Understanding Hackers’ Data Exfiltration Techniques

Data exfiltration, also referred to as data exportation, data extrusion, or data theft, has a detrimental effect on the business operations of an enterprise. It may cost a company millions in recovery and liability damages, or worst, push them to declare bankruptcy.

The number of data breaches is skyrocketing every year, breaking the record of the previous year’s breach by bigger margins.

• Data over 4.1 billion records were compromised in 3,813 breaches till June 30 this year, with both figures seeing a jump of over 50 percent as compared to the last year’s data.
• Only eight breaches contributed to exposure of 3.2 billion records.
• Three breaches this year made it to the list of the ten largest breaches of all time.

Hackers’ approach and strategies

The hackers’ exfiltration methods for stealing data include transferring the data over their command and control (C&C) channel or an alternate channel and may also involve putting size limits on the transmission.

Hackers typically gain unauthorized access to data by establishing a secure shell (SSH) protocol between the compromised host and their server. As soon as the connection is made, the hackers next instruct the compromised host to share the specified data to their server. The time taken to transmit the data depends on the size of the file to be transferred, the uplink speed, and the system capabilities of both the hosts. Once the data is received, hackers move the stolen data from the server (where it was received) in order to ensure its integrity. Some hackers also prefer to take the server offline for operational security reasons.

Further, there are various types of exfiltration techniques that hackers deploy for successful data breaches. Now, these techniques usually follow one of the below approaches to penetrate the targeted system’s network, and are also used in most of the APT attacks:

• Backdoors: Hackers take to backdoors (covert method of bypassing standard authentication or encryption in a computer) to detect or install themselves as part of an exploit. Backdoors have built-in upload and download functions, similar to as observed in Remote Access Trojans (RATs). It uses ports like 80 and 443 (for HTTP or HTTPS) and port 53 (for DNS) to hide traffic. Hackers effectively bypass the connection restriction every time they use HTTP to transmit data. There are sometimes instances where they manually download the .ZIP file containing all the collected data.
• File Transfer Protocol (FTP): FTP is a standard network protocol used to transfer files between a client and a server. To exfiltrate data over FTP, hackers enter into an externally accessible FTP server of the organization’s network from a compromised host. A network infrastructure lacking firewall rules that prevent outbound connections can enable hackers to connect back to their system easily. Hackers can also attempt to configure the FTP server with write-only permissions (also called a “blind drop” server). It authorizes anonymous uploads but prohibits all other actions such as retrieving files and listing directory contents, allowing hackers to avoid using credentials altogether.
• Web applications: Hackers may access their choice of browsers on the organization’s network without anyone noticing. It won’t raise any suspicion to even IT administrators because connecting to web pages outside the network isn’t out of the ordinary.
• Windows Management Instrumentation (WMI): It can be used to monitor the files opened by the targeted employees or users. As such, cybercriminals can easily determine and gather these files and transfer data to their server.

Several other ways to extract target data include:

• Forwarding rule in Microsoft Outlook that enables hackers to receive copies of the emails that the target users are receiving. This helps them draft a targeted phishing email to carry out social engineering attack, or, in some cases, get their hands onto the confidential documents right away.
• Hackers also use legitimate tools for gathering a list of file types and documents from where they think the critical data might be residing. To prevent de-duplication while transferring the data, they put a timestamp.
• Gaining access to peripheral devices is another common tactic. Attackers often target various connected devices including microphones, webcams, security cams, etc, to record audio and video to monitor the targeted users’ activities.