
Targeted attacks gain popularity, reap deep rewards

CIOL Bureau
Cyber Attacks

Cliff Stoll’s 1989 book, The Cuckoo’s Egg, tells the story of how a curious network admin discovered what may have been the earliest documented APT attack, while it was still in progress, on the nascent internet. Stoll rigged a cumbersome and noisy printer to log the attacker’s commands, manually typed on a terminal half a world away, that traversed Stoll’s university network.


Cybercriminals in 2018 put that same kind of personal touch on the year’s most lucrative attack method. Sophos has been closely tracking the growing threat of highly targeted attacks, in which one or more criminals manually break into a company computer, disable or evade internal security tools in real time, and launch malware on whole networks of machines, all at once.

For most of the past decade, attackers have built up a repertoire of automation, coupled with exploitable vulnerabilities, in an attempt to rapidly attack targets and evade internal security measures or protection at the network and endpoint level. This use of automation has taken on myriad forms, from exploit kits that trap browsers and weaponized Office document files to malicious spam email that thoroughly obfuscates the threat it poses to victims and their technology.

Figure 1: Malspam with a double-suffixed zip attachment

But automation has an Achilles’ heel in its predictability. Once you realize that an unexpected email message with a zipped file attachment more likely than not contains something bad, you can take steps to block all emails with zipped file attachments. If you know attackers are likely to use vulnerabilities in Microsoft Word or Excel to infect machines, you patch those applications and operating systems and, for good measure, you might disallow users from opening those types of documents if they’re downloaded from the internet, or create rules that prevent users from enabling scripting technology like Office macros.



With targeted attacks, the behavior is inherently unpredictable, and the attackers can respond reactively to defense measures that, at first, thwart them from accomplishing their goal. If the attacker knows what they’re doing, those defenses may not stop them for long.

Transitioning to manual attack mode

For nearly three years, a small but dedicated group of criminals attacked a wide variety of organizations using manual techniques to deliver a ransomware called SamSam. For much of that time, the criminal gangs commenced nearly every successful attack by brute-forcing RDP passwords. Long, complex passwords, never shared or reused anywhere else, are more resilient to this kind of attack, but the SamSam attacker managed a high degree of success by choosing the low-hanging fruit – machines with relatively weak passwords, accessible from outside the organization’s security perimeter.
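The RDP password brute-forcing described above leaves a loud trail in the Windows Security log: bursts of failed logons (event ID 4625) with logon type 10 (RemoteInteractive) from one source address, often cycling through account names. The following detector is an added example, not code from the report or from Sophos; it runs over a constructed sample of 4625 records reduced to the four fields that matter and flags any source exceeding a threshold of RDP failures inside a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records,
# reduced to (time, TargetUserName, IpAddress, LogonType). LogonType 10 is
# RemoteInteractive, i.e. RDP. These are made-up records, not real logs.
SAMPLE_EVENTS = [
    ("2018-11-23 23:58:01", "administrator", "198.51.100.7", 10),
    ("2018-11-23 23:58:02", "administrator", "198.51.100.7", 10),
    ("2018-11-23 23:58:03", "admin", "198.51.100.7", 10),
    ("2018-11-23 23:58:04", "backup", "198.51.100.7", 10),
    ("2018-11-23 23:58:05", "sqlsvc", "198.51.100.7", 10),
    ("2018-11-23 23:58:06", "helpdesk", "198.51.100.7", 10),
    ("2018-11-24 00:10:00", "jsmith", "10.0.0.15", 2),    # console typo, not RDP
    ("2018-11-24 00:15:00", "jsmith", "10.0.0.15", 2),
    ("2018-11-24 01:00:00", "administrator", "203.0.113.9", 10),  # single miss
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (failure_count, sorted_distinct_usernames)} for every
    source that produced at least `threshold` failed RDP logons (LogonType 10)
    within any `window`-long span. Events must be in chronological order."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = {}
    for ts_text, user, ip, logon_type in events:
        if logon_type != 10:      # ignore console, network, service logons
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            # keep the latest count and the set of account names tried
            flagged[ip] = (len(q), sorted({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed RDP logons in window, accounts tried: {users}")
```

A source trying several distinct account names is the stronger signal; a single user failing repeatedly from an internal address is more often a forgotten password, which the logon-type filter and per-source grouping keep separate.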

Using this machine as a foothold, the criminals sniff for Domain Admin credentials using publicly available tools, such as Mimikatz. Domain admins should only log into machines dedicated to that purpose and should not use those machines for casual web surfing or email. Clearly admins don’t follow these rules, though, because it really doesn’t take very long for attackers to capture those credentials and use them.


Once those domain admin credentials have been captured, the attacker waits for the opportune moment – late at night on Friday of a holiday weekend, for example – to strike. With a solid knowledge of Windows administration tools and techniques commonly used to distribute software or policy changes, the attacker attempts to push out the malware to all machines simultaneously.

Figure 2: SamSam’s revenue has surpassed $6 million since this chart was first published in June 2018, but its business model is no longer unique, as several copycats emerged

One big advantage to this hands-on methodology is that it gives the attackers the ability to work through impediments that would otherwise prevent the completion of their task. Sometimes that involves pushing commands or running additional software that disables network- or endpoint-based protection methods. This has led, in some cases, to virtual run-and-gun battles between the ransomware criminals and alert IT staff who responded promptly to alerts or otherwise noticed that something was amiss. From time to time, the victims did manage to thwart the attack, but (as far as we know) the attackers have been successful more often than not.


Once any internal protective measures are deactivated, the attacker strikes. The initial attack is over in a few moments, but the encryption takes a bit longer to complete. By the time most IT managers notice what’s happening, the damage is done.

The attack is so thorough that a high percentage of victims choose to pay the ransom. SamSam significantly raised the stakes by charging ransoms from $10,000 to more than $50,000 per attack, several orders of magnitude more expensive than the far more common GandCrab ransomware, which only demands a ransom starting at around $1000.

Figure 3: The SamSam attacker communicated directly with victims, and offered technical support, by means of a bespoke dark web chat page whose address was unique to each victim and incident

Source: SophosLabs 2019 Threat Report
