For today’s profit-driven criminals, there’s major money in malware. Malware allows them to package exploits and exfiltration functionality together, making it easier for them to compromise a large number of users quickly and efficiently, before signature-based protections are updated or key indicators of compromise (IOCs) are recognized by the security community.
But just as malware authors have learned to modify file signatures to evade detection by antivirus engines, there are some indications that there is a new shift in behavior that may be taking place to avoid detection by increasingly sophisticated defenses.
Compromise: Easy as “CVE” & “RDP”
In early September, InfoWorld writer Fahmid Rashid reported on what may be a growing trend towards increased malware-less intrusions. Exploiting known software vulnerabilities, weak user authentication schemes, or default passwords to compromise a machine are techniques as old as hacking itself. But this article and others provide anecdotal evidence that attackers are increasingly returning to their “roots” and using legitimate administrator tools on compromised machines to pivot through target networks, compromise additional endpoints and ultimately exfiltrate data.
Basic mistakes (such as default user accounts or misconfigured servers) can be exploited to obtain administrator (or “root”) access and carry out further attacks. As a recent Cisco Security blog post about the “SYNful Knock” malware outlines, attackers are increasingly looking for ways to obtain administrator credentials that will allow them to conduct ongoing attacks against target companies. These credentials could also easily be used to wipe data, change network settings or access data from compromised systems.
Once an attacker has compromised an endpoint, there are a laundry list of methods that can be used to exfiltrate data, but perhaps none are as notorious as RDP, or the Remote Desktop Protocol. RDP comes bundled with most versions of the Windows operating system and provides configurable remote access for users. Over the years, it has gained a well-earned reputation as one of the most commonly-used tools for both remotely exploiting and exfiltrating data from a target. A simple web search for “RDP” and “exfiltration” reveals dozens of infosec conference talks and how-to articles on using RDP for this purpose. When RDP isn’t available on a target machine, IRC, FTP and HTTP are all options in an attacker’s arsenal, as well. File synching services such as Dropbox are another option for attackers and are more likely to be found on target machines as cloud applications become increasingly ubiquitous in the enterprise.
Countermeasures: Start with the Basics
This revival of old school hacking techniques also reflects the fundamental security challenge of differentiating between “good” and “bad” behavior. At its core, malware is software that reduces or circumvents a system’s security, often by exploiting the legitimate services, libraries, and processes of a target operating system. Cisco’s Talos research team recently pointed out in a blog post that sometimes there can be an extensive gray area between truly malicious malware and software that exhibits malware-like behavior.
The simple ability to install new software or connect to a remote machine, for instance, is something that can be easily turned to an attacker’s advantage, and in the end it doesn’t matter if this ability is achieved by dropping an implant on a target machine or by exploiting a web application vulnerability and then escalating user privileges.
The basic countermeasures for denying hackers the ability to exploit weak authentication or known vulnerabilities haven’t changed much from a decade ago: patch often, use two-factor authentication, train your employees to recognize phishing and monitor your networks for anomalous behavior. But in an age of “branded” vulnerabilities and overhyped attack campaigns, it’s worth noting that the methods of compromising targeted networks continue to evolve and evade detection by infosec analysts and engineers.