The threat landscape of 2019 was dominated with worm-like activity, researchers report in a new analysis of confirmed threats from the past year. Attackers are growing more focused on lateral movement, with an emphasis on using remote administration network tools to execute it.
Red Canary’s “2020 Threat Detection Report” contains an analysis of 15,000 confirmed threats to appear in customer environments throughout 2019. Researchers used the equivalent MITRE ATT&CK data to determine which attack techniques were most prevalent over the past year. Their findings illustrate which methods are most common and how attackers are using them.
The popularity of automated lateral movement is largely driven by TrickBot, the data-stealing Trojan that contributed to thousands of detections. TrickBot, combined with the use of remote admin and network management tools, is not fully responsible for the frequency of common attack techniques, but the three play a major role in why cybercriminals choose specific tactics.
TrickBot is typically seen as part of a string of infections that starts with the Emotet Trojan and ends in a Ryuk ransomware infection. Emotet lands on a device and loads TrickBot, which steals credentials from infected devices as it moves laterally across a network. When TrickBot is done, it launches Ryuk, which encrypts the infected machines on a network and demands a ransom.
“Overwhelmingly, ransomware was the trend in 2019 in terms of payloads and what adversaries set out to do,” says Keith McCammon, co-founder and chief security officer at Red Canary, of a general pattern the research team noticed in analyzing the data. Another prominent trend is threats to confidentiality: Attackers will lock up target systems and demand money to return system access — or they threaten to publish the company’s data online.
“If someone takes system access away, you might not have great options for getting that access back, but you have some options,” says McCammon. This shift is “a different calculus” because organizations may not know what the adversary has. Without that insight, “you kind of have to assume the worst.” For many organizations, this data dump could pose an existential threat.
The most common attack technique researchers list is process injection, which TrickBot uses to run malicious code through Windows Server Host. Why isn’t an Emotet technique, used to land on a machine, more popular? As researchers explain in a blog post, a growing portion of their visibility comes from incident response, much of which brought them into environments where Emotet had completed its actions and TrickBot had arrived on a number of devices. As a result, they couldn’t detect initial access or early-stage payloads, only the threats left behind.
Many of the companies Red Canary worked with in incident response were “really large, well-established organizations with a high percentage of systems impacted,” says McCammon, noting this can be attributed to tactics, automation, and refinement that enable attackers to get into a complex enterprise and infect several systems at the same time. “We saw more big companies hit with very, very impactful attacks than we’ve seen before.”
Process injection, which makes up 17% of all threats analyzed, affects 35% of organizations and appeared in 2,734 confirmed threats in 2019, the researchers report. It was the top attack technique from 2018 into 2019 due to the widespread TrickBot and Emotet outbreaks that occurred throughout the same time frame. Using this method, attackers can conduct malicious activity in the context of a legitimate process, so they blend in.
The second-most-popular attack technique is scheduled task, which, like process injection, is seen in worm-like and TrickBot activity. This tactic, which schedules tasks to launch malicious binaries and persist on target devices, affects 33% of businesses and makes up 13% of threats overall. It’s handy for attackers because it allows them to schedule tasks remotely; it’s also useful for execution and persistence alongside common scripting languages such as PowerShell.
Tying with scheduled task is Windows Admin Shares, a technique that also made up 13% of total threats and affected 28% of organizations in 2019. This enables worm-like activity and falls under the category of remote/network admin tools. Self-propagating threats — in particular, those that used EternalBlue — drove Windows Admin Shares from the 10th-most-popular threat in 2018 to third place in 2019. Administrators often use them for remote host management, giving attackers a subtle means to move laterally throughout an environment.
Eight of the top 10 attack techniques involve features of a platform being misused, McCammon says. They’re not standout strategies that would normally put teams on alert.
“The [techniques] I think we are definitely starting to see more of, and will continue to see escalate and refined, are going to be a lot of the lateral movement techniques … almost entirely the ones that depend on living off the land,” says McCammon, listing PowerShell and WMI as examples. Attackers are “using the features of these platforms that businesses rely on to operate their network and can’t just turn off.” As it gets harder to put malware onto a system, the adversaries are getting better at using tools that are already there, he explains.