The growing popularity of targeted attacks and how to fend them off – Part 1
In this multi-part post, we will discuss the growing trend of these attacks and emphasize the importance of detecting targeted cyberattacks at an early stage. The next post will highlight some interesting techniques to help you prevent them.
In this part, we want to focus on targeted attacks, in which a cybercriminal intentionally directs their efforts at compromising certain systems or organizations. These so-called APTs (Advanced Persistent Threats) have long been associated with specialized teams carrying out these delicate attacks, driven by governments and/or the military. The idea of a state-backed attack - often called a nation-state attack - aimed primarily at military complexes or diplomatic data to gather specific competitive intelligence is somewhat out of date. Sometimes a nation-state attack is simply set in motion to disrupt organizations or geographic regions. We will focus on this kind of advanced attack, which - as we foresee - will grow in number in the coming years.
Advanced
It is true that real sophistication needs time, dedication and stamina; factors most likely to be found among specialized nation-state hackers. On the other hand, cybercriminals are strengthening their weaponry with freely available sophisticated techniques, such as the powerful NSA exploits disclosed online by the Shadow Brokers, which led to the use of the EternalBlue and EternalRed exploits and in turn to a wide spread of ransomware and crypto-mining attacks. Even after all necessary patches became available, hundreds of thousands of computers remain unpatched and vulnerable to this day. In recent years, attackers have heavily invested in automating attacks using a wide range of known exploitable vulnerabilities, in an attempt to rapidly attack targets and evade internal security measures or protections at the network and endpoint level. This use of automation has taken on myriad forms, from exploit kits that trap browsers and weaponized Office document files to malicious spam email that thoroughly obfuscates the threat it poses to victims and their technology. [2]
This combination forms a dangerous cocktail, and we may expect the average cybercriminal to advance their attack techniques even further in the coming years.
US Director of National Intelligence Daniel R. Coats recently said: “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” [1]
So, it is clear how cyberattacks may advance over time in order to penetrate organizations.
But considering all this, we must pay attention to traditional criminology and ask ourselves what nation-state hackers and the broader hacker scene have in common; what their shared motive is. We think the answer is the potential to be disruptive.
While large-scale cyberattacks like ransomware expanded in scope and popularity last year, this form of disruption in order to steal and extort has a fairly low risk/reward ratio.
So, even the average hacker is gradually realizing that there are better ways to accomplish their goals with less risk.
And here persistence comes into play.
Persistence
One of the first steps after penetrating a network may be ensuring that one or more systems stay accessible to the hacker. In this phase, flying under the radar is the attacker's top priority. Typically, the attacker tries to utilize some ‘features’ that the network and the installed software may expose. Oftentimes - after gathering some credentials - very common technologies, like WMI, may be used to distribute malicious software throughout the network or to specific machines.
Even when you maintain your network correctly and steer it safely with sound security procedures, simple mistakes may lead to data being sent to the wrong recipients. Also, devices may get lost and valuable information may leak to a cybercriminal. Or the cybercriminal simply sharpens the attack through social engineering.
Ultimately the attacker may nonetheless penetrate the network and will continue moving deeper into it, searching for even better credentials or critical business data.
Lateral movement and lateral distribution: why detecting lateral movement remains of the utmost importance
We would like to focus on common techniques the attacker often utilizes during an attack. One very common technique is called lateral movement.
In fact, 80% of a sophisticated attack involves moving laterally through the network from system to system. The lateral movement phase is the point where the attacker is most vulnerable to detection. They are operating semi-blind on a foreign network, seeking out targets of value and trying to gather better credentials to make further lateral movement even more successful.
The attacker is typically using built-in capabilities of the operating system and legitimate remote administration tools to move around the network. This prevents anti-malware and endpoint detection systems from flagging their activity as it looks perfectly normal.
It’s thus clear that the defense should have best-in-class lateral movement detection capabilities.
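The "one account, many hosts in a short time" pattern described above is one of the simplest lateral-movement signals a defender can look for in Windows logon events (Event ID 4624 with a network or RDP logon type), because built-in tools such as WMI, PsExec-style remote execution and RDP all leave such logons behind on the target hosts. The following is an added example, not code from the original post: a small detector that runs over a handful of constructed log lines in a simplified key=value form. The log format, thresholds, host names, account names and IP addresses are all assumptions made for the example; a real deployment would read the same fields from the Security event log or a SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) carrying only the fields of a
# Windows Security Event 4624 (successful logon) that matter for this check:
# the target host, the logon type, the account name and the source address.
SAMPLE_EVENTS = [
    "2019-03-04T09:00:12Z host=WS12 EventID=4624 LogonType=2 Account=asmith SourceIP=-",
    "2019-03-04T09:01:05Z host=FS01 EventID=4624 LogonType=3 Account=jdoe SourceIP=10.0.5.21",
    "2019-03-04T09:02:40Z host=WS07 EventID=4624 LogonType=3 Account=jdoe SourceIP=10.0.5.21",
    "2019-03-04T09:03:15Z host=FS01 EventID=4624 LogonType=3 Account=backup_svc SourceIP=10.0.1.9",
    "2019-03-04T09:04:58Z host=DC01 EventID=4624 LogonType=3 Account=jdoe SourceIP=10.0.5.21",
    "2019-03-04T09:05:30Z host=WS12 EventID=4624 LogonType=3 Account=asmith SourceIP=10.0.5.30",
    "2019-03-04T09:06:44Z host=SQL02 EventID=4624 LogonType=10 Account=jdoe SourceIP=10.0.5.21",
    "2019-03-04T09:20:00Z host=FS02 EventID=4624 LogonType=3 Account=backup_svc SourceIP=10.0.1.9",
    "2019-03-04T09:25:10Z host=WS12 EventID=4624 LogonType=3 Account=asmith SourceIP=10.0.5.30",
]

# Logon type 3 = network logon (SMB, WMI, remote service creation),
# logon type 10 = RemoteInteractive (RDP). Local/interactive logons are ignored.
NETWORK_LOGON_TYPES = {3, 10}


def parse_event(line):
    """Turn one constructed 'timestamp key=value ...' line into a typed dict."""
    timestamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
        "host": fields["host"],
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "account": fields["Account"],
        "source_ip": fields["SourceIP"],
    }


def detect_lateral_movement(lines, max_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per account that logged on (over the network or RDP)
    to at least `max_hosts` distinct hosts inside any sliding window of
    length `window`. Thresholds are assumptions to be tuned per environment."""
    by_account = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4624 and ev["logon_type"] in NETWORK_LOGON_TYPES:
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until the oldest event fits in `window`.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            hosts = {e["host"] for e in in_window}
            if len(hosts) >= max_hosts:
                alerts.append({
                    "account": account,
                    "hosts": hosts,
                    "source_ips": {e["source_ip"] for e in in_window},
                    "first_seen": in_window[0]["time"],
                    "last_seen": ev["time"],
                })
                break  # one alert per account is enough to start triage
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['account']} reached {len(alert['hosts'])} hosts "
              f"{sorted(alert['hosts'])} from {sorted(alert['source_ips'])} "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

On the constructed sample, only the account `jdoe` trips the rule (three distinct hosts within about four minutes, all from the same source address), while the backup service account, which touches two file servers seventeen minutes apart, and the user who repeatedly logs on to a single workstation do not. Service accounts that legitimately fan out to many hosts are the usual false-positive source for this kind of rule, so in practice the threshold is set per account class or the account is matched against a known-good baseline.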
In 2018, there was a clear use of the EternalBlue vulnerability. First, WannaCry ransomware heavily used EternalBlue to spread fast throughout the computer network, like a worm. Later on, so-called cryptojackers also made use of this same vulnerability to spread fast and misuse hardware to mine coins for the attacker. This type of malware was characterized by spreading as fast as possible, infecting all computers along its path. This worm-like form used lateral distribution as its strategy.
But, as we already said, we more and more see very cleverly thought-through attacks in which the cyber attacker aims at the crown jewels of the organization and may use very nifty tactics to extort the organization with very dangerous threats. Ignoring the demands brought forward by the cybercriminal may eventually feel like the deathblow to your company. And the fact of the matter is that the attacker may have ‘obtained’ very business-critical data by that stage. So, prevention is key!
Conclusion
As a home user, you should consider using a bulletproof anti-exploit solution with a strong reputation. An additional measure would be to use an alternative DNS server that offers filtering of malware domains, like Quad9, Cloudflare, OpenDNS or similar services. We would be happy to advise you. Just drop us a mail or use our web form.
If you are a business, we would like to get in touch and give you some valuable tips to strengthen your current security measures and possibly enrich them using proven strategies. For actual implementations, we work together with renowned partners in the Netherlands and can point you in the right direction - if appropriate.
In the next post, we will dive into the actual techniques used and how to protect yourself and your organization against these targeted attacks.
At your service!
Cheers,
Marieke
[1] https://www.intelligence.senate.gov/sites/default/files/documents/os-dcoats-021318.PDF
[2] https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf
Arron said
Hi there! Such a wonderful article, thank you!