Phishing is the entry point for about 80% of cyberattacks. But it’s a fair question to ask why phishing or spear-phishing represents such a threat for a company? How does the compromission of the credentials of someone from the marketing or sales team pose a real threat ?
Of course, if the compromised account is the one of the system admin, it’s much easier for the hackers.
But in most cases, this isn’t what happens. So what occurs between initial infiltration and impact?
This article presents a relatively standard lifecycle for a cyberattack and some of the tactics and techniques used by hackers, from a phishing email to a ransomware in 4 steps :
The goal is not to be comprehensive in the description of the techniques and tactics used, but rather to propose an overview, from beginning to end, that is simple and understandable and can be shared with teams in order to highlight the importance of the initial phases of an attack.
The goal of the hackers is to recon their target in order to prepare their attack.
The idea is to gain an understanding of a target’s ecosystem (clients, software, suppliers, teams…) in order to increase their odds of successfully compromising an account. In order to do this, hackers rely on several techniques such:
OSINT (Open Source Intelligence): most people underestimate the amount of information available online, as soon as you spend some time looking. For example:
Data leaks: these occur regularly. Information can be found online afterwards, and it is possible to exploit compromised passwords that are reused or haven’t been changed.
Hackers now have a reasonable overview of who works in the target company, which software they use, who are their customers and suppliers and who are the C-level executives. It’s time for them to set up a first beachhead.
They will either seek to obtain credentials to compromise a user’s account, or to directly lead the user to download malware.
In order to do this, phishing (or rather spear-phishing, since it is improved with all the information gathered during the reconnaissance phase) and social engineering techniques are the easiest, cheapest and most simple to deploy weapons.
Hackers can replicate authentication pages to harvest credentials by using tools such as Evilginx, even enabling them to bypass with relative ease multi-factor authentication protections.
And if they want to deploy malware, the sequence can be as follows (for example):
Once the macro is activated, it will automatically launch the download of a loader : the beachhead is established.
And if the hackers really don’t want to go to the trouble of doing all this, they can just shell out some money and pay an Initial Access Broker (IAB). This is literally a third-party hacking group that sells initial access credentials. The more privileged the account is, the more expensive it is (the price can vary between $500 and $10,000 based on the company and privilege level of the account).
A loader is a type of malware whose goal is to collect initial information on the target network and, first and foremost, create a link between the compromised endpoint and the hackers’ command & control infrastructure, in order to share information with the hackers, to download additional malware… etc.
Among some loaders that have seen active use recently, one can name Qakbot or Hancitor. These malware are going to install code libraries and try and execute them, conduct a first preliminary mapping of the target network, and seek to establish a connection with the hackers’ command & control.
If all these steps go according to plan, they can download additional malware (like cobaltstrike) in order to move on to the next phase.
At this stage in the attack, hackers have a beachhead but not necessarily access to an account with sufficient privileges to actually do damage.
Goal: escalate privileges and lateral movement. In other words: obtain more power to act and deploy throughout the entire IT network.
Privilege escalation will enable hackers to take control of strategic servers. It can be done via a multitude of techniques, amongst which we can name the following:
Lateral movement is the hackers seeking to deploy on the entirety of the network (or at least to be in a position to take control of its crucial servers) : virtual machines, accounts and credentials of hackers, operating systems, servers…
Once they have mapped a network, hackers are indeed going to seek to deploy throughout in order to prepare the impact phase and to increase their chance of surviving if they are discovered on an endpoint. They can harvest credentials (with tools like Mimikatz, or keyloggers), use compromised accounts to send other, credible, phishing emails, or exploit the privileges acquired to deploy on the network.
If the hackers manage to complete these steps undetected, they are deployed throughout the network (or, at the very least, at its strategic points), with the privileges required to execute the next steps. They are in a position to strike.
With the privileges they have obtained and successful spread throughout, the network, deploying a ransomware can be done relatively easily via the malware already in place (like Cobalstrike), on a command from the hackers’ command & control.
Before acting, hackers will of course seek to compromise any backups they have gained access to.
In most cases, gangs have specialized. Initial access, exploitation, providing ransomware as a service (RaaS), the value chain is well split out. By relying on the latter, all one needs is an entry point (and payment), and the RaaS’s teams will provide a detailed guide on how to deploy the ransomware, and even customer support for those executing the attack.
As a side note, relying on a RaaS is not without risk: these hackers have been known to copy the data themselves and to beat their customers to the punch in asking for a ransom (who said their was honor among thieves?).
Hackers deploy a ransomware, and the attack will follow a relatively classic path:
From afar, phishing can seem relatively harmless (“at worst, a sales rep loses his or her credentials”). The problem is that any user can constitute an entry point into a network ahead of an in-depth attack. Of course, having a tiered network can limit certain risks and stop lateral movement from being easy. But that doesn’t change the fact that any account, even low-level, contains substantial information exploitable by hackers, enabling them to conduct sophisticated attacks later on.
What are SPF, DKIM and DMARC? How do they contribute to setting up protection against phishing attacks and how can you set them up for your company domain?
What is social engineering? How do hackers use this tactic in their phishing and spear-phishing attacks?