With so many attacks each month on financial institutions, government agencies, health care organizations, insurance companies and basically anyone connected to the Internet, we are bound to see a wide range of attack methods. Criminals use different techniques, tools and procedures; they also change attack vectors, command-and-control (C&C) tactics and the way they carry out data exfiltration. However, three themes repeat themselves in many of these attacks: the use of social engineering and social networks to map the target and initiate infection; the exploitation of vulnerabilities, including zero-days; and the use of remote access tools (RATs) to take control of the targeted system.

Getting Social Engineering Off the Ground

In the past, social engineering wasn’t necessarily difficult, but it required a significant investment of time and effort. You had to work to understand the structure of the company you were targeting and determine the best person or people to target within that organization. Then, after completing this preliminary detective work, you still had to decide the best way to reach out and make contact.

Today, the situation is very different — and substantially simpler for the bad guy. Thanks to professional social networking sites such as LinkedIn, a criminal can quite easily map the hierarchy of a targeted company. In short, anyone worth targeting has a LinkedIn profile, whether it’s a big-shot executive or a slightly less conspicuous target such as a high-level administrative assistant.

Making initial contact isn’t much harder than identifying the ideal target. LinkedIn members are accustomed to receiving messages from people they don’t know and likely even expect them. Once the criminal has built some rapport with the target — perhaps by inquiring about a job or some other topic mentioned on the target’s profile — it shouldn’t be too difficult to get the victim to open an email attachment or link that will infect the computer and grant the attacker the access he or she desires.

Other Common Attack Strategies

Beyond choosing a target, the next common attack element is the exploitation of vulnerabilities. To be clear, not all software has vulnerabilities, not every vulnerability is exploitable and not every exploit is reliable enough to use in practice. Even so, a great many vulnerabilities in deployed code are being leveraged in attacks.

Not surprisingly, most of the vulnerabilities seen in the wild are not in the operating system but in applications, and many of them are high-risk. The list of the most vulnerable applications includes the three major Web browsers (Internet Explorer, Chrome and Firefox) as well as Adobe, Java and Microsoft Office products. Because nearly everyone has these installed and uses them daily, they are the usual entry points for exploitation and malware infection.
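The infection path described in the two sections above is a file the victim is persuaded to open, usually an Office document, a PDF, a Java archive or an executable dressed up as one of those. That makes the mail gateway, or an analyst looking at a reported message, the first place to intervene. The following Python script is an added example, not code from the original post: it parses a constructed sample message and judges each attachment by the bytes it actually carries rather than by its file name alone. The sender, file names, extension lists and byte contents are all made up for the demonstration.

```python
"""Triage the attachments of a suspicious email.

Added example for this post: judge each attachment by the bytes it carries,
not only by the file name the sender chose. The sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that commonly deliver exploits or droppers by mail (an assumed,
# illustrative list, not an exhaustive one).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".hta", ".jar", ".docm", ".xlsm", ".pptm", ".dotm",
}
# Names users trust; "report.pdf.exe" hides an EXE behind the first of them.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".png"}
# Leading bytes that identify the real container type.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip",                             # OOXML, .jar, archives
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",       # legacy .doc/.xls
    b"%PDF": "pdf",
}


def sniff(data: bytes) -> str:
    """Return the container type implied by the file's magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and describe each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        # Windows honours only the last extension, so the decoy is cosmetic.
        if len(pieces) > 2 and "." + pieces[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension")
        # Content that disagrees with the name is the strongest single signal.
        if kind == "pe-executable" and ext not in {".exe", ".scr", ".com", ".dll"}:
            reasons.append("PE header behind a non-executable name")
        if ext == ".pdf" and kind != "pdf":
            reasons.append(f"named .pdf but content is {kind}")
        findings.append({"name": name, "type": kind, "size": len(data), "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): a job pretext with three files."""
    msg = EmailMessage()
    msg["From"] = "Recruiter <recruiter@example.com>"
    msg["To"] = "assistant@example.org"
    msg["Subject"] = "Re: the role we discussed on LinkedIn"
    msg.set_content("Hi, the position details are attached as promised.")
    # A Windows executable renamed to look like a PDF: MZ header, decoy name.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="Job_Description.pdf.exe")
    # A macro-enabled workbook; OOXML is a ZIP container.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="Salary_Bands.xlsm")
    # A benign-looking PDF whose bytes really are PDF.
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="Company_Overview.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        verdict = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{verdict:10} {finding['name']:28} {finding['type']:14} {finding['reasons']}")
```

The extension list catches the lazy cases; the magic-byte check catches the renamed executable, which is the file a user is most likely to double-click. Note that a macro-enabled workbook and a plain .docx both sniff as ZIP, so the container check alone cannot tell a safe Office file from a dangerous one; that is why the extension check and the content check are combined rather than used in isolation.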

A third common attack element is remote access. In many cases, a payload is delivered after exploitation occurs, allowing the attacker to install some sort of RAT on the device. RATs are also easy to come by: a simple Google search for “RAT sample” returns numerous results. A RAT gives the attacker a significant level of control over the infected device, from terminating specific processes and uploading files to the device to, in perhaps an even greater intrusion of privacy, switching on the microphone or webcam.

It’s also worth mentioning that RATs are relatively easy to use and have very simple interfaces. Given that most attackers already have a high skill level with these types of tools, RATs present an easy way to do a substantial amount of damage to victims and their devices.
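Whatever a RAT can do once installed, it has to talk to its operator, and that check-in traffic is often the most detectable part of the intrusion. The Python below is an added example, not part of the original post: it builds a constructed connection log (one host beaconing to 203.0.113.7 on a roughly 60-second timer with small jitter, alongside the same host’s irregular browsing to 198.51.100.5) and flags flows whose inter-connection gaps are nearly constant. The log format, addresses and thresholds are assumptions made for the demonstration.

```python
"""Spot a RAT's command-and-control beacon in connection logs.

Added example for this post: implants phone home on a timer, and a timer is
what ordinary browsing does not look like. Log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_log() -> list:
    """Constructed log lines (not real traffic): 'timestamp src dst dport bytes'."""
    t0 = datetime(2014, 3, 5, 9, 0, 0)
    lines = []
    # Implant on 10.0.0.21 checks in every ~60 s with a little jitter.
    jitter = [0, 1, -2, 2, 0, -1, 1, 0, 2, -1]
    t = t0
    for j in jitter:
        t += timedelta(seconds=60 + j)
        lines.append(f"{t.isoformat()} 10.0.0.21 203.0.113.7 443 {512 + j}")
    # The same host browsing a news site: bursty, irregular gaps.
    gaps = [3, 0, 1, 240, 2, 0, 900, 5, 1, 30]
    t = t0
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} 10.0.0.21 198.51.100.5 443 {4096 + g}")
    return sorted(lines)


def parse_log(lines) -> dict:
    """Group connection timestamps by (src, dst, dport) flow."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _nbytes = line.split()
        events[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_count=6, max_cv=0.1) -> list:
    """Flag flows whose inter-connection gaps are nearly constant.

    cv is the coefficient of variation of the gaps (stddev / mean); a perfect
    clock gives 0, human browsing gives values well above 1."""
    hits = []
    for key, times in events.items():
        if len(times) < min_count:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"flow": key, "count": len(times),
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(make_sample_log())):
        src, dst, dport = hit["flow"]
        print(f"beacon: {src} -> {dst}:{dport} every ~{hit['period_s']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

The coefficient of variation is deliberately a crude statistic. A RAT that sleeps for a random interval, or only wakes on a schedule, will need a looser max_cv, a longer observation window or extra features (constant payload size, a destination no other host talks to) before this fires, and a legitimate agent such as an update checker will fire too. Treat hits as hunting leads to be checked against the process that owns the socket, not as alerts in themselves.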

In Conclusion

Social engineering, the exploitation of application vulnerabilities and the use of RATs are certainly not the only tactics employed by today’s cybercriminals; however, these three techniques — used independently or in tandem — repeat themselves in many cyberattacks and are therefore worth understanding. By putting controls in place against these three techniques, a company can go a long way toward protecting itself from data breaches, fraud and other types of cybercrime.
