Attack Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/attack/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

PoolParty Injection Techniques Circumvent EDR Solutions
https://gridinsoft.com/blogs/poolparty-injection-techniques/
Mon, 11 Dec 2023 14:37:33 +0000

A set of process injection techniques, named PoolParty, was presented at the Black Hat Europe 2023 conference. The set of 8 tricks allows running arbitrary malicious code and circumvents the protection of top-notch EDR solutions.

PoolParty Process Injection Exploits Windows Mechanisms

The initial presentation of the techniques, along with further analysis, reveals a chain of simple yet ingenious tricks. As the name suggests, PoolParty plays with the Windows thread pool. It is an internal mechanism that orchestrates the execution of system functions during the application runtime. Let’s dig into the details a little bit.

There is an object in Windows called a “worker factory” – an object responsible for managing the number of worker threads. The latter, as I’ve said above, are used to execute the system functions that programs need in order to operate. Each process running in the system eventually gets its own worker factory, with the set of worker threads needed to run it.

The system itself offers the ability to dump the information of a chosen worker factory, including the start routine value. It is possible to simply substitute this value with the one needed to run the malware, for example a malicious shellcode. Through the same worker factory calls, it is possible to speed up the process by initiating the start routine execution on demand rather than waiting for the system to run it.

(Image: WorkerFactory StartupRoutine call)

Thread Pool Attacks

Another side of the attack targets not the workers and worker factories, but the thread pool queues. Those are, essentially, queues of tasks the system should perform; a to-do list for the workers, one may say. By playing with specific properties of the work item types, it is possible to feed a malicious task into the task list for the workers.

(Image: Work Items in Windows)

As there are separate types of queue for regular, timer and asynchronous jobs, developers can fine-tune the execution flow of a program. Or, in the case of malicious exploitation, the fine-tuning is applied to malware execution. Depending on the type of job, the way of injection differs, being the most complicated for timer jobs. Nonetheless, all three types of jobs remain an attack surface – and there is not much EDR solutions can do about it.

Are PoolParty Injects Dangerous?

Indeed, they are. Process injection is the bread and butter of pretty much every malware launching procedure. A malicious program in the form of an executable file is nowadays a rare sight: they mostly come as DLLs or portable executable files. But until now, all the techniques used to launch such malware had been researched down to the last detail. Hollowing, duplicating, thread hijacking – we know not only their mechanism, but also the ways to counteract them.

The latter, however, is not the story with the PoolParty injection methods. This vile eight has been researched, yet is successfully ignored even by top-rated EDR solutions. And those are the security solutions meant to protect enterprises and have the greatest protective capabilities, let alone the effectiveness of user-oriented antivirus programs.

Hence, it is extremely important to follow preventive techniques against malware injection. Giving malware zero chance to even appear in your system means it cannot perform tricks like PoolParty. Among such techniques are effective network protection, content disarming utilities, firewalls, and email protection solutions. Security essentials like privilege limitation and access control will work as well. Even with a way to detect such threats, it is best to avoid their appearance in the first place.

The post PoolParty Injection Techniques Circumvent EDR Solutions appeared first on Gridinsoft Blog.

How Can Companies Be Secure Against Cyberattacks?
https://gridinsoft.com/blogs/companies-secure-against-cyberattacks/
Thu, 22 Jun 2023 13:03:29 +0000

Organizations face an alarming reality in the digital world: data breaches and cyberattacks are becoming more frequent. Cybercriminals find more opportunities to exploit vulnerabilities as reliance on technology grows and more personal information is collected and stored. One of the primary methods that bad actors use to scam companies is social engineering attacks. Let’s look at the crucial access vectors, the reasons companies remain vulnerable, and ways to counteract that.

Key vectors of cyberattacks

There are dozens of known ways to attack an organization. Among them, however, four stand out as the most prevalent, at least in the modern environment:

Social Engineering

Cybercriminals use psychological tactics to manipulate employees and gain access to sensitive information. They often pretend to be trustworthy figures and communicate through phone calls or emails to obtain valuable information.
Hackers aim to acquire confidential data, carry out fraudulent activities, or take unauthorized control of computer networks or systems. To appear authentic, they often contextualize their messages or impersonate recognizable individuals. Social engineering takes several forms: phishing, vishing, baiting, malware, and pretexting.

SQL Injection

Cybercriminals can exploit vulnerabilities in a company’s website or application by injecting malicious SQL code. This enables them to manipulate the backend database and gain unauthorized access to confidential information.

(Image: Main types of SQL injection)

SQL injection can be used in various ways, and each can lead to significant issues. An attacker can use SQL injection to bypass authentication, gain access to databases, and alter or delete their contents. Additionally, SQL injection can even be used to execute commands in the operating system. That enables the attacker to cause even more extensive damage, even if the network is behind a firewall. Generally, SQL injection can be categorized into three main types – In-band SQLi, Inferential SQLi, and Out-of-band SQLi.

Insider Threats

Sometimes, cybercriminals team up with insiders or take advantage of unhappy employees who can access company data. These individuals might deliberately share or steal confidential information for their own benefit or to sell on the dark web.
Internal threats are distinct from external ones because they can operate without detection. They can integrate themselves into the daily workings of the organization, and their actions may remain unnoticed for an extended period. Furthermore, they can perform their tasks without setting off the standard security protocols. This makes it hard to recognize and counteract internal threats. To overcome this difficulty, organizations need a comprehensive understanding of human behavior, proactive monitoring systems, and a security-conscious mindset.

(Image: Most common types of insider threats)

Vulnerability exploitation

Once attackers discover a vulnerability, they can create new methods or use existing ones to exploit the weakness. They may execute code, bypass access controls, gain higher privileges, launch denial-of-service attacks, or remotely take over the targeted system.
Taking advantage of vulnerabilities can lead to severe outcomes, including unauthorized access to data; theft, modification, or destruction of sensitive information; disruption of services; unauthorized account access; or the installation of malware or backdoors for continuous access.

Why do hackers attack companies?

  • Financial gain is a significant motivation for hackers who steal sensitive information like credit card details, bank account credentials, or customer data to sell on the dark web or use for fraudulent activities. They use ransomware to encrypt a company’s critical data, demanding a ransom for access and threatening to delete or release the data if the victim doesn’t pay.
  • One of the primary reasons is to steal intellectual property. Hackers may target a company’s valuable intellectual property, such as trade secrets, patents, or proprietary technology, for theft. Intellectual property theft enables the perpetrator to acquire a competitive edge or trade it to rival entities for financial gain.
  • Political motivation has been prevalent recently. This is often referred to as "Hacktivism". Hacktivists may oppose groups whose ideologies do not coincide with their own. Some state-sponsored actors conduct devastating cyber attacks and claim that their cyber espionage activities are legitimate activities on behalf of the state.
  • Some hackers are motivated by anger and feelings of revenge. They use their skills to directly affect a person, group, or company without fear of repercussions. Unauthorized sharing or distributing private explicit images or videos to cause distress to the person depicted is considered a criminal act. Despite this, cybercriminals continue to blackmail or take revenge on their victims.

Depending on the hackers’ goals, they can conduct various activities, such as encrypting data and extortion, installing a back door for later access, disrupting systems, or even destroying data.

Biggest cyberattacks of recent time

It is not uncommon for an attack to follow the pattern of a previous one; in fact, it happens frequently. Here are some examples of significant attacks:

  • In 2015, a Lithuanian national perpetrated the most significant social engineering attack against two of the world’s biggest companies, Google and Facebook. He cheated these companies out of over $100 million.
  • Acer, the large technology company, was hit twice in one week by the same hacker. Acer confirmed a security breach but reassured that only employee data in Taiwan was affected by the hacks.
(Image: Post on BreachForums that offers to buy the leaked Acer information.)
  • Following the attack on MailChimp, there were subsequent cyberattacks, including one on DigitalOcean, a cloud service provider and MailChimp customer. Due to the attack, DigitalOcean experienced communication issues with its customers for a few days and had to ask them to reset their passwords.

Recoveries after an attack often lead to new episodes.

When internal tools become vulnerable and allow for customer data theft, cybercriminals are incentivized to target them. This means the next attack will likely exploit the same vulnerabilities as the previous one. When a cyber incident is made public, the countdown to a copycat attack begins.

Follow-up cyberattacks will first reuse the methods of the initial attack. And sometimes, simple password changes are not enough to keep companies safe from sophisticated attacks.

How can companies prevent impending attacks?

Companies must prioritize protection against cyberattacks, especially attacks of the kind they have already suffered. After a significant cyberattack, the appropriate response is to reset the organization’s cybersecurity approach and posture completely. Following a powerful attack, every organization must reflect on its actions and decisions.

  1. The organizational chart must change by hiring senior-level security specialists like a CISO, rearranging reporting structures, or adding cybersecurity experts to the board of directors.
  2. You must entirely revamp your employee cybersecurity training to ensure better security measures.
  3. By adopting Zero Trust principles, the security posture can be completely transformed.
  4. Regularly update the systems. It is essential to regularly update your operating systems, software, and applications with the latest security patches and updates to fix known vulnerabilities.
  5. Enforce strict access controls, including strong passwords, multi-factor authentication (MFA), and role-based access control (RBAC), to limit unauthorized access to sensitive data and systems.
  6. Perform regular backups of critical data and ensure that backups are stored securely offline to mitigate the impact of potential ransomware attacks or data breaches.

By adopting robust security strategies, embracing the Zero Trust model, regularly updating and patching systems, providing comprehensive security awareness training, implementing strong access controls, employing network segmentation, using advanced threat detection tools, regularly backing up data, conducting security assessments, and leveraging third-party security services, companies can significantly reduce their vulnerability to cyberattacks.

Organizations must prioritize cybersecurity and continuously adapt their defenses to stay ahead of evolving threats. By doing so, they can safeguard their assets, protect personal data, and keep the trust of their stakeholders in an increasingly digital and interconnected world.

The post How Can Companies Be Secure Against Cyberattacks? appeared first on Gridinsoft Blog.

RDP Honeypot Was Attacked 3.5 Million Times
https://gridinsoft.com/blogs/rdp-honeypot-attacked-3-5-million-time/
Wed, 14 Jun 2023 11:41:47 +0000

With increased remote work, IT teams use remote access tools to manage company devices and ensure smooth operations. Remote desktop connections are highly attractive to hackers, with an average of over 37,000 attempts from multiple IP addresses daily. These attacks are typically automated, but once the hackers gain access credentials, they manually search for critical or sensitive files. One such tool is Remote Desktop Protocol (RDP), a Microsoft protocol that allows administrators to access desktop computers. However, because it gives full control to the user, it can also be a point of vulnerability for potential security threats. This is why it is so widely used for target emulation, in other words, for creating RDP honeypots.

What is Remote Desktop Protocol (RDP)?

Remote Desktop Protocol (RDP) is a technical standard that enables remote use of desktop computers. Among the protocols available for remote desktop software, RDP, Independent Computing Architecture (ICA), and Virtual Network Computing (VNC) are the most commonly used. Microsoft initially released RDP, which is compatible with most Windows operating systems, but it can also be used with Mac operating systems.

What is a Honeypot?

A honeypot is a system set up at the endpoint to monitor incoming connections and application activities. It mimics the original endpoint to detect potential malicious activities and enable security systems and experts to take countermeasures. Examples of honeypots include internal servers, network computers, and website servers that can attract cybercriminals.

(Image: Scheme of a honeypot)

The purpose of a honeypot is to divert and distract attackers away from actual critical systems while providing valuable insights into their behavior, techniques, and motives. Organizations can enhance their security by examining the tactics, techniques, and procedures (TTPs) used by attackers, which helps them recognize potential threats. As you may suppose from the name, an RDP honeypot is one that resembles a normal connection through the Remote Desktop Protocol.

Hackers’ Attacks on RDP Honeypot

Through an experiment using high-interaction honeypots with an RDP connection accessible from the public web, GoSecure, a threat hunting and response company with headquarters in the U.S. and Canada, discovered that attackers operate on a daily schedule, much like office working hours. Over three months, the researchers recorded nearly 3.5 million login attempts to their RDP honeypot system, highlighting the relentless nature of these attackers.

What do the experts say?

The researchers report that the honeypots are directly linked to a research program to expose criminals’ strategies, which could help prevent them in the future. Between July 1 and September 30, 2022, the honeypot was attacked 3,427,611 times from over 1,500 IP addresses. The researchers named the system to entice attackers, so that criminals would think it was part of a bank’s network.

(Image: Different methods used for attempting login by manipulating passwords.)

The attempts to compromise the system were predictable, involving brute-force attacks that relied on multiple dictionaries. The most commonly used username was "Administrator", along with variations such as shortened versions, different languages, or different letter cases. In roughly 60,000 instances, the perpetrator had conducted preliminary research before attempting to discover the correct login information, and tested usernames that did not belong to the common dictionary set.

(Image: The most frequently used usernames.)

In the image above, the researchers found three unique usernames associated with the honeypot system – the names of the RDP certificate, the host, and the hosting provider. These usernames appeared among the top 12 attempted login names, indicating that some hackers were not blindly testing login credentials but were gathering information about the victim beforehand.

The researchers also discovered that the system had collected password hashes and were able to crack the weaker ones. Their findings revealed that the most common strategy used by the hackers was to create variations of the RDP certificate name, followed by variations of the word "password" and simple strings of up to ten digits.

Interesting RDP Honeypot statistics

It’s worth noting that the RDP certificate name was only used in attack attempts against the RDP honeypot from IP addresses in China (98%) and Russia (2%). However, this doesn’t necessarily imply that the attackers are from these countries, only that they utilize infrastructure in these regions. Another observation is that a significant number of attackers (15%) employed thousands of passwords in combination with just five usernames.
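The three observations above (the dominance of "Administrator", usernames taken from the honeypot's own certificate, host and provider names, and sources pairing a handful of usernames with thousands of passwords) can be turned into simple detections over honeypot login logs. This is an added example, not GoSecure's tooling: the log format, the source IPs (TEST-NET ranges) and the host-specific names are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot-style log lines in an assumed format:
# timestamp, source IP, username tried, password tried. Not real data.
LOG_LINES = [
    "2022-07-03T04:12:09Z src=203.0.113.7 user=Administrator pass=Passw0rd",
    "2022-07-03T04:12:10Z src=203.0.113.7 user=administrator pass=password1",
    "2022-07-03T04:12:11Z src=203.0.113.7 user=Admin pass=123456",
    "2022-07-03T05:01:44Z src=198.51.100.9 user=Administrator pass=honey-rdp-cert",
    "2022-07-03T05:01:45Z src=198.51.100.9 user=HONEY-RDP-CERT pass=HONEY-RDP-CERT1",
    "2022-07-03T05:01:46Z src=198.51.100.9 user=honeyhost pass=honeyhost2022",
    "2022-07-03T05:01:47Z src=198.51.100.9 user=examplecloud pass=examplecloud",
] + [
    # One source hammering a single username with many passwords.
    f"2022-07-04T02:00:{i:02d}Z src=192.0.2.55 user=Administrator pass=pw{i:03d}"
    for i in range(30)
]

# Assumed names that appear only in the honeypot's own RDP certificate, hostname
# and hosting provider; an attempt using them implies prior reconnaissance.
HOST_SPECIFIC_NAMES = {"honey-rdp-cert", "honeyhost", "examplecloud"}

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+)")

def parse(lines):
    """Return (src_ip, username, password) tuples; lines that don't match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("src"), m.group("user"), m.group("pw")))
    return out

def top_usernames(attempts, n=3):
    """Most-tried usernames, case-folded so Administrator/administrator count together."""
    return Counter(user.lower() for _, user, _ in attempts).most_common(n)

def recon_sources(attempts):
    """Source IPs that used a host-specific name as username or password."""
    hits = set()
    for src, user, pw in attempts:
        if user.lower() in HOST_SPECIFIC_NAMES or pw.lower() in HOST_SPECIFIC_NAMES:
            hits.add(src)
    return hits

def dictionary_attack_sources(attempts, max_users=5, min_passwords=20):
    """Source IPs pairing at most max_users usernames with many distinct passwords."""
    users, passwords = defaultdict(set), defaultdict(set)
    for src, user, pw in attempts:
        users[src].add(user.lower())
        passwords[src].add(pw)
    return {src for src in users
            if len(users[src]) <= max_users and len(passwords[src]) >= min_passwords}
```

The thresholds in `dictionary_attack_sources` are tuned to the small constructed sample; on a real three-month capture they would be raised to match the "thousands of passwords, five usernames" pattern the researchers describe.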

What then?

All this information gives a clear view of what is happening in the modern threat landscape. Despite the numerous other ways to infect a system, hackers still prefer RDP. The technology is easy to exploit, so even unskilled attackers can carry out the attack. Brute-force utilities and credential databases are easily accessible. And such popularity is a straightforward reason to ensure your RDP connections are safe.

There are several ways to mitigate known RDP vulnerabilities, and the easiest among them is to close the exposed port of this networking protocol. There are also more convenient and flexible solutions – consider reading our research on securing the RDP protocol.

The post RDP Honeypot Was Attacked 3.5 Million Times appeared first on Gridinsoft Blog.
