Security researchers have discovered that cybercriminals are building hidden tunnels in cyberspace to surreptitiously break into networks, steal valuable data and escape - completely undetected.
Despite spending billions of dollars on security, large enterprises remain vulnerable to cyberattacks, as evidenced by the numerous recent data breaches - the most shocking of which was the Equifax breach. However, security experts at Vectra said cybercriminals are still exhibiting the same attack behaviours in the wake of the Equifax breach as they were before the incident.
What are hidden tunnels?
In most cases, hidden tunnels are built by applications such as internal financial management services, cloud-based financial applications, third-party analytical tools and more.
Although these applications are used for legitimate purposes, they use hidden tunnels that allow them to bypass security protocols that would otherwise limit their functionality. Hackers use hidden tunnels for the same reason - to circumvent security measures, thereby gaining a foothold in a targeted network.
“The high volume of traffic from web-based enterprise applications creates a perfect opportunity to hide command-and-control, data exfiltration and other attacker communications from network security tools,” Vectra researchers wrote in a report.
While numerous hackers use SSL/TLS techniques, the most successful hackers create their own encryption schemes. This allows them to effectively evade detection, especially given how difficult it can be to identify custom encryption.
Hidden tunnels are also difficult to detect because any communications are hidden beneath multiple layers of connections, all of which use commonly allowed protocols.
“Compared to the combined industry average, there are fewer overall command-and-control behaviors in financial services. However, Vectra Cognito detected significantly more hidden tunnels per 10,000 devices in financial services than all other industries combined,” Vectra researchers added.
Hidden tunnels can act as a well-concealed means by which to exfiltrate data. In other words, once hackers identify valuable assets to steal, the focus of the attack shifts to gathering the assets and smuggling them out undetected. In this stage of the attack, hidden tunnels give attackers the ability to control the transmission of massive amounts of data from the network into the wild.
“Financial services showed higher than normal rates of hidden tunnels, which are nearly impossible to detect using signatures, reputation lists, sandboxes and anomaly detection systems,” Vectra researchers concluded. “Because hidden tunnels carry traffic from legitimate financial services applications, anomaly detection systems struggle to discern normal traffic from attacker communications that are concealed among them.”
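The report's point is that signatures and payload inspection fail against tunnels wrapped in allowed protocols and custom encryption. As an added illustration, not code from the article or from Vectra, the script below hunts for two signals that survive encryption of the payload, machine-regular beacon timing and an outbound-heavy byte ratio toward one external host, over a constructed, hypothetical web proxy log format ("epoch client dest bytes_out bytes_in"); the thresholds are assumptions to tune per environment.

```python
"""Hunt for hidden-tunnel candidates in constructed web proxy logs.

Added example, not Vectra's detection logic. Each row of the constructed
sample is "epoch client dest bytes_out bytes_in" (hypothetical format).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one periodic but download-heavy app poll (10.0.0.5),
# one sparse browsing host (10.0.0.7), and one periodic upload-heavy
# flow to a single destination (10.0.0.9), the tunnel candidate.
SAMPLE_LOG = """\
1000 10.0.0.5 fin-app.example 800 52000
1060 10.0.0.5 fin-app.example 810 51000
1120 10.0.0.5 fin-app.example 790 53000
1003 10.0.0.7 cdn.example 120 4000
1600 10.0.0.7 cdn.example 110 9000
1000 10.0.0.9 reports.example 60000 300
1300 10.0.0.9 reports.example 61000 310
1600 10.0.0.9 reports.example 59000 290
1900 10.0.0.9 reports.example 60500 320
"""


def parse(log):
    """Group connections by (client, destination) as (ts, out, in) tuples."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, client, dest, out_b, in_b = line.split()
        flows[(client, dest)].append((int(ts), int(out_b), int(in_b)))
    return flows


def beacon_jitter(times):
    """Coefficient of variation of inter-connection gaps; near 0 means
    machine-regular timing. None when fewer than two gaps exist."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    return pstdev(gaps) / mean(gaps)


def hunt(log, min_conns=3, max_jitter=0.1, min_out_ratio=10.0):
    """Flag flows that are both periodic and outbound-heavy; returns a
    dict keyed by (client, dest) with the measured jitter and byte ratio."""
    findings = {}
    for (client, dest), recs in parse(log).items():
        recs.sort()
        if len(recs) < min_conns:
            continue
        jitter = beacon_jitter([r[0] for r in recs])
        ratio = sum(r[1] for r in recs) / max(sum(r[2] for r in recs), 1)
        if jitter is not None and jitter <= max_jitter and ratio >= min_out_ratio:
            findings[(client, dest)] = {"jitter": round(jitter, 3),
                                        "out_ratio": round(ratio, 1)}
    return findings


if __name__ == "__main__":
    for key, stats in hunt(SAMPLE_LOG).items():
        print(key, stats)
```

A periodic flow alone (10.0.0.5) is not flagged, since legitimate enterprise apps poll on timers too; the combination with a lopsided upload volume is what separates the candidate from the noise the report describes.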