[BreachExchange] The anatomy of an endpoint attack

Destry Winant destry at riskbasedsecurity.com
Tue Oct 13 10:31:11 EDT 2020


https://www.helpnetsecurity.com/2020/10/12/anatomy-of-an-endpoint-attack/

Cyberattacks are becoming increasingly sophisticated as tools and
services on the dark web – and even the surface web – enable low-skill
threat actors to create highly evasive threats. Unfortunately, most of
today’s modern malware evades traditional signature-based anti-malware
services, arriving to endpoints with ease. As a result, organizations
lacking a layered security approach often find themselves in a
precarious situation. Furthermore, threat actors have also become
extremely successful at phishing users out of their credentials or
simply brute forcing credentials thanks to the widespread reuse of
passwords.

A lot has changed across the cybersecurity threat landscape in the
last decade, but one thing has remained the same: the endpoint is
under siege. What has changed is how attackers compromise endpoints.
Threat actors have learned to be more patient after gaining an initial
foothold within a system (and essentially scope out their victim).

Take the massive Norsk Hydro ransomware attack as an example: The
initial infection occurred three months prior to the attacker
executing the ransomware and locking down much of the manufacturer’s
computer systems. That was more than enough time for Norsk to detect
the breach before the damage could be done, but the reality is most
organizations simply don’t have a sophisticated layered security
strategy in place.

In fact, the most recent IBM Cost of a Data Breach Report found it
took organizations an average of 280 days to identify and contain a
breach. That’s more than 9 months that an attacker could be sitting on
your network planning their coup de grâce.

So, what exactly are attackers doing with that time? How do they make
their way onto the endpoint undetected?

It usually starts with a phish. No matter what report you choose to
reference, most point out that around 90% of cyberattacks start with a
phish. There are several different outcomes associated with a
successful phish, ranging from compromised credentials to a remote
access trojan running on the computer. For credential phishes, threat
actors have most recently been leveraging customizable subdomains of
well-known cloud services to host legitimate-looking authentication
forms.

The screenshot in the original article is from a recent phish WatchGuard
Threat Lab encountered. The link within the email was customized to the
individual recipient, allowing the attacker to populate the victim’s
email address into the fake form to increase credibility. The phish
was even hosted on a Microsoft-owned domain, albeit on a subdomain
(servicemanager00) under the attacker’s control, so you can see how an
untrained user might fall for something like this.

In the case of malware phishes, attackers (or at least the successful
ones) have largely stopped attaching malware executables to emails.
Most people these days recognize that launching an executable email
attachment is a bad idea, and most email services and clients have
technical protections in place to stop the few that still click.
Instead, attackers leverage dropper files, usually in the form of a
macro-laced Office document or a JavaScript file.

The document method works best when recipients have not updated their
Microsoft Office installations or haven’t been trained to avoid
macro-enabled documents. The JavaScript method is a more recently
popular method that leverages Windows’ built-in scripting engine to
initiate the attack. In either case, the dropper file’s only job is to
identify the operating system and then call home and grab a secondary
payload.

That secondary payload is usually a remote-access trojan or botnet of
some form that includes a suite of tools like keyloggers, shell
script-injectors, and the ability to download additional modules. The
infection isn’t usually limited to the single endpoint for long after
this. Attackers can use their foothold to identify other targets on
the victim’s network and rope them in as well.

It’s even easier if the attackers manage to get hold of a valid set of
credentials and the organization hasn’t deployed multi-factor
authentication. It allows the threat actor to essentially walk right
in through the digital front door. They can then use the victim’s own
services – like built-in Windows scripting engines and software
deployment services – in a living-off-the-land attack to carry out
malicious actions. We commonly see threat actors leverage PowerShell
to deploy fileless malware in preparation to encrypt and/or exfiltrate
critical data.

The WatchGuard Threat Lab recently identified an ongoing infection
while onboarding a new customer. By the time we arrived, the threat
actor had already been on the victim’s network for some time thanks to
compromising at least one local account and one domain account with
administrative permissions. Our team was not able to identify how
exactly the threat actor obtained the credentials, or how long they
had been present on the network, but as soon as our threat hunting
services were turned on, indicators immediately lit up identifying the
breach.

In this attack, the threat actors used a combination of Visual Basic
Scripts and two popular PowerShell toolkits – PowerSploit and Cobalt
Strike – to map out the victim’s network and launch malware. One
behavior we saw, Cobalt Strike’s shellcode decoder, enabled the threat
actors to download malicious commands, load them into memory, and
execute them directly from there, without the code ever touching the
victim’s hard drive. These fileless malware attacks can range from
difficult to impossible to detect with traditional endpoint
anti-malware engines that rely on scanning files to identify threats.

Elsewhere on the network our team saw the threat actors using PsExec,
a built-in Windows tool, to launch a remote access trojan with
SYSTEM-level privileges thanks to the compromised domain admin
credentials. The team also identified the threat actors’ attempts to
exfiltrate sensitive data to a DropBox account using a command-line
based cloud storage management tool.
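As an added example (not code from the article or from WatchGuard), the behaviours described in this incident expressed as simple detection rules run over constructed process-creation records: a script dropper spawned by a mail client, PowerShell fed an encoded command, a child of the PSEXESVC service running as SYSTEM, and a command-line cloud upload. The tab-separated record format, the rule logic and the cloud CLI name `cloudcli.exe` are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    user: str     # account the process runs as
    parent: str   # parent process image
    image: str    # executed image
    cmdline: str  # full command line

# Constructed process-creation records (not real telemetry), tab-separated.
SAMPLE_LOG = """\
CORP\\alice\tOUTLOOK.EXE\twscript.exe\twscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js
CORP\\alice\twscript.exe\tpowershell.exe\tpowershell.exe -nop -w hidden -enc SQBFAFgAIAAo
NT AUTHORITY\\SYSTEM\tPSEXESVC.exe\tcmd.exe\tcmd.exe /c C:\\Windows\\Temp\\svc.exe
CORP\\bob\tcmd.exe\tcloudcli.exe\tcloudcli.exe copy D:\\Finance\\payroll.xlsx remote:dropbox/backup
CORP\\alice\texplorer.exe\tWINWORD.EXE\tWINWORD.EXE C:\\Users\\alice\\Documents\\report.docx
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_APPS = {"outlook.exe", "winword.exe", "excel.exe"}
CLOUD_TOOLS = {"cloudcli.exe"}  # placeholder name for a cloud storage CLI (assumption)

def parse_events(text: str) -> list:
    """Split the tab-separated records into Event objects."""
    return [Event(*line.split("\t", 3)) for line in text.splitlines() if line.strip()]

def script_dropper(e: Event) -> bool:
    """Script host spawned by a mail/Office app, or running a script from a user Temp path."""
    return e.image.lower() in SCRIPT_HOSTS and (e.parent.lower() in USER_APPS
        or re.search(r"\\AppData\\Local\\Temp\\.*\.(js|vbs)\b", e.cmdline, re.I) is not None)

def fileless_powershell(e: Event) -> bool:
    """PowerShell given an encoded command or download cradle, or launched by a script host."""
    return e.image.lower() == "powershell.exe" and (e.parent.lower() in SCRIPT_HOSTS
        or re.search(r"(^|\s)-e(nc|ncodedcommand)?\s|downloadstring|\biex\b", e.cmdline, re.I) is not None)

def psexec_as_system(e: Event) -> bool:
    """Child of the PSEXESVC service that PsExec installs on the target, running as SYSTEM."""
    return e.parent.lower() == "psexesvc.exe" and e.user.upper().endswith("\\SYSTEM")

def cloud_upload(e: Event) -> bool:
    """Command-line cloud storage tool copying a local file to a remote."""
    return e.image.lower() in CLOUD_TOOLS and re.search(r"\bcopy\b.*remote:", e.cmdline, re.I) is not None

RULES = {"script-dropper": script_dropper, "fileless-powershell": fileless_powershell,
         "psexec-as-system": psexec_as_system, "cloud-upload": cloud_upload}

def triage(text: str) -> dict:
    """Map each rule name to the command lines that trip it."""
    hits = {name: [] for name in RULES}
    for e in parse_events(text):
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e.cmdline)
    return hits
```

Each rule keys on the parent/child relationship and the command line rather than on a file hash, which is what lets it see the in-memory PowerShell stage the article says file scanners miss.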

Fortunately, they were able to identify and clean up the malware
quickly. However, without the victim changing the stolen credentials,
the attacker could have likely re-initiated their attack at-will. Had
the victim deployed an advanced Endpoint Detection and Response (EDR)
engine as part of their layered security strategy, they could have
stopped or slowed the damage created from those stolen credentials.

Attackers are targeting businesses indiscriminately, even small
organizations. Relying on a single layer of protection simply no
longer works to keep a business secure. No matter the size of an
organization, it’s important to adopt a layered security approach that
can detect and stop modern endpoint attacks. This means protections
from the perimeter down to the endpoint, including user training in
the middle. And, don’t forget about the role of multifactor
authentication (MFA) – it could be the difference between stopping an
attack and becoming another breach statistic.
