How the ‘five most dangerous attack techniques’ of the year are evolving
With 2019 drawing to a close, the SANS Institute this week revisited its list of the five most dangerous attack techniques and discussed how these threats are evolving in order to evade security defenses.
The information security training organization’s 2019 threat list, published earlier this year, included predictions related to smartphone attacks, DNS manipulation, domain fronting, cloud-on-cloud attacks, and CPU flaws.
In a panel webcast hosted by the organizers of the RSA Conference this week, industry experts Ed Skoudis, Heather Mahalik, and Johannes Ullrich looked at how these threats are evolving – and how to beat them.
Kicking off the session, Ed Skoudis, director of SANS cyber ranges and team training, said Domain Name System hijacks were continuing, with attackers even reconfiguring a client to use a different DNS server.
SANS members outlined their top security threats at the RSA Conference earlier this year
“Some ISPs will actually manipulate DNS responders to insert ads inside of requests or to change ads,” he added.
“The bottom line here is that if you, as an organization, don’t have control over how your names are being resolved, you don’t have control of your infrastructure.”
Skoudis advises two-factor authentication for all management of infrastructure components, especially DNS configuration. He also reminded listeners to validate records as well as simply signing them.
Up in the clouds
Also highlighted at the RSA Conference earlier this year were a new raft of cloud attacks. Skoudis cited a Magecart campaign which saw card-skimming JavaScript added to code in unsecured Amazon S3 buckets.
“The Amazon S3 buckets were being used to serve up content for websites and skim credit cards if they were typed into those websites,” he said.
The SANS associate also warned: “With multi-tenant clouds, those tenants might be attacking you.”
LISTEN NOW SwigCast, Episode 4: MAGECART
Offering a sneak peek of 2020 threats, Skoudis highlighted Living off the Land Binaries and Scripts (LoLBaS): “The idea here is to use the components of the OS itself to attack the infrastructure,” he said.
And, citing the USB Rubber Ducky, he warned that keystroke injection techniques are being extended through ‘persistence in the wire’.
“With miniaturization, attackers are placing this functionality within the USB wires themselves,” he said. “It implements the keyboard just like Rubber Ducky and inserts a piece of malicious code.”
Targeted attacks
Heather Mahalik, a SANS Institute senior instructor, author, and senior director of digital intelligence at Cellebrite, said that targeted, individualized attacks were continuing, as were mobile ransomware attacks.
Weak access controls, reused passwords, and a lack of 2FA “are still an attack vector”, she said. “Things have really not got a lot better there”.
For 2020, predicted Mahalik, we’re likely to see more of the Checkrain and Checkmate mobile vulnerabilities.
“The issue is the vulnerability is on the chip, meaning people can’t patch that,” she pointed out. “Now, if you lose your phone, someone can definitely access your data.”
Fresh malware techniques
Johannes Ullrich, dean of research at SANS, discussed DNS-over-HTTPS, and how the technology is not just being explored by privacy-focused web users.
“It’s not just browsers and operating systems that have discovered DNS-over-HTTPS,” he said. “Probably one of the big updates here from this spring is that we now have malware that uses DNS-over-HTTPS in order to hide its DNS queries.”
As a case in point, Ullrich drew attention to Proofpoint’s exposé on PsiXBot, used for ‘sextortion’ and spam. Around the same time, Qihoo researchers identified GodLua as targeting IoT devices.
READ MORE A guide to DNS-over-HTTPS – how a new web protocol aims to protect your privacy online
Ullrich also mentioned the denial-of-service tool Red Cannon, currently making a comeback with the protests in Hong Kong. “It really weaponizes the Great Firewall of China,” he said.
“If a user downloads an HTML document and that HTML document includes JavaScript that is hosted within China, what’s happening is that this request is going through the Great Chinese Firewall and then it’s part of this Great Cannon or Red Cannon functionality, and they’re actually able to redirect that request and deliver malicious JavaScript in return.”
If websites are including remote content, he said, they should always use HTTPS and subresource integrity.
Summing up, the panelists agreed that efficient defense requires, above all, communication.
“The only thing where you will be able to survive and stay up to date is by sharing with your peers and staying part of your community,” said Ullrich, with Mahalik adding: “I think it’s so important that we use our voice, use our brain.”
YOU MIGHT ALSO LIKE IESG issues final call for comment on proposed vulnerability reporting standard
