Threat model: how and why we categorized hackers
For a long time we divided cybercriminals into two groups: amateurs and professionals. The first were armed with cheap, off-the-shelf malware and indulged in petty hooliganism; the second developed their own tooling and went after big business and government. The scheme is clear and simple. The only problem is that the attackers themselves have outgrown it. Since you need to know the enemy by sight, we at JSOC decided to approach the classification from the other side: by the tools, methods and goals of the attackers. The result is five levels of intruder. In this post we try to show how, in our view, attacker tooling and approaches have changed and what attackers at each level of qualification are capable of. We hope you find it interesting.
Attackers are growing in skill and attacks are becoming more sophisticated. The 2010s, when attackers came in quickly, took the most valuable thing (usually money) and left (if they managed to), are over. Now the goal is to get into the victim's infrastructure, reach its key nodes and stay there unnoticed for as long as possible. Targeted attacks are on the rise, and attackers increasingly pick a specialization: they go after companies of a certain size in a certain sector of the economy, depending on what they believe they are capable of and what they are after.
What's in a hacker's arsenal
Code obfuscation
As we said, the attackers' toolbox has become more sophisticated. Obfuscation is used far more often when writing malware: the code is transformed in a way that does not change its behaviour or functionality but makes it much harder to analyze after decompilation or disassembly. Because the transformed sample no longer matches the signatures written for the original, it has a much better chance of getting past sandboxes and host antivirus.
The disassembler screenshot (not reproduced here) shows the result: dozens of tiny basic blocks and jumps between them. This web hides the main malware logic, which in turn greatly improves the odds that the sample is delivered and executed on the victim's host without being flagged.
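The two tricks behind that web of blocks, as an added example (this is illustrative code written for this page, not the sample from the screenshot or any real malware): a string is stored XOR-encoded so that `strings` and file signatures never see the C2 host name, and a straight-line routine is rewritten as a state machine driven by one dispatcher loop, which is what control-flow flattening looks like in a disassembler. The key, the host name and the checksum routine are invented for the demo.

```python
"""Added example, not code from the original post or from any malware sample:
two obfuscation tricks that keep behaviour identical while defeating the
signatures and strings an analyst or an AV engine relies on.

  1. String encryption: the C2 host name is stored XOR-encoded and decoded only
     at run time, so `strings` and a YARA rule on the file never see it.
  2. Control-flow flattening: a straight-line routine is rewritten as a state
     machine driven by one dispatcher loop, the web of tiny blocks and jumps
     the section describes.

The key, the host name and the checksum routine are invented for the demo.
"""

KEY = b"\x5a\xc3\x17"          # hypothetical per-sample key


def xor_encode(plain: bytes, key: bytes = KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plain))


def xor_decode(blob: bytes, key: bytes = KEY) -> bytes:
    return xor_encode(blob, key)   # XOR is its own inverse


# What ships inside the binary: only the encoded form (constructed host name).
C2_PLAIN = b"c2.example-invalid.test"
ENC_C2 = xor_encode(C2_PLAIN)


def literal_visible(file_image: bytes, needle: bytes) -> bool:
    """Crude stand-in for `strings file | grep needle`."""
    return needle in file_image


def checksum_plain(data: bytes) -> int:
    """Readable version: the Adler-32 rolling checksum."""
    a, b = 1, 0
    for byte in data:
        a = (a + byte) % 65521
        b = (b + a) % 65521
    return (b << 16) | a


def checksum_flattened(data: bytes) -> int:
    """Same function after control-flow flattening: every basic block is one
    case of a dispatcher, block order in the source no longer matches execution
    order, and the byte-level shape of the function shares nothing with the
    original, so a signature written for checksum_plain does not match."""
    state, i, a, b = 0x11, 0, 1, 0
    while True:
        if state == 0x48:                 # exit block, listed first on purpose
            return (b << 16) | a
        elif state == 0x3a:               # loop body, second half
            b = (b + a) % 65521
            i += 1
            state = 0x11
        elif state == 0x11:               # loop header
            state = 0x2f if i < len(data) else 0x48
        elif state == 0x2f:               # loop body, first half
            a = (a + data[i]) % 65521
            state = 0x3a
        else:                             # unreachable filler block
            state = 0x11


if __name__ == "__main__":
    print("plaintext C2 visible in shipped bytes:", literal_visible(ENC_C2, b"example"))
    print("decoded at run time:", xor_decode(ENC_C2))
    print("flattened == plain:", checksum_plain(b"hello") == checksum_flattened(b"hello"))
```

The defender's counter is implied by the code: static signatures on the shipped bytes fail, so detection has to move to what the sample does at run time (the decoded string, the network connection), which is why the post keeps returning to monitoring rather than antivirus.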
Hiding C&C behind Tor nodes
Another interesting approach is the use of Tor nodes (a distributed network whose nodes relay encrypted traffic among themselves). Where earlier Tor was used only to deliver encryption keys during the encryption of the victim's infrastructure, today it hides the real addresses of the malware command-and-control servers. This significantly reduces the effectiveness of classic threat-intelligence feeds that list command centers (IP addresses, domains).
Given that there are thousands of Tor nodes and the list changes constantly, you have two options: monitor the use of Tor in the organization and block it as you go, or accept the risk, because no feed will ever protect hosts from a control server hidden this way.
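The monitoring option, as an added example (this code is written for this page and is not JSOC's tooling): instead of matching destinations against a C2 feed, match them against the Tor relay list and alert on the internal host that talks to relays. The relay addresses and firewall lines below are constructed; in production the set comes from the current Tor consensus and must be refreshed often.

```python
"""Added example, not from the original post. The point above is that C2 feeds
are blind when the real controller sits behind Tor, but the relay list itself
is public, so what you monitor is the connection to the Tor network. The relay
addresses below are constructed test values; in production pull the current
consensus (for example from the Tor directory authorities or Onionoo) and
refresh it at least hourly, because relays churn constantly. Bridges and
pluggable transports are not in the consensus, so this check is necessary, not
sufficient. The firewall log lines are constructed."""
import re
from collections import defaultdict

TOR_RELAYS = {"198.51.100.7", "198.51.100.9", "203.0.113.44"}   # constructed, not real relays

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed firewall export (not real traffic).
SAMPLE_LOG = """\
2020-10-05T09:12:01Z src=10.20.1.15 dst=203.0.113.44 dport=9001 action=allow
2020-10-05T09:12:05Z src=10.20.1.15 dst=93.184.216.34 dport=443 action=allow
2020-10-05T09:13:10Z src=10.20.1.15 dst=198.51.100.7 dport=443 action=allow
2020-10-05T09:14:00Z src=10.20.1.22 dst=198.51.100.9 dport=9001 action=deny
2020-10-05T09:15:30Z src=10.20.1.15 dst=203.0.113.44 dport=9001 action=allow
"""


def parse(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def tor_contacts(log_text, relays=TOR_RELAYS):
    """{src_host: [(ts, dst, dport, action), ...]} for flows to a known relay.
    Denied flows are kept on purpose: a blocked attempt still means a host
    that tried to reach Tor, which is the signal the post recommends watching."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is not None and ev["dst"] in relays:
            hits[ev["src"]].append((ev["ts"], ev["dst"], ev["dport"], ev["action"]))
    return dict(hits)


def alerts(log_text, min_flows=2):
    """One alert per internal host. A single relay contact is reported at low
    severity because relays also host ordinary web sites; repeated contacts,
    especially to several relays, are the reliable sign of a Tor client."""
    out = []
    for src, flows in tor_contacts(log_text).items():
        out.append({
            "host": src,
            "severity": "high" if len(flows) >= min_flows else "low",
            "relays": sorted({f[1] for f in flows}),
            "flows": len(flows),
        })
    return sorted(out, key=lambda a: a["host"])


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Note that 443 is used both by Tor relays and by everything else; the decision here is made on the destination address, never on the port.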
Smart malware
Modern malware is getting smarter. For example, samples have learned to tell whether they are running in a virtualized environment or on an analyst's test bench. They detect the first by inspecting running processes: if the malware finds VMware or Hyper-V components, it goes to sleep. When it lands on a test bench, the malware takes a screenshot of the desktop and sends it to the attacker, who can then decide whether the infected host is worth the effort. As a result, finding a valuable target now costs the attacker much less time and effort.
In one case the malware was stitched into an ordinary photo hosted on the well-known and, importantly, legitimate image-sharing service imgur.com. This is full-fledged steganography: the picture was downloaded to the host from a legitimate site, after which part of the image was reassembled into the malware that did all the dirty work on the infected host.
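A first triage check for the image case, as an added example (written for this page, not the tooling from the investigation described): the most common way to stash a payload in a picture is to append it after the image's logical end, where viewers and image hosts ignore it. The functions below walk the real PNG chunk list and the JPEG marker sequence to find that end, and also list non-standard PNG chunks. The sample files are constructed in the code; pixel-level steganography needs statistical tests and is out of scope here.

```python
"""Added example, not from the original post: triage for 'malware inside a
photo'. The simplest and most common trick is to append the payload after the
image's logical end (PNG IEND chunk or JPEG EOI marker): viewers and image
hosts ignore the tail, so the file still displays. The functions below walk
the real container structure and return whatever follows the end marker, and
flag PNG chunks a normal encoder would not emit. True LSB steganography hides
in pixel data and needs statistical tests; this only finds appended and
chunk-smuggled data. The PNG/JPEG samples are constructed in the code."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal encoder emits; anything else deserves a second look.
PNG_KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
             b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
             b"hIST", b"tIME", b"eXIf"}


def png_chunks(data):
    """Yield (type, data_offset, length) per chunk up to IEND; stop on damage."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return
        yield ctype, pos + 8, length
        pos += 12 + length
        if ctype == b"IEND":
            return


def png_end_offset(data):
    """Offset just past the IEND chunk's CRC, or None if the file is truncated."""
    for ctype, off, length in png_chunks(data):
        if ctype == b"IEND":
            return off + length + 4
    return None


def jpeg_end_offset(data):
    """Walk JPEG markers to the EOI. Length-prefixed segments are skipped by
    their length, so an EXIF thumbnail's own EOI is never mistaken for the end;
    inside scan data 0xFF is always followed by 0x00 or an RSTn marker."""
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                               # EOI
            return pos
        if marker == 0xFF:                               # fill byte, re-sync
            pos -= 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                     # standalone, no length
        if pos + 2 > n:
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:                               # SOS: skip entropy-coded data
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return None


def analyze_image(data):
    """{'kind', 'trailing', 'odd_chunks'}; trailing is b'' for a clean file."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
        odd = [c.decode("latin-1") for c, _, _ in png_chunks(data) if c not in PNG_KNOWN]
        return {"kind": "png", "trailing": b"" if end is None else data[end:], "odd_chunks": odd}
    if data.startswith(b"\xff\xd8"):
        end = jpeg_end_offset(data)
        return {"kind": "jpeg", "trailing": b"" if end is None else data[end:], "odd_chunks": []}
    return {"kind": "unknown", "trailing": b"", "odd_chunks": []}


# ---- constructed test files ------------------------------------------------
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(extra_chunk=None):
    """A valid 1x1 red RGB PNG, optionally with a private chunk inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one RGB pixel
    body = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    if extra_chunk:
        body += _chunk(*extra_chunk)
    return body + _chunk(b"IEND", b"")


def make_jpeg():
    """Marker skeleton only (SOI, APP0, SOS with a stuffed 0xFF00 and an RST
    marker inside the scan, EOI): enough to exercise the walker, not a picture."""
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")


PAYLOAD = b"MZ-this-stands-in-for-a-dropper"   # constructed, not a real binary
```

Run `analyze_image(open(path, "rb").read())` over a quarantine folder and anything with a non-empty `trailing` or a private chunk goes to a human; a clean download from an image host should return an empty tail.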
Readily available vulnerabilities
The share of critical vulnerabilities grows every year, and so does the speed at which they are exploited. Earlier it was Shellshock and EternalBlue, discussed and exploited for a year and a half to two years. Today it is the Citrix NetScaler vulnerability (CVE-2019-19781, which gives access to a company's internal network from the Internet), which took down many companies in just six months. Since this product is widely used by both state corporations and commercial companies, many of those who did not patch in time suffered.
Another example: the critical Zerologon vulnerability (CVE-2020-1472) was disclosed recently. We have not yet seen real attacks using it, but its exploitation is obviously not far off. At the same time, almost immediately after Zerologon was disclosed, we found a ready exploit for it in Kali Linux.
According to our statistics, closing a vulnerability takes an organization from one month to several years, and the one-month figure is for the most progressive sector, banking. In government agencies the process can take months or even years: we have seen dinosaurs like WannaCry and WannaMine still alive in the infrastructures of government customers.
Legitimate utilities
Here attackers follow the principle of "hide in plain sight". For example, security researchers launched a platform, ceye.io, for testing vulnerabilities (running test attacks against organizations) and collecting the results: a vulnerable target makes a DNS or HTTP request to the tester's personal subdomain on the platform, and the platform logs it. Since the project was open, both white-hat and gray-hat hackers could register: the former to find a vulnerability and report it to the resource owner, the latter to use the vulnerability for personal gain. Attackers took advantage of this. After registering, they began to "leak" company data, first into their personal account on the portal and then out of it. The organizations themselves saw the leaks in their logs but, since it was a research portal, assumed someone was running a penetration test or something similar, and did not block the resource.
Another option is using NirSoft utilities and PowerShell, both legitimate administrative tools. NirSoft tools can collect saved passwords from every browser on the host, and PowerShell lets an attacker quietly enumerate internal user data. Recently criminals have also turned their attention to centralized infrastructure management through legitimate services: taking over a Kaspersky Security Center server and using it to reach any host is a classic in both pentests and real attacks. The most critical variant: if resources are not monitored, seize a domain controller, sit quietly on it in the company of the admins and do whatever you like.
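What those organizations could have alerted on, as an added example (written for this page, not the customers' or JSOC's detection content): out-of-band testing platforms log every DNS request that reaches a user's personal subdomain, so exfiltration looks like a series of long hex-encoded labels under `<account>.ceye.io`. The rule below flags queries to a list of such platforms (a partial list assumed for the demo) and, as a fallback, long high-entropy labels under any domain; the resolver log lines are constructed. It reports rather than blocks, because the same platforms are legitimately used by pentesters.

```python
"""Added example, not from the original post: detection for the ceye.io-style
abuse described above. Out-of-band (OOB) testing platforms hand each user a
personal subdomain and log every DNS or HTTP request that reaches it, so an
attacker can exfiltrate data simply by making the victim resolve
<data>.<account>.ceye.io. The same platforms are used legitimately by
pentesters, which is why the rule reports rather than blocks, and why it
separates 'known OOB platform' hits from generic long, high-entropy labels.
The domain list is a partial one assumed for the demo; the DNS log lines are
constructed."""
import math
import re
from collections import Counter, defaultdict

# Public OOB-interaction platforms (assumed, partial list; extend from your own CTI).
OOB_DOMAINS = ("ceye.io", "burpcollaborator.net", "oastify.com", "interact.sh", "dnslog.cn")

# Constructed resolver log: "<ts> <client> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2020-10-05T10:00:01Z 10.20.1.15 www.example.com A
2020-10-05T10:00:07Z 10.20.1.15 4a6f686e.5375706572536563726574.k3j8x2.ceye.io A
2020-10-05T10:00:08Z 10.20.1.15 70617373.776f7264313233.k3j8x2.ceye.io A
2020-10-05T10:00:12Z 10.20.1.30 mail.example.com MX
2020-10-05T10:00:15Z 10.20.1.30 zx9k2mf8qn3vt7hb4yd6cw1pe5rg0lsa.cdn.example.net A
2020-10-05T10:00:20Z 10.20.1.42 k3j8x2.ceye.io TXT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(qname, min_label=30, min_entropy=3.5):
    """(reason, detail) for a suspicious name, None otherwise."""
    q = qname.rstrip(".").lower()
    for dom in OOB_DOMAINS:
        if q == dom or q.endswith("." + dom):
            sub = q[: -len(dom) - 1] if q != dom else ""
            return ("oob-platform", {"platform": dom, "subdomain": sub})
    longest = max(q.split("."), key=len)
    if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
        return ("high-entropy-label",
                {"label": longest, "entropy": round(shannon_entropy(longest), 2)})
    return None


def detect(log_text):
    """Aggregate per client: suspicious query count, reasons, and how many label
    characters were carried, an upper bound on the volume exfiltrated."""
    per_client = defaultdict(lambda: {"queries": 0, "reasons": set(), "approx_bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict is None:
            continue
        reason, detail = verdict
        rec = per_client[m["client"]]
        rec["queries"] += 1
        rec["reasons"].add(reason)
        carried = detail.get("subdomain", detail.get("label", ""))
        rec["approx_bytes"] += len(carried.replace(".", ""))
    return {c: {**r, "reasons": sorted(r["reasons"])} for c, r in per_client.items()}


if __name__ == "__main__":
    for client, rec in detect(SAMPLE_DNS_LOG).items():
        print(client, rec)
```

The entropy fallback catches the same technique pointed at an attacker's own domain rather than a public platform; tune `min_label` against your CDN and anti-spam lookups, which are the usual false positives.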
RDP and everything else left exposed
And how much pain the pandemic brought us (and how many opportunities it gave them)! Many organizations switched to remote work the quick and easy way, by exposing RDP to the Internet. The same story with web services for videoconferencing: as a rule they are unpatched and vulnerable to attacks from outside.
Banal topical phishing remains effective. An email with COVID-19 statistics? Of course, open it! Download the vaccination checklist? Naturally! Not to mention more sophisticated attacks in which the attackers address the victim by full name and register a lookalike domain with an "o" changed to "0".
In 2020 two more attack vectors appeared (of course they always existed, but now they "shone in new colours"): attacks on remote users (for example, by compromising VPN credentials or hacking and infecting home devices) and attacks through a contractor, either hacking it directly or using it to find a vulnerable entry point into the client's infrastructure.
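Catching the "o" to "0" trick, as an added example (written for this page, not JSOC's mail filtering): the sender domain is normalized so that digits, Cyrillic twins and accented letters collapse onto the Latin letters they imitate, and the result is compared with a list of trusted brand domains. The trusted domains are hypothetical; the generalization to Cyrillic and punycode goes beyond the single substitution the text mentions.

```python
"""Added example, not from the original post: spotting the 'o' -> '0' lookalike
domain mentioned above, generalized to the usual substitutions (digits for
letters, Cyrillic letters for their Latin twins, accented letters, 'rn' for
'm'). The trusted domains are hypothetical. Apply it to the sender domain of
inbound mail and to the landing domain of links before a user sees them."""
import unicodedata
from difflib import SequenceMatcher

TRUSTED = ("contoso.com", "contoso-bank.ru")          # hypothetical brand domains

# Characters that look like a Latin letter: ASCII digits/symbols and Cyrillic twins.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def normalize(domain):
    """Collapse a domain to a canonical form for comparison."""
    d = domain.strip().rstrip(".").lower()
    if "xn--" in d and d.isascii():               # punycode label -> Unicode first
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # drop accents
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def sender_domain(from_header):
    """'Display Name <user@host>' or 'user@host' -> 'host'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_verdict(domain, trusted=TRUSTED, threshold=0.85):
    """(verdict, trusted_domain): 'exact', 'homoglyph', 'lookalike' or 'unrelated'.
    'homoglyph' means the normalized forms are identical but the raw string is
    not the trusted domain; 'lookalike' means a near miss by edit similarity."""
    s = normalize(domain)
    best = ("unrelated", None, 0.0)
    for t in trusted:
        tn = normalize(t)
        if s == tn:
            return ("exact" if domain.lower().rstrip(".") == t else "homoglyph", t)
        ratio = SequenceMatcher(None, s, tn).ratio()
        if ratio >= threshold and ratio > best[2]:
            best = ("lookalike", t, ratio)
    return best[:2]


if __name__ == "__main__":
    for hdr in ("Ivan Petrov <i.petrov@c0ntoso.com>", "HR <hr@contoso.com>", "Bank <info@contoso-bank.co>"):
        print(hdr, "->", lookalike_verdict(sender_domain(hdr)))
```

A "homoglyph" verdict is safe to quarantine outright; a "lookalike" one is best used to add a banner or raise the score, since legitimate partners with similar names do exist.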
Attacker levels
All this points to a stratification of attackers' approaches to attacking infrastructure. We used to distinguish two groups. The first used basic tools known to everyone (exploitation of classic web vulnerabilities, mass phishing mailings and so on). The second understood how to bypass security systems and aimed at fast monetization, but still acted fairly straightforwardly and by a familiar playbook. There was in fact a third group, state-sponsored groups of very high qualification, but we did not encounter them in our practice. Now we see a clearer stratification of attacker skills and distinguish five levels of qualification (category, typical goals, capabilities):
1. Automated systems. Goals: compromising poorly protected devices and infrastructures for resale or for use in mass attacks. Capabilities: automated scanning.
2. Cyber bully / lone enthusiast. Goals: hooliganism, disrupting the integrity of the infrastructure. Capabilities: off-the-shelf and open-source security analysis tools.
3. Cybercriminals / organized groups. Goals: monetizing the attack above all: encryption, mining, theft of funds. Capabilities: customized tools, commodity malware, publicly known vulnerabilities, social engineering.
4. Cyber mercenaries / advanced groups. Goals: commissioned work, espionage in the interests of competitors with subsequent large-scale monetization, hacktivism, destructive actions. Capabilities: self-developed tools, purchased 0-day vulnerabilities.
5. Cyber troops / state-sponsored groups. Goals: cyber espionage, full takeover of the infrastructure to control and use it in any way, hacktivism. Capabilities: self-discovered 0-day vulnerabilities, custom-developed and planted implants (backdoors).
Whom antivirus will stop
Automated systems (scanners and the like) try to exploit classic web vulnerabilities. As a rule, if the basic principles of information security are followed and a standard set of security tools is in place, they are not dangerous. But if the organization has an exposed RDP with an admin:admin account, an automated system will most likely get into that host.
Cyber bullies (usually loners) are novice hackers mastering the basic toolkit. Their arsenal consists of various open-source tools (Kali Linux, for a start). Basic defenses can stop them, provided the defenses are configured correctly and there are no obviously unprotected servers. In short, everything is the same as with automated systems: they work on the principle of "take a quick look at what is on the perimeter". If your administrators or contractors make a mistake, these pests will notice it right away. There are a lot of such script kiddies, and some of them will certainly get lucky and stumble on an open server or service.
WAF and Sandbox won't help anymore
Cybercrime is more complicated. These are organized groups whose main aim is to monetize the attack, whether by encryption followed by ransom, by installing miners, or by directly stealing funds, for example from banks.
Their main task is to bypass basic defenses (sandboxes, antivirus, firewalls, WAF). They know well how cybersecurity works in organizations, because most of them once worked there (and some may still). They also have enough money simply to buy access to the organization they are interested in: why waste time looking for an entry point when some automated system has already done the work? They often buy known malware too, but they know how to customize it. And cybercriminals always have a few social-engineering tricks: in 2020 they skilfully exploited the COVID-19 topic to infect corporate users' computers and from there get into the infrastructure. At this level it becomes impossible to detect intruders without monitoring, because all of their techniques are designed to bypass basic defenses.
In short, against cybercriminals basic security tools are no longer enough. You need processes for handling security incidents and for patch management, along with basic monitoring of security and infrastructure events. Nothing supernatural is required, since attackers at this level have not yet learned to bypass a SOC: 20 to 40 detection scenarios for typical incidents are enough.
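Four of those scenarios, as an added example (written for this page, not JSOC's detection content): they cover the cases the post describes earlier, the exposed RDP with weak credentials, the NirSoft password tool and the quiet PowerShell enumeration. Field names follow Windows Security and Sysmon conventions; the event stream itself is constructed for the demo.

```python
"""Added example, not from the original post: four of the '20 to 40 typical
scenarios' the section recommends, as plain functions over a stream of
Windows Security / Sysmon-style events. They cover what the post describes
earlier: brute force against an exposed RDP (4625/4624 with logon type 10),
a NirSoft credential tool being launched, and PowerShell run with an encoded
command. Field names follow Windows/Sysmon conventions, but the events
themselves are constructed for the demo."""
import base64
from collections import defaultdict
from datetime import datetime, timedelta

NIRSOFT_TOOLS = {"webbrowserpassview.exe", "mailpassview.exe", "netpass.exe",
                 "passwordfox.exe", "chromepass.exe"}      # assumed, partial list


def _encoded(cmd):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed events: id 4625/4624 = Windows Security logon events, id 1 = Sysmon ProcessCreate.
_RDP = {"id": 4625, "host": "rdp-gw01", "src_ip": "203.0.113.77", "logon_type": 10}
EVENTS = [
    {**_RDP, "ts": "2020-10-05T08:00:01", "user": "administrator"},
    {**_RDP, "ts": "2020-10-05T08:00:03", "user": "admin"},
    {**_RDP, "ts": "2020-10-05T08:00:05", "user": "root"},
    {**_RDP, "ts": "2020-10-05T08:00:09", "user": "user"},
    {**_RDP, "ts": "2020-10-05T08:00:14", "user": "test"},
    {**_RDP, "ts": "2020-10-05T08:00:20", "user": "admin"},
    {**_RDP, "ts": "2020-10-05T08:01:02", "id": 4624, "user": "admin"},
    {"ts": "2020-10-05T08:30:00", "id": 4625, "host": "fs01", "src_ip": "10.20.1.50", "user": "j.smith", "logon_type": 3},
    {"ts": "2020-10-05T08:05:10", "id": 1, "host": "rdp-gw01", "user": "admin", "company": "NirSoft",
     "image": "C:\\Users\\admin\\Downloads\\WebBrowserPassView.exe", "cmdline": "WebBrowserPassView.exe /stext pw.txt"},
    {"ts": "2020-10-05T08:06:00", "id": 1, "host": "rdp-gw01", "user": "admin", "company": "Microsoft Corporation",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encoded("Get-ADUser -Filter * | Export-Csv users.csv")},
    {"ts": "2020-10-05T08:07:00", "id": 1, "host": "ws-042", "user": "j.smith", "company": "Microsoft Corporation",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def rule_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """>= threshold RDP logon failures (4625, type 10) from one source inside the window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev.get("logon_type") == 10:
            fails[ev["src_ip"]].append(_ts(ev))
    alerts = []
    for src, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "rdp-bruteforce", "src_ip": src, "first": times[i].isoformat()})
                break                                   # one alert per source
    return alerts


def rule_rdp_success_after_failures(events, min_failures=5, lookback=timedelta(minutes=10)):
    """RDP success (4624, type 10) from a source that failed >= min_failures times just before:
    the admin:admin case from the post, i.e. the brute force that worked."""
    alerts = []
    for ev in events:
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            t = _ts(ev)
            prior = [e for e in events if e["id"] == 4625 and e.get("logon_type") == 10
                     and e["src_ip"] == ev["src_ip"] and t - lookback <= _ts(e) < t]
            if len(prior) >= min_failures:
                alerts.append({"rule": "rdp-success-after-bruteforce", "src_ip": ev["src_ip"],
                               "user": ev["user"], "host": ev["host"]})
    return alerts


def rule_nirsoft_tool(events):
    """Process creation of a NirSoft password recovery tool, by vendor tag or file name."""
    alerts = []
    for ev in events:
        if ev["id"] != 1:
            continue
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev.get("company", "").lower() == "nirsoft" or name in NIRSOFT_TOOLS:
            alerts.append({"rule": "nirsoft-credential-tool", "host": ev["host"], "user": ev["user"], "image": name})
    return alerts


def decode_encoded_command(cmdline):
    """Decoded script if the command line carries -e/-ec/-enc/-encodedcommand, else None."""
    parts = cmdline.split()
    for i, p in enumerate(parts[:-1]):
        if p.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(parts[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def rule_encoded_powershell(events):
    """PowerShell launched with an encoded command; the alert carries the decoded script."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                alerts.append({"rule": "powershell-encoded-command", "host": ev["host"],
                               "user": ev["user"], "decoded": decoded})
    return alerts


RULES = (rule_rdp_bruteforce, rule_rdp_success_after_failures, rule_nirsoft_tool, rule_encoded_powershell)


def run_rules(events, rules=RULES):
    return [alert for rule in rules for alert in rule(events)]


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The value of running all four over one stream is the correlation the later section asks for: the same source address and the same account appear in every alert, which is a kill chain (brute force, successful logon, credential dumping, directory enumeration) rather than four isolated tickets.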
When you need forensics
Cyber mercenaries use the same evasion techniques as the previous group, but far more professionally. They exploit 0-day vulnerabilities both for initial access and for moving through the infrastructure, leave practically no traces on hosts, use malware that runs only in memory, abuse legitimate services and rely on a reboot to wipe the evidence. As a result, it is almost impossible to detect signs of their presence without professional forensics.
The most technically advanced category is the state-sponsored cyber group. When your customer is a state, you cannot lose face. Such groups can afford to spend time finding vulnerabilities on their own for targeted attacks and developing their own malware.
To resist such attackers it is not enough to collect logs from security tools and critical servers and systems. You need maximum coverage of the infrastructure, network segmentation, control over terminal servers and privileged users, and advanced monitoring with additional components (NTA for network traffic and EDR for everything that happens on hosts). In a word, the full set!
Reconstructing the kill chain from separate, seemingly insignificant incidents, together with threat hunting and silent detection at the detection stage, helps catch adversaries who carefully cover their tracks and use multi-stage attacks.
(c) egoriwe999