Joey on SQL Server

Why IT Should be Concerned with 'Living off the Land' Attacks

What was once a somewhat novel attack approach has gained popularity in the face of rising nation-state threat actors.

• By Joey D'Antoni
• 11/14/2023

Last Thursday, I traveled to the Washington, DC area to attend Cyberwarcon, a one-day conference "focused on the specter of destruction, disruption and malicious influence on our society through cyber capabilities." (For disclosure, I was a paid attendee and not attending as media.)

While most of my work focuses on data and cloud technologies, there is always a lot of overlap with security, and security has become a vital area of interest for me in recent years.

The content at the conference focused on the intersection of foreign policy, IT security, and technology and government. This conference focused explicitly on the concept of Advanced Persistent Threats (APT), which NIST refers to as "an adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical and deception)."

Many of the talks were related to current global affairs -- the conference intentionally has a very short call-for-papers process, which allows subjects to be as topical as possible. This year, that meant lots of topics around the way nation-state actors, like Russia and Iran, were going after targets in Ukraine and Israel, respectively.

Speakers came from several government agencies, including keynote speaker Viktor Zhora, who is the Deputy Chairman of the State Service of Special Communication and Information Protection of Ukraine on Digital Development, Digital Transformations and Digitalization (CDTO) and spoke against the many fronts, both technical and military that Ukraine is fighting Russia on.

Another subject was recent legislation in China around reporting software vulnerabilities and China’s series of vulnerability management systems. Typically, when a security researcher identifies a vulnerability, they notify the software company that owns the software or the open source project to which it belongs. It is then cataloged, and the process of mitigation can begin. China’s new process forces researchers to notify the government of the bug and the personal information of the researcher who identified the problem. This requirement, combined with a very unclear and hard-to-access vulnerability database, has led to speculation that the Chinese government may hold an extensive list of zero-day vulnerabilities that they are not sharing with the broader world.

One of the more interesting talks was from Morgan Adamski, the Director of NSA’s Cybersecurity Collaboration Center. Ms. Adamski talked about China and Volt Typhoon, a state-sponsored threat group, and recent attacks on utilities, communications, transportation and other areas of critical infrastructure. The most exciting part of the talk, referenced in this Microsoft blog posts, is the "living off the land" methodology the threat actors use. Finally, she posed a "call to action" for security professionals to assist and report these attacks, as they threaten our infrastructure tremendously.

Living off the land does not refer to hackers living on a farm. Still, the notion of gaining access to a network (typically through unsecured edge devices like VPN routers), gradually gaining and increasing access over time, and then beginning to launch attacks, is worrisome. Suppose this sounds like a typical ransomware attack to you. In that case, you aren’t wrong; however, the big difference is that the attacker does not write any files to disk, which would trigger antivirus, is loaded into the context of a normal executable, like wscript.exe or PowerShell.exe, and leaves minimal traces in logs or any other place on disk.

In the case of Volt Typhoon, Microsoft Security has observed some activities once they gain access to a network. They attempt to dump credentials from memory using the Local Security Authority Subsystem Service (LSASS). LSASS contains the hashes for the current user’s operating system credentials. Microsoft has also observed Volt Typhoon using the command-line tool Ntdsutil.exe, which creates installation media from domain controllers. Files in the installation media output from this tool contain username and password hashes that the threat actor can attempt to crack offline to provide additional valid credentials.

While most threat actors establish extensive communication with a command-and-control (C2) network once they access an environment, Volt Typhoon uses proxies created on compromised systems. After exfiltrating smaller, less apparent amounts of data, it quickly deletes them. The design of this attack minimizes the footprint; the only evidence you might see of these commands is successful sign-ins from unusual IP addresses.

"Living off of the land" poses several distinct challenges for security teams. Because traditional antivirus and security tools cannot protect against these attacks, teams must proactively monitor logs for suspicious activity. While SIEM (Security information and event management) tools can provide some assistance, they are not a panacea. An example of one of these attacks was against a utility company control system, which led to a power outage. The attackers used the uncommon native language of the control system and an API to take down parts of the power grid. While this attack was novel and creative, the software vendor had patched this vulnerability nearly ten years ago; however, the customer had not applied the patch.

It is a terrifying world for IT professionals -- you may wonder how to protect an organization in the face of these well-funded nation-state actors. It can be overwhelming to think of all the endpoints and vulnerabilities in your network; this is why CISO is not a fun job. However, there are some things you can do to mitigate risks. The first and most significant thing is requiring multi-factor authentication for privileged users. While not a panacea, it makes everything threat actors do that much harder. Microsoft also recommends blocking local access to the commonly used command line tools in attacks. Finally, please use modern tools like endpoint detection and response (EDR) and run them in block mode to block malicious artifacts that your antivirus might not otherwise block. Good luck out there.