Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Breach Preparedness , Data Breach

Top 5 Ways to Hack a Business Testing Networks With WannaCry, Petya and EternalRocks Finds Widespread Failures
Top 5 Ways to Hack a Business
How many enterprise networks today would survive a repeat WannaCry assault?

Want to hack lots and lots of enterprises? Just develop malware that looks like WannaCry, including the ability to target a now-patched server messaging block flaw in Windows (see Teardown: WannaCry Ransomware).

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

That's one takeaway from security firm SafeBreach's proactive study of how effective some of today's most-seen attack techniques are when applied to live enterprise networks.

"Instead of just focusing on whether attackers can get into my network, assume they can." 

Disclaimer: No enterprise networks or IT administrators were harmed during the course of these studies, SafeBreach says.

Rather, the firm maintains an attack simulation platform that organizations can use to test and quantify the types of cybersecurity risks they face to best optimize the tools and technologies they already own. "We simulate attackers and attacks on a network to prove that these attacks were blocked, and those attackers weren't. And we have thousands of different attack methods that real attackers use," Chris Webber, a security strategist at SafeBreach, tells me.

The organization isn't the only one to offer this type of functionality. It competes with AttackIQ, Cytegic, Ironscales, Skybox Security and Verodin, among others.

Top Infiltration Methods

Testing real-world enterprise networks using "ripped from the headlines" attack techniques can make for interesting findings.

For starters, SafeBreach has tested a number of techniques for infecting PCs, including using the vulnerabilities in Windows systems targeted by WannaCry, hiding malicious code into otherwise legitimate-looking packed executable files as well as the malicious capabilities included in the Carbanak banking Trojan developed by the cybercrime group known as "Anunak."

Based on 7.5 million simulations run by SafeBreach from January to November at its customers' sites, these were the top five most effective attacks it found and their rate of success:

  • WannaCry 2.0 ransomware: 63 percent;
  • Executable (.exe) file packed inside JavaScript: 61 percent;
  • Carbanak HTTP malware transfer: 60 percent;
  • Executable file inside a Visual Basic file (.vbs) using HTTP: 57 percent;
  • Executable file inside a Microsoft Compiled HTML Help (.chm) file: 56 percent

Top Lateral Movement Methods

The firm also tested how effective hypothetical attackers would be at moving around already penetrated networks.

The lateral movement techniques it studied included simulating EternalRocks, a worm that combines seven exploits leaked by the Shadow Brokers and developed by the Equation Group, which many information security experts believe is the National Security Agency's in-house hacking team.

The exploits included in EternalRocks are ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy and SMBTouch. "This worm had widespread infection, but has not yet been weaponized," SafeBreach says. "The author claims to have backed away from the campaign, but an as-yet-unknown amount of machines remain infected, leaving the door open for later attacks."

The group also tested techniques that have been seen in other attacks, including attacks attributed to the Lazarus Group hacking team, which has been tied to North Korea.

Here were the top five most effective lateral movement techniques and their rate of success:

  • Malware transfer techniques from the NotPetya ransomware worm via HTTPS: 69 percent;
  • EternalRocks - transfer via HTTPS: 69 percent;
  • Executable inside Windows script file (.wsf) using HTTP: 67 percent;
  • EXE inside JAR [Java package file format] using HTTP: 67 percent;
  • Lazarus buffer transfer technique: 67 percent.

Infiltration Techniques on Repeat

Webber says many of the top lateral movement techniques used by today's attackers resemble "regular old infiltration attacks." In other words, the same straightforward techniques that give attackers access to enterprise systems are being reused to hop around corporate networks unimpeded (see Hackers Exploit Weak Remote Desktop Protocol Credentials).

"We often think of lateral movement as pure credential theft or privilege escalation - using techniques just like a system administrator - but we're seeing simple things like newer types malware, or ransomware, are able to move laterally and pretty easily with the same techniques that are used to infect PCs in the first phase of an attack," Webber says.

"Instead of just focusing on whether attackers can get into my network, assume they can, so stop them from traversing your network or stealing data from it."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.eu, you agree to our use of cookies.