7 Ways Hackers Will Steal Your Data Using Advanced Automation

Published on: February 12th, 2021 | Categories: Automation, Cyber Hygiene, Cybersecurity

Only a month ago, researchers at Trend Micro discovered malware that had targeted financial institutions in the U.S. and Canada for the better part of a year using the Windows automation scripting language AutoHotKey. Traditional attack methods are now often used as decoys to mask more sophisticated attacks that use algorithms, automation, and machine learning to wreak havoc on critical infrastructure worldwide. Most IT teams are understaffed and may have limited knowledge of how to use IT automation to counter cyber threats.

"Over half of all IT organizations are at risk of cybercrime due to a shortage of skilled cybersecurity staff and need to grow their team’s capacity by over 85% in the coming year."

Source: The (ISC)2 2020 Workforce Study

Today’s successful threat actors have adopted automation in their ongoing attempts to steal data and compromise endpoints that sit on a company’s network or IP address range.

Here are 7 ways hackers are using automation to bypass standard cybersecurity firewalls and fail-safes:

1. Code Automation for Malware Distribution

Today, hackers hide their attack path to make it difficult for incident responders to contain incidents in real time. To do this, threat actors use code automation to distribute malware across many parts of a corporate network. This bypass technique has its roots in fileless malware, which abuses trusted applications that already exist within a secure environment. With advanced automation, the distributed malware self-replicates and changes form once it is detected. This ‘cat and mouse’ posture lets an attacker exhaust the resources of an IT security team while compromising other parts of the network.

IT teams must therefore equip themselves with the tools to detect and respond to automation-enabled threats, especially those that abuse infrastructure that your corporate security controls already trust.

2. Credential Stuffing Automation

Credential stuffing uses automation to collect username and password pairs and test them against login systems to gain unauthorized access to user accounts. Credential stuffing attacks are one of the most prevalent ways hackers abuse stolen usernames and passwords.

Because of poor cyber hygiene in most organizations, social engineering compromises often end with system access credentials being stolen and sold on the dark web. Threat actors who buy these credentials are looking for a ‘low risk, high reward’ outcome, and advanced automation raises their probability of success while shortening the time it takes.

Running credential stuffing by hand is impractical because it means sorting billions of stolen usernames and passwords into correct pairs to crack otherwise protected systems. The process requires billions of iterations, which no human can perform.

To increase the probability of success while reducing the attack time, threat actors therefore use advanced automation in the form of botnets (robot networks) that can test thousands of username-password pairs in minutes. At this scale, an attacker who automates a credential stuffing attack is almost guaranteed some success. Simply put, no IT team has the resources or capabilities to fight a botnet-powered credential stuffing campaign manually; fighting automation with automation becomes critical.
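A defender’s view of the botnet-driven pattern described above, as an added example that is not part of the original article: a Python script that parses a constructed authentication log and flags both a single source trying many accounts and a single account being hit from many sources within a sliding window. The log format, addresses, and thresholds are assumptions chosen for the demo, not anything the article or a specific product defines.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example (not from the article). It assumes a constructed log format,
one event per line: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>".
Two signals are computed over a sliding window of failed logins:
  * one source IP trying many distinct accounts (a single-node spray), and
  * one account hit from many distinct IPs (a botnet spreading the attempts).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def _flag_windowed_distinct(events, group_key, distinct_key, window, threshold):
    """Return the group_key values for which the failed logins inside some span
    no longer than `window` involve at least `threshold` distinct distinct_key values."""
    groups = defaultdict(list)
    for e in events:
        if e["outcome"] == "LOGIN_FAIL":
            groups[e[group_key]].append(e)
    flagged = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        seen = Counter()  # distinct values currently inside the window
        left = 0
        for e in evs:
            seen[e[distinct_key]] += 1
            # shrink the window from the left until it spans at most `window`
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left][distinct_key]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def detect_stuffing(events, window=timedelta(minutes=5), min_users_per_ip=10, min_ips_per_user=5):
    """Both signals together: sprays from one IP and distributed attacks on one account."""
    return {
        "spraying_ips": _flag_windowed_distinct(events, "ip", "user", window, min_users_per_ip),
        "targeted_users": _flag_windowed_distinct(events, "user", "ip", window, min_ips_per_user),
    }


# Constructed sample log: normal traffic, one IP spraying twelve accounts in a minute,
# and eight botnet nodes hammering one account. All addresses are documentation ranges.
_base = datetime(2021, 2, 12, 9, 0, 0)
_lines = [
    f"{_base.isoformat()} LOGIN_OK user=alice ip=10.0.0.5",
    f"{(_base + timedelta(seconds=30)).isoformat()} LOGIN_FAIL user=bob ip=10.0.0.9",
    f"{(_base + timedelta(seconds=45)).isoformat()} LOGIN_OK user=bob ip=10.0.0.9",
]
_lines += [f"{(_base + timedelta(seconds=5 * i)).isoformat()} LOGIN_FAIL user=user{i:02d} ip=203.0.113.7"
           for i in range(12)]
_lines += [f"{(_base + timedelta(seconds=15 * i)).isoformat()} LOGIN_FAIL user=carol ip=198.51.100.{10 + i}"
           for i in range(8)]
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The per-IP signal alone is weak against a large botnet, where each node may only try one or two accounts; the per-account signal catches that distribution, and in practice both feed rate limiting or step-up authentication rather than a hard block, so that a legitimate user behind a shared address is not locked out.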

3. Brute Forcers and Checkers

Attackers deploy brute forcers and checkers that exploit data obtained in security breaches, often combined with automated credential stuffing, to carry out large-scale unauthorized login attempts. Compared with traditional brute-force techniques, brute forcers and checkers achieve far higher success in password guessing. The automated tools they use help cybercriminals steal financial and personal data, deploy session sniffers and web shells, or auction corporate data to the highest bidder on the dark web.

One popular tool used by brute forcers and checkers is called “Big Brute Forcer.” It scans websites, web servers, customer relationship management systems, and network protocols, including File Transfer Protocol (FTP), for access control weaknesses. The tool is also built for ease of use, which lets novice cybercriminals break into infrastructure and steal data.

To beat hackers at their own game, companies must therefore consider an automation-powered mechanism that ensures better password hygiene is implemented and maintained. As long as companies fail to use automation in their fight against brute forcers and checkers, hackers will keep finding that these tools offer an easy way to compromise your computing environment and steal your data.
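One automation-powered password-hygiene control of the kind this section calls for, as an added example that is not from the article: screening a candidate password against a breach corpus by SHA-1 prefix, so that only five hex characters of the hash ever leave the client and the corpus holder cannot learn the password. The corpus, its counts, and the minimum length are constructed assumptions standing in for a real breach dataset.

```python
"""Automated breached-password screening with a k-anonymity range lookup.

Added example (not from the article). The breached-password corpus below is
constructed for the demo; a real deployment would query a breach-corpus
service (or a local copy of one) by SHA-1 prefix in exactly the same way.
"""
import hashlib
from collections import Counter

# Constructed corpus standing in for a breach dataset (assumption: these are the
# only breached values; the counts are how often each appeared in breaches).
_CONSTRUCTED_BREACHED = Counter({"password": 3_861_493, "123456": 23_597_311, "Winter2021!": 42})


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form breach corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Split the digest into the 5-char prefix sent out and the 35-char suffix kept local."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def lookup_range(prefix):
    """Simulate the range endpoint: every breached suffix sharing `prefix`, with counts.
    Only the prefix leaves the client, so the service never sees the full hash."""
    result = {}
    for pw, count in _CONSTRUCTED_BREACHED.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            result[h[5:]] = count
    return result


def breach_count(password):
    """How many times the password appeared in the corpus (0 means not found)."""
    prefix, suffix = split_hash(password)
    return lookup_range(prefix).get(suffix, 0)


def evaluate_password(password, min_length=12):
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < min_length:
        failures.append("too_short")
    n = breach_count(password)
    if n:
        failures.append(f"breached:{n}")
    return failures


if __name__ == "__main__":
    for candidate in ["123456", "Winter2021!", "a long passphrase nobody leaked"]:
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Wiring this check into account creation and password changes is what turns password hygiene from a policy document into an automated control: a password that already sits in a breach corpus is exactly what the checkers in this section try first.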

4. Banking Web Injections

Banking web injections are one of the top cybersecurity threats facing the financial services industry today. Widely available attack tools on dark-web forums facilitate the automation of banking web injections by using HTML, JavaScript, or PowerShell scripts to redirect users to fake overlays and domains.

In this scenario, the attacker often tries to authenticate by rewriting new functionality into the application’s original code. This gives the attacker the ability to read and write through the code, and with it the ability to turn off network security controls. By injecting a single rogue command into an operating system or software application, an attacker can therefore remotely command and control a company’s entire network infrastructure.

Some examples of banking web injections used to manipulate and steal corporate datasets include Host header injection, Cross-site Scripting (XSS), Operating System (OS) command injection, SQL injection, and XPath injection.

5. Exploit Kits

Cybercriminals developed exploit kits to exploit vulnerabilities automatically and quietly, without being detected by IT teams. Threat actors use this stealthy formula to detect the victim’s web browser version automatically and then exploit its known vulnerabilities.

Such precise and efficient payloads (trojans, ransomware, poisoned code, and so on) are bound to damage a victim’s machine. The attack begins with reconnaissance that probes for the type of web browser running on the target’s corporate network.

Due to their highly automated and stealthy nature, exploit kits are now one of the most popular methods hackers use to distribute remote access tools (RATs) at scale. Attackers rely on exploit kits to automate the process of commandeering devices within a network. Organizations that depend only on manual threat detection are therefore highly vulnerable to the damage exploit kits cause, which often includes data wiping.

6. Loaders and Cryptors

Hackers use loaders and cryptors to hide their attack path while delivering malware, bypassing detection-oriented perimeter security controls such as antivirus and intrusion detection systems. Novice hackers who lack the skills to develop unique malware strains frequently rely on loaders and cryptors.

Downloaders are commonly delivered as Microsoft Office document macros, JavaScript, or PowerShell files attached to emails. Spam campaigns spreading ransomware have consistently attached downloaders to their emails. These campaigns trick users into running them, deploying multiple payloads to thousands of systems within minutes; one payload might be ransomware and another a keylogger.

Most organizations assume their security posture is healthy because endpoint malware detection is present on their network. However, with loaders and cryptors, hackers can comfortably evade that detection. Once hackers are inside a network, it is typically much harder to stop them from creating backdoors, rewriting application logic, transporting sensitive data to rogue servers, enrolling your systems into a botnet, or kickstarting a ransomware attack.

7. Payment Card Data Sniffers

Because of their entry-level attack requirements and the scalability that automation offers, payment card data sniffers are an IT security team’s worst nightmare, especially in the financial services and retail industries. This attack methodology is one of the main reasons industry regulators instituted the Payment Card Industry Data Security Standard (PCI DSS).

Threat actors use automated payment card data sniffers designed to detect and steal payment card data in transit from e-commerce shopping cart web interfaces and online banking portals. To do this, hackers employ automated JavaScript that scans a web interface for known payment card data points such as the expiration date, the full payment card number (including the CVV/CVC code), and the number on the card. The sensitive data is then collected and routed to a command-and-control server managed by the attacker, and finally the stolen data is used in follow-up cyberattacks or sold to criminals on the dark web.

Hackers carry out payment card data sniffing via form-jacking. This tactic works when an attacker targets online stores that use third-party applications or services with known, easily exploited vulnerabilities, such as chatbots. The attacker then uses JavaScript to alter the forms that collect customers’ payment details.
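An added example (not from the article) of a defender-side check against the form-jacking just described: a Python audit that parses a constructed checkout page, flags third-party scripts that lack a Subresource Integrity (SRI) attribute as well as inline scripts sitting next to a payment form, and shows how an SRI digest is computed and verified. The host names, page content, and script bodies are all constructed for the demo.

```python
"""Audit a checkout page for third-party scripts that could be abused for form-jacking.

Added example, not from the article. It parses a constructed checkout page,
flags external scripts served from hosts other than the shop's own that lack an
SRI `integrity` attribute, flags inline scripts, and shows how an SRI digest
is computed and verified. Host names and the HTML are constructed.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input names that suggest a payment form is present on the page.
CARD_FIELD_RE = re.compile(r"(card|pan|cvv|cvc|expir)", re.IGNORECASE)


class ScriptAuditor(HTMLParser):
    """Collect findings about <script> tags and note whether a payment form exists."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []
        self.payment_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                # Inline code cannot be pinned with SRI; only a CSP can constrain it.
                self.findings.append("inline_script")
            else:
                host = urlsplit(src).hostname  # None for relative (first-party) paths
                if host and host != self.first_party_host and not a.get("integrity"):
                    self.findings.append(f"missing_sri:{src}")
        elif tag == "input" and CARD_FIELD_RE.search(a.get("name") or ""):
            self.payment_form = True


def audit_checkout(html, first_party_host):
    """Run the auditor over a page and return what it found."""
    p = ScriptAuditor(first_party_host)
    p.feed(html)
    return {"payment_form": p.payment_form, "findings": p.findings}


def sri_digest(script_bytes):
    """The value a <script integrity="..."> attribute carries for this exact content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode("ascii")


def sri_matches(script_bytes, integrity_attr):
    """Browsers accept a resource if any token in the attribute matches its digest."""
    return any(sri_digest(script_bytes) == token for token in integrity_attr.split())


# Constructed checkout page for the demo (hosts are reserved example names).
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://cdn.chatbot.example/widget.js"></script>
<script src="https://analytics.example/a.js" integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
</head><body>
<form id="checkout" action="/pay" method="post">
  <input name="card_number"><input name="expiry"><input name="cvc">
</form>
<script>document.getElementById("checkout").addEventListener("submit", function () {});</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_CHECKOUT_HTML, "shop.example")["findings"]:
        print(finding)
```

SRI pins a script to one exact body, so a third-party widget that updates itself legitimately will stop loading until the digest is refreshed; that trade-off is the point, because a silently changed widget is precisely the form-jacking path. Pair the audit with a Content Security Policy that limits `script-src` and `form-action`, which covers the inline scripts SRI cannot.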

Using IT Automation to Fight Fire with Fire

Ultimately, the best way to control a threat is to adopt the same techniques the threat actors use. With IT automation, potential cybersecurity risks can be identified and mitigated promptly, and the repetitive manual processes required to maintain a resilient security posture disappear.

Curious about how to beat cybercriminals at their own game? Please read our guide: 5 Ways to Beat Sophisticated Threat Actors with IT Automation
