Hackers have a wide range of hacking tools and techniques at their disposal. Vulnerabilities are constantly emerging, and attackers keep finding ways to exploit them and inventing new, more sophisticated attack scenarios. In this article we look at several incidents that, in our opinion, are far from trivial.
Some of the attacker’s tricks are well known to a wider audience, such as social engineering attacks or phishing. But not everyone has heard of ghost account attacks.
At the end of January, Sophos investigated a large-scale attack on corporate resources, followed by infection with the ransomware Nemty. Sophos experts have determined that the intrusion occurred through a high-privileged administrator account. This account belonged to a former employee who passed away three months before the incident.
The company, instead of revoking access and closing the account, decided to keep it active and open because “there were services for which it was used”.
Morse code in emails
Phishing emails contain links to malicious sites disguised as safe ones. There, cybercriminals trick us into handing over our login credentials or bank card details. “Yes, yes, we know,” many will say. But are you aware of fake emails in which the malicious URL is hidden with Morse code?
In February, a new fraud technique came to light: attackers used Morse code to hide malicious content in email attachments. Below is a description of the attack from the source.
When the victim tries to open the file, a fake Excel spreadsheet appears stating that the login has timed out and prompting the user to enter the password again. After the user enters their password, the form sends it to a remote site where the attackers collect credentials. In many cases, the authorization pop-up contains the victim’s company logo to build trust.
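The Morse-code trick works because mail filters that look for script keywords or URLs in an attachment see only dots and dashes. One way for a defender to close that gap is to decode any long run of Morse symbols found in an attachment and scan the decoded text for the indicators the filter was looking for in the first place. The script below is an added example written for this article, not code from the source or from the campaign itself; it assumes the encoded payload appears as space-separated dots and dashes, and the HTML attachment it scans is constructed for illustration.

```python
"""Flag Morse-encoded payloads hidden in HTML email attachments.

Added example (not from the original article). It finds long runs of
Morse symbols in an attachment body, decodes them, and reports any
script or credential-harvesting indicators in the decoded text.
The sample attachment at the bottom is constructed for illustration.
"""
import re
from typing import List, Dict

# International Morse code for letters, digits and common URL punctuation.
MORSE_TABLE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", "..--..": "?", "-..-.": "/", ".--.-.": "@",
    "---...": ":", "-....-": "-",
}

# A run of at least eight space-separated Morse symbols. Ordinary prose
# ("Hello... see you -- tomorrow") never produces a run that long.
MORSE_RUN = re.compile(r"[.\-]{1,7}(?:\s+[.\-]{1,7}){7,}")

# Keywords that a plain attachment filter would normally search for;
# here they are matched against the *decoded* text instead.
SUSPICIOUS = ("<script", "http", "password", "login", "eval(", "document.write")


def decode_morse(run: str) -> str:
    """Decode a space-separated Morse run; unknown symbols become '?'."""
    return "".join(MORSE_TABLE.get(sym, "?") for sym in run.split())


def find_morse_payloads(html: str) -> List[Dict]:
    """Return one finding per Morse run, with its decoded text and indicators."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        decoded = decode_morse(m.group(0))
        hits = [k for k in SUSPICIOUS if k in decoded.lower()]
        findings.append({"offset": m.start(), "decoded": decoded, "indicators": hits})
    return findings


def is_suspicious(html: str) -> bool:
    """True if any decoded Morse run contains an indicator keyword."""
    return any(f["indicators"] for f in find_morse_payloads(html))


# Constructed sample: an HTML attachment whose script holds a Morse-encoded
# URL (it decodes to http://login.example.invalid, a reserved test domain).
SAMPLE_ATTACHMENT = (
    "<html><body><div id='x'>Invoice attached.</div>\n"
    "<script>var s = '.... - - .--. ---... -..-. -..-. .-.. --- --. .. -. "
    ".-.-.- . -..- .- -- .--. .-.. . .-.-.- .. -. ...- .- .-.. .. -..';"
    "</script></body></html>"
)

if __name__ == "__main__":
    for finding in find_morse_payloads(SAMPLE_ATTACHMENT):
        print(finding)
```

Real attachments vary in how the dots and dashes are laid out (they may be split into pairs or mixed with hexadecimal), so in production the regex and the indicator list are the parts to tune; the decode-then-scan structure stays the same.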
Smart and vulnerable
You may have heard the story of how, in 2017, hackers infected the computer network of a petrochemical plant using … a coffee machine. WannaCry, a dangerous ransomware virus, entered the company’s network via an insecure Wi-Fi connection of a smart coffee machine.
You may also know the case in which a smart refrigerator helped hackers carry out a MITM attack and gain access to a Gmail and Google account.
And in 2020, cybercriminals tested a new way to penetrate office and home networks – smart bulbs. Hackers, using specific vulnerabilities in them, can penetrate the target IP network to distribute ransomware or spyware.
How the attack takes place: bulb owners can remotely control the lighting and calibrate the color of each bulb through a mobile app.
The hacker discovers the bulb, takes over control of it and changes its color or brightness to trick the user into thinking the bulb is defective.
The bulb is then shown as “not available” in the user’s app. The only way to reset the smart device is to remove it from the app, then re-discover it and add it back to the network. By this stage, the hacker has already injected malware into the bulb’s firmware, using a vulnerability in the data transfer protocol. Thus, the user adds the already compromised bulb back to his network. Now the hacker-controlled bulb with its modified firmware lets the attacker move further into the network and distribute ransomware or spyware.
What conclusions can be drawn from the cases considered:
After an employee has left the company (for any reason), revoke the account’s rights, change the passwords for resources he had access to and disable service accounts in key systems. Ghost accounts are especially dangerous if an attacker brute-forces and compromises one, because nobody is usually watching them. Any ghost account that is allowed to remain connected to corporate resources should at least have remote connectivity disabled;
Following links from random emails is a bad idea. If in doubt, go directly to the source;
If you purchased a smart device, remember to change the factory password. Keep up with software updates, or better configure your av
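The Sophos case above shows why a recurring audit for ghost accounts matters: an enabled, highly privileged account whose owner is gone is exactly what went unnoticed there. The script below is an added example for this article, not Sophos’s tooling or the article’s own code. It takes a list of directory accounts joined with an HR status (the records, field names and group names are constructed assumptions; in practice they would come from an AD export and an HR roster), flags enabled accounts whose owner has left or that have been idle past a threshold, ranks privileged ones first, and lists the actions the conclusions above recommend.

```python
"""Audit for ghost accounts: enabled accounts whose owner has left, that have
no identified owner, or that have not logged on for a long time.

Added example, not code from the article or from Sophos. All records below
are constructed; the field names and group names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, FrozenSet, List, Dict

# Group memberships that raise a finding to high severity (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Remote Desktop Users"}


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]      # None means the account never logged on
    groups: FrozenSet[str]
    hr_status: str                  # "active", "left", or "unknown" (no named owner)
    remote_access: bool             # VPN / RDP permitted


def audit_ghost_accounts(accounts: List[Account], today: date,
                         stale_after: timedelta = timedelta(days=90)) -> List[Dict]:
    """Return findings for enabled accounts that look abandoned, high severity first."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                # already closed; nothing to do
        reasons = []
        if a.hr_status == "left":
            reasons.append("owner has left the company")
        elif a.hr_status == "unknown":
            reasons.append("no identified owner")
        if a.last_logon is None or today - a.last_logon > stale_after:
            reasons.append("no logon in %d days" % stale_after.days)
        if not reasons:
            continue
        privileged = bool(a.groups & PRIVILEGED_GROUPS)
        actions = ["disable account", "reset password"]
        if a.remote_access:
            actions.append("revoke remote access")
        findings.append({
            "name": a.name,
            "severity": "high" if privileged else "medium",
            "reasons": reasons,
            "actions": actions,
        })
    # High severity first, then alphabetical so the report is stable.
    findings.sort(key=lambda f: (f["severity"] != "high", f["name"]))
    return findings


# Constructed sample roster as of 2021-03-01.
SAMPLE_ACCOUNTS = [
    Account("j.smith", True, date(2020, 11, 20), frozenset({"Domain Admins"}), "left", True),
    Account("a.jones", True, date(2021, 2, 26), frozenset(), "active", False),
    Account("old-contractor", True, None, frozenset(), "left", False),
    Account("svc_legacy", True, date(2020, 6, 1), frozenset({"Remote Desktop Users"}), "unknown", True),
    Account("b.lee", False, date(2019, 1, 1), frozenset({"Domain Admins"}), "left", True),
]

if __name__ == "__main__":
    for finding in audit_ghost_accounts(SAMPLE_ACCOUNTS, date(2021, 3, 1)):
        print(finding)
```

Disabled accounts are skipped, so the report only lists what still needs action; the idle threshold and the privileged-group set are the two knobs to adjust to the organisation.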