
Watch any Hollywood movie that contains a scene where a nerd is tasked with hacking some IT system and it’s a flurry of fingers across a keyboard and then a few seconds later, the immortal shout of “We’re in” – that’s it, it’s as easy as that – right?

weeeelllll – no. No it’s not like that at all.
Hacking, in most cases, involves multiple attempts to get a flaky script to run that inevitably fails due to some misconfigured setting, or sitting for ages waiting for a progress bar to inch forward (or, more often, watching the script appear to do absolutely nothing for 5 minutes before returning an error).
But that doesn’t make for an exciting movie, does it. Reality is rarely as exciting as Hollywood would have us believe.
In reality, when an attacker achieves a level of success, it is often only partial – attacks generally take time, much more than a 5 second movie scene could ever portray. Attacks are often multi-stage, involving many different vectors and tools. Attacks also often fail completely.
So why is this the case?
To understand why hacking really isn’t like Hollywood would have us believe, we need to understand two key aspects – attack processes, and defence processes.
Let’s examine the defence side of things first:
In the world of Information Security we heavily advocate the concept of Defence in Depth. The basic premise is that if you have a flat network – i.e. one with no layers of defensive techniques – then an attacker, once they breach your outer defence, will have free rein over your entire network. Defence in depth is all about adding multiple layers of defence strategies to either stop an attack completely, or at least waylay an adversary enough that they think twice about continuing their attack and look elsewhere.
This concept is nothing new though – castles and other fortified installations have used defence in depth techniques for hundreds of years.
Castles have high walls with vantage points for the defending troops to fire arrows, or pour boiling oil on an attacking army. Some have moats in front of the walls to hinder any attempts to batter the walls down.
Inside the boundary walls, you might add other defences such as pits, portcullises, spiral staircases, dead-ends, narrow corridors, and more.
The prized possessions (jewels, royalty, etc.) would be kept safe inside a fortified keep which could be positioned upon a high, steep sided motte (mound of earth).
These layered defences make it much harder for an attacking horde to be successful.
Many of these defensive features can be seen in one of the world’s most well known castles – the Tower of London.
![Image of the Tower of London taken by [Duncan] from Nottingham, UK - Tower of London from the Shard](https://cybertrainer.uk/wp-content/uploads/2024/07/Tower_of_London_from_the_Shard_8515883950-1024x665.jpg)
In the world of IT, we can implement the concept of Defence in Depth in many ways including:
- creating segmented networks
- using multi-homed firewalls
- implementing Network and Host Intrusion Detection systems (NIDS & HIDS)
- implementing robust policies (password policies, software policies, user policies, removable media policies, ingress and egress policies, etc.)
- using hardware from different vendors to minimise the risk of having the same vulnerabilities across the estate
- implementing Host and Network anti-malware systems
- using encryption technologies
- defining user roles with limited access rights
- categorising data
All of these strategies help to make an organisation a hard target, but not necessarily an impervious target.
Attackers are always seeking out devious ways to defeat the defences we put in place, so cyber security experts also have to keep up to date with the latest attack strategies.
So, now we have an understanding of how we defend an IT system, let’s look at attacking processes.
Many years ago, Lockheed Martin conceptualised the stages of a typical attack, and produced the Cyber Kill Chain.
The Cyber Kill Chain suggests that most attackers follow a series of seven steps when conducting an attack against a victim.

The Reconnaissance stage of an attack involves finding out as much as possible about a potential victim.
- Who works for the company?
- What are the email addresses?
- What IT technologies do they use?
- What security technologies do they use?
- Where do they have offices?
- Who are the directors?
- Who are the IT staff?
- What revenue does the company generate?
- Who are the company customers?
The reconnaissance stage will (hopefully) identify vulnerabilities which can be targeted with an exploit – Vulnerabilities are most commonly found in technologies, but they can also be found in business processes, or in weaknesses in the staff – maybe a disgruntled staff member could be coerced into implanting some malware for the attacker?
The Weaponization stage of the attack is the stage where the threat actor readies their attack tools. This might utilise commodity attack tools – pre-built, readily available exploits – or it may necessitate the writing of new tools, or the customisation of commodity tools. It will most likely involve a level of obfuscation, in an attempt to ensure the weapon goes unnoticed by security systems.
Closely aligned with the weaponization stage is the Delivery stage – this is where the attacker somehow gets their weaponized attack to the victim – this could be via a phishing email, a discarded USB stick, a manual exploit, an insider agent, etc.
Successful delivery of the weaponized exploit will hopefully lead to Exploitation of the target. From here on, the activities will differ depending on what the attacker finds.
They may be able to implant further malware in the Installation stage that allows them to call out to a Command & Control server (C2) that issues further commands, or allows for shell connectivity.
This shell access now gives the attacker the ability to conduct various Actions on Objectives, such as deploying ransomware, stealing data, altering data, establishing persistence, and much more.

One thing that will most certainly happen once an attacker gains system access, is that the reconnaissance stage will start again, the difference being that now the fact-finding happens inside the victim network – so much more sensitive data can be revealed.
Cyber Kill chain in action
A recent blog by Microsoft discusses a vulnerability in VMware ESXi hypervisors (CVE-2024-37085) that allows an attacker to obtain full administrative permissions on domain-joined ESXi hypervisors. The root cause is that ESXi, by default, grants full administrative access to members of a domain group named “ESX Admins” without validating that such a group actually exists, so an attacker with enough Active Directory permissions can simply create the group (or rename an existing one) and add their own account to it.
In that blog piece, Microsoft outlines how one particular victim became compromised, and it’s a great example of the Cyber Kill Chain in action:
> Earlier this year, an engineering firm in North America was affected by a Black Basta ransomware deployment by threat actors tracked as Storm-0506. During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization.
> The threat actor gained initial access to the organization via a Qakbot infection, followed by the exploitation of a Windows CLFS vulnerability (CVE-2023-28252) to elevate their privileges on affected devices. The threat actor then used Cobalt Strike and Pypykatz (a Python version of Mimikatz) to steal the credentials of two domain administrators and to move laterally to four domain controllers.
> Once on the compromised domain controllers, the threat actor(s) installed persistence mechanisms using custom tools and a SystemBC implant. The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC. The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.
> Microsoft observed that the threat actor created the “ESX Admins” group in the domain and added a new user account to it, following these actions, Microsoft observed that this attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor. The actor was also observed to use PsExec to encrypt devices that are not hosted on the ESXi hypervisor. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint were able to stop these encryption attempts in devices that had the unified agent for Defender for Endpoint installed.

It can be seen here that the threat actors had to do much more than a simple flurry of fingers across a keyboard. The attack would have taken place over a number of days, as the attackers attempted to stay under the radar. It was only once the ransomware was deployed that the targeted organisation became aware of the attack.
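The one step in that chain a defender can catch cheaply is the creation of the “ESX Admins” group (and the addition of members to it), because both land in the Windows Security log on the domain controllers as ordinary group-management events. The following is an added example, not code from the original post or from Microsoft’s blog: a small hunt over Security log events that flags any security-group creation or membership change whose target group would be treated as ESXi’s admin group. The event IDs are the documented Windows ones; the sample events, the account names and the domain are constructed for the demo.

```python
"""Hunt for the "ESX Admins" group activity that CVE-2024-37085 abuse leaves
in the Windows Security log on a domain controller.

Added example, not code from the original post or from Microsoft's blog.
ESXi trusts members of a domain group named "ESX Admins" by default, so
creating that group, or adding members to it, is the attacker step most
worth alerting on. The events below are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Documented Security log event IDs for AD security-group management.
GROUP_CREATED = {4727: "global", 4731: "domain-local", 4754: "universal"}
MEMBER_ADDED = {4728: "global", 4732: "domain-local", 4756: "universal"}

# Match the trusted group name case-insensitively and tolerate extra
# whitespace so a lookalike spelling still surfaces in the hunt.
TARGET_GROUP = re.compile(r"^\s*esx\s+admins\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    record_id: int
    event_id: int
    actor: str      # SubjectUserName: the account that made the change
    group: str      # TargetUserName: the group that was affected
    detail: str


def is_esx_admins(name: str) -> bool:
    """True if a group name would be treated as the ESXi admin group."""
    return bool(TARGET_GROUP.match(name or ""))


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per group-management event that creates, or adds
    a member to, an "ESX Admins" group. Every other event is ignored."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")
        if not is_esx_admins(group):
            continue
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED:
            detail = f"{GROUP_CREATED[eid]} security group created"
        elif eid in MEMBER_ADDED:
            detail = f"{ev.get('MemberName', '?')} added to {MEMBER_ADDED[eid]} group"
        else:
            continue
        findings.append(Finding(ev["RecordId"], eid, actor, group, detail))
    return findings


# Constructed sample events; field names follow the Security log XML schema.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 4720, "SubjectUserName": "adm.helpdesk",
     "TargetUserName": "t.smith"},                      # user created: benign
    {"RecordId": 102, "EventID": 4727, "SubjectUserName": "adm.helpdesk",
     "TargetUserName": "Finance-Share"},                # unrelated group
    {"RecordId": 103, "EventID": 4727, "SubjectUserName": "svc.backup",
     "TargetUserName": "ESX Admins"},                   # trusted group created
    {"RecordId": 104, "EventID": 4728, "SubjectUserName": "svc.backup",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=vmadmin,CN=Users,DC=corp,DC=example"},
    {"RecordId": 105, "EventID": 4728, "SubjectUserName": "adm.helpdesk",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=t.smith,CN=Users,DC=corp,DC=example"},  # not this pattern
    {"RecordId": 106, "EventID": 4731, "SubjectUserName": "svc.backup",
     "TargetUserName": "esx  admins"},                  # lookalike spelling
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"record {f.record_id} event {f.event_id}: {f.actor} -> "
              f"'{f.group}': {f.detail}")
```

Run against the sample, the hunt returns records 103, 104 and 106 and stays silent on the benign user creation, the unrelated group and the Domain Admins change. In a real estate the same logic sits behind a SIEM rule fed by the domain controllers’ Security logs; it is a cheap layer of the defence in depth described above, and it belongs alongside the vendor fix for the hypervisor itself, since an alert only helps if someone acts on it before the encryption stage.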
Although I’m sure the attackers at some point said “Я в” (I’m In)…