<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Blog</title><link>https://www.cybertense.com:443/blog</link><description></description><item><title>The growing popularity of targeted attacks and how to fend them off; detecting lateral movement – Part 2</title><link>https://www.cybertense.com:443/blog/the-growing-popularity-of-targeted-attacks-and-how-to-fend-them-off-detecting-lateral-movement-part-2</link><description>&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In our &lt;a href="https://www.cybertense.com/blog/the-growing-popularity-of-targeted-attacks-and-how-to-fend-them-off"&gt;previous post&lt;/a&gt;, we made clear how the current threat landscape is changing. From a situation where frequent hit-and-run mass malware seems to do the most harm, we expect more targeted attacks to show up during the coming years. After penetrating the network, the first aim of the cybercriminal is to gain access to multiple systems, to have some redundancy in case some systems become inaccessible later on, or to execute additional tools, access specific information or files, or obtain additional credentials. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;However, before an attacker gains that power, it has to overcome various barriers. &lt;br&gt;&lt;br&gt;Computer scientists at the Lockheed Martin corporation presented a model to concretize the various phases a cyberattacker has to run through before ultimately succeeding: the so-called Cyber Kill Chain. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Although an attacker may skip a phase, the layered model gives a perfect opportunity to build up confidence in detecting the various attacks passing by. 
The idea is that these phases are involved in a cyber attack:&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;1 - Initial Reconnaissance: In this phase, research is done to identify vulnerabilities and weak spots&lt;br&gt;
2 - Weaponization: Here, the attacker tailors a dedicated piece of malware, possibly exploiting multiple vulnerabilities&lt;br&gt;
3 - Delivery: Making sure the specialized weapon is available at the right place (via e-mail attachments, websites or USB drives)&lt;br&gt;
4 - Exploitation: Triggering the malware to become active, starting an attack using packed intel or exploiting various systems' vulnerabilities&lt;br&gt;
5 - Installation: Foot on the ground; installing backdoors / ways to connect to the target network comfortably and unnoticed&lt;br&gt;
6 - Command and Control: At this stage, backdoors are in place and C2 traffic is present; the attack is imminent.&lt;br&gt;
7 - Actions on target: The attacker takes action to meet their objective(s), such as data exfiltration, data destruction, or encryption for ransom.&lt;/font&gt;&lt;br&gt;
&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In phases 3 to 5, we have the best chance to detect some deviant behaviour on our network indicating an attack is in the making. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In fact, detecting the lateral movement attack phase represents the single most important differentiator between a simple attack and a sophisticated, targeted and strategic attack. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;We will now present some steps you may want to set up to detect lateral movement, which enables you to take action.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;A. Know the default behaviour and utilized techniques of your network administrator (team)&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Don’t fool yourself: be sure an attacker has done their homework preparing an APT and knows &lt;em&gt;very&lt;/em&gt; well which default tools are active and used by the network administrators. These are the tools, techniques and services ideally used by the hacker to stay under the radar. Two things are key here:&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;A1. Know which logging is available and see if you can dump these various logs to a convenient location, from where you can work with this data. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;A2. Know what behaviour is expected. You can automate behavioural detection (AI) or manually create a list of expected behaviour. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Ultimately, what you want here is to detect deviations from this default behaviour. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;B. 
Use login logs as a pre-attack indicator&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;You should analyze login information from different locations (AD sites) and have a method to cross-reference these data. If, for example, you encounter the same credential failing to log in across multiple systems and/or sites, you are on to something. If you encounter failing logins during non-working hours, you have another indication. So, search for methods to analyze this data – automated or manual – since it really is a strong indication of the pre-attack, lateral movement, phase. &lt;/font&gt;&lt;/p&gt;&lt;font face="Arial" size="4"&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;C. Analyze login information on authentication &lt;u&gt;frequency&lt;/u&gt;&lt;/strong&gt; &lt;/p&gt;&lt;p&gt;This point has some overlap with point B. You should not only know which credentials are used; an even better indication is the frequency with which a certain credential set is used throughout the network. When lateral movement occurs, the attacker is in search of jewels and already has valid access. However, he/she does not have &lt;em&gt;that many&lt;/em&gt; credentials in this phase. So, the attacker will have to reuse the same valid credential(s) frequently when moving laterally through the network. &lt;/p&gt;&lt;p&gt;Find that characteristic and you have gained another strong indicator!&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;D. Know your file servers’ activity&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Here, again, we want to analyze the utilization of file servers. Hackers often persist confidential data (encrypted and hidden) on a file server before transferring these jewels to their own C2 server. File servers are also often the target of ransomware attacks, or may simply harbor some of the jewels the attacker is fighting for. This results in deviant behaviour on the file server(s). 
&lt;br&gt;So again, focus on log aggregation and analyze the logs heavily!&lt;/p&gt;&lt;p&gt;Windows systems generally have hidden network shares that are accessible to (network) administrators and provide the ability for remote file copy and other administrative functions; take measures to log access to especially these locations - C$, ADMIN$ and IPC$. Windows has special GPOs to log these access events, but you need to invest in tooling / time to aggregate these logs. &lt;p&gt;After an attacker succeeds in transferring binaries (malware) to a certain computer, most of the time remote execution methods are utilized shortly after to activate the (stealthy?) malware. &lt;p&gt;Don’t underestimate the value of SMB logging and analysis; it can be a very strong indicator / detector. First take measures to gather all logs in a comfortable place, then invest time and build knowledge to interpret and aggregate these logs.&lt;p&gt;&lt;strong&gt;&lt;em&gt;Shared files on these network shares&lt;/em&gt;&lt;/strong&gt;&lt;p&gt;An attacker may taint files and executables (content) on a network share. Since a multitude of users will execute or open these files, a file infected or tainted to run malicious script / code / macros will have a large impact. Since the attacker wants to stay stealthy, he has to plan this kind of trick carefully. So, frequently scan the files on your file server and keep track of anomalies.&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;E. Command and Control activity detection&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Certainly, you may have some great tools in place, like firewalls doing protocol inspection. The downside of these appliances – although they are a big plus to your overall security set-up – is that they are often behind on threat intel. The latter is certainly the case when you face an APT. Here, your effort to analyse DNS logs may give you strong hints. Try to detect non-human hostnames / domain names; randomly generated ones may be of interest. 
&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;F. Port scanning&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;You have to be aware of port scanning activity within your network. True, some legitimate applications may do a scan or may be classified as a port scanning application. However, these applications tend to have static behaviour and only scan for certain ports or ranges. A port scan set out by a cybercriminal and their tools will – if noticed – probably always differ from known behaviour!&lt;/p&gt;&lt;p&gt;Make sure you analyze this utilizing &lt;br&gt;&lt;/p&gt;&lt;/font&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;G. Exploiting vulnerabilities&lt;/strong&gt; &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Most of the time, an attacker needs to gather knowledge about systems exposing known vulnerable services. The attacker utilizes network service scanning software or home-brewed methods and software to discover these unpatched services. An attacker may also search for patch history, in which case a safe assumption can be made about which systems and services to exploit. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;So, it is of the utmost importance to patch all software continuously. Then, invest time in knowing which techniques attackers use during this phase and build intel about the traces these may leave, enabling you to monitor and detect this kind of traffic.&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;H. Keep an eye on RDP &lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Lately, many attacks ‘simply’ encompass the use of RDP to take over a certain system, drop malicious code and execute it. The attacker may also just enable legitimate features to gain the ability to control the computer more stealthily. 
Know your group policies and track anomalies. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;With this summary, we hope to give you some inspiration on the various attack vectors and techniques involved in a stealthy lateral movement attack. We deliberately avoided giving advice on various commercially available (open source) tools and software suites. But, of course, we would like to give you advice on this software. We can also advise on several free / value-for-money solutions. Just send us an e-mail. We will deliver. &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Greetings from the CyberTense team.&amp;nbsp; &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Regards and keep up,&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Marieke &lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;br&gt;&lt;/p&gt;&lt;font face="Arial" size="4"&gt;&lt;/font&gt;</description><pubDate>Wed, 08 May 2019 20:04:00 GMT</pubDate><guid isPermaLink="true">https://www.cybertense.com:443/blog/the-growing-popularity-of-targeted-attacks-and-how-to-fend-them-off-detecting-lateral-movement-part-2</guid></item><item><title>The growing popularity of targeted attacks and how to fend them off – Part 1</title><link>https://www.cybertense.com:443/blog/the-growing-popularity-of-targeted-attacks-and-how-to-fend-them-off</link><description>&lt;p&gt;&lt;br&gt;&lt;font face="Arial" size="4"&gt;In this multi-part post, we will argue that these attacks are a growing trend and emphasize the importance of detecting aimed cyberattacks at an early stage. The next post will highlight some interesting techniques to empower you in preventing these &lt;/font&gt;&lt;p&gt;&lt;i&gt;&lt;br&gt;&lt;/i&gt;&lt;font face="Arial" size="4"&gt;In this part, we want to focus on aimed attacks, in which a cybercriminal intentionally directs their strength at compromising certain systems or organizations. 
These so-called APTs (Advanced Persistent Threats) have long been associated with specialized teams setting out these delicate attacks, driven by government and/or military. The idea of a state-backed attack - often called a nation-state attack – aiming primarily at military complexes or diplomatic data to gather specific competitive intel is somewhat out of date. Sometimes a nation-state attack is simply put in motion to disrupt organizations or geographic districts. We will focus on this kind of &lt;i&gt;advanced&lt;/i&gt; attack, which will – as we foresee – grow in number in the time to come. &lt;/font&gt;&lt;p&gt;&lt;i&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;&lt;br&gt;Advanced&lt;/strong&gt;&lt;/font&gt;&lt;/i&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;It is true that real sophistication needs time, dedication and stamina; factors most likely to be expected from specialized nation-state hackers. On the other hand, cybercriminals are strengthening their weaponry with freely available sophisticated techniques, like the powerful NSA exploits disclosed online by the Shadow Brokers, resulting in the use of the EternalBlue and EternalRed exploits and in a wide spread of ransomware and crypto mining attacks. Even after all necessary patches became available, hundreds of thousands of computers are unpatched and vulnerable to this day. In recent years, attackers heavily invested in automating attacks using a wide range of known exploitable vulnerabilities, in their attempt to rapidly attack targets and evade internal security measures or protections at the network and endpoint level. This use of automation has taken on myriad forms, from exploit kits that trap browsers and weaponized Office document files to malicious spam email that thoroughly obfuscates the threat it poses to victims and their technology. 
[2]&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;This combination forms a dangerous cocktail, and we may expect the &lt;i&gt;average&lt;/i&gt; cybercriminal to advance their attack techniques even more in the coming years. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;US Director of National Intelligence Daniel R. Coats recently said: “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected—with relatively little built-in security—and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.” [1]&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;So, it is clear how cyberattacks may advance over time in order to penetrate organizations.&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;But considering all this, we must pay attention to traditional criminology and ask ourselves which commonalities both nation-state hackers and the broader hacker scene have; what is their common motive? We think the answer is &lt;i&gt;the potential to act disruptively&lt;/i&gt;. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;While large-scale cyber-attacks like ransomware expanded in scope and popularity last year, this form of disruption in order to steal and extort has a fairly low risk/reward ratio. 
&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;So, even the average hacker is gradually realizing that there are better ways to accomplish their goals with less risk.&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;And here &lt;i&gt;persistence &lt;/i&gt;comes into play.&lt;/font&gt;&lt;p&gt;&lt;i&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;&lt;br&gt;&lt;/strong&gt;&lt;/font&gt;&lt;/i&gt;&lt;p&gt;&lt;i&gt;&lt;font face="Arial" size="4"&gt;&lt;strong&gt;Persistence&lt;/strong&gt;&lt;/font&gt;&lt;/i&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;One of the first steps after penetrating a network may be ensuring that one or more systems stay accessible to the hacker. In this phase, flying under the radar is the attacker's top priority. Typically, the attacker tries to utilize some ‘features’ the network and the software in use may expose. Oftentimes - after gathering some credentials - very common technologies, like WMI, may be used to distribute malicious software throughout the network or to specific machines. &lt;br&gt;Even when you correctly maintain your network and steer it safely through clever security procedures, simple mistakes may lead to data being sent to the wrong recipients. Also, devices may get lost and valuable information may leak to a cybercriminal. Or the cybercriminal simply sharpens his attack through social hacking. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Ultimately, the attacker may penetrate the network anyway and will continue moving further into the network, searching for even better credentials or critical business data. &lt;/font&gt;&lt;p&gt;&lt;i&gt;&lt;font face="Arial" size="4"&gt;Lateral movement and lateral distribution; why detecting lateral movement remains of utmost importance&lt;/font&gt;&lt;/i&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;We would like to focus on common techniques the attacker often utilizes during their attacks. One very common technique is called lateral movement. 
&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In fact, 80% of a sophisticated attack involves moving laterally through the network from system to system. The lateral movement phase is the point where the attacker is most vulnerable to detection. They are operating semi-blind on a foreign network, seeking out targets of value and trying to gather better credentials to carry out the lateral movement actions even more successfully. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;The attacker typically uses built-in capabilities of the operating system and legitimate remote administration tools to move around the network. This prevents anti-malware and endpoint detection systems from flagging their activity, as it looks perfectly normal.&lt;br&gt;It’s thus clear that the defense should have best-in-class lateral movement detection capabilities.&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In 2018, there was clear use of the EternalBlue vulnerability. First, WannaCry ransomware heavily used EternalBlue to spread fast throughout the computer network, like a worm. Later on, so-called cryptojackers also made use of this same vulnerability to spread fast and misuse hardware to mine coins for the attacker. This type of malware was characterized by spreading as fast as possible, infecting all computers along its path. This worm-like form used lateral distribution as its strategy. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;But, as we already said, we more and more see very cleverly thought-through attacks where the cyber attacker aims at the crown jewels of the organization and may have very nifty tactics to extort an organization with very dangerous threats. Ignoring the demands brought forward by the cybercriminal may eventually feel like the deathblow to your company. And the fact of the matter is that the attacker may have ‘obtained’ very business-critical data at that stage. 
So, prevention is key!&lt;/font&gt;&lt;p&gt;&lt;i&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;Conclusion&lt;/font&gt;&lt;/i&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;As a home user, you should consider using a bulletproof anti-exploit solution with a strong reputation. Another additional measure would be to use an alternative DNS server which offers filtering of malware domains, like Quad9, Cloudflare, OpenDNS or similar services. We would be happy to advise you. Just drop us a &lt;a href="mailto:Marieke@CyberTense.com"&gt;mail&lt;/a&gt; or use our &lt;a href="https://www.cybertense.com/Support" target="_blank"&gt;web form&lt;/a&gt;. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;If you are a business, we would like to get in touch and give you some valuable tips to strengthen your current security measures and possibly enrich them utilizing proven strategies. For actual implementations, we work together with renowned partners in the Netherlands and could just give you a tip or direction – if appropriate. &lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;In the next post, we will dive into the actual techniques used and how to protect yourself and your organization against these aimed attacks. 
&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;At your service!&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;Cheers,&lt;br&gt;Marieke&lt;/font&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;&lt;br&gt;&lt;/font&gt;&lt;/p&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;[1] &lt;/font&gt;&lt;a href="https://www.intelligence.senate.gov/sites/default/files/documents/os-dcoats-021318.PDF"&gt;&lt;font face="Arial" size="4"&gt;https://www.intelligence.senate.gov/sites/default/files/documents/os-dcoats-021318.PDF&lt;/font&gt;&lt;/a&gt;&lt;p&gt;&lt;font face="Arial" size="4"&gt;[2] &lt;/font&gt;&lt;a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf"&gt;&lt;font face="Arial" size="4"&gt;https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-2019-threat-report.pdf&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Thu, 21 Feb 2019 10:40:00 GMT</pubDate><guid isPermaLink="true">https://www.cybertense.com:443/blog/the-growing-popularity-of-targeted-attacks-and-how-to-fend-them-off</guid></item><item><title>What are keyloggers? Why are they a threat to us?</title><link>https://www.cybertense.com:443/blog/what-are-keyloggers-why-are-they-a-threat-to-us</link><description>&lt;p&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-family: Arial;" face="Arial"&gt;Keyloggers are a type of&lt;/span&gt; malware designed to monitor all the keystrokes you make. Actually, they are one of the oldest forms of threats within our modern computer era. Whether they are put to work in a legitimate way or were deployed to your computer illegally, you want to get rid of them &lt;strong&gt;in any case&lt;/strong&gt;. Physical keyloggers are impossible to detect by software; only unusual changes in the detected (keyboard) hardware can be, an approach some vendors embed in their solutions in a rather dodgy way. We can help you choose the right solution, but we will target &lt;em&gt;software&lt;/em&gt; keyloggers in this article.&lt;/p&gt;
&lt;p&gt;Our personal information is at risk when confronted with a keylogger. In fact, any individual or organisation that accesses, inputs or stores private information is at risk. They are ideal tools for industrial espionage or for accessing confidential data and can damage relationships, financial standing, and reputation as a result.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;More than meets the eye&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Even seemingly innocent information can be used as a jumping-off point for bigger targeted attacks in the hands of a cybercriminal with perseverance. Eventually they will gather the information needed to start off their big hack / attack.&lt;/p&gt;
&lt;p&gt;With that in mind, the &lt;em&gt;detection&lt;/em&gt; &lt;em&gt;alone &lt;/em&gt;has great value; you / your company may be the victim of a long, well-thought-through cyber attack.&lt;/p&gt;
&lt;p&gt;Furthermore, once you are infected by keylogging malware, you may also be the victim of other malicious programs, since keyloggers are often bundled with other malware as an option to capture your personal information.&lt;/p&gt;
&lt;p&gt;But how can keyloggers end up on our machines without our noticing? Traditionally, keyloggers have been pieces of software, which can be installed on a computer through a virus or as spyware. A common approach nowadays is the use of spear phishing attacks, where a user gets tricked into clicking a web link which will eventually redirect them to a server analyzing the vulnerabilities in the user&amp;rsquo;s applications, like an unpatched or out-of-date web browser.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Staying under the radar&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A keylogger is one of the types of malware that tries to stay under the radar; nearly every keylogger has special techniques to keep stealthy. Keyloggers are present at either kernel or user level. Since user-level keyloggers mostly hook one of the Windows API functions to determine which key is pressed, they are fairly easy to detect. Kernel-level keyloggers focus on monitoring system calls. The latter family of keyloggers is more difficult to detect, but lately even more sophisticated variants are to be found, like GPU-enabled keyloggers.&lt;/p&gt;
&lt;p&gt;Since most detection engines primarily support analysis of x86 code and mainly focus on main memory and the CPU, the idea of malware (also) co-existing on the GPU gets a lot of attention from malware engineers in their pursuit of staying stealthy.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;&lt;strong&gt;How to protect / react?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;If you already suspect you have fallen victim to malicious software, you will need the right tools to assist you in cleaning up your computer. We can assist and point you in the right direction.&lt;/p&gt;
&lt;p&gt;If, however, you want to take preventive measures, we advise you to start with a strong anti-exploit solution. This, combined with an adequate anti-virus engine, may prove a perfect fit.&lt;/p&gt;
&lt;p&gt;Please contact us via the support form to let us advise you. Have a nice day.&lt;/p&gt;</description><pubDate>Sun, 16 Dec 2018 21:04:00 GMT</pubDate><guid isPermaLink="true">https://www.cybertense.com:443/blog/what-are-keyloggers-why-are-they-a-threat-to-us</guid></item></channel></rss>