Four ways relentless hybrid attackers are targeting their prey
One way to understand the mind of hybrid attackers is to compare their behavior to the animal kingdom. They are predators using a relentless arsenal of tactics to hunt their prey across a large domain. Threat actors are the honey badger. A snake bite or a few bee stings might delay their attack for a moment, but they’ll find a way to take down the entire hive and satisfy their appetite.
But what is a hybrid attack? Today, all cyberattacks are hybrid. Every enterprise uses a mix of on-premises and cloud services, and the number of services used is rising. In fact, employees now use an average of 20 cloud and SaaS apps every month. Despite enterprises having every preventative measure in place, attackers are using this widening attack surface to their advantage. They can start with anyone or anything they can access, no matter how small, before moving at speed to extend their access and disrupt business operations at scale. The traits that most often make hybrid attacks hard to stop are that they bypass prevention, compromise identities, and elevate and hide within privileges in order to move laterally across domains -- often at high speed.
Fortunately, we don’t have to tread too far into the Sub-Saharan region to gain insight into hybrid attacks. Our latest eBook explores how cyber attackers infiltrate, escalate privileges, move laterally, and progress their attacks. With this in mind -- we have pinpointed four hybrid attack methods that SOCs need to bolster their resilience against, and outlined how they can be dealt with, so enterprises can keep the honey badgers at bay.
1. MFA Bypass
A multi-factor authentication (MFA) attack involves an attacker gaining initial access to a user's computer before bypassing MFA security layers. For instance, an attacker could buy VPN access on the dark web and connect to a network endpoint. Once connected remotely, the attacker can perform network reconnaissance, move laterally across the network, and access shared company credentials while exploring resources such as SharePoint.
Once established in the cloud, the attacker could set up a new email rule, such as automatically forwarding emails that contain specific keywords, so that key data and files are instantly exfiltrated from certain email accounts. Crucially, attackers can bypass MFA even with endpoint detection and response deployed, meaning more decisive measures are required to halt threats once a hybrid environment has been infiltrated.
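The forwarding rule described above leaves a visible trace in the mailbox's rule set, which is where a defender can catch it. The following is an added example, not code from the original article or from Vectra AI: a check run over constructed mailbox-rule records in a simplified form. The field names, the sample rules, the internal domain and the keyword list are all assumptions and do not correspond to any particular mail platform's API.

```python
"""Added example: flag mailbox rules that forward mail outside the organisation,
especially those keyed on sensitive subject words or that hide their tracks by
deleting the forwarded message. All records below are constructed."""

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
SENSITIVE_KEYWORDS = {"invoice", "password", "wire", "confidential", "contract"}

# Constructed sample rule set. ".invalid" is a reserved placeholder TLD, so the
# external addresses here can never resolve to a real mailbox.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Invoices", "keywords": ["invoice", "wire"],
     "forward_to": ["drop.box@mailhost.invalid"], "delete_after": True,
     "created": "2024-05-01T10:15:00"},
    {"mailbox": "cfo@example.com", "name": "Team", "keywords": [],
     "forward_to": ["assistant@example.com"], "delete_after": False,
     "created": "2023-11-20T08:00:00"},
    {"mailbox": "hr@example.com", "name": ".", "keywords": [],
     "forward_to": ["archive@mailhost.invalid"], "delete_after": False,
     "created": "2024-05-02T03:41:00"},
]


def _domain(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def rule_reasons(rule, internal_domains=INTERNAL_DOMAINS, sensitive=SENSITIVE_KEYWORDS):
    """Return the list of reasons a rule looks like exfiltration (empty if none).
    External forwarding is the gating condition; the other checks add weight."""
    external = [a for a in rule["forward_to"] if _domain(a) not in internal_domains]
    if not external:
        return []
    reasons = ["forwards to external address: " + ", ".join(external)]
    hits = sorted({k.lower() for k in rule["keywords"]} & sensitive)
    if hits:
        reasons.append("filters on sensitive keywords: " + ", ".join(hits))
    if rule["delete_after"]:
        reasons.append("deletes the message after forwarding")
    if not rule["name"].strip(" ."):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def find_suspicious_rules(rules):
    """Score every rule and return the suspicious ones, most reasons first."""
    findings = []
    for rule in rules:
        reasons = rule_reasons(rule)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "created": rule["created"], "score": len(reasons),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES):
        print(finding)
```

The internal forward to an assistant is deliberately left unflagged: the point is to surface rules that cross the organisation boundary, not every forwarding rule, so analysts are not buried in benign hits.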
2. Spear Phishing
Spear phishing is a personalized phishing attack that targets specific individuals. In a spear phishing attack, an attacker might target an employee via LinkedIn to gather detailed information. This is becoming increasingly easy to do, as generative AI can summarize a user's social media persona in a matter of seconds. Using this intel, threat actors can craft convincing messages and potentially use WhatsApp's encryption to bypass web proxies. If the employee clicks a malicious link or attachment, malware infects their corporate laptop, giving the attacker network access.
The attacker then breaches the Zero Trust Network Architecture by pivoting to the data center using a remote command service. Next, they install command and control tools for continuous access and begin reconnaissance to locate sensitive data. They steal admin credentials from the server, enabling lateral movement and access to other servers. For attackers, one of the main benefits of spear phishing is that controls such as secure web gateways, email security, anti-virus and firewalls won’t prevent access.
3. Living Off The Land
A Living off the Land (LotL) attack sees attackers use legitimate tools and features already present in a system to evade detection. In a LotL attack, the attacker first gains access through a home office to conceal their activities. They then establish persistence -- for example by using EarthWorm, a fast reverse proxy, to set up command and control callbacks, allowing them to gather information about local drives. Next, they crack passwords to extract and copy the system registry hive from the Windows domain controller.
Using PowerShell, they identify logins and employ password spraying and brute force techniques to gain further access. Once inside, the attackers map the network and Active Directory structure to steal valuable corporate data. Finally, they obtain credentials and delete logs to cover their tracks. While LotL attacks are stealthy, actions like enumerating network topology and AD structure, obtaining credentials, and clearing logs can serve as valuable attack signals that alert security teams to an attack in progress.
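Two of the signals named above, password spraying and log clearing, are straightforward to detect from Windows Security event telemetry, and this is also the kind of "authorized but suspicious" activity the closing section asks detection to focus on. The following is an added example, not code from the original article or from Vectra AI. Event IDs 4625, 4624 and 1102 are the real Windows Security log IDs; every host, account, address, timestamp and threshold is a constructed assumption.

```python
"""Added example: detection logic for a password spray (one source failing logons
against many distinct accounts in a short window) and for audit-log clearing,
run over constructed Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # An account failed to log on
SUCCESS_LOGON = 4624       # An account was successfully logged on
AUDIT_LOG_CLEARED = 1102   # The audit log was cleared

SPRAY_WINDOW = timedelta(minutes=10)  # assumed look-back window
SPRAY_MIN_ACCOUNTS = 5                # assumed distinct-account threshold

# Constructed sample telemetry: one source tries six accounts in two minutes and
# then logs on as a service account; a second source shows ordinary failures;
# finally the Security log on a file server is cleared.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4625, "account": "alice", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:00:05", "event_id": 4625, "account": "bob", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:00:11", "event_id": 4625, "account": "carol", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:00:40", "event_id": 4625, "account": "dave", "src_ip": "10.0.7.9", "host": "DC01"},
    {"time": "2024-05-01T09:00:52", "event_id": 4625, "account": "dave", "src_ip": "10.0.7.9", "host": "DC01"},
    {"time": "2024-05-01T09:01:02", "event_id": 4625, "account": "dave", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:01:30", "event_id": 4625, "account": "erin", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:01:58", "event_id": 4625, "account": "frank", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:03:10", "event_id": 4624, "account": "svc_backup", "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2024-05-01T09:40:00", "event_id": 1102, "account": "svc_backup", "src_ip": "10.0.5.23", "host": "FS02"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """One finding per source IP whose failed logons hit at least `min_accounts`
    distinct accounts inside some `window`-long interval. A successful logon from
    the same source after the spray began raises the severity, since that is the
    sign the spray found a working password."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append(ev)
        elif ev["event_id"] == SUCCESS_LOGON:
            successes[ev["src_ip"]].append(ev)

    findings = []
    for src, fails in failures.items():
        start, best = 0, set()
        for end, ev in enumerate(fails):  # sliding window over time-ordered failures
            while _ts(ev) - _ts(fails[start]) > window:
                start += 1
            accounts = {f["account"] for f in fails[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) < min_accounts:
            continue
        spray_start = _ts(fails[0])
        later_success = sorted(s["account"] for s in successes[src] if _ts(s) >= spray_start)
        findings.append({
            "signal": "password_spray", "src_ip": src,
            "distinct_accounts": len(best), "accounts": sorted(best),
            "success_after_spray": later_success,
            "severity": "critical" if later_success else "high",
        })
    return findings


def detect_log_clearing(events):
    """Every 1102 merits an alert on its own: clearing the audit log is rarely
    legitimate and is the 'cover their tracks' step described in the text."""
    return [{"signal": "audit_log_cleared", "host": ev["host"], "account": ev["account"],
             "time": ev["time"], "severity": "high"}
            for ev in events if ev["event_id"] == AUDIT_LOG_CLEARED]


def triage(events):
    """Run both detectors and return findings ordered most severe first."""
    rank = {"critical": 0, "high": 1}
    findings = detect_password_spray(events) + detect_log_clearing(events)
    return sorted(findings, key=lambda f: rank[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The spray detector keys on the source rather than the account on purpose: a spray tries one or two passwords against many users, so per-account lockout thresholds never trip, while the per-source distinct-account count climbs quickly.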
4. Zero-day exploit
Zero-day exploits are nearly impossible to protect against, as they have never been seen before. They exploit unseen vulnerabilities, increasing risk for businesses as their software usage grows. A recent and notable zero-day exploit was CVE-2023-0669, a pre-authentication command injection vulnerability in Fortra's GoAnywhere managed file transfer product. In this incident, the attacker exploits an exposed file-sharing server where EDR can't be run. After gaining access, they deploy command and control tools for external oversight. They then map the network and discover an admin account, which they use to move laterally via remote code execution to another server.
Using this jump server, the attacker accesses the AD FS server and enables multi-factor authentication bypass. Leveraging existing tools or ‘Living off the Land’, they find a path to the cloud by reading architecture documents from a CIFS server.
With the compromised admin account, the attacker accesses Azure Active Directory. They discover documents revealing that valuable data is stored in AWS and use the account's federated access to connect to AWS. The attacker then maps AWS using the compromised account to access high-value data.
Don’t rely on a preventative approach
In an increasingly hybrid world, the unfortunate reality is that attackers will keep exploiting hybrid security gaps -- using them to slip past protection tools, steal credentials, bypass MFA and prove most prevention-based security measures ineffective. Against increasingly complex attacks, security teams must move past preventative approaches to security and adopt an effective detection and response strategy. This approach examines the intersections between authorized but suspicious activities -- and the sorts of behaviors that an adversary will exhibit as part of an unfolding hybrid attack.
Crucially, organizations must focus on spotting signs that a threat actor has managed to hijack an account as soon as possible. Going back to the animal kingdom, AI can be incredibly useful when it comes to protecting the hive, empowering security teams to identify malicious behavior, accurately detecting and prioritizing unauthorized access attempts. By using AI to improve signal clarity, analysts can stop real threats from slipping under the radar. This approach will also improve IT resilience, enabling SOC teams to spend less time on repetitive tasks and more time on investigating and responding to these attempted attacks.
Christian Borst is CTO EMEA at Vectra AI, the leader in AI-driven extended detection and response.