SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.


For a long while now, criminal hackers have relied on low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting the highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes — by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”


Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions of dollars in recovery costs for the cities of Baltimore and Atlanta, and prompted numerous small cities to pay six-figure ransoms for decryption keys, is a prime example of this, Shier says.

Upping the ransom
One ring Sophos researchers scrutinized was the notorious SamSam ransomware gang, responsible for methodically collecting close to $6 million in extortion payments.

The SamSam gang broke the mold of earlier, small-potatoes ransomware scams. Instead of encrypting the hard drives of individual victims, and demanding payments of a few hundred dollars, a skilled team collaborated to break into an organization’s network; surveil the network layout; and then embed the malware. Next, they encrypted servers in the most painful way possible, thus motivating companies to pay tens of thousands of dollars for a decryption key.

“The SamSam group were pioneers,” Shier says. “Once they were inside, they would turn off your antivirus software and the software responsible for online backups. They’d eventually get domain admin credentials and could lock out all the other domain administrators. And then they’d use your own software deployment tools against you to deploy the malware to the key assets.”

Nuanced hacks

Another ring honing automated, active techniques is the Baldr password-stealing gang. Baldr malware is crafted to ransack web browsers, harvesting saved autocomplete data and pilfering stored PII, credit card account information, cookies and browsing histories, Sophos research shows.

To evade detection by malware analysts, Baldr leverages as many as nine sophisticated layers of obfuscation. It creates a detailed profile of the infected system, including specs on the CPU model, operating system, system language, screen resolution and all installed programs.

It also collects any FTP logins it finds, as well as any credentials associated with any instant messaging clients or VPNs it runs across. Baldr can also plunder any cryptocurrency being stored in a range of digital wallets.

Baldr strikes a delicate balance between automated spreading and just the right measure of hands-on, human activity to find and steal key assets without being detected. The tactics so successfully used by the SamSam and Baldr gangs suggest we’ll see increasing hands-on tweaking by skilled specialists as part of broad cyber attacks going forward.

“When the criminals find a new, successful tactic, they’ll abuse it until the money dries up,” Shier told me. “This particular style of attack is going to continue until we collectively get better at doing the security basics.”

Lock your doors

A big part of security basics has to do with configuring business systems as securely as possible. However, companies have never done that well. And with the rise of cloud computing, hybrid networks and the Internet of Things, the likelihood of poorly configuring something, or, in the same vein, procrastinating over patching software vulnerabilities, is very high.

Even so, this isn’t a problem that’s going to be addressed overnight. Powerful technology can buy some time: Sophos’ Intercept X, for instance, is designed to protect companies from attackers seeking to exploit known vulnerabilities on servers that haven’t been patched quite yet.

There’s always something more companies can do to make themselves less of a juicy target. Shier likes to use the analogy of a car burglar walking down a darkened street yanking on car doorknobs, seeking unlocked vehicles.

“When they find one, they waltz in and grab whatever they can,” he says. “With a lot of these companies, it’s their servers. That’s where the important stuff lies, the personally identifiable information and their ERP databases. Your business is on those databases, so that’s what the bad guys are after.”

Daunting as cybersecurity has become, it’s more vital than ever, for everyone concerned, that organizations make daily progress toward improving their network security posture. Hopefully, we’re moving in that direction. I’ll keep watch.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
