7 old attack vectors cybercriminals still use

Cybercriminals rely on old attack vectors to target organizations, systems and data. Why? They work and are cheap to exploit.

Outdated, obsolete computer systems in need of updating display binary code.
Maxiphoto / Getty Images

Even in today’s age of digital evolution, malicious hackers continue to use attack vectors dating back decades. Research shows notable periods of resurgence relating to certain methods deemed old-fashioned. What this indicates is that while attack specifics can change with time, points of infection, distribution and proliferation can remain and even lead to the most significant of breaches.

“Cybercriminals tend to return to ‘old favorite’ methods of attack, particularly when newer vectors get shut down or become more difficult to execute due to the efforts of law enforcement and security teams,” says Egress Threat Intelligence Vice President Jack Chapman.

Cato Networks Strategic Security Engineer Peter Lee agrees, citing two main reasons why cybercriminals use ‘old school’ attack vectors – economics and target acquisition. “The booming exploit market puts a price tag on everything that attackers throw at their targets and the prices vary enormously, so there’s a strong incentive for attackers to start cheap and work their way up. No need to burn your $2 million iPhone zero-day if you can compromise the same target by exploiting an unpatched web server CVE from 2017. Secondly, improvements in cyber defense across the board have made it more difficult for cybercriminals to get their message to key targets, which is occasionally forcing them to fall back on old vectors which have fallen off the radar of many defenders.”

Here are seven old attack vectors cybercriminals still use today with practical advice for defending against them.

1. Physical storage devices to infect systems, spread malware

The very first computer viruses spread via floppy disks, and the use of physical storage devices to infect systems and propagate malware persists to this day. This was evidenced in January 2022 when the FBI issued a public warning about BadUSB, a USB attack campaign in which numerous USB drives, laced with malicious software, were sent to employees at organizations in the transportation, defense, and insurance sectors.

The USBs were configured keyboards disguised as gift cards or invoices and, once inserted, injected commands to download malware such as credential grabbers, backdoors and ransomware. The campaign was an attempt to exploit the mass work-from-home trend and showed that modern fraudsters are not averse to using methods that are tens of years old.

“Since mid-2021, Cisco Talos Incident Response (CTIR) has responded to a growing number of engagements in which removable USB drives are infecting organizations with malware, affecting a variety of industry verticals,” David Liebenberg, head of strategic analysis at Cisco Talos, tells CSO. “We have observed several malware variants, typically older, delivered in this way, including Sality and PlugX, which target Windows systems and are known to spread through removable drives.”

Attackers are continuing to use this attack method because it works and to exploit the increase in hybrid working coupled with a lack of employee training, Liebenberg says. “Organizations using USBs or removable drives for legitimate business operations should limit and, if possible, restrict USB usage in the environment. They should also have clear policies restricting USB reuse or using USBs from home and provide training for employees about the risks associated with connecting personal USBs to corporate systems.”

2. Macro viruses to exploit Microsoft Word and Outlook

Attackers continue to target organizations with viruses written in macro language and hidden in documents, an attack vector since the Melissa virus of 1999. This virus exploited Microsoft Word and Outlook-based systems, infecting computers via email and a malicious attachment, before mass-mailing itself to the first 50 people in a victim’s contact list and disabling multiple safeguarding features.

“Despite ways for organizations to protect themselves, and guidance from the likes of the UK’s NCSC, US NIST, and Australian ACSC, macros are still difficult to completely defend against,” says Piers Wilson, head of project management at Huntsman Security. “A lot of the vectors around macros rely on social engineering. For instance, a document might appear as random characters while the covering email says that, as a sensitive document, users need to enable macros to decode it.”

Attackers might use macros for cybercrime or more sophisticated exploitation attempts, but a large part of protection comes down to user education and putting in technical controls at the gateway and endpoint, Wilson adds. “However, because so many documents still use macros (including, ironically, supplier security questionnaires), there is always the risk that vigilance will fail and an attack will get through.”

3. Exploiting old, unpatched vulnerabilities to gain attack footholds

Targeting previously identified vulnerabilities is a very common, time-tested tactic used by attackers and known vulnerabilities can be exploited years later if they are not patched, Forrester analyst Allie Mellen tells CSO. “A classic example of this is the exploit EternalBlue. Despite patches being released for the vulnerability in March of 2017, the exploit was used in May of 2017 by the WannaCry ransomware, then again in June of 2017 in the NotPetya cyberattack. This is why patching systems quickly and effectively is so important.”

Ryan Linder, risk and vulnerability engineer at Censys, concurs. “EternalBlue (CVE-2017-0144) is still making organizations vulnerable today. The exploit affects the Server Message Block (SMB) protocol. According to Censys’ search data, there are still over 200,000 systems exposed to the internet which support SMBv1, which was created in 1983,” he says. Many companies fail to keep their software up to date, which leaves them vulnerable to critical exploits, and even when exploits are disclosed publicly, many still fail to patch their systems, he adds.

Patching consistently is also a very difficult thing to do in a large, complex enterprise, which is why it’s important to prioritize these efforts and make it a company-wide effort, Mellen says.

4. SQL injection to manipulate web apps/pages, access databases

SQL attacks may be over 20 years old, but hackers keep going back to them to exploit web applications/webpages and access the databases that sit behind them, Chapman says. “It’s not a new or innovative approach, but cybercriminals know that they don’t need to reinvent the wheel to get results.” SQL injections still work because developers often cut code without adequate security awareness, he adds.

Indeed, SQL injections rank number 3 in the OWASP’s Top 10 for web vulnerabilities and, in 2021, 718 SQL injection vulnerabilities were accepted as CVEs. “Organizations can prevent these attacks by having dynamic application security testing (DAST) and static application security testing (SAST) in place,” Chapman adds.

5. Advanced fee fraud to scam users

This technique earned its reputation through 419 scams, commonly known as the “wealthy lost relative who died and left you money” trick. Research indicates it dates back as far as the 19th century and is frequently used by fraudsters in the present day. The method leverages time scarcity -- e.g., “You’ll miss out if you don’t act quickly and you’ll get a big return for a small outlay.”

“While the ‘wealthy uncle’s’ email still gets around these days, this technique is far more likely to be used in the context of a cryptocurrency scam (invest a small amount for a large windfall), wire transfer scam/gift card scams (help your boss out for favor in the workplace), or fake penalty scams (pay the IRS some money to have them cancel a tax bill),” Bugcrowd founder Casey Ellis tells CSO. These scams are effective because they trigger greed, loss aversion, and scarcity bias, he says.

“If a victim is successfully exploited, oftentimes an attacker will exploit sunk-cost fallacy and double down on getting more from them.” The social isolation and shifts in social dynamics created by the COVID-19 pandemic has seen an increase in this type of scam, since the normal ability to double-check whether engaging in an activity is wise or not is more difficult for the potential victim, Ellis says. “Within a company, fostering a culture of trust but verify, alongside zero blame (and zero criticism for double-checking if something is legit or not), can be an effective way to strengthen a workforce against this type of attack, and if done well, they can share their lessons and proactive paranoia to better safeguard their families and friends as well.”

6. Remote Desktop Protocol attacks to expose systems

RDP vulnerabilities have been an issue for years, yet approximately one-third of cyberattacks still begin with a Windows computer with RDP exposed to the internet, says Ray Canzanese, director of Netskope Threat Labs. “Attackers have completely automated their processes for discovering and attacking exposed services like RDP.”

RDP should never be exposed to the internet, Canzanese adds, and if you need RDP access when you are out of the house or out of the office, then you should be using one of the many virtual private network (VPN) or zero-trust network access (ZTNA) solutions that enable you to use RDP without exposing it. “You can use a VPN or ZTNA solution to ensure that no network services are exposed to the internet to be targeted by attackers.”

7. Cast-netting phishing aimed at groups of victims

Cast-netting email phishing attacks are named after a traditional fishing technique where the fisher throws a comparatively small net into a pond or other small area. They don’t care what fish they catch, but it will be from that small space. “Unlike Spear-phishing, which is very tightly focused on attacking a specific individual, or drift-net phishing, which can send out thousands to millions of emails in the hopes of catching anyone with the bait, cast-netting targets anyone in a specific organization,” says Vulcan Cyber Senior Technical Engineer Mike Parkin. “The attacker doesn’t care who in the organization takes the bait, as long as they get someone in the target space.”

Despite being an attack method that has been around for many years, it is still used today as it falls into the sweet spot of effort and effectiveness for cybercriminals, Parkin adds. “These attacks can use a timely hook, such as a local sporting event or the opening of a new restaurant nearby, that the targeted organization would find plausible and would make it past mass spam filters. Something like this requires much less research than crafting a hook that can catch a single individual. Once an attacker has a toe hold, they can expand their foothold into the organization’s environment.”

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022