Threat actors are using hunter-killer malware designed to impair the very security controls meant to detect and eliminate such threats. As a result, security teams can do everything correctly and still be compromised.
“This is a fundamental shift, not in low-level malware attacks, but really in the art of war. Take out your adversary’s defenses and everything becomes easy; the door is wide open,” said Crit Golden, head of solutions architects for Picus Security.
Golden’s comment came during an SC Media panelcast on the 10 most common attack techniques in the recently released Picus Red Report 2024. Picus Labs researchers analyzed 600,000 malware samples and mapped them to adversarial techniques outlined in the MITRE ATT&CK framework to discover a significant rise in hunter-killer malware. This type of malicious software is designed to actively seek out and eliminate specific targets, often with the intent of disrupting or destroying defensive security controls.
Notably, researchers found 70% of scrutinized malware employ stealth tactics, allowing for persistence in networks. An attack that obscures files or information saw a 150% surge, hampering security efficacy and threat detection. Furthermore, techniques targeting application layer protocol usage surged by 176%, notably in double extortion ransomware schemes for data exfiltration.
“It’s definitely a change in tactics,” said Simon Monahan, cybersecurity product leader for Picus. “Whereas they used to try and evade [security] controls, they’re actually now directly targeting and trying to impair them directly because they see that as a way that they can achieve their objectives, and in a more efficient way.”
Joye Purser, global field CISO for cloud-based data management provider Veritas Technologies, said the rise of hunter-killer malware is a top concern for her security group. “What do you do if you now assume that a threat actor is in your network? Because I think that’s the new normal – that we assume a threat actor is in the network and is employing stealth to persist,” she said.
Most prevalent attack techniques in 2023
Now in its fourth year, the Red Report shows the growing sophistication of threat actors to disable a target’s defenses as evidenced by the 10 most prevalent MITRE ATT&CK techniques.
T1055 Process Injection: The frequency of this technique surged by 45% within a span of just one year, propelling it from fourth place to the top spot in terms of prevalence. A significant portion – almost one third – of all scrutinized malware exhibits the capability to insert harmful code into authentic processes. This tactic enables adversaries to go unnoticed while possibly acquiring heightened permissions.
T1059 Command and Scripting Interpreter: This method remains popular because of its dual purpose. It allows attackers to execute and conceal harmful activities using built-in tools, evading detection by conventional security systems.
T1562 Impair Defenses: Entering the list at No. 3 due to a dramatic 333% increase in prevalence, this type of attack attests to bad actors’ boldness and aggression to disable or disrupt security tools.
T1082 System Information Discovery: The persistent presence of this attack technique signals an increased embrace of sophisticated cyber espionage operations. It underscores malicious activities aimed at unauthorized access to valuable information.
T1486 Data Encrypted for Impact: Continuously ranking among the foremost threats in annual Red Reports, a troubling pattern continues: 21% of the examined malware samples exhibit the ability to encrypt data to extort victims.
T1003 OS Credential Dumping: Although it has slipped from second to sixth place, operating system credential dumping remains crucial for attackers. Its persistent usage emphasizes attackers' sustained focus on acquiring elevated permissions for network traversal, lateral movement, and privilege escalation.
T1071 Application Layer Protocol: Picus Labs detected a surge of 176% in the use of the application layer protocol, which is among the techniques to break into the Top 10. This tactic is strategically employed for data exfiltration within complex double extortion schemes, aligning with the tactics commonly observed in today's ransomware landscape.
T1547 Boot or Logon Autostart Execution: Another newcomer to the Top 10 list is a boot or logon autostart execution, which is deployed to secure ongoing access to networks – a hallmark of advanced persistent threats (APTs), possibly indicating sophisticated adversaries.
T1047 Windows Management Instrumentation: Dropping two spots but still a popular attack technique, the data management tool for Windows systems attracts adversaries due to its ability to execute commands and scripts remotely on Windows-based systems. Its widespread adoption stems from its effectiveness in evading traditional security measures and enabling various malicious activities, including reconnaissance, lateral movement, and persistence within compromised networks.
T1027 Obfuscated Files or Information: Experiencing a 150% jump in prevalence from 4% in 2022 to 10% in 2023, this new entry underscores an attack pattern aimed at undermining the efficiency of security measures and obscuring harmful actions. This makes it more difficult to detect attacks, conduct forensic analyses, and manage incident responses.
Beyond best practices to stay ahead of attackers
These insights underscore the imperative for robust detection and response strategies within IT security.
Purser believes in a defense-in-depth approach and adoption of zero-trust principals. During the panelcast, she emphasized multi-factor authentication everywhere as well as incorporating advanced behavioral analyses and leveraging artificial intelligence (AI) tailored to detect anomalies.
Golden also believes AI will help level the field. “AI is going to completely change the defender’s world, I think, as much if not more so that it is for the adversary’s,” he said.
He and Monahan stressed the need for ongoing security validation. “Too often in security, we’re forced to assume, rather than obtain assurance, that everything is working effectively,” Monahan said. “Validation is absolutely essential to prove that your security posture is as robust as you think it is.”
Added Golden: “Challenge yourself. Challenge your technology. Challenge your people. Challenge your processes – just like you would think a sports team readies for game day. Because breach day is coming; you’re not impenetrable.”[1]
To combat Hunter-killer malware and stay ahead of 2024 malware trends, Picus is urging organizations to embrace machine learning, protect user credentials, and consistently validate their defenses against the latest tactics and techniques used by cybercriminals. For more information, download the Picus Red Report 2024.