Cybersecurity teams are increasingly taxed with keeping up to the threat actors exploiting digital security vulnerabilities. These vulnerabilities are growing exponentially. IBM’s X-Force researchers detected 30% of its entire documented vulnerability catalogue in the last three years alone, with 1,440 vulnerabilities on average per organization in 2018. This expansion is largely due to organizations’ larger digital footprints and new technologies like IoT expanding attack surfaces.
Adversaries are developing more advanced attack techniques every day, whether they’re lone-wolf hackers or global teams coordinating a large-scale breach or cyberwarfare campaign.
RSAC, one of the world’s biggest cybersecurity conferences, hosts a recurring keynote discussion about the five most dangerous new cyber attacks in the US and how to counter them. While industry reports by organizations like IBM offer broad insight into cyber threat landscape trends, this talk gives industries a narrower window into new strategies directly from experts on the attack frontlines.
In advance of RSAC 2020 in San Francisco, we’re investigating some of the latest cyber attack types addressed by cybersecurity experts and RSAC speakers Ed Skoudis, Heather Mahalik, and Johannes Ullrich. What are these attack strategies, and how can organizations better stay up-to-date on current threats?
Cyber Attack Techniques to Watch in 2020
At RSAC 2019, Skoudis, Mahalik, and Ullrich identified DNSpionage, domain fronting, BMC hardware flaws, leveraging a lack of DNS over HTTPS, and individualized cloud service attacks as dangerous new attack techniques. The panel revisited these topics at a follow-up webcast in November, hinting at some emerging threats for 2020’s discussion.
Flickr user publicly exposing their own personal data (insurance policy #, full name and address)—discovered using Echosec
Some attack vulnerabilities—specifically targeted breaches leveraged by inadvertent personal data exposure on social media—have not changed much since RSAC 2019, according to Mahalik. Below are five newer threat vectors that organizations are likely to see in the next year and hear about at this year’s RSAC.
1. Command-and-Control Tools
After an attacker has compromised an organization, they use a command-and-control (C2) server to install additional software and malicious code on the targeted computer. This enables attackers to gain and maintain control of one or more computers in an organization’s network—also known as “post-exploitation.” From there, they can steal data or disrupt the network through shutdowns or DDoS attacks.
The go-to tool used by red team and adverse hackers for C2, Empire, was discontinued in July 2019. This precipitated multiple C2 tool developments that Skoudis calls “the golden age of post-exploitation.” Dozens of these tools and their features can be viewed on The C2 Matrix. Command-and-control methods are expected to evolve quickly over the coming months.
Command-and-control tool offered on Dread, the dark web’s equivalent of Reddit, as discovered in Beacon.
2. Living off the Land Binaries and Scripts (LolBaS)
When attackers direct malware to a targeted system, it can be susceptible to detection. One way to hide the presence or origin of malware is by using LolBaS (aka. LolBin) techniques. These use existing capabilities of the target’s operating system in the cyber attack, making it easier for malware to hide behind what appears to be regular system operations.
This attack type is dangerous not only because it minimizes the chance of detection, but also because it enables attackers to create an attack “narrative” so that the target system appears to be functioning normally to security analysts—like an analyst-targeted form of social engineering.
A Russian dark web hacking forum post linking to LolBaS methods, as discovered (and translated) in Beacon.
3. Wire-Embedded Malware
Skoudis also identified the evolution of the “rubber ducky” tactic of years past as an emerging threat. The rubber ducky is a USB drive that devices recognize as a virtual keyboard, injecting malicious code onto any device it is plugged into.
Recently, attackers have been infecting USB dongles with malicious code in the wire itself to infect devices in a similar way. One example of this technique is known as the “USB Ninja.” This strategy points to potential supply chain attacks, which Skoudis describes as a “big area to keep an eye on.”
User requesting USB malware software on a deep web hacking forum—as discovered in Beacon
4. Checkm8 and Checkra1n
Imagine losing your iPhone. As long as it’s locked or encrypted, you can rest assured that your data is safe—right?
According to Mahalik, an iPhone chip vulnerability called Checkm8 is present up to the iPhone 11 Pro. Adversaries can download an exploit called Checkra1n to jailbreak that vulnerability in any lost or stolen iPhone, even if it’s locked. Because the vulnerability is on the chip itself, it can’t easily be recalled and patched by Apple.
If you think about the volume of information held within an iPhone—email and banking app logins, photos, and other personal data—detecting and defending against these targeted mobile exploits are critical for individual data security.
I2P User posting Checkra1n update—as discovered in Beacon
5. DNS Over HTTPS Malware
HTTPS is widely used as a secure communication method over a computer network. In a nutshell, DNS is how computers request and find the IP address associated with domain names you enter in a browser (read more about HTTPS and DNS here). However, DNS requests, which include your IP address and the domain name you’re requesting, can be intercepted. Bad actors can track and sell that information, or respond to your request with an IP address for a spoofed site under their control.
DNS over HTTPS (DoH) essentially encrypts the contents of a DNS request using HTTPS so that this information can’t be exploited. Chrome, Firefox, and some operating systems are moving towards DoH. However, DoH is also increasingly leveraged by adversaries to encrypt malware DNS requests. Ullrich identified PsiXBot (used for sextortion and malspam), and GodLua (installs crypto miners on IoT devices) as relevant malware using DoH.
Dark web discussion forum user requesting PsiXBot software—as discovered in Beacon
Not every organization has the budget for dedicated cybersecurity experts and analysts who can keep their teams up-to-date with new attack techniques—but there are still ways smaller organizations can access current threat data to inform and adapt their security processes. Established security teams can also benefit from additional tools that expand and contextualize their threat data feeds.
Read Industry Reports
IBM, Deloitte, Verizon, and a variety of cybersecurity-focused companies regularly publish free industry reports summarizing current attack strategies and statistics. These reports are useful for assessing what threats are likely targeting your vertical, what to expect in the near future, and how you can better defend against threat actors.
Listen to StormCasts
Johannes Ullrich runs the SANS Internet Storm Centre, which hosts a short daily podcast summarizing active attacks from the previous day. The StormCast is helpful for dialing in on specific, highly up-to-date tactics to watch out for.
Investigate Online Threat Intelligence
Adversaries often use anonymized areas of the internet like the dark web to discuss and advertise current cyberattack techniques and tools. Quickly accessing these unindexed sources, such as forums, marketplaces, and paste sites, is an effective way of finding threats as they are planned and executed.
The Echosec Systems platform enables security teams and threat analysts to quickly search these sources for threats specific to their organization or vertical. Searches are supported by AI classifiers and advanced filters (such as date published) to narrow in on relevant current risks. This information helps organizations stay informed to avoid vulnerabilities and learn how to prevent cyber attacks.
Digital attack surfaces are rapidly expanding, cyberattack attempts are increasing, and threat techniques and tools are rapidly evolving every day. Keeping track of this data and translating it to effective defense strategies is an overwhelming task, even for expert cybersecurity teams equipped with specialized tools.
Threat intelligence tools are necessary to give security teams faster access to relevant data from the source—such as current cyberattack strategy discussions and tools for sale on the dark web. The sooner organizations can detect new threats to cybersecurity, the better they can adapt their security processes to minimize the costs, service disruptions, and reputation damage associated with successful attacks.
How is your organization detecting current cyber threats?
Contact us to see if you’re missing out on any critical sources.