With the rise of as-a-service products, there's been some buzz about the growing number of unsophisticated attackers. Whether an adversary is highly skilled and targeting an organization or taking advantage of a black market service to make a few bucks, any threat is a threat.
In fact, some one-trick pony adversaries may well be quite sophisticated. Simply because they rely on a singular tried-and-true method doesn't mean their attack poses any less of a risk.
Mike Cotton, vice president of research and development at Digital Defense, does a lot of penetration testing to find vulnerabilities. Cotton said, "A lot of times we serve in an audit functionality that mimics an attacker, and we see the same things over and over again."
"One of the biggest initial vectors for getting the initial foothold remains email, but corporations gave up on securing email a long time ago."
According to Cotton, "They were putting identity protections and encryption on their messages, but a lot of people gave up the effort. It was too much effort, but they haven’t replaced them with other protections."
The recent hacks of government agencies showed that while there were email security settings, they were fairly open. Cotton said, "They didn’t have basic protections in place for validating that they couldn’t send messages outside relating to the company or spoofing attacks."
To protect against spoofing attacks, organizations should lock down their email systems. "A well crafted phishing message is really hard to stop if done properly, but if they haven’t taken even the most basic measures, they are even more vulnerable," Cotton said.
In addition to those who focus solely on social engineering, Cotton said there are also attackers who instead of targeting an organization with a malware payload, are leveraging open source intelligence gathering.
"They try to get a list of all the employees that work for an organization, then take that list of user names with well known passwords or passwords that they’ve gotten and do a slow password guess attack," said Cotton.
Though the success rate isn't very high, if they succeed at accessing the corporate email of only half of a percent of thousands of accounts, that is pretty good, said Cotton.
They can then use the access gained to turn around and gain more access, sending what appears to be a legitimate email about their VPN being locked up and needing a new key.
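The low-and-slow password guessing Cotton describes is hard to spot per account, because each user sees only one or two failures, but it stands out per source: one address failing against many distinct accounts in a window, sometimes followed by a success. The following detection logic is an added example, not part of the article or any vendor's product; the log format and the log lines are constructed for this illustration, and the window and threshold are assumptions to be tuned against your own identity provider's logs.

```python
"""Low-and-slow password-spray detection over authentication log lines.

Added example. The log format ("timestamp user source_ip result") and the
sample lines are constructed for this illustration; the one-hour window and
five-account threshold are assumptions, not values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries many accounts slowly and finally
# succeeds on one; a second source is a single user mistyping a password.
SAMPLE_LOG = """\
2024-03-01T08:00:05Z alice 203.0.113.7 FAIL
2024-03-01T08:09:12Z bob 203.0.113.7 FAIL
2024-03-01T08:18:40Z carol 203.0.113.7 FAIL
2024-03-01T08:27:03Z dave 203.0.113.7 FAIL
2024-03-01T08:36:55Z erin 203.0.113.7 FAIL
2024-03-01T08:45:21Z frank 203.0.113.7 SUCCESS
2024-03-01T08:46:00Z alice 198.51.100.20 FAIL
2024-03-01T08:46:30Z alice 198.51.100.20 FAIL
2024-03-01T08:47:00Z alice 198.51.100.20 SUCCESS
"""


def parse(line):
    """Split one constructed log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_spray(log_text, window=timedelta(hours=1), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every
    source that failed against at least `min_accounts` distinct accounts
    inside any `window`-long span. Successes seen in the same span are the
    accounts to treat as likely compromised."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        # Sliding window: start at each event and look forward up to `window`.
        for i, (start, _, _) in enumerate(evs):
            failed_users, successes = set(), set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    failed_users.add(user)
                else:
                    successes.add(user)
            if len(failed_users) >= min_accounts:
                alerts[ip] = {
                    "accounts": sorted(failed_users),
                    "successes": sorted(successes),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {ip}: {len(info['accounts'])} accounts tried, "
              f"successes={info['successes']}")
```

Keying on the source rather than the account is what separates a spray from ordinary lockout noise; the 198.51.100.20 entries in the sample never trigger because they touch only one account. In practice the same logic should also be run per user agent or per ASN, since a spray spread across several addresses defeats a single-IP threshold.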
"There are lots of domain connected authentications that make these attacks easier. It was a hallmark of sophistication three to four years ago, but it’s gotten out there more and more as a mechanism being used more widely," Cotton said.
Some might say it's become so widely used that phishing has become more and more low brow.
According to the security research team at SS8 Networks, there are several techniques being used to maintain the effectiveness of one-trick pony phishing attacks for compromising enterprise networks.
Akshay Nayak, threat analyst at SS8 Networks, detailed these four examples.
- Right to left override: This attack makes use of the Unicode right-to-left mark character (U+200F). This character is used to display text in languages that are written from right to left, like Arabic. The technique swaps extensions belonging to executable files with benign ones such as .doc, .pdf or .jpeg. Here's an example:
Nayak said, "Any OS that recognizes Unicode will see the right to left mark character (without the double quotes) and reverse any text that comes after it so that the name in the above example becomes:
- Multiple layers of extensions: This technique uses file names like:
yourtaxreturn.pdf.exe
The Windows operating system, in an effort to conceal its underlying intricacies, hides file extensions by default. In the example above, the file is presented to the user as yourtaxreturn.pdf. The attacker can also easily change the file's icon to the PDF one.
"This is actually an easier method of infecting users," said Nayak. "An adversary can rename files with multiple extensions and add a .exe to that. In order to make things easier for the user, Windows overlooks things that attackers can exploit."
- Utilizing trusted domains: This technique appends words from the English dictionary to legitimate domain names. For example, attackers will create phishing websites like:
"Unsuspecting users that see PayPal in the URL will immediately trust the website," said Nayak, "and criminals also go through a lot of effort to make the phishing website look like the legitimate PayPal site."
- https: Security awareness training programs typically teach users to only trust websites that use HTTPS. However, certificate authorities like Let’s Encrypt provide free SSL certificates that can be used by phishing websites to present victims with the familiar green padlock associated with https websites.
"When combined with the other technique," said Nayak, "a phishing attack can be extremely successful in tricking users to click on a malicious link."
As single attack methods they work well on their own, and the combinations of these techniques that are often seen in the wild can prove highly successful, said Nayak.
There are, however, many things that can be done to mitigate risks from these attacks. "Set the policy on Windows so that extensions are not hidden anymore. Look for certain patterns in the URL and in the domain. It’s pretty straightforward to protect against these attacks," Nayak said.
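Nayak's mitigations ("look for certain patterns in the URL and in the domain", plus treating the real extension rather than the displayed one as authoritative) can be implemented as mail-gateway checks. The code below is an added example, not from SS8 Networks or the article: it flags attachment names carrying bidirectional control characters (U+200F, as the article names it, as well as the U+202E override), executable files hiding behind a decoy extension, and URLs whose hostname contains a protected brand without belonging to that brand's real domain. The brand list, the extension sets and the sample inputs are constructed for the illustration; the "last two labels" registrable-domain rule is a simplification standing in for a public-suffix list.

```python
"""Gateway-side checks for the attachment-name and URL tricks in the article.

Added example, not the article's or SS8's code. PROTECTED_BRANDS, the
extension sets and every sample name or URL are constructed; the registrable
domain is approximated as the last two host labels (a real deployment would
consult the public suffix list).
"""
from urllib.parse import urlsplit

# Extensions Windows will execute, and document/image extensions used as decoys
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "msi", "hta"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

# Unicode bidi marks, embeddings, overrides and isolates: none of these has
# any business in an attachment file name.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                       # LRM, RLM (the article's U+200F)
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",   # LRI, RLI, FSI, PDI
}

# Constructed brand -> legitimate registrable domains (assumption for the example)
PROTECTED_BRANDS = {"paypal": {"paypal.com"}}


def check_filename(name):
    """Return findings for an attachment name, in the order they are detected."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control-character")
    # Drop the controls to recover the name the OS will actually act on;
    # what the user *sees* is irrelevant to what Explorer executes.
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS).lower()
    parts = clean.split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    return findings


def registrable_domain(host):
    """Simplified: last two labels. Wrong for co.uk-style suffixes; use the
    public suffix list in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def check_url(url):
    """Flag brand names appearing in a host that is not the brand's own domain.
    HTTPS on such a host is noted explicitly, since a free certificate makes
    the padlock meaningless as a trust signal."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for brand, legit in PROTECTED_BRANDS.items():
        if brand in host and registrable_domain(host) not in legit:
            findings.append(f"brand-lookalike:{brand}")
    if findings and parts.scheme == "https":
        findings.append("https-does-not-imply-legitimacy")
    return findings


if __name__ == "__main__":
    # Constructed samples covering each trick plus a benign control.
    for name in ["report.pdf", "yourtaxreturn.pdf.exe", "invoice\u202efdp.exe"]:
        print(repr(name), "->", check_filename(name))
    for url in ["https://www.paypal.com/signin",
                "https://paypal-account-verify.example.net/login"]:
        print(url, "->", check_url(url))
```

The filename check deliberately strips the bidi characters before looking at the extension: the override only changes how the name is rendered, so the right thing to test is the name as the filesystem stores it. The URL check complements, rather than replaces, the Windows policy change Nayak mentions (showing extensions); neither check addresses a lookalike domain that avoids the brand string entirely.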
Nathan Sportsman, CEO of Praetorian, said that because of legacy systems, an adversary can turn a single attack into a more widespread one. Patches are available, but applying them is not always feasible in some legacy environments.
So many of the tried-and-true methods that have been weaponized could be avoided if security teams focused on the basics a little more, Sportsman said. "Instead they are getting stuck on the next shiny technology and not even dealing with the basics of strong password policies."
While ransomware is prevalent and bigger forensic companies are struggling with it, Sportsman said they are seeing more one-offs, like a few machines being infected, hard drives being locked, or intellectual property being held hostage.
"A lot of it is basic blocking and tackling. If they are going to wire money out in response to an email request for funds, that should not happen without anyone even noticing. Make sure that the person requesting and the person submitting the money are two different people," said Sportsman.
Enterprises can mitigate a lot of these attacks, but it is largely a people, process, and technology issue, according to Sportsman. "Corporations tend to focus on technology. They tend to believe that because it's a problem created by technology it will be technology that solves it."