Malware-Free Intrusions: Exploitation of Built-in Pre-Authentication Services for APT Attack Vectors

Advanced Persistent Threat (APT) actors seek to maintain an undetected presence over a considerable duration and therefore use a myriad of techniques to achieve this requirement. This stealthy presence might be sought on the targeted victim or on one of the victims used as pawns for further attacks. However, most of the techniques involve some malicious software that leverages either a vulnerability exposed by an exploit or the ignorance of a benign user. Malware, though, generates a substantial amount of noise in the form of suspicious network traffic or unusual system calls, which usually does not go undetected by intrusion detection systems. Therefore, an attack vector that generates as little noise as possible, or none at all, is especially attractive to APT threat actors, as it perfectly suits their objective. Malware-free intrusions present such attack vectors and are indeed difficult to detect, because they mimic the behavior of normal applications and add no extra code for signature-based or anomaly-based detection to find. This paper explores malware-free intrusions via backdoors created by leveraging the pre-authentication system tools that are available to the common user. We explore two attack vectors used to implant the backdoor and demonstrate how such a backdoor is accessible over the network via remote access while providing the highest level of system access. We further look at prevention, detection and mitigation measures that can be implemented in the case of compromise.