SANS arrives at RSA with list of 5 ‘dangerous’ new attacks

MFA bypasses, stalkerware, and ‘ghost backups’ lead a list of new threats

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

If you heard “spooky,” “oogie-boogie,” or even “ghost” at RSA 2022 last week, you didn’t miss a Halloween party.

In a presentation titled “The Five Most Dangerous New Attack Techniques,” SANS Institute experts reviewed a list of semi-scary hacks, including authentication bypasses, backup breaches, and stalkerware.

Living off the cloud

A “living off the land” attack uses legitimate programs that are already present on the victim’s systems instead of custom malware. Katie Nickels, director of intelligence at SANS Institute, showed how adversaries are finding the same kind of cover in familiar cloud services.

Take ngrok, a cross-platform service that lets developers expose a local service to the internet through a public URL. That URL can lead to trouble. “Ngrok sets up a tunnel, or reverse proxy, that goes right through that firewall, making it really easy for adversaries to send their malicious payload right through,” Nickels said.

“Know normal, find evil,” Nickels told the RSA crowd, encouraging defenders to learn what ordinary activity looks like on their networks so that an unexpected tunnel stands out.
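What “know normal, find evil” looks like in practice for the ngrok case, as an added example that is not code from the SANS talk or from IT Brew: it scans constructed DNS and process-creation log lines for ngrok tunnel hostnames and the ngrok binary, then separates sightings on hosts where the tool is sanctioned (the “normal”) from the rest. The log format, the host names, the sanctioned-host list, and the list of ngrok tunnel domains are all assumptions to be replaced with your own telemetry.

```python
"""Added example, not from the SANS talk or IT Brew: flag ngrok tunnel
activity in endpoint telemetry and separate expected use from the rest.
Log format, host names and the ngrok domain list are assumptions."""
import re

# Domains ngrok assigns to tunnels (assumed list; extend from your own DNS data).
NGROK_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")

# "Know normal": hosts where ngrok is sanctioned, e.g. a dev sandbox (assumed).
KNOWN_NGROK_HOSTS = {"build-02"}

# Constructed log lines in an assumed "<ts> <kind> host=<name> key=value ..." format.
SAMPLE_LOGS = [
    "2022-06-10T09:01:02Z dns host=ws-17 q=login.microsoftonline.com",
    "2022-06-10T09:03:44Z dns host=ws-17 q=abcd1234.ngrok.io",
    '2022-06-10T09:03:45Z proc host=ws-17 image=C:\\Users\\alice\\AppData\\Local\\Temp\\ngrok.exe cmd="ngrok.exe tcp 3389"',
    "2022-06-10T09:05:00Z dns host=srv-db-01 q=updates.vendor.example",
    '2022-06-10T09:06:12Z proc host=build-02 image=/usr/local/bin/ngrok cmd="ngrok http 8080"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\S+) host=(?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind"), "host": m.group("host")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec


def is_ngrok_domain(name):
    """True when a queried name falls under one of the ngrok tunnel domains."""
    n = name.lower().rstrip(".")
    return any(n.endswith(s) for s in NGROK_SUFFIXES)


def find_ngrok_activity(lines, known_hosts=KNOWN_NGROK_HOSTS):
    """Return (host, evidence_type, evidence, expected) for every ngrok sighting.

    expected is True when the host is on the sanctioned list; anything else is
    a tunnel from a machine that has no business running one.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dns" and is_ngrok_domain(rec.get("q", "")):
            evidence = ("dns", rec["q"])
        elif rec["kind"] == "proc":
            image = rec.get("image", "").lower().replace("\\", "/")
            if image.rsplit("/", 1)[-1] not in ("ngrok", "ngrok.exe"):
                continue
            evidence = ("proc", rec.get("cmd", ""))
        else:
            continue
        findings.append((rec["host"], evidence[0], evidence[1], rec["host"] in known_hosts))
    return findings


def unexpected_tunnels(lines, known_hosts=KNOWN_NGROK_HOSTS):
    """Only the sightings on hosts where ngrok is not sanctioned: the 'evil' set."""
    return [f for f in find_ngrok_activity(lines, known_hosts) if not f[3]]


if __name__ == "__main__":
    for host, kind, evidence, expected in find_ngrok_activity(SAMPLE_LOGS):
        print(f"{'expected' if expected else 'ALERT   '} {host:10} {kind:4} {evidence}")
```

On the constructed input the workstation ws-17 produces two alerts (a DNS lookup of a tunnel hostname and `ngrok.exe tcp 3389`, which would expose RDP through the tunnel), while the sandbox build-02 is reported but marked expected. The same two signals, DNS and process creation, are worth collecting for any tunneling tool, not only ngrok.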

An MFA sidestep

Nickels also presented a “bypass” for multi-factor authentication. In the case she showed, an organization detected a brute-force attack against an account but never disabled that account in Active Directory. Because the account remained valid, the adversary simply enrolled their own device in the multi-factor authentication service; from then on, the second factor belonged to the attacker.

Don’t stop using MFA, however, said Nickels; instead, make sure inactive (or compromised) accounts are disabled consistently in both the MFA service and AD, so that one system never vouches for an account the other has revoked.
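The two checks that would have caught the case above, as an added example that is not code from the SANS talk or from IT Brew: a reconciliation of account state between AD and the MFA service, and a rule that flags a new device enrollment on a still-enabled account shortly after a brute-force alert on that account. The account names, timestamps, the 24-hour window and the shape of the AD and MFA exports are constructed assumptions.

```python
"""Added example, not from the SANS talk or IT Brew: reconcile account state
between AD and the MFA service, and flag device enrollment that follows a
brute-force alert on an account nobody disabled. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AdAccount:
    sam: str
    enabled: bool


@dataclass(frozen=True)
class MfaEvent:
    ts: datetime
    user: str
    action: str   # "enroll_device" or "auth"
    device: str


# Constructed inventories. "carol" is disabled in AD but still active in MFA;
# "bob" was brute-forced, the SOC detected it, and the account stayed enabled.
AD_ACCOUNTS = [
    AdAccount("alice", True),
    AdAccount("bob", True),
    AdAccount("carol", False),
]
MFA_STATUS = {"alice": "active", "bob": "active", "carol": "active"}
BRUTE_FORCE_ALERTS = {"bob": datetime(2022, 6, 1, 2, 15)}   # assumed SOC detection time
MFA_EVENTS = [
    MfaEvent(datetime(2022, 6, 1, 2, 40), "bob", "enroll_device", "android-unregistered-7f3a"),
    MfaEvent(datetime(2022, 6, 1, 8, 5), "alice", "auth", "iphone-alice"),
    MfaEvent(datetime(2022, 6, 3, 11, 0), "alice", "enroll_device", "iphone-alice-new"),
]


def mfa_ad_mismatches(ad_accounts, mfa_status):
    """Accounts AD has disabled that the MFA service still treats as active."""
    return sorted(a.sam for a in ad_accounts
                  if not a.enabled and mfa_status.get(a.sam) == "active")


def suspicious_enrollments(ad_accounts, alerts, events, window=timedelta(hours=24)):
    """Device enrollments on a still-enabled account within `window` of a brute-force alert."""
    enabled = {a.sam for a in ad_accounts if a.enabled}
    hits = []
    for e in events:
        if e.action != "enroll_device" or e.user not in enabled:
            continue
        t0 = alerts.get(e.user)
        if t0 is not None and t0 <= e.ts <= t0 + window:
            hits.append((e.user, e.device, e.ts))
    return hits


def disable_everywhere(sam, ad_accounts, mfa_status):
    """The fix Nickels asked for: revoke the account in both systems, not just one.
    Returns updated copies rather than mutating the inputs."""
    ad_accounts = [AdAccount(a.sam, False) if a.sam == sam else a for a in ad_accounts]
    mfa_status = dict(mfa_status, **{sam: "disabled"})
    return ad_accounts, mfa_status


if __name__ == "__main__":
    print("disabled in AD, active in MFA:", mfa_ad_mismatches(AD_ACCOUNTS, MFA_STATUS))
    for user, device, ts in suspicious_enrollments(AD_ACCOUNTS, BRUTE_FORCE_ALERTS, MFA_EVENTS):
        print(f"ALERT {user}: new MFA device {device} enrolled at {ts} after brute-force alert")
```

Alice’s enrollment two days later is not flagged because no alert preceded it; Bob’s is, because the account was still enabled when an unknown device was registered 25 minutes after the detection. Running the reconciliation on a schedule is what turns “disable the account in both places” from a hope into a control.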

Attacking backups

The spooky-sounding “ghost backup” is a maneuver in which an adversary abuses the backup management software itself, according to Johannes Ullrich, dean of research at SANS Institute: the attacker compromises the backup controller, adds a backup job of their own, and lets the product copy the data to a second destination, exfiltrating it under the cover of routine backup traffic.

Inventory your backup jobs, said Ullrich, secure access to the central management console, and encrypt backups everywhere, especially at off-site locations.
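One way to act on “inventory your backups,” as an added example that is not code from the SANS talk or from IT Brew: keep a list of the jobs you intend to run outside the backup product, and audit what the controller reports against it, flagging jobs you never created, jobs whose definition drifted, destinations not on the approved list, and anything unencrypted. The job names, repository names, the controller’s export format and the extra “ghost” job are constructed assumptions.

```python
"""Added example, not from the SANS talk or IT Brew: audit the backup
controller's job list against an inventory kept elsewhere, so a controller
compromise cannot rewrite the baseline along with the jobs. Data is constructed."""

# Inventory maintained outside the backup product (assumed format).
BASELINE_JOBS = {
    "fileserver-daily": {"source": "fs01:/data", "dest": "repo-onprem-01", "encrypted": True},
    "sql-nightly": {"source": "sql02:ProdDB", "dest": "repo-offsite-02", "encrypted": True},
}
APPROVED_DESTINATIONS = {"repo-onprem-01", "repo-offsite-02"}

# What the controller currently reports (constructed). Note the extra job that
# re-reads the SQL source and sends it to a destination nobody approved.
CONTROLLER_JOBS = {
    "fileserver-daily": {"source": "fs01:/data", "dest": "repo-onprem-01", "encrypted": True},
    "sql-nightly": {"source": "sql02:ProdDB", "dest": "repo-offsite-02", "encrypted": False},
    "sql-nightly-copy": {"source": "sql02:ProdDB", "dest": "s3://bkp-sync-7a1f", "encrypted": False},
}


def audit_backup_jobs(baseline, current, approved):
    """Return (finding, job_name, destination) tuples for everything that
    deviates from the inventory or from the 'encrypt everywhere' rule."""
    findings = []
    for name, job in current.items():
        if name not in baseline:
            findings.append(("new_job", name, job["dest"]))
        elif job != baseline[name]:
            findings.append(("changed_job", name, job["dest"]))
        if job["dest"] not in approved:
            findings.append(("unapproved_destination", name, job["dest"]))
        if not job.get("encrypted", False):
            findings.append(("unencrypted", name, job["dest"]))
    for name, job in baseline.items():
        if name not in current:
            findings.append(("missing_job", name, job["dest"]))
    return findings


def ghost_jobs(baseline, current):
    """The specific pattern Ullrich described: a job the defenders never created
    that re-reads a source an existing job already covers, but ships it elsewhere."""
    known_pairs = {(j["source"], j["dest"]) for j in baseline.values()}
    known_sources = {j["source"] for j in baseline.values()}
    return sorted(name for name, j in current.items()
                  if name not in baseline
                  and j["source"] in known_sources
                  and (j["source"], j["dest"]) not in known_pairs)


if __name__ == "__main__":
    for finding, name, dest in audit_backup_jobs(BASELINE_JOBS, CONTROLLER_JOBS, APPROVED_DESTINATIONS):
        print(f"{finding:22} {name:18} -> {dest}")
    print("ghost jobs:", ghost_jobs(BASELINE_JOBS, CONTROLLER_JOBS))
```

The point of keeping the baseline outside the product is that an attacker who owns the controller can edit its job list but not your copy; compare the two from a system the controller cannot reach. Unexplained “changed_job” results deserve the same attention as new ones, since flipping encryption off on an existing job is another way to make the data readable at the far end.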

‘Enter the flying horse’

Heather Mahalik, senior director of digital intelligence at SANS, highlighted Pegasus, stalkerware that installs with zero clicks: no link to tap and no prompt to approve. “This attack literally flies through the air, lands on your iOS or Android device, you don’t click, and it immediately self-installs,” Mahalik told the RSA audience.

Prepare, said Mahalik, with good old cybersecurity hygiene: use passcodes, keep backups, update your devices promptly, and “lower your attack surface.”

Satellites!

Weeks after news that SpaceX sent 12,000 Starlink terminals to Ukraine, Rob T. Lee, SANS chief curriculum director, wondered whether satellite internet infrastructure may soon become a target for warfighters.

“If it’s sitting up in space, there’s no nation that truly controls that,” said Lee.

Be ready for the outage, added Ullrich. “How do your systems fail if connectivity disappears? Try to think that through before you deploy something like this.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.