elevation.
Securing the Service Desk Against Identity Attacks
Several key mitigation strategies can be applied to reduce the risks associated with service desk attack vectors:
Implement Least Privilege, Least Impact: Eliminate standing privilege across the organization. The fewer standing privileges any user holds, the smaller the blast radius will be if their identity is compromised, whether via the service desk or any other means. In an age where it is easier for an attacker to log in than hack in, this principle applies equally to cloud and on-prem systems.
Secure Remote Access: Stop using VPNs. Integrate a VPN-less remote support solution within your PAM strategy to broker sessions and record activity. This solution should include the management and injection of privileged credentials, so they are only available at the point of need and are never exposed directly to the service technician.
Achieve Holistic Identity Visibility with True Privilege™ Mapping: Gain visibility over where direct and indirect privileges exist. This allows security teams to make more informed decisions about the organization’s risk profile and avoid undermining security investments, such as by allowing the existence of unmanaged shadow accounts and unknown access paths.
Strengthen Identity Verification: Move beyond static, easily guessed questions. Include dynamic verification steps, such as displaying physical ID, and use phishing-resistant MFA (e.g., FIDO2), especially on service desks and privileged accounts.
Monitor Paths to Privilege for Abuse: When a user with a high level of privilege has an MFA factor added or a credential reset, security teams need to know about it immediately. Modern identity security products combine graph technology with advanced threat detection to help organizations prioritize responses to the highest-risk identity events.
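The hidden escalation path described under "Lack of Privilege Visibility" and the monitoring point above can be combined in one check: walk the group-management rights an identity holds to find whether it has a direct or indirect path to a privileged group, then use that to triage credential-reset and MFA-enrollment events. The following is an added example, not code from the article or from any BeyondTrust product; the directory, group names, and audit events are constructed.

```python
from collections import deque

# Constructed sample directory (not from the article).
MEMBER_OF = {  # identity -> groups it is a direct member of
    "alice": {"Helpdesk"},
    "bob": {"Finance"},
    "carol": {"GlobalAdmins"},
}
CAN_MANAGE = {  # group -> groups whose membership it may edit
    "Helpdesk": {"AppOwners"},
    "AppOwners": {"GlobalAdmins"},
}
PRIVILEGED_GROUPS = {"GlobalAdmins"}
RISKY_ACTIONS = {"password_reset", "mfa_factor_added"}


def reachable_groups(identity):
    """Groups held directly plus every group reachable by adding oneself
    through membership-management rights (the hidden path)."""
    seen = set(MEMBER_OF.get(identity, set()))
    queue = deque(seen)
    while queue:
        group = queue.popleft()
        for managed in CAN_MANAGE.get(group, set()):
            if managed not in seen:
                seen.add(managed)
                queue.append(managed)
    return seen


def privilege_level(identity):
    """'direct' (member of a privileged group), 'hidden' (can reach one), or 'none'."""
    if MEMBER_OF.get(identity, set()) & PRIVILEGED_GROUPS:
        return "direct"
    if reachable_groups(identity) & PRIVILEGED_GROUPS:
        return "hidden"
    return "none"


def triage(events):
    """Flag credential resets and MFA enrollments whose target has any path to privilege."""
    alerts = []
    for e in events:
        level = privilege_level(e["target"])
        if e["action"] in RISKY_ACTIONS and level != "none":
            alerts.append((e["actor"], e["action"], e["target"], level))
    return alerts


EVENTS = [  # constructed identity-provider audit events
    {"actor": "svc-desk-1", "action": "password_reset", "target": "bob"},
    {"actor": "svc-desk-1", "action": "mfa_factor_added", "target": "carol"},
    {"actor": "svc-desk-1", "action": "password_reset", "target": "alice"},
]
```

Note that alice is never a direct member of GlobalAdmins, yet the reset on her account is flagged because her Helpdesk membership lets her edit AppOwners, which in turn can edit GlobalAdmins.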
Next Steps to Improving Service Desk Security
Service desks are frequently the weakest security link, and attackers know it. The combination of social engineering with privileged access makes the service desk a gateway for compromise.
It’s vital for organizations to factor in service desk security as a critical part of a broader Privileged Access Management (PAM) strategy. Identity is the key battleground in today’s security landscape. With that stated, the goal for defenders is clear: gain visibility into privilege escalation paths, eliminate standing privilege, and protect where privilege is used.
If you’d like to take the next step, BeyondTrust offers two ways to get started:
Try BeyondTrust Remote Support for free to see how VPN-less, session-based remote access can reduce service desk risk while maintaining productivity.
Request a complimentary Identity Security Risk Assessment to uncover hidden paths to privilege, over-entitled accounts, and service desk exposure across your environment.
Or, if you would like to talk to an expert on securing privileged access and Paths to Privilege™ for the service desk and your enterprise, contact us here: https://www.beyondtrust.com/contact
FAQs
How do attackers commonly exploit service desks?
Attackers commonly exploit service desks using social engineering techniques such as vishing, phishing, and impersonation. These attacks are often combined with MFA enrollment abuse, credential resets, and the misuse of legitimate remote access tools to gain persistent access while bypassing traditional security controls.
Why does MFA alone not fully protect service desks?
MFA alone does not fully protect service desks because service desk workflows often allow credential resets or new MFA enrollment. Attackers exploit these processes to bypass MFA entirely, turning the service desk into an unintended mechanism for restoring or granting trusted access.
How does standing privilege increase service desk security risk?
Standing privilege increases service desk security risk by giving persistent, high-level access beyond what is needed for each task. If a service desk identity is compromised, attackers can use this continuous access to reset credentials, escalate privileges, and expand the blast radius across the organization.