Advanced cyber attacks that make detection difficult
Andrea Licciardi
Cybersecurity Manager MBA | CISM | CRISC | CCISO | ISO27001 | CSSK | ITIL | C-CEH | CTIA | COBIT | Google IT Pro | CCZT
Many companies faced new challenges during the Covid-19 pandemic: people changed how they live, work and carry out their daily activities in a digitised world, and many organisations adopted remote working and had to change their approach to cybersecurity.
This period will certainly go down in history as the COVID period.
During the pandemic we saw the growth of complex and targeted ransomware attacks.
Industry and service sectors, including local governments and healthcare organisations, have been heavily impacted by these attacks.
Cybercriminals spent a great deal of time collecting intelligence on their victims before striking, which made their ransomware attacks more targeted and more effective.
Cyber threat actors often combine ad-hoc techniques with standard attack techniques to evade defences, move laterally and remain invisible and stealthy inside the attacked networks.
This makes it increasingly difficult to detect them.
Cybercriminals are increasingly organised into groups structured like real companies, or even industries, whose aim is to improve their "revenue".
In addition, the increased exposure of the most critical systems brought by greater connectivity (5G, IoT systems, etc.) gives cybercriminals more attack opportunities:
- More companies are using unpatched and untested devices, which are easy targets;
- Cloud services and Internet-connected devices are much more prevalent;
- Operational technology (OT) threats are still underestimated, but will soon become a major business criticality.
Today it is difficult to assess the risk represented by each device.
Also not to be ignored is the fact that this period has seen an increase in the number of OT vulnerabilities reported by researchers and addressed by vendors with patches. But patches are often created only after successful attacks have revealed the bugs present in the devices, so OT security cannot be approached only by installing patches.
But back to us: as companies improve their cybersecurity and network architecture, attackers are evolving new techniques to evade defences, move laterally inside the network and escalate to administrator privileges.
Even segmented networks are now being bypassed by sophisticated attacks, since getting past segmentation is a necessary condition for maintaining long-term persistent access to the victimised corporate network.
What to do to defend against or counter this evolution of cyber attacks? I would start with this phrase that accompanies me in all my cybersecurity activities.
It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.
But in order to defend ourselves, we first need to be aware of how an attacker can strike our company.
From experience with the attacks analysed, some recurring traits have emerged that can be summarised in the following points:
1. In most cases, the network infrastructure is accessed by exploiting vulnerable firewalls, exposed RDP services, or credentials stolen through phishing campaigns. Internet-wide scanning services are likely used to find vulnerable devices automatically.
2. Regarding accounts, attackers typically compromise multiple accounts during an attack, because they need to gain access to domain administrator accounts. Alternatively, they hunt for specific administrator accounts that will give them access to sensitive data, backup systems and security management consoles. Attackers often use tools such as Mimikatz to steal login credentials. Sometimes this program is left running while the attackers deliberately break a service to force an administrator to log in and fix it, harvesting the privileged credentials in the process.
3. Attackers hide silently in the target infrastructure for days, weeks or even months. They take as long as they need to analyse all the assets and prepare the attack to do as much damage as possible, and then demand the "right" financial compensation.
4. While on the network, cybercriminals locate backups, data and business-critical applications using legitimate network scanners such as Advanced Port Scanner and Angry IP Scanner, which are difficult for security systems to block. They then collect the list of IP addresses and computer names, which are easy to match up since IT administrators usually assign descriptive names to their servers on purpose. They try to gather all the information needed to understand the whole infrastructure and eventually identify misconfigurations in Active Directory: tools like BloodHound (an open-source tool for the security analysis of Active Directory domains; it models AD objects and their permissions as a graph and highlights "potential" privilege escalation paths, uncovering hidden or complex attack paths that can compromise a network's security) are used together with native functions and ad-hoc customisations for the chosen victim.
5. Attackers download and install backdoors that allow them to move freely in and out of the network and install additional tools. They will likely create folders and directories to collect and store all the stolen information for exfiltration. Many of these backdoors are legitimate applications, so bypassing anti-malware is not complicated. An example is AnyDesk, not forgetting Cobalt Strike (a paid penetration testing product that lets an attacker deploy an agent named "Beacon" on the victim machine), which cannot be identified without a proper security solution. Legitimate tools and protocols (FTP, BITSAdmin) can be used for malicious activity, but much more dangerous, if not identified, is traffic passing through anonymising proxies (Tor), which is usually a symptom of a remote command-and-control server.
6. Before encrypting data and disrupting operations, attackers attempt to exfiltrate hundreds of gigabytes of corporate data. This technique is used for double extortion, and the most valuable data is often sold on the dark web to other cybercriminals for use in future attacks.
7. In addition to servers and endpoints, attackers will attempt to encrypt, delete, reset or uninstall all backups. Unless the backups are stored offline, they are unlikely to survive.
8. Attackers always try to disable the security solutions you use. Most AVs are easy to "turn off" or to evade. Even with advanced solutions, there will be an attempt to access the security management console to disable protection just before the actual attack starts. And if the console is on premises and the attackers hold an administrator's credentials, it will not be difficult for them to score.
9. The attacker starts the data encryption process. This process can take hours, which is why it is usually started in the middle of the night, at the weekend or during holidays. It is at this point that the attackers come out of the woodwork.
10. Once encryption is complete, all endpoints and servers that were online at the time of the attack are inaccessible.
11. Even though the game seems over, the backdoors are still active and the cybercriminals will continue to monitor the situation. It is therefore important to be aware that even after carrying out the attack, the attacker will still be present in the infrastructure, maintaining the "persistence" needed to launch a second attack or to put pressure on the victims to get what the attacker wants: Bitcoin.
12. After due time has elapsed, an excerpt of the theft will be posted online to make it clear that the threat is serious and add further pressure.
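Several of the steps above leave traces in ordinary Windows event logs that a defender can correlate before the encryption phase starts. The following Python script is an added example, not code from the original article; it runs three simple rules over a handful of constructed, simplified event records (the hosts, account names, timestamps and event fields are invented for illustration): a burst of internal connections from one workstation (step 4), a service stop followed by a privileged interactive logon on the same host (the Mimikatz trap in step 2), and process command lines that delete backups or disable protection (steps 7 and 8). The privileged-account list, window sizes and thresholds are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, host, eid, **fields):
    """Build one simplified event record (constructed, not a real log line)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": eid, **fields}


T = "2024-03-02T02:{:02d}:{:02d}"   # a Saturday night, as in step 9

SAMPLE_EVENTS = (
    # Step 4: one workstation reaching 25 internal hosts on port 445 within a
    # minute. Event 5156 (WFP permitted a connection) is the scan signal.
    [ev(T.format(10, i), "WS-FIN-07", 5156, src="10.10.5.23",
        dst="10.10.1.{}".format(i + 1), dport=445) for i in range(25)]
    # Step 2: a service is stopped, then a Domain Admin logs on via RDP
    # (event 7036 from the Service Control Manager, then event 4624 type 10).
    + [ev(T.format(20, 0), "SRV-FILE-01", 7036, service="Print Spooler", state="stopped"),
       ev(T.format(26, 30), "SRV-FILE-01", 4624, user="CORP\\da.rossi", logon_type=10)]
    # Steps 7 and 8: backup destruction and protection tampering, seen as
    # event 4688 (process creation) with command-line auditing enabled.
    + [ev(T.format(31, 5), "SRV-BACKUP-02", 4688, cmd="vssadmin.exe delete shadows /all /quiet"),
       ev(T.format(31, 9), "SRV-BACKUP-02", 4688, cmd="wbadmin delete catalog -quiet"),
       ev(T.format(33, 0), "SRV-FILE-01", 4688,
          cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
       ev(T.format(40, 0), "WS-HR-02", 4688, cmd="notepad.exe C:\\Users\\x\\todo.txt")]  # benign
)

SCAN_WINDOW = timedelta(seconds=60)   # assumption: sliding window for scan detection
SCAN_MIN_TARGETS = 20                 # assumption: distinct hosts that count as a scan


def detect_scan_bursts(events):
    """Flag a source that reached SCAN_MIN_TARGETS distinct hosts inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        if e["eid"] == 5156:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= SCAN_WINDOW]
            targets = {x["dst"] for x in window}
            if len(targets) >= SCAN_MIN_TARGETS:
                alerts.append({"rule": "internal_scan_burst", "host": first["host"],
                               "src": src, "targets": len(targets)})
                break   # one alert per source is enough
    return alerts


TRAP_WINDOW = timedelta(minutes=30)   # assumption: how soon an admin reacts to an outage
PRIVILEGED = {"corp\\da.rossi"}       # assumption: a maintained list of tier-0 accounts


def detect_forced_admin_logons(events):
    """Service stop followed, on the same host and within TRAP_WINDOW, by an
    interactive (type 2) or RDP (type 10) logon of a privileged account."""
    stops = [e for e in events if e["eid"] == 7036 and e["state"] == "stopped"]
    logons = [e for e in events if e["eid"] == 4624 and e["logon_type"] in (2, 10)
              and e["user"].lower() in PRIVILEGED]
    alerts = []
    for s in stops:
        for l in logons:
            if l["host"] == s["host"] and timedelta(0) <= l["ts"] - s["ts"] <= TRAP_WINDOW:
                alerts.append({"rule": "priv_logon_after_service_stop", "host": s["host"],
                               "service": s["service"], "user": l["user"]})
    return alerts


# Command-line patterns for backup destruction (step 7) and protection tampering
# (step 8); case-insensitive and tolerant of extra arguments.
TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "defender_realtime_off": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
}


def detect_tampering(events):
    """Match process-creation command lines against TAMPER_PATTERNS."""
    alerts = []
    for e in events:
        if e["eid"] != 4688:
            continue
        for name, pat in TAMPER_PATTERNS.items():
            if pat.search(e["cmd"]):
                alerts.append({"rule": name, "host": e["host"], "cmd": e["cmd"]})
    return alerts


def run_detections(events):
    """Run all rules and return the alerts sorted by rule name."""
    alerts = detect_scan_bursts(events) + detect_forced_admin_logons(events) + detect_tampering(events)
    return sorted(alerts, key=lambda a: a["rule"])


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the script raises five alerts (the scan burst, the privileged logon after the Print Spooler stop, the two backup-deletion commands and the Defender tampering) and stays silent on the benign notepad line. In a real deployment these rules would be fed from a SIEM or EDR rather than an in-memory list, and the scan rule in particular needs the source-to-destination counting done per time bucket to stay cheap at volume.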
But what needs to be done to counter these sophisticated attacks?
"The best of the best is not to win one hundred battles out of one hundred, but to subdue the enemy without a fight."
It is necessary to understand that ONE cybersecurity platform that protects "from everything" 100% of the time has not been developed yet, so the best advice I can give is to rely only on information security approaches and frameworks recognised as reliable and innovative, and on companies or experts who are extremely competent in the field of cybersecurity. It is important to implement modern and overlapping solutions, in fact different layers of security, that make it difficult or almost impossible for an automated attack or a hacker to reach critical assets and strategic business data.
In summary, a set of few but smart solutions that work in synergy to defend your network and corporate data is the best choice for your cybersecurity.
Every long journey begins with a first step
Regional Sales Manager
3 years ago
So one take-away from this picture is: make sure attackers can't use accounts with elevated privileges! Use a Zero-standing-privileges approach when managing your network.
Regional Manager SEEUR at Netwrix Corporation
3 years ago
Nice article Andrea, I totally agree with your last sentence: "few but smart solutions that work in synergy". As you know I have been working since "ages" for several Security Vendors and I always tell my prospects not to believe vendors or consultants that offer you the 100% security tool.... simply it does not exist! The future is INTEGRATION.... any security tool you are going to use in your environment should/must integrate with all the other tools to have a holistic approach and mitigate the risk!