security-5726869_1920-100936523-orig.jpg?auto=webp=85,70
A new study of over a half-million malware samples collected from various sources in 2022 revealed that attackers put a high value on lateral movement, incorporating more techniques that would allow them to spread through corporate networks. Several of the most prevalent tactics, as defined by the MITRE ATT&CK framework, that were identified in the dataset aid lateral movement, including three new ones that rose into the top 10.
"An increase in the prevalence of techniques being performed to conduct lateral movement highlights the importance of enhancing threat prevention and detection both at the security perimeter as well as inside networks," researchers from cybersecurity firm Picus, said in their report.
Many years ago lateral movement used to be associated primarily with advanced persistent threats (APTs). These sophisticated groups of attackers are often associated with intelligence agencies and governments, whose primary goals are cyberespionage or sabotage. To achieve these goals these groups typically take a long time to understand the network environments they infiltrate, establish deep persistence by installing implants on multiple systems, identify critical servers and sensitive data stores and try to extract credentials that gives them extensive access and privilege escalation.
APTs also used to operate in a targeted manner, going to specific companies from specific industries that might have the secrets their handlers are looking for. So, companies who didn't have APTs in their threat models could focus more on blocking threats at the perimeter instead of detecting them inside their networks, which often requires advanced logging, event monitoring and active threat hunting by specialized personnel.
That all changed with the rise of manually operated ransomware groups that use groups of hackers known as "affiliates" to manually break into networks, move laterally, and gain as much access as they can over the systems -- sometimes by compromising the domain controllers -- before deploying the ransomware for maximum impact. These hackers-for-hire borrowed all the techniques APTs were using, including exploiting zero-day vulnerabilities, abusing existing operating system utilities and capabilities to reduce their footprint -- a tactic known as living off the land -- or deploying third-party tools that are commonly used by IT administrators or security teams. Given ransomware's success, other cybercriminal groups have become adopting similar techniques, making lateral movement a challenge for organizations of all types and sizes, regardless of industry.
Malware programs now include 11 malicious actions on average
MITRE ATT&CK is a knowledge base of tactics, techniques, and procedures (TTPs) that provide a framework for cybersecurity professionals to prioritize defences against malicious campaigns, malware and threat groups. The latest version of the framework tracks 14 tactics, 193 techniques and 401 sub-techniques, as well as 135 attack groups and 718 pieces of malicious or dual-use software.
A tactic is an objective an attacker is trying to achieve with its activities. Each tactic is further broken down into techniques, which are methods of achieving that goal, and those are further broken down into sub-techniques. For example, the Lateral Movement tactic includes the Remote Services technique, which includes sub-techniques such as Remote Desktop Protocol (RDP), SMB/Windows Admin Shares, Distributed Component Object Model (DCOM), Secure Shell (SSH), Virtual Network Computing (VNC) and Windows Remote Management (WinRM). All these services can be exploited in different ways.
Picus analyzed 556,107 files that were collected from commercial and open-source threat intelligence services, security vendors and researchers, malware sandboxes and malware databases and categorized 507,912 as malicious. The company then organized them by MITRE ATT&CK techniques and found that on average each malware included 11 TTPs that mapped to nine ATT&CK techniques. A third of the samples used over 20 TTPs and one in ten used over 30.
"These findings suggest that malware developers behind these attacks are highly sophisticated," the researchers said. "They have likely invested significant resources into researching and developing a wide range of techniques for evading detection and compromising systems."
|
Rank |
Prevalence in malware |
MITRE ATT&CK Technique |
MITRE ATT&CK Tactics |
|
1 |
31% |
T1059 Command and Scripting Interpreter |
Execution |
|
2 |
25% |
T1003 OS Credential Dumping |
Credential Access |
|
3 |
23% |
T1486 Data Encrypted for Impact |
Impact |
|
4 |
22% |
T1055 Process Injection |
Defense Evasion |
|
5 |
20% |
T1082 System Information Discovery |
Discovery |
|
6 |
18% |
T1021 Remote Services |
Lateral Movement |
|
7 |
15% |
T1047 Windows Management Instrumentation |
Execution |
|
8 |
12% |
T1053 Scheduled Task/Job |
Execution |
|
9 |
10% |
T1497 Virtualization/Sandbox Evasion |
Defense Evasion |
|
10 |
8% |
T1018 Remote System Discovery |
Discovery |
Many of the most prevalent MITRE ATT&CK techniques enable lateral movement
The most prevalent MITRE ATT&CK technique observed was abuse of command and scripting interpreters, used by 31% of the malware samples. Part of the reason why this technique is so popular is because it falls under the Execution tactic, which is a key step in most attacks, and because it's further split into eight sub-techniques for the various command line and scripting language interpreters that attackers usually abuse across all operating systems. This makes its scope very wide. These sub-categories include PowerShell, AppleScript, Windows Command Shell (cmd), Unix Shell (bash, sh, zsh etc.), Visual Basic, Python, JavaScript and the custom command line interface (CLI) of network devices.
Some of these interpreters exist natively in operating systems and are attackers’ favorites. The Windows and Unix (Linux, macOS) command line shells are almost always used by attackers and so is PowerShell, a widely used scripting language for Windows OS administration. Visual Basic includes the Visual Basic Application (VBA) that's used for macros in Excel and Word, which has been a common way to distribute malware for years.
These command and scripting interpreters can also be used to achieve other techniques that are covered in MITRE ATT&CK. For example, PowerShell is commonly used to inhibit system recovery by disabling services that can help in data recovery, impair defences by adding exclusion rules to Windows Defender, download and execute malicious payloads, abuse valid accounts, collect information about the current system, or discover remote systems. In addition to manual abuse of PowerShell and custom scripts, attackers also use open-source pre-made PowerShell-based attacks frameworks such as PowerShell Empire, PowerSploit, Nishang, PoschC2 and Posh-SecMod.
The second most common technique observed was OS Credential Dumping, which falls under the Credential Access tactic, with a prevalence of 25% of malware samples analyzed. This technique has risen in popularity since 2021 according to Picus when it was occupying rank 5 in the top 10 most commonly used techniques.
Obtaining local credentials is also a key component that enables lateral movement and it's common to see attackers deploy credential dumping tools like Mimikatz, gsecdump and ProcDump on compromised systems.
"Adversaries use the harvested credential information for, accessing restricted data and critical assets, moving laterally to other hosts in the network, creating new accounts and removing them to impede forensic analysis and figuring out password patterns and policies to harvest other credentials," the Picus researchers said.
On Windows, the OS credential dumping technique covers extracting credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS), the Security Account Manager (SAM) database, the Active Directory domain database (NTDS), the Local Security Authority (LSA), locally cached domain credentials, the Windows Domain Controller's application programming interface using a technique called DCSync. On Linux, common targets for account extraction are the Proc filesystem, the /etc/passwd file, the /etc/shadow file, the Pluggable Authentication Modules (PAM), the Name Service Switch (NSS) or Kerberos.
"The rise in credential dumping emphasizes the fact that traditional perimeter security is no longer enough to protect against cyberattacks," the researchers said. "Instead, organizations need to strengthen cyber resilience by preparing to defend against pre-compromise and post-compromise attacks."
The third technique seen in 23% of malware samples was data encrypted for impact. This is not unexpected as it's the primary feature of ransomware, which has exploded in recent years. Fourth was project injection, observed in 22% of malware and this includes 12 other sub-techniques that allow the injection of malicious files, modules, or code into running processes. Process injection enables the Defence Evasion and Privilege Escalation tactics.
The fifth most common technique observed by Picus was system information discovery, rising from rank 9 in 2021. While this falls under the very large Discovery tactic, it also facilitates lateral movement attacks because it involves the collection of data about not just the operating system, but the network and its configuration, the hardware and software applications that are used in an environment. This technique was observed in 20% of the analyzed malware samples and it also applies to cloud-virtualised environments, using the APIs those cloud services provide.
In sixth place was a new entry into the top 10: remote services. This technique was observed in 18% of malware and as previously noted, falls under the lateral movement tactic, because it enables attackers to access other systems, not just from the internet, but also on local networks, through a variety of protocols.
In seventh place, we have the Windows Management Instrumentation (WMI) technique, another new entry in the top 10 for 2022 that falls under the Execution tactic. The WMI is a built-in administration feature with its own command line that has been available by default in Windows since Windows NT, long before PowerShell was created. WMI is a powerful tool and can be used to execute commands both on the local system and remote systems. Attackers abuse it for a variety of purposes including command execution, defence evasion, discovery, credential harvesting and lateral movement. For example, the Conti ransomware was known for deploying a Cobalt Strike beacon using WMI and rundll32 on remote hosts.
The eighth most common technique is the abuse of the scheduled tasks/jobs mechanisms in various operating systems. While this falls under the Execution, Persistence and Privilege Escalation tactics, attackers commonly use scheduled tasks for remote code execution as well. Sub-techniques involve the Unix At the command, the Linux cron utility, the Windows Scheduled Task mechanism, system timers and container orchestration jobs.
At number 9 we have virtualization and sandbox evasion technique, which was observed in 9% of malware and enables the defence evasion tactic. Malware authors put mechanisms in their malware programs to detect if they're being executed inside virtual machines and sandboxes because such systems are typically used for malware analysis by researchers or by honeypot systems.
Finally, at rank 10 we have another new top 10 entry that enables lateral movement: remote system discovery. This technique falls under the Discovery tactic and is used by attackers to discover additional systems or networks they can exploit.
"Many operating systems have native commands and tools for networking that allow users to discover other hosts, networks, and services in their environment," the Picus researchers said. "Adversaries leverage these built-in utilities to discover remote systems and services. Using built-in utilities also has a low chance of being flagged as malicious operations and allows adversaries to appear legitimate."
In addition to the built-in system tools attackers also use third-party utilities such as NBTscan for NetBIOS, AdFind, BloodHound, SharpHound and AzureHound for Active Directory environments, SoftPerfect Network Scanner, and LadonGo.
Since Picus' analysis was done on already collected malware samples, there's a blind spot in the research when it comes to techniques under the Initial Access tactic, such as phishing or exploiting publicly facing applications. These are techniques that are widely used in attacks, but they couldn't be properly quantified by analysing offline malware samples.
Defences against detection evasion tactics
The Picus team recommends that organizations regularly test and optimize their security controls to be able to detect and prevent detection evasion attempts. To detect attackers' increased reliance on built-in and third-party legitimate tools and services, organizations should leverage behaviour detection techniques that identify malicious activity based on deviations from a normal behaviour rather than static indicators of compromise.
To counter lateral movement activity, organizations should analyze and uncover the attack paths that exist in their networks and which attackers could leverage and then prioritize the mitigations to close those gaps. Operationalizing the MITRE ATT&CK framework can help organizations better understand how attackers operate and where to prioritize their defensive efforts.
