Top 10 of 2020: Vulnerabilities and Attacking Techniques


The risk and severity of cyber-attacks have clearly grown over the last 5-6 months. In the Covid-19 situation, dependence on digital platforms, applications, and infrastructure underscores the need for efficient cybersecurity defence.

It goes without saying that the advancement of technology and the wide use of digital media are making attackers smarter by the day. Today these cyber criminals take advantage of individuals and firms who pay less heed to cybersecurity. In the future, organizations will face cyber threats in three key areas:

  • Disruption: Over-dependence on fragile connectivity will increase the risk of premeditated internet outages that compromise business operations. Cybercriminals will continue to use ransomware, polymorphic APTs, and malware.
  • Distortion: Spread of misinformation by bots and automated sources will cause a compromise of trust in the integrity of information.
  • Deterioration: Rapid advances in smart technologies will continue, and attackers will keep finding and exploiting vulnerabilities in them.

Spear phishing Attachments

Spear phishing attachment is a specific variant of spear phishing. It differs from other forms of spear phishing in that it employs malware attached to an email. All forms of spear phishing are electronically delivered social engineering targeted at a specific individual, company, or industry.

The most common phishing mechanisms are:

  • Delivery of malicious software (less common)
  • Delivery of malicious documents
  • Delivery of a URL lure in the message body or in an otherwise benign attachment
  • Simple requests for information or assistance

Ransomware as a Service

The ransomware threat is growing. Ransomware attacks are on the rise, and the monetary value for ransomware payments is rapidly increasing. The RaaS business model is gaining popularity with ransomware developers as indicated by the increasing number of ransomware variants using the model. This increase in RaaS support creates more opportunities for external affiliates to use ransomware, further expanding the threat landscape to organizations. Ransomware will remain a problem for the foreseeable future, so it is imperative for organizations to take preventative action to protect themselves.

Third Party and Supply Chain Exploits

Today, almost all organizations procure services and products (software and hardware) from third-party providers. These days adversaries don’t target their initial goal directly. Instead, they focus on finding and compromising the most vulnerable elements in their victim’s supply chain network: the subcontractors and third-party providers an intended victim works with. There are several ways of compromising a supply chain, from sending phishing emails in order to steal a supplier’s identity to injecting malicious code into third-party software. Software supply chain attacks pose the most danger since they are much harder to detect. These attacks target not third-party provider accounts or corporate networks, but third-party software used by a victim. Such an attack can be performed by exploiting existing vulnerabilities in this software or by modifying the software through malicious code insertion.

Cloud Jacking

Cloud Jacking is likely to emerge as one of the most prominent cybersecurity threats in 2020 due to the increasing reliance of businesses on cloud computing. Misconfiguration will drive the majority of the incidents. Code injection attacks, either directly against the application code or through a third-party library, are prominently used against cloud platforms. These attacks, such as cross-site scripting and SQL injection, are carried out to eavesdrop on, take control of, and even modify sensitive files and data stored in the cloud. Alternatively, attackers inject malicious code into third-party libraries that users unwittingly download and execute.

Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. These credentials are then used to access restricted information, perform lateral movements, and install other malware.

Credential dumping comes in various shapes and sizes but can be broken down into three main implementation categories:

  • Accessing hashed credentials
  • Accessing credentials in plaintext
  • Acquiring key material (most commonly on Linux and macOS)

Custom AV/EDR signatures that block credential dumping tools can prevent this. Continuous API monitoring, analysis of PowerShell logs, process monitoring, and deception (credential honeypots) can help organizations detect credential dumping.
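The process monitoring and PowerShell log analysis mentioned above, as an added example that is not part of the original article: a small detector run over constructed Sysmon ProcessAccess (Event ID 10) and PowerShell ScriptBlock (Event ID 4104) records. It flags a non-allowlisted process that opens lsass.exe with memory-read rights, and script blocks that reference LSASS or the MiniDumpWriteDump API; the allowlist and indicator strings are illustrative assumptions to be tuned per environment.

```python
import json
from typing import List, Optional

# Sysmon Event ID 10 reports the access mask granted on the target process;
# PROCESS_VM_READ (0x0010) is required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS on a typical Windows host.
# Assumption: illustrative only; tune this allowlist per environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Strings in PowerShell script blocks (Event ID 4104) that warrant review.
PS_INDICATORS = ("lsass", "minidumpwritedump")


def check_event(event: dict) -> Optional[str]:
    """Return an alert reason for one parsed event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 10:
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith(r"\lsass.exe") and source not in LSASS_ALLOWLIST
                and granted & PROCESS_VM_READ):
            return f"non-allowlisted process {source} read LSASS memory (access {hex(granted)})"
    elif eid == 4104:
        text = event.get("ScriptBlockText", "").lower()
        hits = [s for s in PS_INDICATORS if s in text]
        if hits:
            return f"PowerShell script block references {', '.join(hits)}"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run check_event over JSON-encoded log lines and return the alerts raised."""
    return [r for r in (check_event(json.loads(ln)) for ln in lines) if r]


# Constructed sample log lines (not real telemetry): two benign, two suspicious.
SAMPLE_LOGS = [
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    json.dumps({"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"}),
    json.dumps({"EventID": 4104, "ScriptBlockText": "# constructed sample: references lsass and MiniDumpWriteDump"}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print("ALERT:", alert)
```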

Malware Persistence

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Source: Digital Forensics

DNS Hijacking

DNS (Domain Name System) is crucial to all organizations that rely on the Internet for conducting business – it is critical for the performance and reliability of your internet applications and cloud services. DNS Hijacking is an attack technique in which the attacker creates a dummy site that looks and feels just like the site they are targeting. The steps followed in DNS Hijacking are:

  • The attacker uses a targeted attack (such as spear phishing) to obtain login credentials to the admin panel of the DNS provider for the target site.
  • The attacker then goes into the DNS admin panel and changes the DNS records for the site they are targeting (this is the hijacking itself), so that users trying to access the site will instead be sent to the dummy site.
  • The attacker obtains a TLS certificate that will convince a user’s browser that the dummy site is legitimate.
  • Unsuspecting users go to the URL of the compromised site and get redirected to the dummy site.
  • The users then attempt to log in on the dummy site, and their login credentials are harvested by the attacker.
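Because the hijack hinges on the second step (a change to the zone's records), a defender's baseline check is the natural control. The following is an added example, not code from the original article: it compares an approved set of records against a later snapshot, normalizes names so cosmetic differences do not raise noise, and rates NS and address changes as critical because they redirect users. The zone data is constructed and uses documentation addresses.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Record types whose change most directly enables the hijack described above.
# NS/A/AAAA move resolution or traffic; CAA limits which CAs may issue for the domain.
WATCHED_TYPES = ("NS", "A", "AAAA", "MX", "CAA")
CRITICAL_TYPES = ("NS", "A", "AAAA")

ZoneRecords = Dict[str, Set[str]]  # record type -> set of record values


def normalize(values: Iterable[str]) -> Set[str]:
    """Lower-case values and drop trailing dots so 'NS1.example.test.' == 'ns1.example.test'."""
    return {v.lower().rstrip(".") for v in values}


def dns_drift(baseline: ZoneRecords, observed: ZoneRecords) -> List[Tuple[str, str, str]]:
    """Compare an observed snapshot against the approved baseline.

    Returns (severity, record_type, detail) tuples, one per changed record type.
    """
    findings = []
    for rtype in WATCHED_TYPES:
        before = normalize(baseline.get(rtype, ()))
        after = normalize(observed.get(rtype, ()))
        if before == after:
            continue
        severity = "critical" if rtype in CRITICAL_TYPES else "warning"
        added, removed = sorted(after - before), sorted(before - after)
        findings.append((severity, rtype, f"added={added} removed={removed}"))
    return findings


# Constructed sample (not a real zone): the owner-approved baseline, and a later
# snapshot in which only the A record has been pointed at a different address.
BASELINE = {"NS": {"ns1.example-dns.test.", "ns2.example-dns.test."},
            "A": {"203.0.113.10"}, "MX": {"mail.example.test."},
            "CAA": {'0 issue "example-ca.test"'}}
OBSERVED = {"NS": {"NS1.example-dns.test", "ns2.example-dns.test"},
            "A": {"198.51.100.77"}, "MX": {"mail.example.test"},
            "CAA": {'0 issue "example-ca.test"'}}

if __name__ == "__main__":
    for severity, rtype, detail in dns_drift(BASELINE, OBSERVED):
        print(f"[{severity}] {rtype}: {detail}")
```

Running this on a schedule against live resolver output, alongside Certificate Transparency log monitoring for unexpected certificates on the domain, covers both the record change and the certificate step of the attack.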

Hardware Trojans

Hardware trojan engineering is on the rise. A hardware trojan is a form of malicious circuitry that damages the function or trustworthiness of an electronic system. In the power, transport, manufacturing, and oil and gas sectors, the integrity and availability of hardware are crucial.

Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyberinfrastructure.

Application Interfaces: Broken Access Control

Recent studies indicate that application programming interface (API) security readiness typically lags web app security across the majority of organizations today. Additionally, more than two-thirds of the organizations readily make APIs available to the public to allow external developers and partners to tap into their app ecosystems and software platforms.

As the dependence on APIs increases, API-based breaches have become more prominent. This has triggered adverse impacts on high-profile apps in financial processes, messaging, peer-to-peer and social media. As more organizations continue to adopt APIs for their applications, API security will be exposed as the weakest link, which could lead to cloud-native threats and put user data and privacy at risk.

Connection to Proxy

Proxies can also serve as discreet methods for adversaries to access and remove information from networks of interest. Adversaries use a wide variety of proxy methods to hide their command and control traffic, including PuTTY/SSH forwarding, Dynamic DNS, domain fronting, fast flux, Tor, i2p, SOCKS, STUN, and host firewall forwarding.

Adversaries most commonly use connection proxies in the following ways:

  • Using proxies for internal or external communication
  • Injecting into trusted processes to make connections
  • Routing connections through less attributable access points

Proxy sandboxing, proxy blocklists fed by threat intelligence feeds, and blocking of uncategorized websites at the proxy can be used to prevent proxy-based attacks.

In this age of digital transformation and globalization, cybercriminals are constantly looking for fresh exploits and coming up with advanced strategies to defraud and damage institutions and organizations. In light of this fact, businesses should be mindful not just of the ever-growing number of vulnerabilities but also of the cybersecurity threats that are rising over time.

Visit the AISS2020 page to learn more about the AISS overview, key sessions, highlights, and who should attend, and to register for FREE: https://www.dsci.in/events/aiss-2020/