Media Alert: Dell SecureWorks Warns Organizations of Hackers Using Little or No Malware to Breach their Targets
ATLANTA, September 2, 2015 -- The Dell SecureWorks Counter Threat Unit (CTU) research team is warning organizations that house valuable intellectual property, industrial secrets, financial data or sensitive government or political information to be on alert for threat actors trying to breach their computer systems using little or no malware in their attacks. In nearly all of the intrusions responded to by Dell SecureWorks' Incident Response Team in the past year, cyber criminals used the target's own system credentials and legitimate software administration tools to move freely throughout the company's networks, infecting systems and collecting valuable data. The CTU has coined a term for this tactic: "living off the land." Unfortunately, traditional security solutions, which focus solely on a threat group's malware and infrastructure (such as Command and Control IP addresses and domain names), are of little use when the hackers don't employ malware in their operation, or use it so sparingly and for such a short time that it leaves few traces behind. To combat these ever-increasing "living off the land" attacks, organizations must implement endpoint security solutions that are designed to focus on threat actor behavior and instrumented to determine whether an activity in a network is suspicious or not. Just as IPS/IDS, firewall and anti-virus solutions have become "must have" layers of security, endpoint security has become a "must have" when it comes to defending against the ever-evolving cyber threat landscape.
Hackers Turn a Manufacturer's Single-Factor VPN Service and Endpoint Management Platform Against Them
In a recent incident investigated by the Incident Response Team, the threat group began by compromising the network credentials of an employee of a manufacturing company. With these in hand, the threat actors easily logged into the company's Citrix solution, a legitimate remote access solution that allows remote employees to connect to internal corporate resources. This step was simple for the threat actors because the company had not implemented two-factor authentication for employees logging in remotely. Not only did the threat actors leverage the company's remote access infrastructure, but they also took advantage of the company's endpoint management platform, Altiris, to move laterally through the company's network and compromise targeted hosts within the environment to steal specific intellectual property. Altiris is an administration tool used to remotely distribute new software and software patches to an organization's endpoint computers.
Threat Actors Use Company's Centralized Security Management Server to Launch Credit/Debit Card Data Stealing Tools onto POS Terminals
Another example of hackers "living off the land" involved the theft of data from hundreds of credit and debit cards processed by an organization's Point-of-Sale (POS) terminals. When the Incident Response Team was brought in to investigate, they discovered that the threat actors got their initial foothold into the target's IT environment by obtaining an employee's network credentials for the company's Citrix server, which did not require employees to use two-factor authentication to log in remotely. Once the threat actors got into the target's network, it did not take them long to capture the domain administrator's credentials. With these, the threat group did a thorough reconnaissance of the target's IT environment and discovered the perfect system to assist them in their cyber heist: the company's Centralized Security Management Server, which was used to deploy and manage the organization's anti-virus software for all of its endpoints, including the POS terminals. With the domain administrator credentials in hand, the threat group had easy access to this very "trusted" system. Because the POS terminals trusted this system, the attackers simply pushed their malware tools down to the terminals, which in turn captured all of the credit and debit card data entered into each terminal. After a few weeks, the company's anti-virus software did detect the financial data-stealing malware; however, the threat group very cleverly instructed the Security Management Server to whitelist the malware, allowing for its continued use.
As an interesting note, the target had done a decent job of ensuring that only a few systems and only a few employees had rights to communicate with the POS terminals. However, the Centralized Security Management Server was one of the "trusted" systems that had to communicate with the POS terminals and company endpoints in order to keep their anti-virus up to date. The key takeaway here is that organizations must regularly monitor their key systems for signs of malicious activity, no matter how "trusted," especially if those systems can communicate with sensitive assets such as POS terminals.
Hackers Successfully Breach a Pharmaceutical Manufacturer Using No Malware
Another incident investigated by the Dell SecureWorks Incident Response Team this year involved a threat group targeting a pharmaceutical manufacturer. In this case, the threat group did not use one stitch of malware in their entire operation: no backdoors, no custom tools, nothing. They relied on social engineering and the various system administration tools already present in the target's environment. They got their initial foothold into the company by sending a convincing spearphishing email to several company employees, posing as the organization's IT department. The ploy was that the IT department was testing a new webmail solution and asked all employees to click a link and provide their domain username and password. It only takes one user to fall victim, which is what happened in this case, and within hours the threat actors were using the compromised credentials to VPN into the victim's network. It wasn't long before system administrator credentials were stolen, and it was smooth sailing from then on. The newly obtained privileged credentials were used to move laterally and connect to other systems in the environment using the Remote Desktop Protocol (RDP). Legitimate system administrators and helpdesk employees use RDP to maintain systems, making it challenging for network defenders to protect against this tactic. Unfortunately, during the forensic investigation the Incident Response Team found that the threat group had exfiltrated many files containing very sensitive intellectual property. Data was exfiltrated using the File Transfer Protocol (FTP), which the company used legitimately to conduct its business operations.
Steps to Combating Cyber Attacks Using Little or No Malware
Dell SecureWorks advises any organization housing valuable intellectual property, industrial secrets, financial data or sensitive government or political information to take the following steps to help protect itself from threat actors using little or no malware in their cyber attacks. Also, if threat actors have already succeeded in compromising your organization, it is paramount that these defensive improvements be implemented to ensure the successful eviction of the threat actors. The Incident Response Team has seen case after case where victim organizations did not shut off the threat group's original entry point or other similar entry points, and the threat actors simply re-entered the target's environment and began wreaking havoc all over again. A target must ensure that it shuts off all points of entry prior to kicking out the intruders; otherwise, resources put towards eviction are wasted.
- Mandate the use of two-factor authentication for all remote access solutions and for all company employees and business partners (anyone accessing your corporate network)
- Remove Local Administrator rights for users
- Audit privileged domain account usage, including administrator and service accounts
- Segment sensitive data on the network and closely monitor choke points
Dell SecureWorks also advises organizations with valuable data not only to implement IDS/IPS, firewall and anti-virus as key security layers, but also to implement an endpoint security solution across their environment that is focused on threat actor behavior and on determining whether an activity within the network is malicious or not.
The solution should be able to:
- Assess the host for known and unknown threats
- Monitor for threats attempting to maintain persistence
- Monitor process creations and associated files
- Examine thread injection events looking for adversaries moving between processes
- Examine network connection data at the host level to identify suspicious communications being sent to and from the host
- Monitor DNS activity at the host level
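As an added illustration of the "audit privileged domain account usage" and "examine network connection data at the host level" advice above (example code written for this page, not a SecureWorks tool), the following Python check flags a privileged account logging on over RDP to an unusual number of distinct hosts within a short window, the lateral-movement pattern described in the pharmaceutical manufacturer case. The privileged account list, hostnames and logon records are constructed; the 30-minute window and three-host threshold are assumptions to be tuned against what your own administrators and helpdesk normally do.

```python
"""Flag privileged accounts fanning out over RDP to many hosts in a short window.

Added example, not SecureWorks code. Records mirror the fields a defender would
pull from Windows Security event 4624 (logon type 10 = RemoteInteractive/RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical privileged accounts, as produced by a domain account audit.
PRIVILEGED = {"CORP\\da_admin", "CORP\\svc_altiris"}

# Constructed sample: (timestamp, account, source host, destination host, logon type)
SAMPLE_LOGONS = [
    ("2015-08-10 01:02:00", "CORP\\da_admin", "WS-0042", "FS-01", 10),
    ("2015-08-10 01:05:30", "CORP\\da_admin", "WS-0042", "DB-02", 10),
    ("2015-08-10 01:07:10", "CORP\\da_admin", "WS-0042", "RND-07", 10),
    ("2015-08-10 01:09:45", "CORP\\da_admin", "WS-0042", "RND-08", 10),
    ("2015-08-10 09:15:00", "CORP\\jsmith", "WS-0101", "FS-01", 10),      # not privileged
    ("2015-08-10 09:20:00", "CORP\\svc_altiris", "MGMT-01", "WS-0101", 3),  # network logon, not RDP
    ("2015-08-11 14:00:00", "CORP\\da_admin", "ADMIN-PC", "DC-01", 10),   # routine single logon
]


def parse(records):
    """Convert timestamps to datetime objects and sort chronologically."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, src, dst, ltype)
        for ts, acct, src, dst, ltype in records
    )


def rdp_fanout(records, window=timedelta(minutes=30), threshold=3, privileged=PRIVILEGED):
    """Return {(account, source_host): set(destination_hosts)} for every privileged
    account that reached at least `threshold` distinct hosts over RDP within `window`."""
    by_key = defaultdict(list)
    for when, acct, src, dst, ltype in parse(records):
        if ltype == 10 and acct in privileged:
            by_key[(acct, src)].append((when, dst))
    alerts = {}
    for key, events in by_key.items():
        # Slide a window starting at each event; union the hosts of every window that trips.
        for i, (start, _) in enumerate(events):
            hosts = {dst for when, dst in events[i:] if when - start <= window}
            if len(hosts) >= threshold:
                alerts[key] = alerts.get(key, set()) | hosts
    return alerts


if __name__ == "__main__":
    for (acct, src), hosts in rdp_fanout(SAMPLE_LOGONS).items():
        print(f"ALERT: {acct} from {src} reached {len(hosts)} hosts over RDP: {sorted(hosts)}")
```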