Crooks can thrive by ‘living off the land’ rather than forging elaborate schemes.
Half of all breaches Dell’s SecureWorks outfit has responded to over the last year have been a result of attackers using legitimate admin tools and stolen credentials.
Dell’s threat research unit says the “living off the land” hack tactic makes security controls that seek malware and hacking infrastructure redundant, especially when command and control infrastructure are not used or run only briefly.
Researchers cited three recent investigations where companies had been popped using administrator credentials.
In one case, attackers stole the network credentials a manufacturing company staffer which were then used to log into the corporate Citrix platform and tap internal corporate resources.
Those crims also used the unnamed client’s Altiris software distribution platform to pivot laterally through the company’s network and yank intellectual property.
Citrix was the target of choice in another separate hacking incident investigated by Dell investigators in which hundreds of debit and credit cards were sucked out of point of sales terminals. Attackers used the company’s centralised security management server and the trusted permissions it offered to siphon cards from the payment terminals.
A third significant incident saw a pharmaceutical manufacturer popped through social engineering and system admin tools in use in the victim’s environment. A phishing expedition hooked admin credentials while the organisation’s remote desktop protocol and file transfer protocol were commandeered to exfiltrate a huge amount of data.
“Detecting threat actors who are ‘living off the land’, using credentials, systems, and tools they collect along the way instead of backdoors, can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses, domains, and protocols,” the researchers say.
“They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement, if possible.”
Dell’s threat people say memory analysis is crucial to identify the Citrix hacking group. They describe in a post how the Volatility framework can be used to identify those attackers.
They say organisations must run two factor authentication, remove abundant local administrator rights, and audit domain usage.