With so many attacks each month on financial institutions, government agencies, health care organizations, insurance companies and basically anyone who is connected to the Internet, we are bound to witness different attack methods. Criminals may use different techniques, tools and procedures; they may also change attack vectors, command-and-control (C&C) tactics and execution of data exfiltration. However, there are three very interesting themes that repeat themselves in many of these attacks: the use of social engineering and social networks to map the target and initiate infection; the exploitation of zero-day vulnerabilities; and the use of remote access tools (RATs) to gain control of the designated system.
Getting Social Engineering Off the Ground
In the past, social engineering wasn’t necessarily difficult, but it required a significant investment of time and effort. You had to work to understand the structure of the company you were targeting and determine the best person or people to target within that organization. Then, after completing this preliminary detective work, you still had to decide the best way to reach out and make contact.
Today, the situation is very different — and substantially simpler for the bad guy. Thanks to professional social networking sites such as LinkedIn, a criminal can quite easily recognize the hierarchy of a targeted company. In short, anyone worth targeting has a LinkedIn profile — whether it’s a big-shot executive or a slightly less conspicuous target such as a high-level administrative assistant.
Making initial contact isn’t much harder than identifying the ideal target. LinkedIn members are accustomed to receiving messages from people they don’t know and likely even expect it. Once the criminal gets to know his target — perhaps by inquiring about a job or some other topic mentioned on the target’s profile — it shouldn’t be too difficult to get the victim to open an email or attachment that will infect the computer and grant the attacker the access he or she desires.
Other Common Attack Strategies
Beyond choosing a target, the next common attack element is the exploitation of vulnerabilities. To be clear, not every piece of software has vulnerabilities, not every vulnerability is exploitable and not every exploit is usable. Even so, there are a great number of vulnerabilities in deployed code that are being leveraged in attacks.
Not surprisingly, most vulnerabilities out there are not within the operating system but are rather application vulnerabilities, and many of those are high-risk. The list of the most vulnerable applications includes three major Web browsers — Internet Explorer, Chrome and Firefox — as well as Adobe, Java and Microsoft Office products. These applications, which nearly everyone has and uses regularly, are the common entry points for malware infection or vulnerability exploitation.
A third common attack element is remote access. In many cases, a payload is delivered after exploitation occurs, allowing the attacker to install some sort of RAT on the device. It’s worth mentioning that RATs can be very easy to find, with a simple Google search for “RAT sample” generating numerous results. RATs give the attacker a significant level of control over the infected device, ranging from the ability to remove specific processes from the system to uploading files to the device and, in perhaps an even greater intrusion of privacy, turning on the microphone or webcam.
It’s also worth mentioning that RATs are relatively easy to use and have very simple interfaces. Considering most attackers have a pretty high skill level when it comes to these types of technologies, RATs present an easy way to do a substantial amount of damage to victims and their devices.
In Conclusion
Social engineering, the exploitation of application vulnerabilities and the use of RATs are certainly not the only attack tactics employed by today’s cybercriminals; however, these three techniques — used independently or in tandem — repeat themselves in many cyberattacks and are therefore worth understanding. By implementing solutions to prevent these three attack types, a company can go a long way toward protecting itself from data breaches, fraud and other types of cybercrime.
Executive Security Advisor, IBM Security