Favorite hacker tactics

One of the most important criteria for choosing hacker tools, in addition to the degree of ownership of group members by them, is effectiveness. Modern cyber attacks are complex multi-stage operations, the implementation of which requires a lot of time and serious financial resources. If penetration into the system fails, all the preliminary work and costs will be in vain. Thus, penetration tactics in systems that are used by leading groups can be considered as the most effective.
Among these tactics should be highlighted:
1) all types of phishing – classic, targeted, phishing through social networks, tabnabbing;
2) attacks on the supply chain;
3) attacks like Watering Hole (“watering hole”);
4) attacks through vulnerabilities of network equipment and operating systems;
5) attacks through DNS interception.

In fact, all these methods have long been known, but each group brings its own “twist”, turning just effective tactics into an armor-piercing projectile or gracefully combining several techniques to easily bypass the protection systems of companies.

Phishing

In its simplest form, phishing is a regular email containing a malicious attachment or link. The text of the letter is composed in such a way as to convince the recipient to perform the actions necessary for the sender: open the attachment or follow the link to change the password.

Letters sent by colleagues or managers are more credible than messages from strangers, especially if the design of the letter is consistent with the style adopted by the company. In this regard, the preparatory phase of a cyber campaign using phishing necessarily includes collecting information about the structure of the organization, a list of employees and their emails, as well as real letters containing design elements.

Silence Grouping It uses the most common phishing for penetration with a slight nuance: its campaigns necessarily include a test phase with the sending of harmless letters to check the relevance of the collected address base. This allows you to increase the effectiveness of the attack by sending letters with malicious load to the verified recipient database.

Grouping Pawn Storm It also uses phishing mailings, and to increase their effectiveness, an influence amplifier such as authority is added to them. In this regard, the preparatory phase of their campaign includes the so-called High-Credential Phishing – the theft of high-level accounts. Having collected a sufficient amount of such data on the target organization, Pawn Storm conducts mailing on behalf of these persons, “charging” them with a payload that ensures the successful achievement of the goal.

In the arsenal of Fancy Bear tricks there is another, not too well-known, one – replacing a legal site with a phishing site in browser tabs – tabnabbingdescribed by Aza Raskin of Mozilla in 2010. The tabnabbing attack is as follows:

• the victim is lured to a harmless site that is controlled by an attacker;
• there is a script on the site that monitors the victim’s behavior: as soon as she switches to another tab or for a long time does not perform actions, the content of the site changes to the authorization page in the mail or social network, and the favicon of the site to the favicon of the corresponding service – Gmail, Facebook, etc. d.
• Returning to the tab, the victim discovers that she has “logged in” and without a doubt enters her credentials;
• the script passes the login and password to the attacker, and then redirects the victim to the appropriate service, which he did not think to log out to anyone.

Hackers Lazarus Do not exchange for trifles, preferring to hit exactly on target. Their weapons are targeted phishing by mail and social networks. Having chosen a company employee suitable for their tasks, they study his profiles in social networks, and then enter into correspondence with him, which usually begins with an attractive offer of a new job. Using social engineering, they convince him, under the guise of something important, to download the malware and run it on their computer.

MoneyTaker Team, which specializes in banks, conducts phishing mailings on behalf of other banks, the central bank, the ministry of finance and other financial-related organizations. By copying the templates of the relevant departments, they give the letters the necessary and sufficient degree of credibility for a successful attack.

Counterparty Attacks

It often happens that the target organization is well protected, especially when it comes to a bank, military or state organization. In order not to break the forehead against the “concrete wall” of the defense complexes, the groups attack the counteragents with which their target interacts. Having compromised the mail of several employees or even infiltrated the correspondence, hackers receive the information necessary for further penetration and the opportunity to fulfill their plan.

For example, the Cobalt group penetrated banking networks, attacking system integrators and other service providers, and hacks by electronic wallet developers and payment terminals allowed it to automatically steal money through payment gateways using its own program.

Watering Attack

Watering Hole, or Watering Hole, is one of Lazarus’s favorite tactics. The meaning of the attack is to compromise the legal sites that are often visited by employees of the target organization. For example, for bank employees, such resources would be the central bank’s website, ministries of finance, and industry portals. After hacking, hacking tools are placed on the site under the guise of useful content. Visitors download these programs to their computers and provide attackers with access to the network.

Among hacked Lazarus sites – Polish Financial Supervision Commission, Bank of the Eastern Republic of Uruguay and National Banking and Stock Commission of Mexico. Hackers used vulnerabilities in Liferay and JBoss to hack sites.

OS and network hardware vulnerabilities

Exploiting vulnerabilities of operating systems and network equipment provides significant advantages, but this requires professional knowledge and skills. Using exploit kits without a deep understanding of the principles of their work will quickly nullify the success of the attack: they hacked into a hack, but could not do anything.

Vulnerability attacks are common for MoneyTaker, Lazarus, and Pawn Storm. The first two groups mainly use the known errors in the firmware of network equipment to introduce their server into the company’s network through a VPN, through which they carry out further actions. But in the arsenal of Pawn Storm, dangerous zero-day vulnerabilities are discovered, for which there are no patches; it scans for systems with known vulnerabilities.

DNS Attacks

This is a family of attacks we recorded only with Pawn Storm. Other well-known groups are usually limited to phishing and two to three alternative methods.

Pawn Storm uses several levels of DNS compromise. For example, there are cases when they stole company credentials from the DNS control panel and changed MX servers to their own, gaining full access to correspondence. The malicious server received and transmitted all the mail to the target company, leaving copies in its possession, and hackers could infiltrate any chain at any time and achieve the desired result, undetected.

Another way of compromising was to take complete control of the DNS registrar’s servers. In many countries there is only a very small number of registrars, so the seizure of control over the largest of them provided almost endless possibilities for introducing most public and private organizations into the information exchange, phishing and other types of influence.

findings

Phishing is not only popular with script kiddis renting access to malicious services such as Phishing-as-Service or Extortion-as-Service. The effectiveness and relative cheapness of this method made it the main, and sometimes the only weapon of the most dangerous groups. The wealth of options for using it plays into the hands of criminals: before compromising business correspondence, most protective solutions pass, and the credulity and distraction of users will be a reliable support for fraudulent attacks for a long time to come.
Protecting computer systems and network equipment is undoubtedly an important task along with the timely installation of security updates, but taking into account the charts of cybercrime tactics, measures related to protection from the human factor come first.

Intercepted credentials from a senior person’s mail will allow criminals to steal sensitive information of special importance, and then use this mail and information to conduct a multi-pass attack. Meanwhile, banal training of skills and the use of MFA would deprive hackers of this opportunity.

However, defense systems also do not stand still, detecting malicious actions using artificial intelligence, deep learning and neural networks. Many companies are developing this class, and we also offer our customers protection from sophisticated BEC attacks with the help of specially trained artificial intelligence. Their use in conjunction with training employees in safe behavior skills will allow them to successfully resist cyber attacks by even the most technically trained groups.