Recently we have seen more increase in various threats and the ways of intruding the network and there were increase by APT groups. Mostly because of political agenda, cyberespionage, cyberwars, competitions and more of script kiddies.
Even though it’s urging and pushing us to implement SOC in your organization, still it does not achieve what it intends to do, because of the weak process and scope definement and pure lack of skills. Cyber Criminals are exponentially increasing in numbers and the technology they were using is beyond limitations and boundaries.
After the increase of APT threat actors, cyber-attacks are becoming the first and the crucial weapon for many political causes, reputation losses, competitions, loss of data and more.
In 2018, we have seen various Data breaches, DDoS attacks, Ransomware variants, Emerging baking Trojan (Emotet, Heedo), TrickBot, Huge variants and exponential increase of MalSpams, Vulnerability exposures, Defacements of government sites, etc. based on the factors (CyberCrime, CyberWarFare, Hactivism, CyberEspionage).
They have targeted mostly, Public administration, Financial sectors, Transportation, Schools, Hospitals, Water Supply, Manufacturing and more and more. As we seen , when the defenders learn, the offenders are evolve in such a way.
This article is what kind of threats we might encounter in forthcoming year, a point-of-view of threat hunting and CyberSOC perspective. We might not be the target, but we have to assume that we are breached/under attack. This Even though towards security drives you to achieve a better defense from modern cyber threats.
What We Can Expect?
1.) More MalSpam campaigns and more variants like AZORult, Emotet. As soon, the vulnerability (Equation Editor Exploit) identified, we have seen more MalSpam techniques trying to exploit and a huge pile of banking trojans utilized this in their attack pattern.
We might except new patterns and more MalSpams this year. The upcoming variants might be more complex in structure and difficult to control.
As we seen earlier, the Emotet Even though having capabilities of lateral movement, command Even Even though control, further payload drop, registry changes, even detection evasion techniques. So we might expect bad and better in the future.
2.) More attacks based on exploits. In many scenarios, hackers/script kiddies expose the vulnerabilities and post in forums, where the DarkNet threat actors eager to utilize and expose.
Most times, they grab the piece of codes and embedded in their malware for better achievement and evasion of signature-based detection. Nowadays, vulnerabilities are the crucial point-of-contact for most organization, either network or applications. Unless you are not updated, the threat actors will!.
3.) Possibility of embedding hidden links in the message body. Recently there were emails with more precise and clear contents and it lures victims easily. So the email gateways were able to scan the email for any attachments and URLs.
But, what if the attacker embedded an URL inside a single letter of the complete email body instead attaching files or add open url and lure the victim to click&Bait. Also, on rare occasions, hackers might exfiltrate the entire email body based upon the codings in Trojan they inject.
4.) Punycode encoding domain, this should be funny but in some scenarios it might consider as critical. Recently we have seen some email with embedded URL, there was a link with Emoji’s.
The site looks weird and we tried decoding and check in urlscans and the URL might as malicious, but in the case the first instance it does not achieve like Emojiwasand it does not do as malicious.
But ultimately both redirecting to same site. Scrip kiddies might use this technique for the fun factor. Most social medias and the browsers are supporting this, also there are many sites to help you encoding the Emoji. Possible use of Chinese characters to encode the C2 strings (in addition to base64 encoding).
5.) Emerging Pay-Per-Install. Malware authors are becoming very profitable over these years, the process of distributing the malware/bots are becoming more complex for the authors.
Earlier, they used a worm and it would exploit the vulnerabilities that would allow propagation. Now, the authors came up with a new model “PPI”, it’s purely based on revenue sharing and commission. The kingpin (originator) creates a site and distribute malware, the second level download it and spread, the third level download again and spread more in the huge count. Most of the MalSpam, Trojan campaigns are very much from this type of malware distribution.
There are “N” number of techniques for them to spread, like IM, Social media ads, Pornsites, Advertisements, Email accounts, Lottery emails, Business news, Sports, etc. Even though you are clicking on an unwanted link, it doesn’t mean it downloads malware, it’s just adding up an entry for next task.
6.) Threat Actors are not an individual. Some might still believe, that the threat actors might be a single person. But it’s a myth, most of the APT groups and threat actors aren’t individual, they are a well equipped teams with high skillsets.
As per Cyber Threat Intelligence, an APT group might be run with agenda and the scope of plans. they will have an organization entity, leader, intelligence team, BlackHat hackers, software engineers, pentester, red
Every attack is not randomly baited, it was a well verse plan with precise vision. Also, cybercriminals no longer use hijacked servers to host C&C servers, spam tools, and other malicious activities; instead they use their “own” data centers around the world. Furthermore, to avoid Google’s indexing radar, they don’t register any hostname/domain for these servers and use only IP addresses instead.
7.) APT groups are on the verge of recrutiting insider threats in Dark Market and more on social medias to achieve their goal easily.
8.) Huge Role of Cryptocurrency Mining. Like other currencies, it is often considered a commodity that can be used to pay for goods or services.Cryptocurrency-mining malware is malicious software designed to use a device’s CPU power to mine cryptocurrency without authorization.
Threat actors deploy this malware to increase their aggregated computing power for mining cryptocurrency, ultimately boosting their chances of solving the equation and earning cryptocurrency without added cost to the threat actor. Cryptocurrency-mining malware may go unnoticed on a device as it often only uses CPU power, appearing to users as though the device is simply running slower than usual.
However, cryptocurrency-mining malware has the potential to render a device unresponsive and/or unavailable to legitimate processes by exhausting the system’s CPU and memory resources. Cryptocurrency-mining malware can infect any range of devices, including: laptops, desktops, servers, and mobile and IoT devices.
Infection Methods
Cryptocurrency-mining malware can infect a user’s device through several means, including: clicking a malicious link, visiting a compromised website, downloading an infected application, downloading a malicious file, or installing an infected web browser extension.
PyRoMineIoT (NSA Exploit) and Kingminer (2018) created a great impact which is a Monero-mining malware targeting Windows Servers, particularly IIS and SQL servers. The actors behind the malware use various evasion methods to bypass detection.
9.) Fileless Ransomware. Get ready to meet the first Fileless ransomware, the malware authors are on the verge to create an impact on developing a ransomware with the fileless infecting technique, which writes values in memory and proceed further.
Memory is volatile and dynamic, giving malware the opportunity to change its shape or otherwise operate in the blind spot of antivirus and similar technologies. The adversary can unpack malware into memory without saving artifacts to the file system. Imagine, a ransomware with this capabilities?.
10.) Year of LOLBins and GTFOBins. Short for “living-off-the-land binaries,” they are trusted binaries that an attacker can use to perform actions other than those for which they were originally intended.
As such, LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.
Using this technique, an attacker can achieve; Executing code, CnC, Bypassing UAC, Compile in memory, Surveillance(keylogger), remote access, Evade logging, Persistence, pass-through execution of scripts. There are huge binaries, has been abused over the years by the threat actors in various attacks. These binaries cannot be blocked since they were meant for specific purposes in the windows environment.
The many tools that attackers invoke for these purposes include regsvr32.exe, rundll32.exe, certutil.exe and schtasks.exe. For a comprehensive listing and description of such built-in binaries, libraries, and scripts that attackers misuse.
Likewise, GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. As a Cyber Threat Hunter, you should aware of these binaries and ensure you aware of the attacks by using it.
11.) AI Based APT attack. We aware of the Cyber kill chain, Mitre ATT&CK frameworks were helpful in tracking down an APT attacks in your organization. But still it gives the analysis/pattern of an known attack. Based upon that inputs, you can map the events which observed in your ogranization.
Still it will not provide complete security for future attacks. Example: There was a pattern observed followed by defensive evasion and persistence. We might deploy defense based on this, what if the attacker change the pattern or order? Likewise, there are huge unique ways the attacker propogate and achieve their goals.
As we are moving into the world of Machine language and Artificial Intelligence to provide more secure over the APT attacks and to analyse the TB of logs using ML. We are creating more space to analyze, but what if the CyberCriminals use the same way to attack.
There are more chances that the APT groups build an CyberSpace of own and deploy ML and AI. They will feed the existing attack patterns, known/unknown vulnerabilities, known variants of Banking Trojans, Exploit Kits, Tons of GitHub Exploit codes, DGA, etc.
This will create multiple attack patterns and analyze the organization and initiate an attack without any human reconnaisance. If defenders detect, instantly the AI create a new pattern and start the attack.
Already we are seeing combinations of Banking trojans, Exploit kits, ransomware droppers. If these kinds of patters initiated by AI, it’s unimaginable.
12.) Evolution of DarkNet market trends and more. There are lots of malware authors selling their codes/scripts in DarkNet and it leads to huge cyber attacks. Not only the malware codes are getting sold, there are services which are getting sold by hackers in dark market to threat actors, like RDP, Credentials, Stolen datas and more.
Conclusion:
We are still running behind malware execution and looking after the brute force login failures. But the Myth is, when we started to learn the attack, the attacker finds a new way. We aware that the PowerShell plays a vital role in many attacks and we need to monitor, but it doesn’t prove that it ends there.
We are still running behind malware execution and looking after the brute force login failures. But the Myth is, when we started to learn the attack, the attacker finds a new way. We aware that the PowerShell plays a vital role in many attacks and we need to monitor, but it doesn’t prove that it ends there.
There are several windows build-in binaries where the attacks abuse and achieve their goal. we should definitely think out of the box, instead of depending on your SOC, organizations must deploy darknet intelligence and cyber threat hunting, to know what’s happening out there. Always assume that you are under attack. Don’t rely much on blocking the IOCs, rely more on TTP.
Let’s that your cyber intelligence team observed some MalSpam campaign and it’s a combination of Emotet and the dropper is ransomware, just blocking those IOCs will save you now, but still, you are not safe.
Attackers are started using DGA and new hashes everytime they intrude. To understand the pattern, analyze the attack, think like an attacker, know the routes, know where you are open, then hunt it down.
Because most SOC teams think everything is malware, but you should understand the behavior and the threat profiles, whether it’s Trojan or ExploitKit or CnC or Ransomware or Bot, Because some will come alone and some come up with extra scripts, so knowing the difference help you in hunting the complete attack cycle.
Comments
Post a Comment