For Attackers, Home is Where the Hideout Is

January 19, 2021

Remember the good ol’ days of playing hide-and-seek? It’s hard to forget the rush of finding the perfect hiding place. I remember crouching into a tiny ball behind the clothes hanging in my mother’s closet, or standing frozen like a statue behind the curtain of our living room window. While it was “just a game” when we were kids, in today’s internet-connected world, that game has morphed into a much darker, more serious activity with attackers hiding in unexpected and oftentimes forgotten places. Attackers may live in some technologies, machines and systems for years, remaining unseen by antivirus and other detection controls.

I spoke with X-Force Red’s Chief Technology Officer and veteran hacker Steve Ocepek to learn more about the most popular attacker hideouts.


Where Can Attackers Hide?

In order to root them out, the best defensive hackers think like attackers. They know the top spots in which attackers could hide. From there, they can assess any type of environment, spot where attackers could hide for an extended period of time and show how those attackers may use that position to achieve their objectives. Ocepek says there are several likely places an attacker may call home. To find them, first look at personal computers.

According to Ocepek, attackers most often hide out in home-based computers. From there, they can compromise users by sending emails with malicious links or attachments or redirecting users to a malicious page. Typically, attackers use home PCs to build a botnet and launch more attacks. From a user’s standpoint, it’s tough to know if a computer is part of a botnet. Some signs include the machine or internet running slowly, but that happens to all of us, right?

Next, look at at-risk printers. Printers are configured to be easy to access and use, which means security is often overlooked. They are not viewed as a technology that needs patching, and as such they fall behind with open vulnerabilities. That’s a goldmine for attackers. With physical or network access, attackers could plant malicious software on a printer. Then, they can hide on the device and attack the connected network.

Working From Home Adds Entry Points

With most offices sitting empty these days, physical access is rarely the route in. The most common way to compromise a printer is to gain transient access by infecting a user's laptop (often through phishing) and then pivoting to the printer over the network. However, many printers are also directly internet-connected, sometimes accidentally. A team of researchers recently proved how hackable printers can be when they accessed nearly 28,000 printers around the world and forced the devices to print a five-step guide about how to secure a printer.

Cable modems are also a likely entry point for an unexpected attack. Similar to printers, cable modems are not devices people often think about in terms of security. Unfortunately, their operating systems and software are often outdated. Even when this is known, users are not expected to update these devices, since they are managed by their providers. What users do change is the configuration, and usually in the less secure direction: for instance, they might open ports to play games on the home network. There's also a sort of monoculture when it comes to cable modem hardware: if you hack into one, you can hack into millions. These devices sit openly on the internet, so when attackers find known flaws, they can exploit them in large numbers.

The Low-Hanging Fruit of Attacks

When you’re searching for places where attackers can hide, don’t forget to check facility control systems. These systems are built and managed by third-party vendors, yet they sit on the same network as a company’s other devices. Attackers can jump from them to other systems such as network-connected door locks, HVAC and surveillance. Oftentimes, they are not locked down or patched because companies don’t want to risk disrupting technologies that are run by third-party vendors. They also tend to be ‘set and forget’ technologies, which means their operating systems are most likely outdated. Unfortunately, those factors combined can make these systems a low-hanging-fruit target for attackers.

Hiding an Attack in the Virtual Closet

Next, check forgotten virtual machines (VMs). When companies manage an armada of cloud-based virtual machines, some of them are most likely insecure. These machines may be throw-away test boxes or instances that developers set up and forgot about. They are also often public-facing, reachable by anyone on the internet, and tend to be left out of the security program. To compromise a forgotten virtual machine, an attacker merely needs to find it, either through their own routine internet-wide scans or through a search engine for internet-connected devices such as Shodan, and then exploit an unpatched vulnerability or an easily guessed password. Once in, the attacker installs a back door for command and control, and such a machine may also have network access or privileges that reach the organization's other VMs.

All of those hideouts can serve as a place to live for attackers. Once inside, they can monitor a company’s traffic, perform reconnaissance and/or become part of a botnet or create their own. They can send commands to the infected devices, execute distributed denial-of-service attacks and commit fraud and other nefarious activities. In some cases, attackers could use the hideout as a foothold to then move laterally or deeper into the network, accessing whichever kind of information they want, whenever they want.

Shutting the Door on an Attack

So, how can you protect these overlooked hideouts? The typical prevention measures apply. Run antivirus software, keep operating systems up-to-date and understand your inventory, especially your cloud assets. It’s also important to engage with your third-party vendors to make sure they are keeping their products up to date.

Deploying ongoing vulnerability management and penetration testing programs can also help. Vulnerability management programs can detect known weaknesses such as missing antivirus software and outdated operating systems. They can also find rogue or forgotten cloud assets, so that you always know what you have and whether it is vulnerable to an attack. Penetration testing can uncover exposures that scanning tools miss, and it can show how attackers would chain those weaknesses to accomplish their mission.
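The forgotten-VM hideout described in the "virtual closet" section, and the inventory advice just above, come down to one recurring check: reconcile what the cloud account actually contains against what the security program knows about, and look hardest at anything untracked that also has a public address and a remote-admin port open to the world. The script below is an added illustration, not code from the article or from X-Force Red. The instance records, security-group rules and approved inventory are constructed sample data shaped loosely like an EC2 export; the field names, tag conventions and the 90-day staleness threshold are assumptions for the example.

```python
"""Flag forgotten, internet-facing cloud VMs by reconciling an instance export
against the approved asset inventory (added example; constructed sample data)."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample yields reproducible instance ages.
NOW = datetime(2021, 1, 19, tzinfo=timezone.utc)

# Constructed: instance IDs the CMDB / security program already tracks.
KNOWN_INVENTORY = {"i-0a1b2c3d4e5f60001", "i-0a1b2c3d4e5f60002"}

# Constructed: trimmed instance export (field names assumed, loosely modelled on EC2).
INSTANCES = [
    {"InstanceId": "i-0a1b2c3d4e5f60001", "PublicIpAddress": "203.0.113.10",
     "LaunchTime": NOW - timedelta(days=30), "SecurityGroups": ["sg-web"],
     "Tags": {"Name": "web-prod-1", "Owner": "platform-team"}},
    {"InstanceId": "i-0a1b2c3d4e5f60002", "PublicIpAddress": None,
     "LaunchTime": NOW - timedelta(days=200), "SecurityGroups": ["sg-internal"],
     "Tags": {"Name": "db-prod-1", "Owner": "data-team"}},
    # A developer's throw-away test box: untracked, world-reachable SSH/RDP, no owner, a year old.
    {"InstanceId": "i-0a1b2c3d4e5f60003", "PublicIpAddress": "203.0.113.77",
     "LaunchTime": NOW - timedelta(days=400), "SecurityGroups": ["sg-ssh-world"],
     "Tags": {"Name": "dev-test-tmp"}},
    # Untracked but private-only, owned and recent: worth a ticket, lower priority.
    {"InstanceId": "i-0a1b2c3d4e5f60004", "PublicIpAddress": None,
     "LaunchTime": NOW - timedelta(days=3), "SecurityGroups": ["sg-internal"],
     "Tags": {"Name": "ci-runner", "Owner": "build-team"}},
]

# Constructed: inbound rules per security group.
SECURITY_GROUPS = {
    "sg-web": [{"FromPort": 443, "ToPort": 443, "IpRanges": ["0.0.0.0/0"]}],
    "sg-internal": [{"FromPort": 22, "ToPort": 22, "IpRanges": ["10.0.0.0/8"]}],
    "sg-ssh-world": [{"FromPort": 22, "ToPort": 22, "IpRanges": ["0.0.0.0/0"]},
                     {"FromPort": 3389, "ToPort": 3389, "IpRanges": ["::/0"]}],
}

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389, 5900}  # remote-admin services that invite password guessing


def world_open_ports(sg_ids, groups):
    """Return the admin ports that any of the instance's groups expose to the whole internet."""
    exposed = set()
    for sg_id in sg_ids:
        for rule in groups.get(sg_id, []):
            if not WORLD.intersection(rule["IpRanges"]):
                continue  # only rules whose source is the entire IPv4 or IPv6 internet count
            lo, hi = rule["FromPort"], rule["ToPort"]
            exposed.update(p for p in ADMIN_PORTS if lo <= p <= hi)
    return exposed


def assess(instance, groups, known, now, stale_days=90):
    """Return the reasons this instance looks forgotten or over-exposed (empty list = fine)."""
    reasons = []
    untracked = instance["InstanceId"] not in known
    if untracked:
        reasons.append("untracked")
    if "Owner" not in instance["Tags"]:
        reasons.append("no-owner-tag")
    if untracked and (now - instance["LaunchTime"]).days > stale_days:
        reasons.append("stale")
    if instance["PublicIpAddress"]:
        ports = world_open_ports(instance["SecurityGroups"], groups)
        if ports:
            reasons.append("admin-port-open-to-internet:" + ",".join(str(p) for p in sorted(ports)))
    return reasons


def find_forgotten_vms(instances, groups, known, now, stale_days=90):
    """Map instance ID -> reasons for every instance that trips at least one check, worst first."""
    findings = {}
    for inst in instances:
        reasons = assess(inst, groups, known, now, stale_days)
        if reasons:
            findings[inst["InstanceId"]] = reasons
    # The more checks an instance trips, the closer it is to a ready-made hideout.
    return dict(sorted(findings.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for iid, reasons in find_forgotten_vms(INSTANCES, SECURITY_GROUPS, KNOWN_INVENTORY, NOW).items():
        print(f"{iid}: {', '.join(reasons)}")
```

Run against a real account, the instance and security-group records would come from the provider's API and the known-inventory set from the CMDB; the reconciliation logic stays the same. The ordering matters in practice: an untracked, ownerless box with SSH or RDP open to the world is the one to image and take offline first, while an untracked but private, owned instance is an inventory gap to close rather than an incident.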

Finally, be vigilant. Include these hideouts in your security programs. Attackers hide in them because they are blind spots. So, simply being aware of them can give you a leg up against the adversary.

To learn more about these hideouts and other topical security issues, such as commonly missed threats and vulnerabilities and risks that can arise in a hybrid and remote workforce, join X-Force Red, Tenable and your security colleagues on Jan. 28 in a virtual panel discussion about these and other issues. Register here.

Abby Ross
Associate Partner, X-Force Red

Abby Ross is Associate Partner for X-Force Red, IBM Security's team of veteran hackers. Abby is a seasoned marketing and public relations professional, with ...