Threat actors use old techniques to create greater disruption in cyberattacks

SAN FRANCISCO — The top cyberattack trends see threat actors engaging in old tactics to create greater disruption. These include living-off-the-cloud, multi-factor authentication bypass, threats to data backups, stalkerware, and satellite attacks, according to SANS Institute leaders during day three of the RSA Conference.

Vowing to “keep it boring,” Heather Mahalik, senior director of digital intelligence at Cellebrite and SANS faculty fellow, explained that “attackers are using old techniques to do newer fancy things.”

Click here for all the coverage coming out of RSAC.

Organizations need to go back to the basics, “as technology changes and as things change for us as users, how does it impact the attacks?”said Mahalik. Attackers are using some new techniques, but they are also heavily relying on things that work because “why would they reinvent the wheel?”

“If you're an attacker and you want access, why not use what simply works already?” she added.

This can be seen with the pivot from living-off-the-land attacks to living-off-the-cloud attacks. In 2020, the living-off-the-land technique thrived using built-in binaries and operating systems. 

While it remains a prevalent threat, Katie Nickels, director of intelligence for Red Canary and nonresident senior fellow at the Atlantic Council, explained that organizations must also monitor for living-off-the-cloud attacks, as it’s “not just enough to pay attention to the operating systems and the endpoints.

The method is not new, but Nickels said attacks leveraging cloud services are on the rise to match the increased use of cloud services for the enterprise. These attacks are easy, cheap, and convenient for setting up infrastructure.

“Adversaries can easily spin up infrastructure to compromise our organizations, and it also makes it easier for them to blend in,” said Nickels. “As a defender looking at network traffic, it's tough for me to tell, is this cloud traffic legit or benign? It’s really difficult.” 

“We all use cloud services legitimately in our organizations, stuff goes right through those firewalls and proxies,” she continued. 

For example, in "living-off-the-SaaS” attacks, threat actors target the ngrok software, used by developers to share code without the need for domain hosting. However, malicious users can also leverage the software to easily obtain a URL, right through the firewall. Nickels noted ngrok is “great for the developer, but also great for adversaries.”

So, how can organizations fight what they can’t see? The answer is not simply changing the detection response or to block all the bad domains, particularly as ngrok is legitimate software.

“It’s about infrastructure,” said Nickels. “Know normal, find evil. … Use what's normal for cloud services in your environment to help you identify the bad stuff.”

Actors bypassing multi-factor authentication

While admitting it may be “more of a shiny object,” Nickels is also concerned about threat actors bypassing multi-factor authentication. MFA is “an incredibly powerful force for security,” but nation-state hackers have used brute-force attacks to gain access to an account, just by guessing the password.

Even though a targeted organization disabled the MFA service for an employee, the attacker could still access the account in Active Directory, if it’s not disabled. In one attack, the threat actor was able to pivot from AD, re-enable the MFA service for the targeted account, to “essentially bypass MFA.”

However, “just because adversaries can bypass, it doesn't mean you should stop using MFA, which prevents 99% of the issues,” said Nickels. “Keep using it, but be thoughtful in how you implement it … and go back to tried and true methods going to help you with this technique.”

Johannes Ullrich, dean of research for SANS Technology Institute, SANS faculty fellow, and Internet Storm Center founder, added that the most common issue with MFA implementations is mishandling lost, broken, or stolen second factor authenticators. Entities must consider their policies for resetting or recovering passwords, particularly with something like web offense.

Healthcare backups at risk

Another notable threat to the healthcare sector are ongoing risks to backups. It’s commonly said that backups are crucial to ensuring systems can be effectively recovered after a ransomware attack, but what happens when the backups are corrupted by the attacker?

Most organizations have a diverse set of backup technologies, including those stored in the cloud, explained Ullrich. With each iteration comes unique attack methods, heightened by possible misconfiguration, password missteps, and other mistakes.

Attackers need only “take advantage of that instrumentation,” said Ullrich. If users stop clicking on attachments or malicious links, attackers may pivot to stealthier methods.

It’s the same idea behind living-off-the-cloud tactics, where an actor gets into the backup solution and “configures a second destination.” The attacks become more evasive when entities are using the same cloud solution for services, as for their cloud backups. It’s an ideal method for making “it even more tricky to identify that something odd is going on,” he added. 

Everyone is a target, so no entity should believe they’re not important enough to target, explained Mahalik. Even if something was a common threat in the past, hackers will continue to leverage old techniques that find continued success.