Only a month ago, researchers at TrendMicro described malware that had been targeting financial institutions in the U.S. and Canada for much of the year, built on AutoHotKey, a Windows automation scripting language. Traditional attack methods are now often decoys that mask more sophisticated, automated campaigns against critical infrastructure worldwide. Most IT teams are understaffed and may have limited knowledge of how to use IT automation against threats that are themselves automated.
Over half of all IT organizations are at risk of cybercrime due to a shortage of skilled cybersecurity staff and need to grow their team’s capacity by over 85% in the coming year.
– The (ISC)2 2020 Workforce Study
Today’s threat actors have adopted automation in their efforts to steal data and compromise endpoints on corporate networks and IP address ranges.
Here are 7 ways hackers are using automation to bypass standard security controls and fail-safes:
1. Code Automation for Malware Distribution
Today, hackers hide their attack path to make it harder for incident responders to contain an intrusion while it is under way. To do this, threat actors use scripted tooling to distribute malware across many parts of a corporate network at once. The technique traces back to fileless malware, which abuses trusted applications already present in a secure environment (so-called living off the land). With automation, the distributed malware spreads on its own and changes form as soon as a sample is detected, so responders chase variants while the attacker compromises other portions of the network.
Therefore, IT teams must equip themselves with tools that detect and respond to automation-enabled threats, especially those that abuse infrastructure and applications your corporate security controls already trust.
2. Credential Stuffing Automation
Credential stuffing is the automated replay of username and password pairs leaked in earlier breaches against the login forms of other services, relying on the fact that many people reuse passwords. It is one of the most prevalent ways attackers abuse stolen usernames and passwords.
Because of poor cyber hygiene in many organizations, social engineering and breaches routinely yield credentials that end up for sale on the dark web. Threat actors who buy them are after a ‘low risk and high reward’ outcome, and automation lets them reach it much faster.
Doing this by hand would be hopeless: leaked combo lists run to billions of pairs, and each pair has to be tried against each target. That is billions of login attempts, far beyond what a human could perform.
Therefore, to raise the odds of success while shortening the attack, threat actors run the lists through botnets (robotic networks) that can test thousands of username-password pairs per minute, spreading the attempts across many source addresses so that per-IP rate limits do not trigger. Even a hit rate well under one percent yields thousands of compromised accounts against a large list. Simply put, no IT team has the resources to keep up with a botnet-powered credential stuffing campaign manually. In such cases, fighting automation with automation becomes critical.
3. Brute Forcers and Checkers
Attackers deploy brute forcers and account checkers that feed on data obtained in earlier breaches, often alongside credential stuffing, to mount large-scale unauthorized login attempts. Because they start from real leaked passwords rather than guessing blindly, checkers succeed far more often than classic brute force. The accounts they open are used to steal financial and personal data, plant session sniffers and web shells, or auction corporate data to the highest bidder on the dark web.
One popular tool in this category is called “Big Brute Forcer.” It scans websites, web servers, customer relationship management systems, and network protocols, including File Transfer Protocol (FTP), for weak access controls. The tool is also built for ease of use, so that novice cybercriminals can run intrusion and data theft campaigns with it.
Therefore, to beat hackers at their own game, companies must consider automated mechanisms that enforce and maintain better password hygiene: screening new passwords against breach corpora, rate-limiting and monitoring login traffic, and requiring multi-factor authentication. As long as companies fail to use automation against brute forcers and checkers, these tools will remain an easy way to compromise your computing environment and steal your data.
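Both section 2 (credential stuffing) and section 3 (brute forcers and checkers) leave the same trace in a login log: one address walking through many usernames with almost no successes, or one account hit from many addresses. The detector below is an added example, not code from the original article; the log format (`timestamp source_ip username OK|FAIL`), the sample lines and the thresholds are constructed for illustration and should be tuned to your own authentication logs.

```python
"""Flag credential-stuffing and account-checker traffic in web login logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks a combo list (many usernames, almost all failures);
# 192.0.2.x is a small botnet hammering one account; 198.51.100.4 is a
# legitimate user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:02 203.0.113.7 carol FAIL
2024-03-01T10:00:03 203.0.113.7 dave OK
2024-03-01T10:00:03 203.0.113.7 erin FAIL
2024-03-01T10:00:04 203.0.113.7 frank FAIL
2024-03-01T10:00:05 203.0.113.7 grace FAIL
2024-03-01T10:00:05 203.0.113.7 heidi FAIL
2024-03-01T10:00:06 203.0.113.7 ivan FAIL
2024-03-01T10:00:07 203.0.113.7 judy FAIL
2024-03-01T10:00:08 203.0.113.7 mallory FAIL
2024-03-01T10:00:09 203.0.113.7 niaj FAIL
2024-03-01T10:01:00 198.51.100.4 alice FAIL
2024-03-01T10:02:30 198.51.100.4 alice OK
2024-03-01T10:05:00 192.0.2.10 victim FAIL
2024-03-01T10:05:01 192.0.2.11 victim FAIL
2024-03-01T10:05:02 192.0.2.12 victim FAIL
2024-03-01T10:05:03 192.0.2.13 victim FAIL
2024-03-01T10:05:04 192.0.2.14 victim FAIL
2024-03-01T10:05:05 192.0.2.15 victim FAIL
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MIN_USERS_PER_IP = 10           # distinct usernames tried from one address
MIN_IPS_PER_USER = 5            # distinct addresses hitting one account
MAX_SUCCESS_RATIO = 0.2         # combo lists mostly fail; real users mostly succeed


def parse_log(text):
    """Return events sorted by time as (timestamp, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def _sliding(events, window):
    """For each event, yield the events within `window` ending at it."""
    start = 0
    for end, ev in enumerate(events):
        while ev[0] - events[start][0] > window:
            start += 1
        yield events[start:end + 1]


def detect_stuffing_sources(events, window=WINDOW):
    """Addresses trying many distinct usernames with a low success ratio."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for win in _sliding(evs, window):
            users = {e[2] for e in win}
            ok = sum(1 for e in win if e[3])
            if len(users) >= MIN_USERS_PER_IP and ok / len(win) <= MAX_SUCCESS_RATIO:
                flagged[ip] = {"attempts": len(win), "users": len(users), "successes": ok}
                break  # one hit per address is enough to raise an alert
    return flagged


def detect_targeted_accounts(events, window=WINDOW):
    """Accounts attacked from many distinct addresses (distributed checker)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for win in _sliding(evs, window):
            ips = {e[1] for e in win}
            if len(ips) >= MIN_IPS_PER_USER:
                flagged[user] = {"attempts": len(win), "ips": len(ips)}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing_sources(evs))
    print("targeted accounts:", detect_targeted_accounts(evs))
```

The per-address rule catches a single checker; the per-account rule catches the botnet case the text describes, where each address stays under any per-IP limit. Both rules need to run together, and the alert should feed an automated response (step-up authentication, temporary lockout, WAF block) rather than a ticket.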
4. Banking Web Injections
A banking web inject does not attack the bank’s servers at all. Malware already running on the victim’s machine, typically a banking trojan, hooks the browser and, when the user opens a targeted banking site, rewrites the page in transit: it inserts extra form fields that ask for card numbers, PINs or one-time codes, hides fraudulent transfers from the balance view, or changes the destination account of a transfer the user is making. Because the inject scripts live in a downloadable configuration, one crew can automate the same fraud across hundreds of banks and update the templates whenever a bank changes its pages.
Other injection attacks that attackers also automate, but which target the application’s server side rather than the victim’s browser, include Host header injection, Cross-site Scripting (XSS), operating system (OS) command injection, SQL injection and XPath injection.
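To make the browser-side mechanism concrete, here is an added example (not code from the article) that applies a constructed inject rule to a constructed login page and then runs the check a bank’s fraud team can run against DOM telemetry: which form fields are present that the server never sent. The rule format is modelled on the set_url / data_before / data_after / data_inject blocks that banking-trojan webinject configs use; the exact replacement semantics, the page and the domain are assumptions for this example.

```python
"""Apply a banking-trojan-style web inject to a page, then catch it."""
import re
from html.parser import HTMLParser

# Constructed login page as the bank serves it.
SERVED_PAGE = """<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Sign in</button>
</form>"""

# Constructed inject rule, modelled on the set_url / data_before /
# data_after / data_inject blocks of banking-trojan webinject configs.
# "GP" is the request-method flag (GET/POST); it is parsed but not used here.
INJECT_RULE = """set_url https://bank.example/login* GP
data_before
name="password">
data_end
data_after
<button
data_end
data_inject
  <label>Confirm your ATM PIN</label><input type="password" name="atm_pin">
data_end"""


def parse_rule(text):
    """Parse one rule into its set_url target and the three data blocks."""
    rule = {"set_url": None, "flags": "", "data_before": "", "data_after": "", "data_inject": ""}
    section, buf = None, []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split()
            rule["set_url"] = parts[1]
            rule["flags"] = parts[2] if len(parts) > 2 else ""
        elif line in ("data_before", "data_after", "data_inject"):
            section, buf = line, []
        elif line == "data_end":
            rule[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rule


def _wild(pattern):
    """Turn a '*' wildcard pattern into a non-greedy regex."""
    return ".*?".join(re.escape(p) for p in pattern.split("*"))


def url_matches(rule, url):
    return re.fullmatch(_wild(rule["set_url"]), url) is not None


def apply_inject(rule, url, html):
    """The trojan's job: rewrite matching pages before the browser renders them.

    Assumed semantics: data_inject replaces whatever lies between the
    data_before and data_after anchors; with an empty data_after it is
    appended right after data_before."""
    if not url_matches(rule, url):
        return html
    before = re.search(_wild(rule["data_before"]), html, re.S)
    if before is None:
        return html
    start = before.end()
    end = start
    if rule["data_after"]:
        after = re.search(_wild(rule["data_after"]), html[start:], re.S)
        if after is None:
            return html
        end = start + after.start()
    return html[:start] + "\n" + rule["data_inject"] + "\n" + html[end:]


class _FieldNames(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            self.names.update(v for k, v in attrs if k == "name" and v)


def field_names(html):
    parser = _FieldNames()
    parser.feed(html)
    return parser.names


def unexpected_fields(rendered_html, served_html):
    """Defender's check: fields in the browser's DOM that the server never sent."""
    return field_names(rendered_html) - field_names(served_html)
```

Because the rewrite happens inside the victim’s browser, TLS and server-side input validation see nothing wrong; the signal is the difference between the form the bank served and the form the user actually filled in, which is why banks ship client-side DOM integrity telemetry and treat unexpected fields such as `atm_pin` as an indicator of an infected customer.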
5. Exploit Kits
Cybercriminals built exploit kits to exploit vulnerabilities automatically and quietly, without the victim’s IT team noticing. A kit’s landing page fingerprints the visiting web browser and its plugins, compares the versions against the exploits it carries, and serves a matching exploit only when it finds one.
The payloads these kits deliver (trojans, ransomware, other malicious code) are chosen to fit the victim’s machine, so they are very likely to succeed. This is possible because the kit first performs reconnaissance, probing the browser and plugin versions of visitors who reach it, usually through a compromised website or a malicious advertisement.
Because they are automated and stealthy, exploit kits became one of the most popular methods hackers use to distribute remote access tools (RATs) at scale. The end goal is to automate the takeover of devices inside a network. Organizations that depend only on manual threat detection, and on users to keep their own browsers patched, are therefore very exposed to the damage that follows, which can extend to ransomware and destruction of data.
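The version gate is the part of an exploit kit worth understanding, because the same logic, run over your own proxy logs, tells you which hosts a kit would target. The block below is an added example, not code from the article or from any real kit: the User-Agent patterns are real browser tokens, but the target version ranges in `GATE_TABLE`, the sample proxy lines and the host names are constructed placeholders and do not correspond to any actual vulnerability.

```python
"""Exploit-kit gate: fingerprint the browser and serve the exploit only to
versions the kit can hit; then the same logic turned around for defence."""
import re

# Order matters: a Chromium-based Edge UA also contains "Chrome/", so the
# more specific token is checked first.
UA_PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+)\.(\d+)")),
    ("Edge", re.compile(r"Edg/(\d+)\.(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)\.(\d+)")),
]

# Hypothetical kit table: exploit served when low <= version < high.
# The ranges are placeholders, not real vulnerable versions.
GATE_TABLE = {
    "Firefox": ((40, 0), (55, 0)),
    "Chrome": ((60, 0), (70, 0)),
}


def fingerprint(user_agent):
    """Return (browser, (major, minor)) or (None, None) for unknown clients."""
    for name, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            return name, (int(m.group(1)), int(m.group(2)))
    return None, None


def kit_decision(user_agent, table=GATE_TABLE):
    """'exploit' when the visitor's browser falls in a targeted range, else 'decoy'."""
    browser, version = fingerprint(user_agent)
    if browser not in table:
        return "decoy"  # unknown or untargeted browser: serve harmless content, stay quiet
    low, high = table[browser]
    return "exploit" if low <= version < high else "decoy"


# Constructed proxy log lines: "<internal host> <User-Agent>".
SAMPLE_PROXY_LOG = [
    "10.0.0.5 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0",
    "10.0.0.6 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Edg/65.0.1",
    "10.0.0.7 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
    "10.0.0.8 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
]


def exposed_hosts(log_lines, table=GATE_TABLE):
    """Defender's view: hosts whose browser a kit with this table would exploit."""
    hits = []
    for line in log_lines:
        host, ua = line.split(" ", 1)
        if kit_decision(ua, table) == "exploit":
            hits.append(host)
    return hits


if __name__ == "__main__":
    for line in SAMPLE_PROXY_LOG:
        host, ua = line.split(" ", 1)
        print(host, fingerprint(ua), kit_decision(ua))
    print("exposed:", exposed_hosts(SAMPLE_PROXY_LOG))
```

Two things the example shows that the text does not: the kit stays silent for anything it cannot hit (the `decoy` branch is what makes kits hard to observe from a patched analyst box), and fingerprinting is order-sensitive, so a defender’s inventory script that matches `Chrome/` before `Edg/` will misclassify every Edge user.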
6. Loaders and Cryptors
Hackers use loaders and cryptors to hide their attack path while delivering malware, bypassing detective controls such as antivirus and intrusion detection systems. A cryptor encrypts or obfuscates a known payload so that signature-based scanners no longer recognize it; a loader is the small stub that decrypts the payload in memory at run time and executes it. Novice hackers who lack the skills to develop unique malware strains rely on them heavily, since a fresh crypt of an old sample looks new to a scanner.
Most organizations assume that their security posture is healthy because endpoint malware detection is deployed on their network. With loaders and cryptors, however, hackers can still evade any detection that relies on file signatures; catching them requires behavioural detection or memory scanning at the moment the loader decrypts its payload. Unfortunately, once hackers are inside a network, it is much harder to prevent them from creating backdoors, rewriting application logic, sending sensitive data to rogue servers, enrolling your systems in a botnet, or kick-starting a ransomware attack.
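The following added example (not code from the article) shows the whole cycle in miniature: a constructed script that matches three constructed signatures, a toy cryptor that hides it from a signature scan, the entropy heuristic a scanner can still apply to the blob, and the loader step where memory scanning sees the plaintext again. The seeded-PRNG XOR stream stands in for the packers real loaders use and is not a real cipher.

```python
"""Why a crypted payload slips past a signature scan, and where it can still be caught."""
import math
import random

# Constructed stand-in for a dropped script (real loaders carry a PE or
# shellcode). Repeated so the sample is long enough for an entropy estimate.
PAYLOAD = b"""@echo off
rem constructed stand-in, not a real sample
cmd.exe /c whoami /all > %TEMP%\\recon.txt
cmd.exe /c net group "Domain Admins" /domain >> %TEMP%\\recon.txt
powershell -enc PLACEHOLDER_BASE64_BLOB
vssadmin delete shadows /all /quiet
""" * 4

# Constructed signature list of the kind a file scanner would carry.
SIGNATURES = [b"cmd.exe /c", b"powershell -enc", b"vssadmin delete shadows"]
SEED = 0xC0FFEE  # the 'key' the loader stub carries alongside the blob


def keystream(seed, n):
    """Deterministic byte stream from a seeded PRNG. Toy only; not a real cipher."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def crypt(data, seed):
    """The cryptor (and, because XOR is symmetric, the loader's decrypt step)."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def signature_hits(blob, signatures=SIGNATURES):
    """What a signature scanner sees: the list of matching byte patterns."""
    return [s for s in signatures if s in blob]


def shannon_entropy(blob):
    """Bits per byte; plain scripts sit around 4-5, encrypted data near 8."""
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(blob, threshold=7.0):
    """Heuristic a scanner can apply to an unrecognised blob (threshold is assumed)."""
    return shannon_entropy(blob) >= threshold


def loader_run(crypted, seed, execute):
    """Loader stub: decrypt in memory, then hand off. `execute` stands in for
    the point where a memory scan or behavioural sensor sees the plaintext."""
    return execute(crypt(crypted, seed))


if __name__ == "__main__":
    blob = crypt(PAYLOAD, SEED)
    print("on disk, plaintext:", signature_hits(PAYLOAD))
    print("on disk, crypted:  ", signature_hits(blob), "entropy %.2f" % shannon_entropy(blob))
    print("in memory at run:  ", loader_run(blob, SEED, signature_hits))
```

The crypted blob matches nothing, which is the evasion the text describes; but its entropy gives it away as packed, and the instant the loader decrypts it the original signatures match again. That is why endpoint tooling worth the name scans memory and watches behaviour rather than trusting file signatures alone.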
7. Payment Card Data Sniffers
Because they are easy to deploy and scale well with automation, payment card data sniffers (skimming code planted on checkout pages or in point-of-sale systems that copies card data as it is entered) are an IT security team’s worst nightmare, especially in the financial services and retail industries. This attack methodology is one of the significant reasons the payment card brands instituted the Payment Card Industry Data Security Standard (PCI DSS).
Using IT Automation to Fight Fire with Fire
Ultimately, the best way to counter a threat is to adopt the same techniques the threat actors use. With IT automation, potential cybersecurity risks can be identified and mitigated promptly, and the repetitive manual work otherwise needed to maintain a resilient security posture goes away.
Curious about how to beat cybercriminals at their own game? Please read our guide: 5 Ways to Beat Sophisticated Threat Actors with IT Automation