Malware-Free Intrusions: Exploitation of Built-in Pre-Authentication Services for APT Attack Vectors

Zimba, Aaron; Wang, Zhaoshun

doi:10.5815/ijcnis.2017.07.01

Cited by 7 publications

(8 citation statements)

References 3 publications

(4 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The thread seeks to establish a connection on port 445 to exploit CVE-2017-0143 if the SMB vulnerability is present on any host in the scanned IP addresses. In our use case, we infect a vulnerable host in the subnet with RDP backdoor vulnerability [27]. Based on the CVE values, we deduce = 0.430 and = 2 using the base score, where is the attack steps and the attack complexity.…”

Section: A Internal Subnetmentioning

confidence: 99%

Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures

Zimba¹,

Chishimba²

2019

IJCNIS

Self Cite

View full text Add to dashboard Cite

The devasting effects of ransomware have continued to grow over the past two decades which have seen ransomware shift from just being opportunistic attacks to carefully orchestrated attacks. Individuals and business organizations alike have continued to fall prey to ransomware where victims have been forced to pay cybercriminals even up to $1 million in a single attack whilst others have incurred losses in hundreds of millions of dollars. Clearly, ransomware is an emerging cyber threat to enterprise systems that can no longer be ignored. In this paper, we address the evolution of the ransomware and the associated paradigm shifts in attack structures narrowing down to the technical and economic impacts. We formulate an attack model applicable to cascaded network design structures common in enterprise systems. We model the security state of the ransomware attack process as transitions of a finite state machine where state transitions depict breaches of confidentiality, integrity, and availability. We propose a ransomware categorization framework that classifies the virulence of a given ransomware based on a proposed classification algorithm that is based on data deletion and file encryption attack structures. The categories that increase in severity from CAT1 to CAT5 classify the technical prowess and the overall effectiveness of potential ways of retaining the data without paying the ransom demand. We evaluate our modeling approach with a WannaCry attack use case and suggest mitigation strategies and recommend best practices based on these models.

show abstract

Section: A Internal Subnetmentioning

confidence: 99%

Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures

Zimba¹,

Chishimba²

2019

IJCNIS

Self Cite

View full text Add to dashboard Cite

show abstract

“…In light of the above, the attack scenarios of our experiments resume from the pivot nodes. Further, we use malware-free intrusions [19] as the infection vector.…”

Section: Figure 5 Illustrative Attack Graphmentioning

confidence: 99%

“…With conditions (cf. Equation 3) satisfied that actualize the pursued infection vector [19], we implant the ransomware on the targeted victim and perform dynamic analysis. For reverse engineering the ransomware code, we perform static code dissection on the binary using an interactive disassembler IDA Pro and a debugger Ollydbg.…”

Section: Figure 6 Ransomware Dynamic Analysis Test-bed Setupmentioning

confidence: 99%

Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry for Network and Information Security

2017

Self Cite

View full text Add to dashboard Cite

Encryption has protected the Internet for some time now and it has come to raise user trust on the otherwise unsecure Internet. However, recent years have seen the use of robust encryption as stepping stone for cyber-criminal activities. Ransomware has not escaped the headlines even as it has attacked almost every sector of the society using a myriad of infection vectors. Mission critical data has been held to ransom and victims have had to part away with millions of dollars. The advent of the anonymous Bitcoin network has made matters worse where it’s been virtually infeasible to trace the perpetrators. In this paper, we endeavor to perform dynamic analysis of WannaCry ransomware samples based on malwarefree infection vectors. Further, we perform reverse-engineering to dissect the ransomware code for further analysis. Results show that despite the use of resilient encryption, the ransomware like other families in the wild uses the same attack structure and cryptographic primitives. Our analysis leads us to the conclusion that this ransomware strain isn't as complex as previously reported. This detailed practical analysis tries to raise awareness to the business community on the realities and importance of IT security whilst hinting on prevention, recovery and the limitations thereof.

show abstract

“…We assume all necessary preconditions for establishing a DNS tunnel have been implemented on the target host via a malware-free intrusion. In this model, we use a malware-free intrusion from our previous work [9] as an infection vector to implant an agent for facilitating a DNS tunnel.…”

Section: Figure 2 Illustrative Attack Graphmentioning

confidence: 99%

“…The attacker has a public IP address whereas the clients have private IP addresses from the local area network (LAN). We use Dnscat2 [10] for tunnel establishment on the serverside and we implant the client agent on the victim (client-side) using malware-free intrusion [9]. The attacker gains entry to the network, equivalent to accessing any of the entry nodes { 0 , 1 , 2 , … , + } in the attack model, using a cabled Ethernet connection with a public IP address.…”

Section: Figure 3 Dns Tunneling Experiments Setupmentioning

confidence: 99%

Exploitation of DNS Tunneling for Optimization of Data Exfiltration in Malware-free APT Intrusions

Zimba

Chishimba

2017

zictjournal

Self Cite

View full text Add to dashboard Cite

One of the main goals of targeted attacks include data exfiltration. Attackers penetrate systems using various forms of attack vectors but the hurdle comes in exfiltrating the data. APT attackers even reside in a host for long periods of time whilst seeking the best option to exfiltrate data. Most data exfiltration techniques are prone to detection by intrusion detection system. Therefore, data exfiltration methodologies that generate little noise if any at all are attractive to attackers and can go undetected for long periods owing the low threshold of generated noise in form network traffic and system calls. In this paper, we present malware-free intrusion, an attack methodology which does not explicitly use malware to exfiltrate data. Our attack structure exploits the use of system services and resources not limited to RDP, PowerShell, Windows accessibility backdoor and DNS tunneling. Results show that it’s possible to exfiltrate data from vulnerable hosts using malwarefree intrusion as an infection vector and DNS tunneling as a data exfiltration technique. We test the attack on both Windows and Linux system over different networks. Mitigation techniques are suggested based on traffic analysis captured from the established secure DNS tunnels on the network.

show abstract

Malware-Free Intrusions: Exploitation of Built-in Pre-Authentication Services for APT Attack Vectors

Cited by 7 publications

References 3 publications

Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures

Understanding the Evolution of Ransomware: Paradigm Shifts in Attack Structures

Demystifying Ransomware Attacks: Reverse Engineering and Dynamic Malware Analysis of WannaCry for Network and Information Security

Exploitation of DNS Tunneling for Optimization of Data Exfiltration in Malware-free APT Intrusions

Contact Info

Product

Resources

About