[BreachExchange] Motivations and malware: inside the mind of a hacker
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jul 5 20:55:59 EDT 2018
https://www.reseller.co.nz/article/643411/motivations-
malware-inside-mind-hacker/
Whether a hacker uses a computer exploit or malware, their motivations are
the same. Understanding why and how hackers hack is key to your defence.
Whatever the threat, it is arriving to your computer in one of two ways:
human adversary or malware.
Human attackers can use any of the hundreds of thousands of known computer
exploits and attack methodologies to compromise a computer or device.
People are supposed to run patching routines, and many devices and software
programs try their best to automatically update themselves, yet many
computers and devices are left vulnerable for long periods of time even
after the patches are available, a fact that hackers love.
Unique malware programs number into the hundreds of millions, with tens of
thousands of new ones created and released each day.
The three main malware categories are viruses (self-replicating), worms
(self-traveling), and Trojan horse programs (which require an end-user
action to execute).
Today’s malware, usually arriving via web page or email, is often a
combination of multiple malware classes.
Often the first malware program to exploit a system is just a “stub
downloader” program, which gains initial access and then “phones home” to
get more instructions and to download and install more sophisticated
malware.
Often the stub program will download over a dozen different new malware
variations, each designed to avoid anti-malware detection and removal.
Malware writers maintain their own malware multi-detection services,
similar to Google’s legitimate VirusTotal, which is then linked to an
automated updating service which modifies their malware to be undetectable
by current anti-malware engines.
It’s this nearly instantaneous updating that causes so many “unique”
malware programs to be created and distributed.
The malware writer or distributor may also be paid to infect people’s
devices with completely different types of malware.
It’s a renter’s market out there, and if the malware controller can make
more money renting the compromised devices than they can make alone, they
will do it. Plus, it’s much less risk for the controller in the end.
Many hackers (and hacking groups) use malware to gain access across a
company or much broader array of target victims, and then individually
select some of the already compromised targets to spend more effort on.
Other times, like with most ransomware, the malware program is the whole
ball of wax, able to compromise and extort money without any interaction
from its malicious leader.
Once released, all the hacker has to do is collect the ill-gotten gains.
Malware is often created and then sold or rented to the people who
distribute and use them.
Why do hackers hack?
The reasons why hackers commit crimes fall into these general categories:
- Financial motivations
- Nation-state sponsored / cyber warfare
- Corporate espionage
- Hackivists
- Resource theft
- Gamer issues
Financial theft and nation-state attacks are easily the largest portion of
cybercrime. Decades ago, the lone, solitary youth hacker powered by junk
food was an adequate representation of the average hacker.
They were interested in showing themselves and others that they could hack
something or create interesting malware. Rarely did they do real harm.
Today, most hackers belong to professional groups, which are motivated by
taking something of value, and often causing significant harm. The malware
they use is designed to be covert as possible and to take as much of
something of value as is possible before discovery.
How do hackers hack?
Regardless of their motivations, hackers or their malware usually break in
and exploit a computer system the same way and use most of the same types
of exploits and methodologies, including:
- Social engineering
- Unpatched software and hardware vulnerabilities
- Zero-day attacks
- Browser attacks
- Password attacks
- Eavesdropping
- Denial of service
- Physical attacks
This list does not include insider threats, unintended data leaks,
misconfiguration, user errors, and myriad other threats not connected
directly to intentional hacking.
The most common ways devices are compromised are un-patched software and
social engineering. These threats compromise the vast majority of the risk
(over 95 per cent) in most environments. Fix those issues and you get rid
of a ton of risk.
Zero-day attacks, where a hacker or malware program exploits a
vulnerability not known by the public, are always newsworthy when they
occur because the vendor doesn’t yet have a patch for them.
Only a handful of them are discovered each year. Usually, they exploit only
one company, or a few companies, before they are found, analysed, and
patched.
Far more zero days are probably being used, especially by nation-states,
than we realise, but because they are used very sparingly by those types of
hackers, we rarely discover them, and they can be used again and again when
needed.
The vast majority of malicious exploits come through the internet and
require that a user do something - click on a link, download and execute a
file, or supply a log-on name and password - for the maliciousness to begin.
Browser security improvements have made less common “silent drive-by”
attacks, where a threat executes without any user action when a user visits
a web page or opens an email.
Protection from hackers
A key to defeating hackers and malware, regardless of their motivation, is
to close the root cause exploit holes that allow them and their malware to
be successful.
Take a look at the root cause exploits listed above, determine which ones
are used the most against your organisation, and then create or improve
existing defences to minimise them.
If you can do that, you’ll build a solid security defence second to none.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180705/f2a27499/attachment.html>
More information about the BreachExchange
mailing list