Process Injection Tops Attacker Techniques for 2019

Attackers commonly use remote administration and network management tools for lateral movement, a new pool of threat data shows.

The threat landscape of 2019 was dominated by worm-like activity, researchers report in a new analysis of confirmed threats from the past year. Attackers are growing more focused on lateral movement, with an emphasis on using remote administration and network management tools to execute it.

Red Canary's "2020 Threat Detection Report" contains an analysis of 15,000 confirmed threats that appeared in customer environments throughout 2019. Researchers mapped each threat to MITRE ATT&CK techniques to determine which attack techniques were most prevalent over the past year. Their findings illustrate which methods are most common and how attackers are using them.

The popularity of automated lateral movement is largely driven by TrickBot, the data-stealing Trojan that contributed to thousands of detections. TrickBot, remote administration tools, and network management tools do not by themselves account for the frequency of common attack techniques, but the three play a major role in why cybercriminals choose specific tactics.

TrickBot is typically seen as part of a string of infections that starts with the Emotet Trojan and ends in a Ryuk ransomware infection. Emotet lands on a device and loads TrickBot, which steals credentials from infected devices as it moves laterally across a network. When TrickBot is done, it launches Ryuk, which encrypts the infected machines on a network and demands a ransom.

"Overwhelmingly, ransomware was the trend in 2019 in terms of payloads and what adversaries set out to do," says Keith McCammon, co-founder and chief security officer at Red Canary, describing a general pattern the research team noticed while analyzing the data. Another prominent trend is threats to confidentiality: Attackers will lock up target systems and demand money to return system access — or they threaten to publish the company's data online.

"If someone takes system access away, you might not have great options for getting that access back, but you have some options," says McCammon. This shift is "a different calculus" because organizations may not know what the adversary has. Without that insight, "you kind of have to assume the worst." For many organizations, this data dump could pose an existential threat.

The most common attack technique researchers list is process injection, which TrickBot uses to run malicious code through Windows Service Host. Why isn't an Emotet technique, used to land on a machine, more popular? As researchers explain in a blog post, a growing portion of their visibility comes from incident response, much of which brought them into environments where Emotet had already completed its actions and TrickBot had arrived on a number of devices. As a result, they couldn't detect initial access or early-stage payloads, only the threats left behind.

Many of the companies Red Canary worked with in incident response were "really large, well-established organizations with a high percentage of systems impacted," says McCammon, noting this can be attributed to tactics, automation, and refinement that enable attackers to get into a complex enterprise and infect several systems at the same time. "We saw more big companies hit with very, very impactful attacks than we've seen before."

Process injection, which makes up 17% of all threats analyzed, affects 35% of organizations and appeared in 2,734 confirmed threats in 2019, the researchers report. It was the top attack technique from 2018 into 2019 due to the widespread TrickBot and Emotet outbreaks that occurred throughout the same time frame. Using this method, attackers can conduct malicious activity in the context of a legitimate process, so they blend in.

The second-most-popular attack technique is scheduled task, which, like process injection, is seen in worm-like and TrickBot activity. This tactic, which schedules tasks to launch malicious binaries and persist on target devices, affects 33% of businesses and makes up 13% of threats overall. It's handy for attackers because it allows them to schedule tasks remotely; it's also useful for execution and persistence alongside common scripting languages such as PowerShell.

Tying with scheduled task is Windows Admin Shares, a technique that also made up 13% of total threats and affected 28% of organizations in 2019. This enables worm-like activity and falls under the category of remote/network admin tools. Self-propagating threats — in particular, those that used EternalBlue — drove Windows Admin Shares from the 10th-most-popular threat in 2018 to third place in 2019. Administrators often use them for remote host management, giving attackers a subtle means to move laterally throughout an environment.
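As an added illustration of how a defender might surface the combination described above, an admin share touched by an account that then registers a scheduled task on the same host, the Python below correlates constructed Windows Security events. This is example code, not from the Red Canary report or this article; event IDs 5140 (network share object accessed) and 4698 (scheduled task created) are real, while the hosts, accounts and task names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
WINDOW = timedelta(minutes=5)

# Constructed sample events modelled on Windows Security log fields:
# (timestamp, target host, event id, subject account, share or task name)
SAMPLE_EVENTS = [
    ("2019-06-10T09:00:05", "WS01", 5140, "CORP\\svc_backup", "\\\\*\\ADMIN$"),
    ("2019-06-10T09:00:09", "WS01", 4698, "CORP\\svc_backup", "\\Microsoft\\Windows\\sysupd"),
    ("2019-06-10T09:01:12", "WS02", 5140, "CORP\\svc_backup", "\\\\*\\C$"),
    ("2019-06-10T09:01:20", "WS02", 4698, "CORP\\svc_backup", "\\Microsoft\\Windows\\sysupd"),
    ("2019-06-10T10:30:00", "WS03", 5140, "CORP\\jdoe", "\\\\*\\Public"),      # not an admin share
    ("2019-06-10T11:00:00", "WS04", 4698, "CORP\\jdoe", "\\Backup\\nightly"),   # no prior share access
    ("2019-06-10T12:00:00", "WS05", 5140, "CORP\\admin1", "\\\\*\\ADMIN$"),
    ("2019-06-10T13:00:00", "WS05", 4698, "CORP\\admin1", "\\Patch\\kb123"),    # task an hour later
]

def share_name(path):
    """Return the share component of a UNC path such as \\\\*\\ADMIN$."""
    return path.rstrip("\\").split("\\")[-1]

def correlate(events, window=WINDOW):
    """Pair each admin-share access with a scheduled-task creation on the same
    host by the same account within `window`; return {account: {host: task}}."""
    parsed = sorted((datetime.fromisoformat(ts), host, eid, acct, detail)
                    for ts, host, eid, acct, detail in events)
    last_share = {}             # (host, account) -> time of latest admin-share access
    hits = defaultdict(dict)
    for ts, host, eid, acct, detail in parsed:
        key = (host, acct)
        if eid == 5140 and share_name(detail) in ADMIN_SHARES:
            last_share[key] = ts
        elif eid == 4698 and key in last_share and ts - last_share[key] <= window:
            hits[acct][host] = detail
    return dict(hits)

def worm_like(hits, min_hosts=2):
    """Accounts that repeated the share-then-task pattern on several hosts,
    the spread pattern the report attributes to TrickBot-style activity."""
    return sorted(acct for acct, hosts in hits.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    print(found)                 # only svc_backup on WS01 and WS02 matches
    print(worm_like(found))      # ['CORP\\svc_backup']
```

In a real deployment the same correlation would run over events forwarded from many hosts, and the window and share list would be tuned to the environment's own administrative patterns.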

Eight of the top 10 attack techniques involve features of a platform being misused, McCammon says. They're not standout strategies that would normally put teams on alert.

"The [techniques] I think we are definitely starting to see more of, and will continue to see escalate and refined, are going to be a lot of the lateral movement techniques … almost entirely the ones that depend on living off the land," says McCammon, listing PowerShell and WMI as examples. Attackers are "using the features of these platforms that businesses rely on to operate their network and can't just turn off." As it gets harder to put malware onto a system, the adversaries are getting better at using tools that are already there, he explains.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
