www.csoonline.com
151.101.130.165
Public Scan
Submitted URL: http://edt.csoonline.com/c/16itZrWaSpKTSXIUMRNBm8QLQoU
Effective URL: https://www.csoonline.com/article/3617983/5-ways-hackers-hide-their-tracks.html?utm_source=Adestra&utm_medium=email&utm_co...
Submission: On April 12 via api from US — Scanned from DE
Text Content
Feature
6 WAYS HACKERS HIDE THEIR TRACKS
FROM TRUSTED PENTESTING TOOLS TO LOLBINS, ATTACKERS ABUSE TRUSTED PLATFORMS AND PROTOCOLS TO EVADE SECURITY CONTROLS.
By Ax Sharma, Contributor, CSO | 3 January 2022 10:00
Pixabay / Gerd Altmann (CC0)

CISOs have an array of ever-improving tools to help spot and stop malicious activity: network monitoring tools, virus scanners, software composition analysis (SCA) tools, digital forensics and incident response (DFIR) solutions, and more. But of course, cybersecurity is an ongoing battle between attack and defense, and the attackers continue to pose novel challenges.

Older techniques, such as steganography—the art of hiding information, including malicious payloads, in otherwise benign files such as images—are evolving, leading to new possibilities. For example, a researcher recently demonstrated that even Twitter wasn’t immune to steganography: images on the platform could be abused to pack ZIP archives of up to 3MB within them.

However, in my own research, I have noticed that in addition to using obfuscation, steganography, and malware packing techniques, threat actors today frequently take advantage of legitimate services, platforms, protocols, and tools to conduct their activities. This lets them blend in with traffic or activity that may look “clean” to human analysts and machines alike. Here are five tactics cybercriminals are using to cover their tracks today.

ABUSING TRUSTED PLATFORMS THAT WON’T RAISE ALARMS

This was a common theme seen by security professionals in 2020 that has crept into this year. From penetration testing services and tools such as Cobalt Strike and Ngrok, to established open-source code ecosystems like GitHub, to image and text sites like Imgur and Pastebin, attackers have abused a wide array of trusted platforms in just the past few years.
Typically, Ngrok is used by ethical hackers interested in collecting data or setting up mock tunnels for inbound connections as part of bug bounty exercises or pen-testing engagements. But malicious actors have abused Ngrok to directly install botnet malware, or to connect a legitimate communications service to a malicious server. In a more recent example, Xavier Mertens at SANS Institute spotted one such malware sample, written in Python, that contained base64-encoded code to plant a backdoor on the infected system that used Ngrok. Because Ngrok is widely trusted, the remote attacker could connect to the infected system via an Ngrok tunnel, which will likely bypass corporate firewalls or NAT protections.

GitHub has also been abused to host malware, from Octopus Scanner to Gitpaste-12. Recently, crafty attackers abused GitHub and Imgur in combination, using an open-source PowerShell script that made it possible for them to host a simple script on GitHub that calculates a Cobalt Strike payload from a benign Imgur photo. Cobalt Strike is a popular pen-testing framework used to simulate advanced real-world cyberattacks, but like any security software product, it can be misused by adversaries.

Likewise, automation tools that developers rely on are not immune to being exploited. In April, attackers abused GitHub Actions to target hundreds of repositories in an automated attack that used GitHub’s servers and resources for cryptocurrency mining. These examples show why attackers find value in targeting legitimate platforms that many firewalls and security monitoring tools may not block.

UPSTREAM ATTACKS THAT CAPITALIZE ON A BRAND’S VALUE, REPUTATION OR POPULARITY

Software supply chain security concerns may have gained public attention following the recent SolarWinds breach, but these attacks have been on the rise for some time.
Whether in the form of typosquatting, brandjacking or dependency confusion (which initially came to light as proof-of-concept research but was later abused for malicious purposes), “upstream” attacks exploit trust within known partner ecosystems and capitalize on the popularity or reputation of a brand or software component. The attackers aim to push malicious code upstream into a trusted codebase associated with a brand, which then gets distributed downstream to the ultimate target: that brand’s partners, customers, or users.

Any system that is open to everyone is also open to adversaries. So, many supply chain attacks target open-source ecosystems, some of which have lax validation in place in order to uphold the “open to all” principle. However, commercial organizations are also subject to these attacks. In a recent case that some have likened to the SolarWinds incident, software testing company Codecov disclosed an attack against its Bash Uploader script that had gone undetected for over two months. Codecov’s 29,000-plus clients include some prominent global brand names. In this attack, the uploader used by the company’s clients was altered to exfiltrate the system’s environment variables (keys, credentials, and tokens) to the attacker’s IP address.

Protecting against supply chain attacks requires action on multiple fronts. Software providers will need to step up investment in keeping their development builds safe. AI- and ML-based devops solutions capable of automatically detecting and blocking suspicious software components can help prevent typosquatting, brandjacking and dependency confusion attacks. Additionally, as more companies adopt Kubernetes or Docker containers to deploy their applications, container security solutions that have a built-in web application firewall and are capable of spotting simple misconfiguration errors early can help prevent a bigger compromise.
FUNNELLING CRYPTOCURRENCY PAYMENTS VIA HARD-TO-TRACE METHODS

Darknet marketplace sellers and ransomware operators frequently deal in cryptocurrency, given its decentralized and privacy-minded design. But, although not minted or controlled by government central banks, cryptocurrency still lacks the same level of anonymity as cash. Cybercriminals therefore find innovative ways to siphon funds between accounts. Most recently, over $760 million worth of Bitcoin linked to the 2016 Bitfinex hack was moved to new accounts in multiple, smaller transactions—in amounts ranging from 1 BTC to 1,200 BTC.

Cryptocurrency isn’t a completely foolproof way of hiding a money trail. On the night of the 2020 U.S. Presidential election, the U.S. government emptied out a $1 billion Bitcoin wallet which contained funds linked to the most notorious darknet marketplace, Silk Road, which itself had been shut down in 2013. Some other cryptocurrencies, like Monero (XMR) and Zcash (ZEC), have more extensive privacy-preserving abilities than Bitcoin for anonymizing transactions. The back-and-forth between criminals and investigators will no doubt continue on this front as attackers keep looking for better ways to hide their tracks.

USING COMMON CHANNELS AND PROTOCOLS

Like trusted platforms and brands, encrypted channels, ports, and protocols used by legitimate applications provide another way for attackers to mask their footsteps. For example, HTTPS is a universally indispensable protocol for the Web today, and for that reason, port 443 (used by HTTPS/SSL) is very hard to block in a corporate environment. However, DNS over HTTPS (DoH)—a protocol for resolving domains—also uses port 443, and has been abused by malware authors to transmit their command-and-control (C2) commands to infected systems. There are two aspects to this problem. First, by abusing a commonly used protocol like HTTPS or DoH, attackers enjoy the same privacy benefits of end-to-end encrypted channels as legitimate users do.
Second, this poses difficulties for network administrators. Blocking DNS in any form is itself a challenge, but now, given that DNS requests and responses are encrypted over HTTPS, it becomes a nuisance for security professionals to intercept, single out, and analyze the suspicious traffic from among the many HTTPS requests moving inbound and outbound through the network. Researcher Alex Birsan, who demonstrated the dependency confusion technique to ethically hack into more than 35 big technology firms, was able to maximize his success rate by using DNS (port 53) to exfiltrate basic information. Birsan chose DNS because of the high likelihood of corporate firewalls not blocking DNS traffic, due to performance requirements and legitimate DNS uses.

USING SIGNED BINARIES TO RUN OBFUSCATED MALWARE

The familiar concept of fileless malware using living-off-the-land binaries (LOLBINs) remains a valid evasion technique. LOLBINs refer to legitimate, digitally signed executables, such as Windows executables signed by Microsoft, that can be misused by attackers to launch malicious code with elevated privileges, or to evade endpoint security products such as antivirus. Last month, Microsoft shared some guidance on defensive techniques that enterprises can adopt to prevent attackers from abusing Microsoft’s Azure LOLBINs.

In another example, a recently discovered Linux and macOS malware sample I analyzed had a perfect zero-detection rate among all leading antivirus products. The binary did contain obfuscated code, which aided in evasion. However, further investigation also revealed the malware was built using hundreds of legitimate open-source components and conducted its malicious activities, such as gaining administrative privileges, in ways identical to how legitimate applications would do so.
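A defender-side check for the DNS point above (Birsan's use of port 53 to exfiltrate data, and the difficulty of picking out such traffic): this is an added example, not code from the article or from any tool it names. It scans constructed resolver log lines for query names that look like encoded data rather than hostnames; the log format, thresholds, client addresses and `.invalid` domains are all assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log, "<timestamp> <client> <qname> <qtype>";
# the 10.0.0.9 client and the exfil-test.invalid names are made up.
SAMPLE_LOG = """\
2022-01-03T10:00:01Z 10.0.0.5 www.example.com A
2022-01-03T10:00:03Z 10.0.0.9 4a6f686e2d446f652d41444d494e2d6c6170746f70.3137322e31362e302e37.exfil-test.invalid A
2022-01-03T10:00:04Z 10.0.0.9 cdn.static-assets.example.net AAAA
2022-01-03T10:00:05Z 10.0.0.9 q7Zp2mK9xV4nB1tY8cW3.exfil-test.invalid TXT
2022-01-03T10:00:06Z 10.0.0.9 ZXhhbXBsZS1zZWNyZXQta2V5LTEyMzQ1Njc4OTA.exfil-test.invalid TXT
"""

# Assumed thresholds; baseline them against your own resolver logs before use.
MAX_LABEL_LEN = 30   # human-chosen hostname labels are rarely this long
MAX_QNAME_LEN = 60   # whole query name, in characters
MIN_ENTROPY = 3.5    # bits per character; hex/base64 data sits near 4 or above


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_qname(qname):
    """Return the reasons a query name looks like carried data ([] if benign)."""
    labels = qname.rstrip(".").split(".")
    data_labels = labels[:-2]  # assume the last two labels are the registrable domain
    payload = "".join(data_labels)
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in data_labels):
        reasons.append("long label")
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long qname")
    if len(payload) >= 16 and shannon_entropy(payload) > MIN_ENTROPY:
        reasons.append("high entropy")
    return reasons


def scan_log(text):
    """Return (client, qname, qtype, reasons) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        _ts, client, qname, qtype = parts[:4]
        reasons = suspicious_qname(qname)
        if reasons:
            hits.append((client, qname, qtype, reasons))
    return hits
```

This only sees plaintext port 53 queries that reach your resolver; a host resolving via DoH never appears in this log at all, which is exactly the blind spot the section describes.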
While obfuscated malware, runtime packers, VM evasion, or hiding malicious payloads in images are known evasive techniques used by advanced threats, their true power comes from bypassing security products, or flying under their radar. And this is made possible when payloads are combined to some degree with trusted software components, protocols, channels, services or platforms.

CODING MALWARE IN UNCOMMON PROGRAMMING LANGUAGES

According to a recent report from the BlackBerry Research and Intelligence team, malware authors are making more use of uncommon programming languages to, in part, better evade detection. The main languages used were Go, D, Nim and Rust. These languages add obfuscation in a couple of ways. First, rewriting malware in a new language means that signature-based detection tools will no longer flag it (at least until new signatures are created). Second, the BlackBerry researchers said the languages themselves act as an obfuscation layer. For example, first-stage malware used to decode, load and deploy other common malware is written in an uncommon language, and this can help evade detection on the endpoint.

The BlackBerry researchers noted that there are currently few custom obfuscators for malware written in these languages. One of the most common is Gobfuscate, for malware coded in Go. It is capable of manipulating package, function, type, and method names, as well as global variables and strings.

Editor’s note: This article, originally published on May 18, 2021, has been updated to include information on malware authors using uncommon programming languages.
Ax Sharma is an experienced cybersecurity professional and technologist who loves to hack ethically and write about technology to educate a wide range of audiences.

Copyright © 2022 IDG Communications, Inc.