A common theme we’re observing is evasion: sophisticated methods used by attackers to stay under the radar. This includes evading detection software designed to flag malicious activities, targeting systems that aren’t closely monitored, using legitimate software to avoid raising suspicions, and exploiting cloud environments with limited logging. Our analysis, grounded in current threats and enhanced by our daily work of analyzing threat reports and customer cases, has led us to identify four major trends. These will be outlined in detail in the following sections of this post.
1. Supply Chain Attacks
Supply chain attacks pose a serious threat to all organizations, even those with advanced security measures. These attacks target trusted software or service suppliers, making them tough to defend against. They exploit the deep integration and trust placed in these services within an organization’s IT infrastructure.
What makes supply chain attacks particularly challenging is their ability to bypass standard defenses like firewalls and antivirus programs. They take advantage of the trust in software components, applications, or service provider accounts. To effectively detect these attacks, organizations must adopt an ‘assumed compromise’ mindset and strategize accordingly.
2. Token and Cloud API Abuse
In today’s digital landscape, session tokens have become a crucial element in maintaining secure access to various online services and applications. These tokens act as temporary access passes, allowing users to stay authenticated in a system without repeatedly entering their credentials. However, this convenience also makes them an attractive target for cyber attackers. Unlike traditional user credentials, tokens can be easier to steal and can provide access to secure sessions, even those protected by multi-factor authentication (MFA). Their theft can lead to unauthorized access to sensitive data and systems, making their security a top priority for organizations.
As attackers seek new ways to infiltrate systems and networks, the abuse of tokens and cloud APIs has become more prevalent. Because tokens are often easier to steal than user credentials and grant access to sessions that were already established with multi-factor authentication (MFA), they are a valuable target for attackers.
Moreover, it is often unclear where tokens are stored in integrated ecosystems such as Windows applications like Office 365, which adds to the challenge of preventing unauthorized access. This obscurity makes it difficult to identify the processes from which tokens can be extracted and renders traditional defense mechanisms less effective.
When dealing with the risk of token and cloud API abuse, it’s essential for management to enforce strong security policies around these services. This includes closely monitoring for unusual activity using the service providers’ logging features: look out for odd sign-in patterns and for unexpected changes to user and device management.
Also, it’s important to carefully think about the risks when moving an internal service to the cloud. Ask yourselves, ‘What happens if a session token is stolen and someone gets access to our data that was once safely inside our company’s network?’ Being aware of these risks is crucial in protecting your organization.
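The kind of sign-in log review suggested above, as an added example that is not Nextron’s code: the records are constructed sample data in an assumed, simplified log format, and the check flags a session identifier that is presented from a different country or client shortly after its last use, which is how a stolen token typically shows up.

```python
"""Detect session tokens replayed from a second client (added example).

Not Nextron's code. The records are constructed sample data in an assumed,
simplified sign-in log format: one authenticated request per record with
the session identifier, source IP, GeoIP country and user agent.
"""
from datetime import datetime, timedelta

# Constructed sample: alice signs in with MFA from Germany; minutes later
# the same session id is presented from another country and browser, which
# is the footprint a stolen token leaves. bob's session is unremarkable.
SAMPLE_LOG = [
    {"ts": "2024-01-10T08:00:00", "user": "alice", "session": "sess-A1",
     "ip": "198.51.100.7", "country": "DE", "ua": "Edge/120 Windows"},
    {"ts": "2024-01-10T08:05:00", "user": "alice", "session": "sess-A1",
     "ip": "198.51.100.7", "country": "DE", "ua": "Edge/120 Windows"},
    {"ts": "2024-01-10T08:12:00", "user": "alice", "session": "sess-A1",
     "ip": "203.0.113.42", "country": "US", "ua": "Chrome/119 Linux"},
    {"ts": "2024-01-10T09:00:00", "user": "bob", "session": "sess-B7",
     "ip": "192.0.2.9", "country": "DE", "ua": "Firefox/121 Windows"},
    {"ts": "2024-01-10T15:00:00", "user": "bob", "session": "sess-B7",
     "ip": "192.0.2.9", "country": "DE", "ua": "Firefox/121 Windows"},
]


def find_token_anomalies(records, window=timedelta(hours=1)):
    """Return one alert per request whose client fingerprint changed.

    A session id presented from a new country within `window` of its last
    use, or with a different user agent at any time, is not plausibly the
    same client. A bare IP change is tolerated (roaming mobile clients).
    """
    last_seen = {}  # session id -> (time, country, user agent, ip)
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        t = datetime.fromisoformat(r["ts"])
        prev = last_seen.get(r["session"])
        if prev:
            p_t, p_country, p_ua, p_ip = prev
            reasons = []
            if r["country"] != p_country and t - p_t <= window:
                reasons.append(f"country {p_country}->{r['country']}")
            if r["ua"] != p_ua:
                reasons.append(f"user agent {p_ua!r}->{r['ua']!r}")
            if reasons:
                alerts.append({"user": r["user"], "session": r["session"],
                               "from_ip": p_ip, "to_ip": r["ip"],
                               "reasons": reasons})
        last_seen[r["session"]] = (t, r["country"], r["ua"], r["ip"])
    return alerts
```

On real provider logs the same logic applies per session or refresh-token identifier; the country and user-agent fields are whatever the provider exposes.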
3. Evading EDR by Using Unmonitored Systems and Devices
Attackers are increasingly focusing on systems that aren’t usually covered by common security tools like Endpoint Detection and Response (EDR) or Antivirus software. This includes everyday devices like appliances, routers, and IoT (Internet of Things) systems. Since these devices aren’t typically monitored by standard security software, they become easy targets for attackers looking to sneak into a network unnoticed. The fact that these systems don’t usually keep detailed security logs makes it even harder to spot and fix security breaches.
In line with this trend, attackers are expected to adopt a more diverse toolset: tools built for Linux systems, tools that create hidden paths through networks, tools compiled for the ARM architecture (common in many modern devices), and tools that work across multiple platforms.
4. Abuse of Legitimate Software
Remote access trojans are often detected by Antivirus software, leading attackers to turn to legitimate remote access software as an alternative.
These applications, which include ConnectWise Control, AnyDesk, NetSupport, TeamViewer, Atera, LogMeIn, and Splashtop, are often not classified as potentially unwanted applications (PUA) by security solutions. As a result, their use by attackers often goes unnoticed, allowing them to establish persistence without raising suspicion.
But the use of legitimate remote access software is far from the only way threat actors try to evade traditional threat detection solutions. They also use legitimate software for exploration and lateral movement, and plant configuration backdoors to establish a foothold on a system without deploying malware. Such “malware-less” attacks are very difficult to detect. They pose a serious threat to organizations that lack a professional security monitoring team, one that regularly looks for uncommon software and baselines its findings so that anomalies can be detected and acted on in a timely manner.
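The baselining practice described above, as an added example that is not Nextron’s code: it reviews a constructed software inventory in an assumed (host, name, publisher) form, reports any of the remote access products named in this post that are not on an assumed allowlist, and reports software that is present on only a small fraction of hosts.

```python
"""Baseline review of installed software across a fleet (added example).

Not Nextron's code. Inventory records are constructed sample data in an
assumed simple form: (host, software name, publisher). The remote access
products named in the post form the watchlist; APPROVED is an assumed
allowlist of the tools the organization's own IT staff may use.
"""

# Products named in the post, matched case-insensitively as substrings.
REMOTE_ACCESS_WATCHLIST = ["connectwise control", "anydesk", "netsupport",
                           "teamviewer", "atera", "logmein", "splashtop"]
APPROVED = {"teamviewer"}  # assumed: the one sanctioned remote access tool

# Constructed inventory: 20 workstations with identical standard software,
# two hosts with an unsanctioned remote access tool, one with a one-off
# package nobody recognizes.
SAMPLE_INVENTORY = []
for i in range(20):
    host = f"ws{i:02d}"
    SAMPLE_INVENTORY += [(host, "Microsoft Office", "Microsoft"),
                         (host, "TeamViewer", "TeamViewer GmbH"),
                         (host, "7-Zip", "Igor Pavlov")]
SAMPLE_INVENTORY.append(("ws07", "AnyDesk", "AnyDesk Software GmbH"))
SAMPLE_INVENTORY.append(("ws13", "NetSupport Manager", "NetSupport Ltd"))
SAMPLE_INVENTORY.append(("ws19", "UpdaterSvc", ""))


def review_inventory(inventory, max_prevalence=0.1):
    """Return sorted (host, name, reason) findings.

    A watchlisted remote access product that is not approved is always
    reported; any other product present on fewer than `max_prevalence` of
    all hosts is reported as uncommon, which is what a baseline comparison
    is meant to surface.
    """
    hosts = {host for host, _, _ in inventory}
    hosts_with = {}  # product name -> set of hosts carrying it
    for host, name, _ in inventory:
        hosts_with.setdefault(name, set()).add(host)
    findings = []
    for host, name, _publisher in inventory:
        lname = name.lower()
        hit = next((w for w in REMOTE_ACCESS_WATCHLIST if w in lname), None)
        if hit and hit not in APPROVED:
            findings.append((host, name, "unapproved remote access tool"))
        elif len(hosts_with[name]) / len(hosts) < max_prevalence:
            findings.append((host, name, "uncommon software"))
    return sorted(findings)
```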
Nextron’s Solutions for Enhanced Cybersecurity
Nextron steps in where traditional security measures might miss threats. Our digital forensics tools conduct thorough analyses of systems that show signs of unusual behavior. They effectively identify risky software and expose a range of threats that could go unnoticed by standard methods.
Our signature collection is tailored to detect a variety of security concerns. This includes hacker tools, their remnants, unusual user activities, hidden configuration settings, and legitimate software that might be misused for attacks. Our approach is especially useful in detecting the tactics used in supply chain attacks and identifying tools that evade Antivirus and EDR systems.
Flexibility is a key aspect of our solutions. They allow for detailed examination of devices and systems not covered by typical EDRs, including appliances, network devices, and IoT and OT systems like printers or PBX systems. Nextron’s tools provide a comprehensive security view, enabling organizations to tackle the complex challenges of today’s cybersecurity environment.