This past weekend, we alerted a client and initiated an incident response scenario at a small business where an infected endpoint, a smartphone, was using UDP port 53 for data exfiltration. This is the same protocol and port that DNS uses by default, except that this was no DNS. Think of it like hiding in plain sight, or appearing like something else.
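The check a defender wants here is structural: is the payload on UDP/53 actually a DNS message at all? The following is an added example (not code from the incident or from the author) that validates the RFC 1035 header and question section and flags UDP/53 records that do not parse as DNS; the sample records and addresses are constructed for illustration.

```python
import struct
VALID_QCLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY

def _read_name(payload: bytes, offset: int) -> int:
    # Walk the label sequence of a question name; return the offset after it or raise.
    while True:
        length = payload[offset]            # IndexError if the name runs past the packet end
        offset += 1
        if length == 0:
            return offset
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        if length > 63:
            raise ValueError("reserved label type or label longer than 63 octets")
        payload[offset:offset + length].decode("ascii")   # hostnames are ASCII; raises on binary junk
        offset += length

def looks_like_dns(payload: bytes) -> bool:
    # True only if payload is structurally a DNS message: 12-byte header plus well-formed questions.
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if flags & 0x0040 or opcode > 5 or opcode == 3:      # reserved Z bit set, or undefined opcode
        return False
    if opcode == 0 and not flags & 0x8000 and (qdcount < 1 or ancount or nscount):
        return False    # a standard query carries questions and no answer/authority records
    try:
        offset = 12
        for _ in range(qdcount):
            offset = _read_name(payload, offset)
            if offset + 4 > len(payload):
                return False
            qclass = struct.unpack("!H", payload[offset + 2:offset + 4])[0]
            if qclass not in VALID_QCLASSES:
                return False
            offset += 4
    except (ValueError, IndexError, UnicodeDecodeError):
        return False
    return True

def flag_non_dns(records):
    # records: iterable of (src, dst_port, payload); returns (src, payload) for UDP/53 traffic that is not DNS.
    return [(src, p) for src, port, p in records if port == 53 and not looks_like_dns(p)]

# Constructed sample traffic (not from the incident described in the post).
SAMPLE = [
    ("10.0.0.7", 53, bytes.fromhex("1234 0100 0001 0000 0000 0000 076578616d706c6503636f6d00 0001 0001")),
    ("10.0.0.42", 53, bytes.fromhex("0001 0100 0001 0000 0000 0000") + b"\x50" + b"P" * 80),  # bad label
    ("10.0.0.42", 53, b"\x00" * 12 + b"data-goes-here"),   # query header that claims zero questions
]
```

Run `flag_non_dns` over payloads pulled from a capture or a NetFlow/Zeek export; the first sample (a normal A query for example.com) passes, the two from 10.0.0.42 are reported.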
What we already know is that attackers are coming for every single small business. At Black Hat we demonstrated how a simple attack via a vulnerable wireless bridge targeted a PLC. Since everything is connected, and so much of this type of equipment is running vulnerable firmware, any would-be attacker has a myriad of options.
Sometimes it’s the disruption of industry that is the ultimate target, but sometimes this kind of equipment is just a launch pad for lateral movement. To show how serious attackers are on this front, consider that:
81% of Malware Seen on USB Drives in Industrial Facilities Can Disrupt ICS: Honeywell.
The trend itself ought to get our attention, and it shows how important a security policy and a security posture are.
Consider also that Weaponized PLCs Can Hack Engineering Workstations in Attacks on Industrial Orgs.
A significant percentage of the malware seen last year on USB drives used in industrial facilities was capable of targeting and disrupting industrial control systems (ICS), according to a report published this week by Honeywell.
The industrial giant has published its fourth annual report focusing on the malware found by one of its dedicated security products on the USB drives that were brought into its customers’ industrial environments.
Benzinga reports that Without Proper IT Protection, It’s Just A Matter Of Time Before SMBs Get Hacked.
“six out of 10 reporting at least one cyber attack in the past year resulting in at least eight hours of business shutdowns”.
For several years now, many small and medium-sized businesses (SMBs) have been under the assumption that if they just move their files and data to the cloud, they will be protected.
The hope is that cloud-based services like Amazon.com Inc. Web Services, Microsoft Corp.’s Azure and Cloud Services will provide a layer of protection for sensitive information and peace of mind.
But even cloud software providers can be subject to hackers and data breaches. Unfortunately, most SMBs are unaware their remote workers are creating even more opportunities by using unsecured systems to conduct business, further compromising whatever data protection they use.
In unprotected networks, however, it’s sometimes even easier to access Active Directory using tricks like this:
Hackers Using Bumblebee Loader to Compromise Active Directory Services.
Once an endpoint is infected and remotely controlled, lateral movement becomes trivial.
The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities.
“Bumblebee operators conduct intensive reconnaissance activities and redirect the output of executed commands to files for exfiltration,” Cybereason researchers Meroujan Antonyan and Alon Laufer said in a technical write-up.
Speaking of domain controllers and the attacks against them:
Detecting a Rogue Domain Controller – DCShadow Attack.
This one is worthwhile for network administrators to understand, but even more importantly, a domain controller should sit behind a zero-trust boundary so that it is not reachable inbound from unverified devices and has no outbound path to a command-and-control operator.
In our earlier Protecting Against Active Directory DCSync Attacks blog post, we have seen how attackers can replicate permissions and completely control Active Directory (AD) infrastructure using DCSync attacks. Another devastating technique that attackers explore against AD is the DCShadow attack. It is a method of manipulating AD data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a legitimate Domain Controller (DC).
A DCShadow attack allows an attacker with domain or enterprise admin privileges to create a rogue DC in the network. Once registered, a rogue DC is used to inject domain objects (such as accounts, access control lists, schemas, credentials, or access keys) and replicate changes into AD infrastructure.
PwC Survey Finds C-Level Execs View Cybersecurity as Biggest Risk.
Finally, we do see increased awareness of cyber security risk, and sometimes that awareness is the final and most important prerequisite for taking a proactive stance.
A survey of 722 C-level executives published today by PwC finds 40% of business leaders now rank cybersecurity as being the number one serious risk their organizations face today.
In addition, 58% of corporate directors said they would benefit most from enhanced reporting around cybersecurity and technology.
Nearly half of respondents (49%) said as a result they are increasing investments in cybersecurity and privacy, while more than three quarters (79%) said they are revising or enhancing cyber risk management.