Living off the Land Attack

An Overview of Living off the Land Attack

A worrying pattern was uncovered in the Cyber Threatscape Report for 2020. At the outbreak's outset, experts in cyber security noticed a dramatic uptick in all forms of cybercrime. What's more worrying is that these analysts also found evidence of an increase in LOTL attacks launched by cybercriminals supported by national governments as well as independent entities.

The acronym "LOTL" refers to "Living Off the Land” techniques. In a LOTL attack, fraudsters employ seemingly innocuous administrative tools to penetrate a network without raising any red flags. In many cases, the hacking process begins with the hacker getting access to the network by another method, most commonly phishing, which has seen an alarming increase in popularity in recent years.

The fact that these attacks do not leave any trace behind is one of its distinguishing features. This is why these threats are sometimes referred to as fileless hazard. Many digital security packages will be unaware of any anomalous activity when there are no executable files or viruses to identify. 

‍

How Do LOTL Attacks Work?

These attacks are fileless, meaning that the attacker does not need to install any program or scripts within the target system in order to carry out the attack strategy. Instead, the attacker makes advantage of pre-installed tools like PowerShell, Windows Management Instrumentation (WMI), or Mimikatz to steal credentials.

When a company employs native technologies, it is much harder to identify its assaults, especially if the company is using conventional security solutions that look for predictable malware scripts or files. The hacker is typically able to remain unnoticed in the victim's environment for weeks, months, or even years because of this hole in the security toolset.

Why Are LOTL Attacks Attractive to Cybercriminals?

In the fourth quarter of 2021, adversaries used valid credentials and built-in tools—a hallmark of LOTL hazards—to extend the assault path.

LOTL risks are more successful than virus attacks and are growing increasingly widespread. They are harder to detect with traditional surveillance equipment, giving attackers more time to escalate rights, steal data, and set backdoors.

Some reasons cybercriminals like these threats are the following:

• WMI and PowerShell, frequent LOTL attack vectors, are in the victim channel's "allow" list, providing a great cover for adversaries as they commit malicious activities that the victim's SOC and other security measures often ignore.
• LOTL assaults cannot be contrasted or correlated because they do not employ files or signatures, making them harder to block and allowing the criminal to reuse tactics.
• LOTL strikes are hard to attribute due to legitimate tools and lack of signature, sustaining the attack cycle.
• The enemy can plan and execute complicated strikes throughout long dwell durations. When the victim becomes aware, there is frequently little time to respond.

‍

LOTL Tools 

Living off the land attackers don't have to upload code to begin a fileless malicious activity, so how do they reach the environment to manipulate its inherent tools? Access can be gained in numerous ways, including:

1. Exploit Kits

They contain exploits—code, commands, or data. These tools let intruders exploit OS or application obligations.

Exploits can be injected straight into memory without inscription to the disc, creating fileless adware attacks like LOTL attacks cost-effective. They let adversaries automate first compromises at scale.

File-less or malware outbreaks start the same way. Phishing emails or social engineering lure victims. The exploit kit includes exploits for multiple susceptibilities and a supervision console permitting the attacker to exercise the structure. The exploit kit may search the targeted system for susceptibilities and then create and deploy a custom exploit.

2. Hijacked Native Tools 

In a LOTL attack, the attacker takes control of a legitimate tool in order to perform a malicious action (elevate privileges, get access to new systems and networks, steal or encrypt data, install malware, set backdoor access points, etc.). Some native or multipurpose instruments are:

• FTP clients and system utilities like PsExec allow users to move files across computers.
• Tools used in forensics, such as Mimikatz, which is used to retrieve passwords.
• PowerShell is a scripting framework that may be used to launch scripts, providing a wide range of features for managing Windows devices.
• Windows Management Instrumentation, an API for manipulating various Windows parts.

3. Registry Resident Malware

Registry-resident malware fleeces in the Windows registry to escape recognition.

Dropper apps that download spyware infect Windows systems. Anti-malware software can perceive this active bug. File-less malware utilizes dropper packages but doesn't download unfavorable files. In its place, the dropper package writes spyware into the Windows registry.

The destructive code is hidden in native files and can be configured to start with the OS.

Poweliks was the first of this type of outbreak, although Kovter and GootKit followed. Registry-key-modifying malware can hide for a long time.

4. Memory-Only Malware

Memory-only virus lives in memory. The memory-only Duqu worm can go unnoticed. The initial version of Duqu 2.0 is a backdoor that lets the enemy enter a corporation. The adversary can then exploit Duqu 2.0's enhanced features including reconnaissance, lateral movement, and data exfiltration. Duqu 2.0 breached telecom and security software firms.

5. Fileless Ransomware

Opponents don't just use one method of assault. They employ whatever available means of capture to ensure that they get their loot. Ransomware hackers today often utilize fileless approaches, for instance writing malicious code straight into memory via an exploit or embedding it in documents using a native scripting language like a macro. Without ever writing to disc, the ransomware uses native tools like PowerShell to encrypt the hostage data.

6. Stolen Credentials

With compromised credentials, attackers can get access to their target without leaving any trace of their attack. Once inside, the hacker can employ the system's own tools, like WMI or PowerShell, to launch an assault. To remain undetected, they can insert malicious code into the system's registry or kernel, or create user accounts with full administrative privileges on any target machine.

‍

Example of LOTL Attack

In February 2018, it was announced that financial institutions all over the world had been the target of a broad fileless attack. The hackers used a wide variety of techniques to take over the banking systems. The hackers utilized Mimikatz to steal passwords and gain access to administrative functions. The attackers then used the Windows SC service to run PowerShell scripts they had stored in the registry and produced using Metasploit. In addition, the victim and the C2 were able to communicate with one another via the Windows NETSH program. The attackers used a wide variety of tools, allowing them to carry out a complex attack that went unnoticed for some time.

When combined with your current security infrastructure, the Deep Instinct Prevention Platform offers unparalleled defense against malware and other cyber threats in a hybrid setting. By detecting harmful files in just twenty milliseconds, Deep Instinct prevents attacks before they ever begin.

When it comes to known vulnerabilities and endpoint recognition and reaction, Deep Instinct is unrivaled.

‍

Detecting And Preventing Such Attacks

Fileless ransomware and LOTL assaults are difficult to detect using signature-based approaches, legacy AV, allowlisting, sandboxing, or pattern recognition. How can organizations prevent this common and potentially destructive assault type?

This is a short list of security steps that, when combined, can prevent and detect LOTL, fileless malware, unknown ransomware, and other attacks:

• Indicators of Attack (IOAs)

They can lower the risk of LOTL assaults more than indicators of compromise (IOCs).

Attack indicators detect attacks before they happen. Code execution, lateral motions, and gestures that conceal the intruder's objective are IOAs.

IOAs can identify fileless intrusions because they don't care how they're launched. The action's origin doesn't matter. Only the action, its sequence, and its dependent acts matter. These signs show the genuine intents and ambitions underlying their actions and events.

Signature-based approaches, allowlisting, and sandboxing cannot identify fileless attacks since they employ lawful programming languages like PowerShell and never write to disc. Deep learning cannot evaluate fileless ransomware. IOAs search for sequences that even fileless malware must follow to complete its objective.

Because IOAs assess purpose, context, and sequences, they can even catch and prohibit harmful operations performed using a legitimate account, which is common when an attacker uses stolen credentials or hijacks legitimate programs.

• Controlled Search for Dangers

Hazard investigation for fileless malware takes a lot of time and data collection and standardization. Nonetheless, it is a critical part of a fileless assault defense, hence most organizations should outsource threat hunting to an expert.

Controlled vulnerability management services constantly monitor the environment, look for intrusions, and detect subtle actions that normal security solutions miss.

Threat hunting is helping more companies stop sneaky attempts before they become big breaches. With managed risk hunting, you hire a team of skilled threat hunters to continuously comb through your corporate security data for the most complex assaults.

• Account Monitoring

Profile tracking and governance frameworks provide comprehensive insight into work environments to detect and prevent unwanted actions. It prevents data loss from such actions and credential breaches while letting resource owners control data access and indicate incorrect access.

• Application Inventory

This proactively detects obsolete and unpatched programs and operating systems to securely manage all your packages. IT hygiene streamlines app inventories, solving security and cost issues. Patch and system update exploits are prevented by IT hygiene exposure. It optimizes software setup. Real-time and historical app usage views highlight unwanted software that can be eliminated, saving your company thousands in licensing payments.

• Asset Inventory

It lets you see what computers are on your grid and efficiently implements your cybersecurity strategy to make sure no rogue systems are running. It helps security and IT ops identify controlled, unmanaged, and uncontrollable assets and improve reliability.

Protection Against Any Cyber Attacks from Wallarm

When using signature-based methods, sandboxing, allowlisting, or even pattern recognition protection techniques, it is exceedingly difficult to identify fileless techniques.

When it comes to shielding your web app architecture in any kind of cloud settings, Wallarm is the only answer that unites best-in-class API Security solution with WAAP facilities. Wallarm's platform offers a wide variety of prevention and detection practices that work in tandem to provide cloud-native, next-generation endpoint security. Ready to defend your APIs? Register for a free trial now.