New wave of cyber attacks using little or no malware


By Dylan Bushell-Embling
Wednesday, 09 September, 2015



A rising tide of threat actors is launching attacks against organisations that use little or no malware and instead try to turn the target’s own security tools against them, Dell has warned.

Hackers have taken to a cyber intrusion tactic that Dell has called “living off the land”, which involves using the target’s own system credentials and software administration tools to breach and move freely through the network.

In an advisory notice, the company revealed that nearly all of the intrusions its SecureWorks incident response team had responded to over the last year used this kind of attack.

In such attacks, malware is either not used or used so sparingly as to leave few traces behind for investigators and security professionals.

This means traditional security tools focused on blocking malware and infrastructure associated with known threat actors are unable to protect against living off the land attacks, Dell warned, stating that it is vital for companies handling confidential or sensitive data to be aware of this new threat.

In one recent example, hackers compromised the network credentials of an employee of a manufacturing company, used these to log into the company’s remote access system and used it to reach internal corporate resources. The attackers also used the company’s endpoint management platform to move laterally through the network and steal specific intellectual property.

Another incident involved attackers stealing hundreds of credit and debit card numbers from an organisation’s point of sale terminals. The attackers compromised an employee’s network credentials for the organisation’s Citrix server, used that access to capture the domain administrator’s credentials and used these to perform reconnaissance of the network.

The attackers then compromised the company’s centralised security management server, which was used to deploy and manage antivirus software for all endpoints including POS terminals. This access was used to push malware tools to the terminals, which in turn were used to capture all credit and debit card data entered into the terminals.

While antivirus software did eventually detect the malware, the attackers had used their access to the security management server to whitelist the program, allowing it to continue to operate unimpeded.

A final incident detailed by Dell involved attackers breaching a pharmaceutical manufacturer using no malware at all. The attackers used social engineering and the target’s own system administration tools to break into the company’s network and connect to systems using the remote desktop protocol. Confidential files were then stolen using the company’s own FTP system.

Dell said these incidents highlight the need to regularly monitor even the most trusted of key systems for signs of malicious activity. To ward off such attacks, Dell recommends that companies mandate the use of two-factor authentication for all remote access systems and for all employees and business partners.

The company also recommends the removal of local administrator rights for users, the segmentation of sensitive data on the network and regular audits of privileged user account activity.

Companies should also consider implementing an endpoint security system focused on analysing network activity for malicious behaviour by monitoring process creations, thread injection events, network connection data and DNS activity.
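One way to act on those monitoring recommendations, as an added example that is not from the article or from Dell: a small Python audit over constructed privileged-activity events that flags the three patterns the incidents above share (remote logins without a second factor, one account driving administration tools across many hosts, and antivirus exclusions added by an unexpected account). The event field names, the tool list, the account names and the thresholds are assumptions.

```python
"""Flag living-off-the-land indicators in privileged-activity events.

Constructed sample data, not from the article. Each event is a dict; the
field names and the hypothetical log source are assumptions.
"""
from collections import defaultdict

# Remote administration tools whose use is legitimate but worth auditing (assumed list).
ADMIN_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe", "mstsc.exe"}
# Accounts expected to change antivirus policy on the security management server (assumed).
ALLOWED_AV_ADMINS = {"avadmin"}
# One account driving admin tools on this many distinct hosts is a lateral-movement signal.
FANOUT_THRESHOLD = 3

SAMPLE_EVENTS = [  # constructed events; addresses are documentation ranges
    {"kind": "remote_login", "user": "jsmith", "src": "203.0.113.7", "mfa": False},
    {"kind": "remote_login", "user": "akhan", "src": "198.51.100.9", "mfa": True},
    {"kind": "process", "user": "jsmith", "host": "ws-114", "image": "psexec.exe"},
    {"kind": "process", "user": "jsmith", "host": "pos-02", "image": "psexec.exe"},
    {"kind": "process", "user": "jsmith", "host": "pos-07", "image": "wmic.exe"},
    {"kind": "process", "user": "akhan", "host": "ws-220", "image": "outlook.exe"},
    {"kind": "av_policy", "user": "jsmith", "host": "sec-mgmt-01",
     "action": "add_exclusion", "target": "C:\\Windows\\Temp\\svc.exe"},
    {"kind": "av_policy", "user": "avadmin", "host": "sec-mgmt-01",
     "action": "update_signatures", "target": "all"},
]


def audit(events, allowed_av_admins=ALLOWED_AV_ADMINS, fanout=FANOUT_THRESHOLD):
    """Return a sorted list of (indicator, user, detail) findings."""
    findings = set()
    hosts_by_user = defaultdict(set)
    for e in events:
        kind = e["kind"]
        if kind == "remote_login" and not e.get("mfa", False):
            # Remote access without a second factor: the entry point in the incidents above.
            findings.add(("remote_login_without_mfa", e["user"], e["src"]))
        elif kind == "process" and e["image"].lower() in ADMIN_TOOLS:
            hosts_by_user[e["user"]].add(e["host"])
        elif (kind == "av_policy" and e["action"] == "add_exclusion"
              and e["user"] not in allowed_av_admins):
            # Whitelisting on the security management server by an unexpected account.
            findings.add(("av_exclusion_by_unexpected_user", e["user"], e["target"]))
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= fanout:
            findings.add(("admin_tool_fanout", user, ",".join(sorted(hosts))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```

In practice the events would come from the remote access gateway, endpoint process-creation telemetry and the security management server's audit log, joined on the account name.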

As well as proactive steps, Dell stressed the importance of responding to successful attacks by plugging the vulnerability.

“The Incident Response Team has seen case after case where victim organisations did not shut off the threat group’s original entry point or other similar entry points and the threat actors simply reentered the target’s environment and began wreaking havoc all over again,” Dell said.

“A target must ensure that they shut off all points of entry prior to kicking out the intruders; otherwise, resources put towards eviction are wasted.”

Image courtesy of Intel Free Press under CC
