With so many attacks each month on financial institutions, government agencies, health care organizations, insurance companies and basically anyone who is connected to the Internet, we are bound to witness different attack methods. Criminals may use different techniques, tools and procedures; they may also change attack vectors, command-and-control (C&C) tactics and execution of data exfiltration. However, there are three very interesting themes that repeat themselves in many of these attacks: the use of social engineering and social networks to map the target and initiate infection; the exploitation of zero-day vulnerabilities; and the use of remote access tools (RATs) to gain control of the designated system.

Getting Social Engineering Off the Ground

In the past, social engineering wasn’t necessarily difficult, but it required a significant investment of time and effort. You had to work to understand the structure of the company you were targeting and determine the best person or people to target within that organization. Then, after completing this preliminary detective work, you still had to decide the best way to reach out and make contact.

Today, the situation is very different — and substantially simpler for the bad guy. Thanks to professional social networking sites such as LinkedIn, a criminal can quite easily work out the hierarchy of a targeted company. In short, anyone worth targeting has a LinkedIn profile — whether it’s a big-shot executive or a slightly less conspicuous target such as a high-level administrative assistant.

Making initial contact isn’t much harder than identifying the ideal target. LinkedIn members are accustomed to receiving messages from people they don’t know and likely even expect it. Once the criminal gets to know his target — perhaps by inquiring about a job or some other topic mentioned on the target’s profile — it shouldn’t be too difficult to get the victim to open an email or attachment that will infect the computer and grant the attacker the access he or she desires.

Other Common Attack Strategies

Beyond choosing a target, the next common attack element is the exploitation of vulnerabilities. To be clear, not every piece of software has vulnerabilities, not every vulnerability is exploitable and not every exploit is usable. Even so, a great number of vulnerabilities in deployed code are being leveraged in attacks.

Not surprisingly, most vulnerabilities out there are not within the operating system but are rather application vulnerabilities. Within these applications, many of the vulnerabilities are high-risk. The list of the most vulnerable applications includes three major Web browsers — Internet Explorer, Chrome and Firefox — as well as Adobe, Java and Microsoft Office products. These applications, which nearly everyone has and uses regularly, are the common entry points for malware infection and vulnerability exploitation.

A third common attack element is remote access. In many cases, a payload is delivered after exploitation occurs, allowing the attacker to install some sort of RAT on the device. It’s worth mentioning that RATs can be very easy to find, with a simple Google search for “RAT sample” generating numerous results. RATs give the attacker a significant level of control over the infected device, ranging from removing specific processes from the system to uploading files to the device and, in perhaps an even greater intrusion of privacy, turning on the microphone or webcam.

It’s also worth mentioning that RATs are relatively easy to use and have very simple interfaces. Considering most attackers have a pretty high skill level when it comes to these types of technologies, RATs present an easy way to do a substantial amount of damage to victims and their devices.

In Conclusion

Social engineering, the exploitation of application vulnerabilities and the use of RATs are certainly not the only attack tactics employed by today’s cybercriminals; however, these three techniques — used independently or in tandem — repeat themselves in many cyberattacks and are therefore worth understanding. By implementing solutions to prevent these three attack types, a company can go a long way toward protecting itself from data breaches, fraud and other types of cybercrime.
