Over half of the targeted threats investigated by Dell SecureWorks over the past year have been carried out not with backdoor malware but compromised credentials and the victim company’s own remote access tools, according to the security vendor.
The firm’s Counter Threat Unit (CTU) claimed that this “living off the land” approach to targeted attacks makes them especially difficult for IT teams to spot, perhaps delaying their discovery for weeks, months or even years.
One such threat group was TG-1314, which the researchers found had used compromised credentials from the employee of a manufacturing company to access an internet-facing Citrix server and infiltrate the target network.
“CTU researchers discovered evidence that the threat actors were not only leveraging the company’s remote access infrastructure, but were also using the company’s endpoint management platform, Altiris, to move laterally through the network,” it explained in a blog post.
Another company had hundreds of credit and debit card numbers lifted from its point-of-sale (POS) terminals after an employee’s credentials for its Citrix Centralized Security Management Server were stolen.
Once inside the network, the attackers soon obtained domain administrator credentials. Although the victim firm’s AV software eventually detected the malware the attackers used to steal the POS data, the attackers merely instructed the management server to whitelist it, allowing the theft to continue, Dell said.
In a final example given by researchers, attackers targeted a pharmaceutical manufacturer using no malware whatsoever.
A spear-phishing email claiming to come from the IT department yielded domain usernames and passwords, which were used to VPN into the network.
After that, admin credentials were stolen and used to move laterally around the network, with sensitive IP extracted using FTP, a protocol the company used legitimately, so the malicious transfers blended in with normal traffic.
CTU described “memory collection and analysis” as an important part of any targeted attack response plan, saying it was “crucial” to its identification of TG-1314.
In particular, the Volatility framework was used to analyze memory images collected from systems involved in the intrusion, it said.
This matters because tools that rely on indicators of compromise such as command-and-control IP addresses, domains and protocols are built to flag malware; when attackers log in with valid credentials and use the organization’s own remote access and administration tools, there is little for such indicators to match, and the evidence has to come from how legitimate accounts and services are being used.
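The alternative the article points at is behavioural detection over the logs the attackers cannot avoid producing: remote-access authentication records and file-transfer records. The script below is an added example written for this page, not code from Dell SecureWorks or the CTU report, and it runs over constructed log lines (the users, IP addresses, countries and byte counts are invented; the log format, field order and the thresholds `TRAVEL_WINDOW` and `VOLUME_FACTOR` are assumptions). It flags three of the patterns from the cases above without any malware indicator: a valid account logging in over VPN or Citrix from a country never seen for that user, the same account in use from two countries within an hour (the legitimate employee and the attacker sharing one set of credentials), and an FTP transfer far larger than anything that user has done before.

```python
"""Behavioural triage of remote-access and FTP logs (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs (not real data and not from the CTU report).
# Field order is an assumption: timestamp, event kind, user, source IP, country, detail.
# For logins, detail is the result; for FTP events it is the byte count.
REMOTE_ACCESS_LOG = """
2015-03-02T08:05:11Z vpn_login    jsmith 203.0.113.10 US ok
2015-03-02T09:14:03Z citrix_login jsmith 203.0.113.10 US ok
2015-03-03T08:02:45Z vpn_login    jsmith 203.0.113.11 US ok
2015-03-04T02:13:09Z citrix_login jsmith 198.51.100.7 RO ok
2015-03-04T02:20:41Z vpn_login    jsmith 203.0.113.10 US ok
2015-03-04T08:00:12Z vpn_login    mdoe   192.0.2.5    US ok
"""

FTP_LOG = """
2015-03-02T10:00:00Z ftp_put jsmith 203.0.113.10 US 1048576
2015-03-03T10:00:00Z ftp_put jsmith 203.0.113.11 US 2097152
2015-03-04T02:30:00Z ftp_get jsmith 198.51.100.7 RO 734003200
"""

TRAVEL_WINDOW = timedelta(hours=1)  # assumed: two countries within an hour is suspicious
VOLUME_FACTOR = 10                  # assumed: 10x the user's previous largest transfer

LOGIN_KINDS = {"vpn_login", "citrix_login"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    src: str
    country: str
    detail: str


def parse_log(text):
    """Parse whitespace-separated log lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, src, country, detail = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kind, user, src, country, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return (rule, user, timestamp, detail) tuples; baselines are built as events stream in."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen in successful logins
    last_login = {}                      # user -> most recent successful login Event
    ftp_history = defaultdict(list)      # user -> byte counts of earlier transfers

    for ev in events:
        if ev.kind in LOGIN_KINDS and ev.detail == "ok":
            # Rule 1: a known user appears from a country not in that user's history.
            if ev.user in seen_countries and ev.country not in seen_countries[ev.user]:
                alerts.append(("new_source_country", ev.user, ev.ts.isoformat(), ev.country))
            # Rule 2: same credentials used from two countries within TRAVEL_WINDOW.
            prev = last_login.get(ev.user)
            if prev and prev.country != ev.country and ev.ts - prev.ts <= TRAVEL_WINDOW:
                alerts.append(("concurrent_sessions", ev.user, ev.ts.isoformat(),
                               f"{prev.country}->{ev.country}"))
            seen_countries[ev.user].add(ev.country)
            last_login[ev.user] = ev
        elif ev.kind.startswith("ftp_"):
            # Rule 3: transfer volume far above the user's own previous maximum.
            nbytes = int(ev.detail)
            history = ftp_history[ev.user]
            if history and nbytes > VOLUME_FACTOR * max(history):
                alerts.append(("ftp_volume_anomaly", ev.user, ev.ts.isoformat(), nbytes))
            history.append(nbytes)
    return alerts


def run_example():
    """Merge both constructed logs and run the rules over them."""
    return detect(parse_log(REMOTE_ACCESS_LOG + FTP_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

On the constructed data this raises three alerts, all for `jsmith`: the Citrix login from RO, the VPN login from US seven minutes later while the RO session is fresh, and the 700 MB FTP transfer. None of these rules looks at a malware signature or a C2 address, which is the point: a user's first login from a new country or a tenfold jump in transfer volume will also be noisy in real environments (travel, VPN egress changes, a genuine bulk upload), so the thresholds are tuning knobs and the output is triage input, not a verdict.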
“[Threat groups] will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement, if possible,” Dell concluded.
“To help disrupt this tactic, it is important that organizations implement two-factor authentication for all remote access solutions and consider doing the same for internal, high-value assets like their internal system management consoles.”