Remember the good ol’ days of playing hide-and-seek? It’s hard to forget the rush of finding the perfect hiding place. I remember crouching into a tiny ball behind the clothes hanging in my mother’s closet, or standing frozen like a statue behind the curtain of our living room window. While it was “just a game” when we were kids, in today’s internet-connected world, that game has morphed into a much darker, more serious activity with attackers hiding in unexpected and oftentimes forgotten places. Attackers may live in some technologies, machines and systems for years, remaining unseen by antivirus and other detection controls.

I spoke with X-Force Red’s Chief Technology Officer and veteran hacker Steve Ocepek to learn more about the most popular attacker hideouts.


Where Can Attackers Hide?

In order to root them out, the best defensive hackers think like attackers. They know the top spots in which attackers could hide. From there, they can assess any type of environment, spot where attackers could hide for an extended period of time and show how those attackers may use that position to achieve their objectives. Ocepek says there are several likely places an attacker may call home. To find them, first look at personal computers.

According to Ocepek, attackers most often hide out in home-based computers. From there, they can compromise users by sending emails with malicious links or attachments or redirecting users to a malicious page. Typically, attackers use home PCs to build a botnet and launch more attacks. From a user’s standpoint, it’s tough to know if a computer is part of a botnet. Some signs include the machine or internet running slowly, but that happens to all of us, right?

Next, look at at-risk printers. Printers are configured to be easy to access and use, which means security is often overlooked. They are not viewed as a technology that needs patching, and as such they fall behind with open vulnerabilities. That’s a goldmine for attackers. With physical or network access, attackers could plant malicious software on a printer. Then, they can hide on the device and attack the connected network.

Working From Home Adds Entry Points

Although most offices sit empty these days, the most common way to compromise printers would be to gain transient access by infecting a user’s laptop (often through phishing), and then pivoting onto the printer. However, many printers are internet-connected, sometimes accidentally. A team of researchers recently proved how hackable printers can be when they accessed nearly 28,000 printers around the world and forced the devices to print a five-step guide about how to secure a printer.

Cable modems are also a likely entry point for an unexpected attack. Similar to printers, cable modems are not devices people often think about in terms of security. Unfortunately, their operating systems and software are often outdated. Even when this is known, users are not expected to update these devices, since they are managed by their providers. Primarily, users create less secure configurations instead. For instance, they might open ports to play games on the home network. There’s also a sort of monoculture when it comes to cable modem hardware — if you hack into one, you can hack into millions. These devices sit openly on the internet. If attackers find known flaws, they can exploit them in large numbers.

The Low-Hanging Fruit of Attacks

When you’re searching for places where attackers can hide, don’t forget to check facility control systems. These systems are built and managed by third-party vendors, yet they sit on the same network as a company’s other devices. Attackers can jump from them to other systems such as network-connected door locks, HVAC and surveillance. Oftentimes, they are not locked down or patched because companies don’t want to risk disrupting technologies that are run by third-party vendors. They also tend to be ‘set and forget’ technologies, which means their operating systems are most likely outdated. Unfortunately, those factors combined can make these systems a low-hanging-fruit target for attackers.

Hiding an Attack in the Virtual Closet

Next, check forgotten virtual machines (VMs). When companies manage an armada of cloud-based virtual machines, some of them are most likely insecure. These machines may be throw-away test boxes or instances that developers set up and forgot about. They are also often public-facing, accessible from the internet, meaning anyone can reach them, and tend to be left out of the security program. To compromise these forgotten virtual machines, an attacker merely needs to find them via one of their frequent internet scans, or via an internet scanner such as Shodan, and exploit an unpatched vulnerability or easily guessable password. Once compromised, the attacker installs a back door in order to command and control these systems, which also might have special access to other organization VMs.

All of those hideouts can serve as a place to live for attackers. Once inside, they can monitor a company’s traffic, perform reconnaissance and/or become part of a botnet or create their own. They can send commands to the infected devices, execute distributed denial-of-service attacks and commit fraud and other nefarious activities. In some cases, attackers could use the hideout as a foothold to then move laterally or deeper into the network, accessing whichever kind of information they want, whenever they want.

Shutting the Door on an Attack

So, how can you protect these overlooked hideouts? The typical prevention measures apply. Run antivirus software, keep operating systems up-to-date and understand your inventory, especially your cloud assets. It’s also important to engage with your third-party vendors to make sure they are keeping their products up to date.

Deploying ongoing vulnerability management and penetration testing programs can also help. Vulnerability management programs can detect known vulnerabilities such as a lack of antivirus software and outdated operating systems. They can also find rogue or forgotten cloud assets so that you always know what you have and whether it’s vulnerable to an attack. Penetration testing can help uncover vulnerabilities exposing devices that scanning tools cannot find, and it can show how attackers would use those vulnerabilities to accomplish their mission.
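The forgotten-VM hideout described earlier and the inventory and vulnerability-management advice above come down to one reconciliation: compare what the cloud provider says you are running against what your scanner actually covers and who owns it. The script below is an added example, not code from the article or from X-Force Red; the VM records, scanner export, IDs and addresses are constructed sample data standing in for a cloud provider's instance list and a vulnerability scanner's asset export, and the 90-day staleness threshold is an assumed policy value.

```python
"""Reconcile a cloud VM inventory against vulnerability-scanner coverage.

Added example; not code from the original article or from X-Force Red.
INVENTORY and SCANNER_ASSETS are constructed sample data standing in for
a cloud provider's instance API and a vulnerability scanner's asset export.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CloudVM:
    vm_id: str
    name: str
    public_ip: Optional[str]                      # None when the VM has no internet-facing address
    tags: Dict[str, str] = field(default_factory=dict)
    last_login: Optional[date] = None             # None when nobody has logged in since creation


# Constructed sample inventory: hypothetical IDs, RFC 5737 documentation addresses.
INVENTORY: List[CloudVM] = [
    CloudVM("vm-001", "web-prod-01", "203.0.113.10", {"owner": "web-team", "env": "prod"}, date(2021, 1, 10)),
    CloudVM("vm-002", "test-box-jsmith", "203.0.113.22", {}, date(2019, 6, 3)),
    CloudVM("vm-003", "build-agent-04", None, {"owner": "ci"}, date(2021, 1, 9)),
    CloudVM("vm-004", "poc-demo", "203.0.113.45", {"env": "dev"}, None),
]

# Constructed export of the asset IDs the vulnerability scanner knows about.
SCANNER_ASSETS: Set[str] = {"vm-001", "vm-003"}

# Fixed "today" so the constructed sample stays deterministic.
AS_OF = date(2021, 1, 15)


def forgotten_vms(inventory: List[CloudVM], scanner_assets: Set[str], today: date,
                  stale_after_days: int = 90) -> List[Tuple[CloudVM, List[str]]]:
    """Return (vm, reasons) pairs for internet-facing VMs that look forgotten.

    A VM is flagged when it has a public address AND at least one of:
      - it is absent from the scanner's asset list (nobody checks it for known vulnerabilities),
      - it carries no 'owner' tag (nobody is accountable for patching it),
      - nobody has logged in within `stale_after_days`, or ever.
    """
    cutoff = today - timedelta(days=stale_after_days)
    findings: List[Tuple[CloudVM, List[str]]] = []
    for vm in inventory:
        if vm.public_ip is None:
            continue  # internal-only VMs matter too, but the article's concern is public-facing ones
        reasons = []
        if vm.vm_id not in scanner_assets:
            reasons.append("not covered by vulnerability scanning")
        if "owner" not in vm.tags:
            reasons.append("no owner tag")
        if vm.last_login is None or vm.last_login < cutoff:
            reasons.append("no login in the last %d days" % stale_after_days)
        if reasons:
            findings.append((vm, reasons))
    return findings


def report(findings: List[Tuple[CloudVM, List[str]]]) -> str:
    """Render findings one per line for a ticket or a daily digest."""
    return "\n".join(
        f"{vm.vm_id} {vm.name} ({vm.public_ip}): " + "; ".join(reasons)
        for vm, reasons in findings
    )


if __name__ == "__main__":
    print(report(forgotten_vms(INVENTORY, SCANNER_ASSETS, today=AS_OF)))
```

In a real deployment the two inputs would come from the provider's instance API and the scanner's asset export on a schedule; the useful output is not the list itself but the gap between them, since an instance the scanner has never seen is exactly the box the article describes as left out of the security program.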

Finally, be vigilant. Include these hideouts in your security programs. Attackers hide in them because they are blind spots. So, simply being aware of them can give you a leg up against the adversary.

To learn more about these hideouts and other topical security issues, such as commonly missed threats and vulnerabilities and risks that can arise in a hybrid and remote workforce, join X-Force Red, Tenable and your security colleagues on Jan. 28 in a virtual panel discussion about these and other issues.
