The cybersecurity landscape is continuously evolving, with new threats and trends emerging every day. In Q3 2023, we have observed several key trends that are expected to increase in importance in the coming months. This post will delve deeper into these trends, providing an in-depth analysis of each one and its potential impact on the cybersecurity landscape.
Token/Cloud API Abuse
As attackers seek new ways to infiltrate systems and networks, the abuse of tokens and cloud APIs has become more prevalent. Tokens, which are often easier to steal than user credentials, can grant access to sessions established by multi-factor authentication (MFA). This makes them a valuable target for attackers.
Moreover, it is often unclear where tokens reside in integrated ecosystems such as Windows applications like Office 365, which adds to the challenge of preventing unauthorized access. This obscurity makes it difficult to identify which processes hold tokens that could be extracted, rendering traditional defense mechanisms less effective.
Threat Actors Using Systems Out of EDR Scope for Persistence
Threat actors are increasingly targeting systems that fall outside the scope of traditional Endpoint Detection and Response (EDR) or Antivirus (AV) solutions. Appliances, routers, and IoT systems are often overlooked by these agent-based security solutions, making them attractive targets for attackers seeking to establish persistence within a network. The lack of centralized logging on these systems further complicates the detection and remediation of compromises.
To adapt to this trend, it is expected that threat actors will modify their toolsets to include more Linux tools, tunneling tools, tools compiled for the ARM architecture, and multi-platform tools.
Vulnerable Driver Usage
Attackers are increasingly exploiting vulnerable drivers to escalate privileges to LOCAL SYSTEM. Signed vulnerable drivers are particularly attractive as they can be used to disable security solutions such as Antivirus software or EDRs early in an attack.
While efforts have been made to address this issue, such as the deployment of the Vulnerable Driver Blocklist by Microsoft, the slow adaptation to new threats and the reliance on manual updates leave systems exposed.
Projects like LOLDrivers aim to bridge this gap by providing comprehensive lists of vulnerable drivers and associated detection mechanisms.
Malicious .lnk, .html, Embedded Office Docs in PDF, and .iso Files
Infection chains often include popular file types like .lnk, .html, .pdf, and .iso files.
A recent trend involves embedding office documents within PDF files, a tactic expected to grow in popularity.
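Because .lnk files are one of the file types named above, a defender's first question when one arrives is what it would actually launch. The block below is an added example, not code from the original post: it builds a minimal Unicode shell link in memory (constructed sample data, following the MS-SHLLINK layout), parses the header and StringData sections back out, and applies a few triage heuristics (interpreter or LOLBin target, minimised window, hidden-window or encoded-command arguments). The interpreter list, the argument indicators and the 200-character threshold are assumptions chosen for the example, not a published detection rule.

```python
import struct

# LinkFlags bits and header constants from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised

# StringData sections appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _string_data(text):
    # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments="", show_cmd=1):
    """Build a minimal Unicode .lnk in memory (constructed sample data, not a real file)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_LINK_INFO
    if arguments:
        flags |= HAS_ARGUMENTS
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    # Smallest LinkInfo: 28-byte header plus an empty CommonPathSuffix string
    link_info = struct.pack("<IIIIIII", 29, 28, 0, 0, 0, 0, 28) + b"\x00"
    body = _string_data(relative_path)
    if arguments:
        body += _string_data(arguments)
    return header + link_info + body


def parse_lnk(data):
    """Parse header and StringData of a .lnk; returns the fields an analyst triages."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # first dword of LinkInfo is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_cmd}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
        pos += nbytes
    return fields


# Targets that rarely belong in a document-themed shortcut (assumed list for the example)
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
ARG_INDICATORS = ("-enc", "-w hidden", "-windowstyle hidden", "http://", "https://")


def triage_lnk(fields):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    if any(name in target for name in INTERPRETERS):
        findings.append("target is a script interpreter or living-off-the-land binary")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("shortcut opens its window minimised")
    if any(ind in args.lower() for ind in ARG_INDICATORS):
        findings.append("arguments request a hidden window, encoded command or URL")
    if len(args) > 200:
        findings.append("unusually long argument string")
    return findings


if __name__ == "__main__":
    benign = build_lnk("..\\..\\Program Files\\Notepad\\notepad.exe")
    suspect = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                        '-w hidden -c "Get-Date"', show_cmd=SW_SHOWMINNOACTIVE)
    for label, blob in (("benign", benign), ("suspect", suspect)):
        parsed = parse_lnk(blob)
        print(label, parsed.get("relative_path"), parsed.get("arguments"), triage_lnk(parsed))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their declared sizes rather than interpreting them, which is enough to reach the command line; a production triage tool would also walk the ExtraData blocks, where a shortcut records the machine it was built on.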
Havoc C2 Framework
Havoc, a C2 framework, has gained popularity due to its robust feature set and active development.
Key features include sleep obfuscation via Ekko, Zilean, or FOLIAGE, x64 return address spoofing, indirect syscalls for Nt* APIs, SMB support, a token vault, and a variety of built-in post-exploitation commands.
The ability to patch AMSI/ETW via hardware breakpoints, together with proxy library loading and stack duplication during sleep, makes Havoc particularly compelling for threat actors.
Abuse of Legitimate Remote Access Software for Persistence
Remote access trojans are often detected by Antivirus software, leading attackers to turn to legitimate remote access software as an alternative.
These applications, which include ConnectWise Control, AnyDesk, NetSupport, TeamViewer, Atera, LogMeIn, and Splashtop, are often not classified as potentially unwanted applications (PUA) by security solutions. As a result, their use by attackers often goes unnoticed, allowing them to establish persistence without raising suspicion.
Tunneling (e.g., ngrok, frp, etc.)
Tunneling tools enable threat actors to proxy connections from internal services to remote systems while avoiding detection. These tools, which often support multiple architectures, align with the trend of using appliances, routers, and IoT systems for persistence.
As a result, they are becoming increasingly popular among threat actors seeking to establish covert communication channels.
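Since security products rarely flag legitimate remote access software or tunneling binaries on their own, the practical control is an organisational allow list plus context: which remote access products are approved, where they run from, and whether endpoints talk to hosted tunnel services. The block below is an added example covering both the remote access and the tunneling sections; it is not code from the original post. The executable names mapped to each product, the tunnel domains and the "user-writable path" pattern are assumptions for the example (names vary between versions and installers, so maintain them from your own inventory), and the events are constructed, with field names only loosely modelled on Sysmon.

```python
import re
from pathlib import PureWindowsPath

# Executable names for the remote access products named in the post. This mapping is
# an assumption for the example; maintain it from your own software inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "anydesk.exe": "AnyDesk",
    "client32.exe": "NetSupport",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
    "logmein.exe": "LogMeIn",
    "srserver.exe": "Splashtop",
}
TUNNEL_BINARIES = {"ngrok.exe": "ngrok", "frpc.exe": "frp", "frps.exe": "frp"}
# Hosted tunnel endpoints (assumed list; extend with the services you see in your telemetry)
TUNNEL_DOMAINS = re.compile(r"(^|\.)(ngrok\.io|ngrok-free\.app)$", re.IGNORECASE)
# Locations a user can write to without admin rights; real installers use Program Files
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads)|windows\\temp|programdata|users\\public)\\",
    re.IGNORECASE)


def triage_event(event, approved_rmm=frozenset()):
    """Findings for one constructed event (fields loosely follow Sysmon naming)."""
    findings = []
    image = event.get("Image", "")
    exe = PureWindowsPath(image).name.lower()
    if exe in RMM_BINARIES:
        product = RMM_BINARIES[exe]
        if product not in approved_rmm:
            findings.append(f"unapproved remote access tool: {product}")
        if USER_WRITABLE.search(image):
            findings.append(f"{product} running from a user-writable path")
    if exe in TUNNEL_BINARIES:
        findings.append(f"tunneling tool executed: {TUNNEL_BINARIES[exe]}")
    # A renamed tunnel binary still has to reach the tunnel service, so check the destination too
    dest = event.get("DestinationHostname", "")
    if dest and TUNNEL_DOMAINS.search(dest):
        findings.append(f"connection to tunnel service domain: {dest}")
    return findings


def triage_events(events, approved_rmm=frozenset()):
    """Map event id -> findings, dropping events with nothing to report."""
    out = {}
    for ev in events:
        found = triage_event(ev, approved_rmm)
        if found:
            out[ev["Id"]] = found
    return out


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "User": "alice"},
    {"Id": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\anydesk.exe", "User": "alice"},
    {"Id": 3, "Image": r"C:\Users\alice\Downloads\ngrok.exe", "User": "alice"},
    {"Id": 4, "Image": r"C:\Users\alice\Downloads\updater.exe", "User": "alice",
     "DestinationHostname": "1a2b3c4d.ngrok-free.app"},
]

if __name__ == "__main__":
    # TeamViewer is the only approved product in this constructed policy
    for event_id, findings in triage_events(SAMPLE_EVENTS, {"TeamViewer"}).items():
        print(event_id, findings)
```

Event 4 is the case worth noting: the binary has been renamed, so the name lists miss it, and only the destination hostname gives it away. Where tunnels run from appliances or IoT devices outside EDR coverage, the same domain check applied at the DNS resolver or egress proxy is the remaining vantage point.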
SEO Poisoning
SEO poisoning involves manipulating search engine rankings to lure users to malicious websites.
This technique, which has seen a significant uptick since the beginning of 2023, involves a variety of tactics, including keyword stuffing, cloaking, artificially increasing click-through rates, and using private link networks.
Some threat actors also use targeted SEO poisoning, the search-engine counterpart of spear-phishing, to reach specific audiences. Because the lures are tailored to the victim, these attacks are more challenging to identify and defend against.
As the cybersecurity landscape evolves, staying informed about emerging trends is crucial for developing effective defense strategies. The trends highlighted in this post are expected to play a significant role in shaping the threat landscape in the coming months. By understanding these trends and adapting our defenses accordingly, we can better protect ourselves and our organizations from cyber threats.