MITRE ATT&CK: Drive-by compromise
Introduction
In this article, we will discuss drive-by compromise attacks: exactly what they are and the different forms they can take. We will also see examples of how they are executed, how to detect them and how they can be mitigated against. Finally, we will take a look at the common Advanced Persistent Threat (APT) groups that have employed different techniques to execute these attacks.
Overview of the MITRE ATT&CK
The MITRE ATT&CK is a publicly-accessible knowledge base of adversary tactics and techniques that are based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government and in the cybersecurity product and service community.
The aim of the MITRE ATT&CK is to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.
What are drive-by compromise attacks?
Drive-by compromise attacks occur when hackers infect websites and rely on vulnerable users (targets) visiting them. Once a target visits an infected website, malicious code hosted there scans the visitor’s browser for vulnerable plugins and for previously unidentified vulnerabilities known as zero-days. The hackers then exploit these vulnerabilities to gain unauthorized access to the target’s system.
How are drive-by compromise attacks executed?
Drive-by compromise attacks are aimed at a specific group of targets, such as government organizations, with the intention of compromising an individual or an entire group. Members of such groups often share a common interest, which is what shapes the attack in the first place.
Drive-by compromise attacks typically follow a series of steps:
- Hackers host malicious content on a vulnerable website that the intended users visit. Unknown to these users, the website is infected with malware. While visiting, users may be persuaded to enable scripting within the browser or to install third-party extensions.
- The malicious scripts then scan the visiting users’ browsers for vulnerabilities. Most of these vulnerabilities are known; some are previously unknown, and these are referred to as zero-days.
- Once vulnerabilities are discovered, malware present within the compromised website exploits the target’s browser.
- Once the exploit has run, it gives the attacker remote code execution on the target machine.
A couple of hacker groups are notorious for drive-by compromise attacks:
- APT19: This is a China-based malicious hacker group that specializes in a variety of attacks that have plagued multiple industries, including finance, energy, defense, education, manufacturing and legal services. APT19 was responsible for a watering hole attack against forbes.com, in which the team used an Adobe zero-day exploit to infect visitors of the site.
- APT32: This team also goes by the names SeaLotus, OceanLotus and APT-C-00. It has infected victims by tricking them into visiting compromised watering hole websites. APT32 uses a two-stage attack in which a dropper compromises the target system and then downloads the backdoor that is used in the attack.
- APT37: This malicious North Korean hacker group is fond of using strategic web application compromises targeting South Korean websites to distribute malware. They have also used torrent sites to distribute malware. The team has a known attack method that uses a JavaScript-based profiler by the name RICECURRY, which profiles the target’s browser in order to deliver malicious code.
- APT38: This is a financially motivated North Korean malicious hacker group that targets banks and financial institutions. The group has previously attempted to steal more than $1.1 billion. APT38 also conducts espionage operations, unlike other financially motivated hacker groups that would rather just make financial transfers as fast as possible after a compromise.
- Lazarus Group: This is a North Korean government-sponsored malicious hacker group. They have been linked to attacks such as the destructive 2014 wiper attack against Sony Pictures Entertainment, a campaign named Operation Blockbuster by Novetta. They are fond of reusing malware in order to execute new operations.
When executing drive-by compromise attacks, the attacker’s goal is usually to get exploit code running on the target system (endpoint) within the internal network. If these attacks can be detected, they can be prevented in the future through various mitigation methods.
How are drive-by compromise attacks detected?
The detection of drive-by compromise attacks is largely automated. Here, intelligent solutions are used to detect anomalies. The following are some examples:
- Firewalls: Some firewalls can identify potentially known-bad domains or parameters within URLs being visited. Some solutions are intelligent enough to determine information such as how old the domain being visited is, who performed its registration and owns it, the domain’s presence in a known bad list and who has connected to it in the past.
- Intrusion Detection Systems: Some IDSes have the ability to perform SSL/TLS MITM inspection. These IDS solutions can detect malicious scripts such as heap spray, reconnaissance and browser identification scripts. They are also able to identify exploit code as well as common script obfuscation techniques available today.
- Antivirus: Antivirus solutions are capable of detecting suspicious behavior on endpoints within the network. Abnormal behavior may include suspicious files being written to disk or evidence of process injection intended to hide execution. Browser process inspection can also be performed in order to identify abnormal browser processes that are running.
Detection of drive-by compromise attacks can be difficult: as newer detection methods are constantly being developed, attackers are likewise developing methods of evading detection.
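The firewall and IDS heuristics listed above (known-bad domain, domain age, suspicious URL parameters) can be run over a web proxy log. The following is an added example, not code from the article or from any vendor; the log lines, the blocklist and the registration dates are constructed, and a real deployment would take the latter two from a threat-intel feed and WHOIS/RDAP lookups.

```python
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, client, URL); not from the article.
SAMPLE_LOG = """\
2023-04-01T10:00:01Z 10.0.0.5 https://news.example.com/article?id=1234
2023-04-01T10:00:02Z 10.0.0.5 https://cdn.update-flash.example/plugin.js
2023-04-01T10:00:03Z 10.0.0.7 https://ads.example.net/track?p=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGJsb2I=
"""
ANALYSIS_DATE = date(2023, 4, 1)   # fixed "today" so domain ages are deterministic

# Constructed threat-intel inputs; a real deployment would take these from a
# blocklist feed and WHOIS/RDAP lookups (an assumption, not the article's detail).
KNOWN_BAD = {"cdn.update-flash.example"}
REGISTERED = {"news.example.com": date(2005, 3, 1),
              "cdn.update-flash.example": date(2023, 3, 25),
              "ads.example.net": date(2012, 1, 10)}
NEW_DOMAIN_DAYS = 30   # domains younger than this are flagged
# Long base64-looking values are a common way to smuggle stage-two URLs or keys.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")

def assess_url(url, today):
    """Return the reasons a URL looks like drive-by infrastructure (empty list if clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in KNOWN_BAD:
        reasons.append("known-bad domain")
    registered = REGISTERED.get(host)
    if registered is None:
        reasons.append("domain age unknown")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("domain registered %d days ago" % (today - registered).days)
    for pair in parts.query.split("&"):          # split by hand so '+' in base64 survives
        name, _, value = pair.partition("=")
        if ENCODED_RE.match(value):
            reasons.append("long encoded parameter '%s'" % name)
    return reasons

def find_suspicious(log_text, today):
    """Map each flagged URL in the log to its reasons; clean and malformed lines are skipped."""
    flagged = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            reasons = assess_url(fields[2], today)
            if reasons:
                flagged[fields[2]] = reasons
    return flagged
```

Calling find_suspicious(SAMPLE_LOG, ANALYSIS_DATE) flags the freshly registered blocklisted host and the tracker URL carrying a long encoded parameter, while the ordinary news article passes clean.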
How does one mitigate against drive-by compromise attacks?
Mitigating against drive-by compromise attacks ensures that organizations are able to prevent losses suffered from such attacks or develop a response plan in the event of an attack. There are a couple of mitigations that can be implemented by organizations.
- Application isolation and sandboxing: Browsers include sandboxes that can contain malware before it performs malicious activities on the host. This, however, does not fully guarantee security, since sandbox escapes have been demonstrated to be possible. Application isolation through virtualization is another technique that can be used, but it too has been shown to suffer from virtual machine escapes.
- Exploit protection: Some solutions can be used to keep watch for activities that take place during exploitation. Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) are some of the example solutions.
- Restriction of web-based content: This is perhaps one of the most common approaches to preventing malicious attacks. Tools such as adblockers can help restrict the execution of malicious code automatically when visiting websites. Some extensions can also be used to block JavaScript which is commonly used for such attacks.
- Software updates: It is important to ensure that browsers as well as the operating systems in use are up to date. Up-to-date software closes the known vulnerabilities that drive-by exploits rely on and is better able to detect and block malicious software.
It is important to note that these mitigation techniques should be combined where possible, since no single method is enough on its own.
Conclusion
Drive-by compromise attacks are increasingly becoming a problem due to the numerous malicious hacker groups that are emerging. Even though these groups are rapidly springing up, more intelligent solutions are being designed that can quickly detect and identify drive-by compromise attacks.