
Living-Off-the-Land (LOTL) Attacks: Here's Everything You Need to Know

 

In the unrelenting fight of cybersecurity, cyberattacks continue to become more elusive and sophisticated. Among these, threat actors who use Living Off the Land (LOTL) strategies have emerged as strong adversaries, exploiting legitimate system features and functionalities to stealthily compromise networks. 

As defenders deal with this stealthy threat, a new study from the Cybersecurity and Infrastructure Security Agency (CISA) sheds light on the tactics, methods, and procedures (TTPs) used by attackers and provides critical insights into recognising and combating LOTL attacks. LOTL attacks use pre-existing software and legitimate system tools to carry out malicious actions, allowing attackers to go undetected amid the chaos of network traffic. 

Rather than creating proprietary malware or tools, attackers take advantage of built-in programmes such as PowerShell, which has been accessible on all Windows operating systems since November 2006. 

Benefits of leveraging existing tools in cyber attacks 

The appeal of employing existing technologies stems from their widespread availability and familiarity inside enterprise environments. These tools enable simple access to both local and domain-based setups, allowing attackers to automate administrative activities and execute commands with ease. By using these tools, attackers avoid the time-consuming process of developing, testing, and distributing specialised tools, saving both time and resources. 

Furthermore, the intrinsic complexity of developing and distributing tooling across numerous operating systems and environments presents a significant challenge for cybercriminals. By leveraging existing tools, attackers avoid the need to address compatibility issues, dependencies, and potential detection systems. This method significantly lowers the chance of discovery because built-in tools blend smoothly into regular system activity, making it difficult for defenders to distinguish between authorised and malicious use. 

Prevention tips

It is impossible to overestimate the importance of mitigating LOTL tactics in light of the latest Volt Typhoon study published by CISA. Defenders need to be proactive and alert as cyber attackers continue to hone their strategies and identify vulnerabilities in organisational defences. 

Organisations can fortify their defences and mitigate the risks posed by LOTL attacks by utilising the insights in the research and implementing a defence-in-depth security strategy. Here's how organisations can successfully defend against LOTL attacks. 

Visibility is critical: relying just on preventative technology is insufficient to combat attackers that use authorised tools. Visibility into all operations throughout the entire infrastructure is required to detect and mitigate such risks. 

Identifying authorised users: Determine who should be utilising tools that can be used to launch LOTL attacks, such as scripting languages or administrative tools. 

Enable comprehensive logging: Use granular logging to monitor LOTL tool usage. For example, enabling enhanced logging for PowerShell scripting yields useful information.
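The last two tips above, combined in an added PowerShell example (not from the original post or the CISA study): it enables script block logging through the policy registry value, then lists recent script block events (event ID 4104) run by accounts outside an allowlist. The account names and the function name `Get-UnauthorisedScriptBlock` are hypothetical placeholders.

```powershell
# Added example. Run from an elevated PowerShell session.

# Enable script block logging via the policy registry key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Assumption: the accounts authorised to run PowerShell on this host.
$authorised = @('EXAMPLE\svc-patching', 'EXAMPLE\admin-jdoe')

function Get-UnauthorisedScriptBlock {
    param(
        [string[]]$Allowed,   # DOMAIN\name entries permitted to use PowerShell
        [int]$Hours = 24      # how far back to search
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # UserId is a SID; resolve it to DOMAIN\name, keep the SID if that fails.
            $sid = $_.UserId
            $account = if ($sid) {
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else { 'unknown' }

            if ($account -notin $Allowed) {
                # Property index 2 of event 4104 holds the script block text.
                $text = [string]$_.Properties[2].Value
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = $account
                    Script  = $text.Substring(0, [Math]::Min(200, $text.Length))
                }
            }
        }
}

Get-UnauthorisedScriptBlock -Allowed $authorised | Format-Table -AutoSize -Wrap
```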

Be Wary Because Cybercriminals Are Getting More Ingenious

 

In the media, misinformation is regularly discussed, primarily in relation to politics and is often used interchangeably with fake news. Even though these are major problems, a greater and more direct threat is frequently disregarded: how cybercriminals utilise false information to steal from businesses and people. 

The dictionary defines disinformation as "false or inaccurate information, especially that which is deliberately intended to deceive." But when mixed with a lot of exact and genuine information, particularly information that only a select few are aware of, misinformation can be highly persuasive and deceitful. Criminals can use real information stolen through cyberattacks, along with a little bit of deception, to have a significant financial impact on both businesses and people. 

Using wire transfers for profit 

Most of us have heard of fraud schemes that target credit card information. Most of the time, erroneous credit card charges may be disputed or reversed, preventing you from eventually losing any money. However, there is a significant distinction with wire transfers: they are frequently immediate and irreversible. In other words, if a wire transfer is used, the money is lost, especially if the fraud is not found right away. This functionality has been used by cybercriminals in a number of ways. 

One example is when crooks get access to a company's computer systems and spend time reading emails and understanding internal procedures. The fraudsters discover who is authorised to provide wire transfer orders to the financial office and what the procedures are. They then pose as these officials one by one for several days, issuing wire transfer orders, some for more than $500,000, to the criminals' accounts. When one organisation the author spoke with realised this costly problem, protocols were put in place to require proof that such wire transfers were indeed requested by authorised individuals. This entailed connecting directly with the authorised individual over the phone and checking the transaction's details.

Unfortunately, such sensible processes are frequently implemented only after a crime has already occurred. Wire fraud can cost individuals as well as organisations money. Executive home buyers are a popular target demographic. A critical step in most home buying transactions is the wire transfer of a substantial sum of money to a title or escrow company, which holds the funds until the title to the property is transferred to the new owner, and then, and only then, the escrow company transfers those funds to the home seller.

Criminals take advantage of these circumstances by following a multi-step process. First, they gain access to the computer systems of the real estate agent, attorney, or title agent. They could spend weeks or even months researching impending closings, company procedures, and minutiae such as sample wire transfer instructions. Because last-minute issues can occur, property purchasers are frequently advised to make the wire transfer a day or two in advance.

Since the title corporation generally gives the instructions one day ahead of time, cyber thieves will send the instructions two days ahead of time. Because they are based on the real instructions, these instructions look to be from the title firm, but the destination information has been changed. They have buried a small amount of false information among a large amount of accurate material. This method has been used to steal hundreds of millions of dollars in a single year. According to FBI data, more than 13,000 people were actually the victims of wire fraud in the real estate and rental industry in 2020, resulting in losses of more than $213 million, a 380% rise from 2017. 

Consider a scenario in which you sold your old house and used the proceeds, along with your savings, to purchase a newer, better house in a different city. The day after you move into your new home, you might be halfway to the new city in your automobile when your real estate agent calls to inquire about the status of your down payment. After making numerous anxious calls, you finally learn that your money was taken, leaving you penniless and homeless.

There are a number of actions that both individuals and businesses can take to lower the risk of cybercrime with wire transfers. Before sending money, you should always call the person who is supposed to receive it to confirm the wire transfer instructions. The criminals may have included a fake phone number in the instructions you received, so make sure you can confirm that you are actually speaking to the right person. To do this, always check the correct number in advance using an official website or by speaking directly to a known source who can confirm the correct information.

Stealing paychecks 

Many businesses offer systems that enable employees to update and retain their personal data, including their home address, phone number, and banking information for direct deposit of their paychecks on a monthly basis. Some highly paid employees' accounts were compromised by criminals, who changed the bank information the day before the payment was scheduled to be made. So that nothing would be observed as being out of the ordinary, they updated the bank details back to normal the following day. They carried on with this plan for a few months before an executive realised the scheduled monthly payments had not reached his bank after receiving a notification of insufficient funds on a cheque. This shows how crucial it is to monitor your bank account frequently enough to spot odd or fraudulent behaviour, especially to make sure that expected deposits are being made. 

Boss scam 

The typical hoax, in which the CEO of the business requests that the CFO deliver money somewhere, is one that most of us have heard of. You could think that since you aren't a CEO, these frauds don't apply to you, but that isn't the case. One variation of this scam, which is particularly prevalent on college campuses, involves staff members receiving what looks to be an email from a higher-up, usually the department head. One example of a narrative presented to a staff person is, "I just realised that I am going to my nephew's birthday party tonight and I'm in meetings all day, so I won't have time to get a gift. Could you please do me the courtesy of purchasing a $100 gift card and emailing me the numbers on the back?"

One victim bemoaned, "It was not just coming from one of my colleagues; it came in the name of my department chair." Eight out of ten faculty members in one department fell for the con, according to a story I've heard. It is crucial to confirm once more that your supervisor is the true sender of the communication.

Bottom line

All of this is to say that while fake news and other forms of disinformation are a problem, having a lot of reliable data combined with even a small amount of misinformation can have catastrophic results. These are but a few current instances. As mentioned, there are steps that can be taken to prevent such crimes, or at the very least significantly lower their frequency, but they must be implemented before the crime occurs. 

However, keep in mind that cybercriminals are extraordinarily inventive and frequently equipped with a wealth of personal data. It is crucial to stay informed about new schemes, to exercise caution, and to build your defences because more dangerous plots could be on their way.

SideWinder Launched Nearly 1000 Assaults in Two Years

 

The South Asian APT organization SideWinder has been on a tear for the past two years, launching nearly 1,000 raids and deploying increasingly sophisticated assault techniques.

Earlier this week, Noushin Shabab, a senior security researcher at Kaspersky, shared her findings on SideWinder's attack methodologies at the Black Hat Asia conference.

SideWinder has been active since at least 2012 and primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries. In recent years, they have also targeted departments of Foreign Affairs, Scientific and Defence organizations, Aviation, IT industry, and Legal firms. Some of their newly registered domains and spear-phishing documents indicate this threat actor is expanding the geography of its targets to other countries and regions. 

SideWinder has become one of the planet's most prolific hacking groups by expanding the geography of its targets to other countries and regions. However, the reason behind its expansion remains unknown. 

Last year, the group deployed new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and Open Office documents. Kaspersky has observed unique encryption keys deployed across over 1,000 malware samples sourced from the group.

The threat actor even ran two versions of its obfuscation techniques over several months, and appears to have shifted from an older and less stealthy version to its current malware. SideWinder also changes the domains for its command-and-control servers and its download servers regularly. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well.

In January 2020, Trend Micro researchers revealed that they had unearthed SideWinder exploiting a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android users when it was first published. 

“I think what really makes them stand out among other APTs [advanced persistent threat] actors are the big toolkit they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure. I have not seen 1,000 attacks from a single APT from another group until further,” Shabab stated.