Computer systems can be hacked in many different ways, from sophisticated attacks on network components to technically primitive techniques such as compromising business correspondence. In this post we analyze the tactics used by the most dangerous hacker groups: Lazarus, Pawn Storm, Cobalt, Silence and MoneyTaker.
One of the most important criteria for choosing hacking tools, besides how well the group's members have mastered them, is efficiency. Modern cyberattacks are complex multi-stage operations that require a lot of time and serious financial resources. If the initial penetration fails, all the preparatory work and expense is wasted. The penetration tactics used by the leading groups can therefore be considered the most effective.
The following tactics stand out:
– all kinds of phishing: classic, targeted, phishing via social networks, tabnabbing;
– attacks on supply chains;
– Watering Hole attacks;
– attacks through vulnerabilities in network equipment and operating systems;
– attacks via DNS hijacking.
In fact, all these methods have long been known, but each group adds its own twist, turning a merely effective tactic into an armor-piercing projectile, or elegantly combining several techniques to bypass corporate defenses with ease.
In its simplest form, phishing is an email containing a malicious attachment or link. The text of the email is designed to convince the recipient to perform the action the sender needs: open the attachment, or click the link to change a password.
Emails from colleagues or supervisors are more credible than messages from strangers, especially if the design of the email matches the company's style. That is why the preparatory phase of a phishing campaign necessarily includes gathering information about the organization's structure, the list of employees and their email addresses, and real emails containing the company's design elements.
The Silence group uses the most common form of phishing with one nuance: its campaigns necessarily include a test phase in which harmless emails are sent to check that the collected address database is still valid. This improves the efficiency of the attack, since the malicious emails then go to a verified list of recipients.
Pawn Storm also uses phishing mailings and adds authority as an amplifier to increase their effectiveness. The preparatory phase of its campaigns therefore includes so-called high-credential phishing: the theft of high-level accounts. Having collected enough such credentials in the target organization, Pawn Storm sends mail on behalf of these individuals, “charging” the messages with the payload that ensures the goal is achieved.
Fancy Bear's arsenal holds another, not very well known, trick: tabnabbing, which substitutes a phishing page for a legitimate site in a browser tab. It was described by Aza Raskin of Mozilla in 2010. A tabnabbing attack looks like this:
- the victim is lured to a harmless-looking site controlled by the attacker;
- the site runs a script that tracks the victim's behavior: as soon as the victim switches to another tab or is inactive for a long time, the page content is replaced with the login page of a mail or social network service, and the favicon is changed to that of the corresponding service (Gmail, Facebook, etc.);
- when the victim returns to the tab, he or she sees what looks like a logged-out session and enters his or her credentials without hesitation;
- the script passes the login and password to the attacker and then redirects the victim to the real service, which never logged anyone out.
Lazarus hackers do not bother with trifles, preferring to hit the target precisely. Their weapons are targeted phishing by email and through social networks. Having chosen an employee suited to their task, they study his social network profiles and then strike up a correspondence with him, which usually begins with a tempting job offer. Using social engineering, they persuade him, under the pretext of something important, to download a malicious program and run it on his computer.
The MoneyTaker team, which specializes in banks, sends phishing mailings on behalf of other banks, the central bank, the Ministry of Finance and other financial institutions. By copying the templates of the relevant institutions, they give the letters the credibility necessary and sufficient for a successful attack.
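The mailings described above share one detectable trait: a trusted display name or institution paired with a sender domain the organization does not actually own. The following added example (not code from the original post) shows a mail-gateway style check for that pattern; the organization domain, VIP names, trusted institution domains and sample headers are all assumed or constructed.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed values: the monitored organization's own domain, the executives most
# likely to be impersonated, and institutions whose templates attackers copy.
ORG_DOMAIN = "example-bank.com"
VIP_NAMES = {"Anna Petrova", "John Smith"}
TRUSTED_EXTERNAL = ("centralbank.example", "minfin.example")


def lookalike(domain, reference, threshold=0.85):
    """True when domain resembles reference without being identical to it."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= threshold


def sender_domain(header_value):
    """Extract the lower-cased domain from a From:/Return-Path: header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header, return_path=None):
    """Return a list of impersonation findings for one message (empty = clean)."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    findings = []
    # A known executive's name paired with a non-corporate mailbox
    if display_name.strip() in VIP_NAMES and domain != ORG_DOMAIN:
        findings.append("vip-name-external-domain")
    # Sender domain that imitates our own (typo-squat, extra TLD, digit swap)
    if lookalike(domain, ORG_DOMAIN):
        findings.append("lookalike-org-domain")
    # Sender domain that imitates an institution whose mail employees trust
    for ref in TRUSTED_EXTERNAL:
        if lookalike(domain, ref):
            findings.append("lookalike-" + ref)
    # Envelope sender that does not match the visible From: domain
    if return_path and sender_domain(return_path) != domain:
        findings.append("return-path-mismatch")
    return findings


# Constructed sample headers (not real messages)
SAMPLES = [
    '"John Smith" <john.smith@examp1e-bank.com>',
    '"Anna Petrova" <anna.petrova@example-bank.com>',
    '"Payments Dept" <alerts@centralbank.examp1e>',
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(hdr, "->", classify_sender(hdr))
```

The similarity threshold is a tuning knob: too low and ordinary unrelated domains start matching, too high and a single swapped character slips through.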
It often happens that the target organization is well protected, especially if it is a bank, a military organization or a government body. Rather than bang their heads against the “concrete wall” of its defenses, the groups attack the counterparties with which the target interacts. By compromising the mail of several employees, or even inserting themselves into correspondence, the hackers obtain the information they need for further penetration and the ability to carry out their plans.
For example, the Cobalt group penetrated bank networks by attacking system integrators and other service providers, and its hacks of developers of electronic wallets and payment terminals allowed it to steal money automatically through payment gateways using its own program.
Watering Hole attacks
Watering Hole is one of the favorite tactics of Lazarus hackers. The idea is to compromise legitimate sites that employees of the target organization visit frequently. For bank employees, for example, such resources are the central bank's site, the Ministry of Finance and industry portals. After the hack, the site hosts hacking tools disguised as useful content. Visitors download these programs to their computers and give the attackers access to the network.
Among the sites Lazarus has hacked are those of the Polish Financial Supervision Commission, the Bank of the Eastern Republic of Uruguay and the National Banking and Stock Commission of Mexico. The hackers used vulnerabilities in Liferay and JBoss to break into the sites.
OS and network equipment vulnerabilities
Exploiting vulnerabilities in operating systems and network equipment gives serious advantages, but it requires professional knowledge and skill. Using exploit kits without a deep understanding of how they work quickly reduces the success of an attack to zero: the system is hacked, but nothing can be done with it.
Attacks via vulnerabilities are typical of MoneyTaker, Lazarus and Pawn Storm. The first two mainly use known bugs in network hardware firmware to embed their own server in the company network via VPN, from which they carry out further actions. Pawn Storm's arsenal, however, includes the most dangerous kind: zero-day vulnerabilities for which no patches exist; it also scans for systems with known vulnerabilities.
Attacks via DNS
We have observed this family of attacks only with Pawn Storm. Other known groups are usually limited to phishing and two or three alternative methods.
Pawn Storm uses several levels of DNS compromise. In known cases it stole a company's credentials for the DNS control panel and changed the MX records to its own servers, gaining full access to correspondence. The malicious server received all mail for the target company and forwarded it on, keeping copies, so the hackers could insert themselves into any thread and achieve the desired result at any time while remaining unnoticed.
Another way to compromise was to gain full control over a DNS registrar's servers. In many countries there are only a handful of registrars, so seizing control of the largest of them provided almost endless opportunities to interpose in the information exchange of most public and private organizations, for phishing and other kinds of influence.
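The MX substitution described above is visible from outside the organization: the public MX set changes, and the interposed relay typically appears with the lowest preference value so that it receives mail first. The following added example (not code from the original post) compares a resolved MX set against a baseline and flags such deviations; the baseline and the hijacked answer are constructed, and the live lookup assumes the dnspython package is installed.

```python
# Assumed baseline: the MX hosts the organization legitimately publishes
BASELINE = {
    "example-bank.com": {
        (10, "mx1.example-bank.com."),
        (20, "mx2.example-bank.com."),
    },
}


def resolve_mx(domain):
    """Live lookup with dnspython (assumed installed); returns {(pref, host)}."""
    import dns.resolver  # assumption: the dnspython package is available
    answer = dns.resolver.resolve(domain, "MX")
    return {(r.preference, r.exchange.to_text().lower()) for r in answer}


def compare_mx(domain, observed, baseline=BASELINE):
    """Describe how the observed MX set deviates from the baseline.

    Returns an empty dict when nothing changed. A new host with the lowest
    preference value is the classic interception pattern: it receives the
    mail first and can relay it on while keeping copies.
    """
    expected = baseline.get(domain, set())
    report = {}
    added = observed - expected
    removed = expected - observed
    if added:
        report["added"] = sorted(added)
    if removed:
        report["removed"] = sorted(removed)
    # min() on (preference, host) tuples yields the highest-priority MX
    if observed and expected and min(observed)[1] != min(expected)[1]:
        report["primary_mx"] = min(observed)[1]
    return report


def check_domain(domain, resolve=resolve_mx, baseline=BASELINE):
    """Resolve the domain's MX set and return (ok, report)."""
    report = compare_mx(domain, resolve(domain), baseline)
    return (not report, report)


# Constructed answer imitating a hijacked zone (no real lookup is made)
HIJACKED = {
    (5, "relay.unknown-host.example."),
    (10, "mx1.example-bank.com."),
    (20, "mx2.example-bank.com."),
}

if __name__ == "__main__":
    print(check_domain("example-bank.com", resolve=lambda d: HIJACKED))
```

Run the check from a scheduler against several independent resolvers, since an attacker with registrar access can change the answer for everyone at once and only the comparison with a stored baseline reveals it.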
Phishing is popular not only among script kiddies who rent access to malicious services such as Phishing-as-a-Service or Ransomware-as-a-Service. The effectiveness and relative cheapness of the method have made it the main, and sometimes the only, weapon of the most dangerous groups. The wealth of variants plays into the criminals' hands: most security solutions are bypassed before business correspondence is compromised, and the trustfulness and distraction of users will long remain a reliable support for fraudulent attacks.
Protecting computer systems and network equipment, along with timely installation of security updates, is undoubtedly important; however, given this hit parade of cybercriminal tactics, measures that address the human factor take first place.
Intercepted credentials for a VIP mailbox let criminals steal particularly sensitive information and then use that mailbox and information to conduct a multi-step attack. Meanwhile, basic skills training and the use of MFA would deprive hackers of this opportunity.
Defense systems, however, do not stand still either, detecting malicious actions with the help of artificial intelligence, deep learning and neural networks. Many companies are developing this class of solution, and we too offer our customers the ability to defend against sophisticated BEC attacks with specially trained artificial intelligence. Its use, together with training employees in safe behavior, will successfully counter the cyberattacks of even the most technically skilled groups.