Living off the Land Attacks: The Underground Economy and Ransomware
‘Living off the land’ has traditionally meant a reliance on surviving through hunting, gathering, or subsistence farming. The meaning is much darker when we talk about cyber security.
What Are Living Off the Land Attacks?
In the cyber security world, living off the land attacks are those that make use of tools already installed on the targeted computer, or that run simple scripts and shellcode directly in memory. Attackers use these tactics because they hide in plain sight and create fewer new files (or no new files at all) on disk. That leaves less for traditional, file-based security tools to detect and, ultimately, less chance of the attack being blocked.
Living off the land, non-malware, fileless, and memory-based attacks all describe the same tactic: using existing software, allowed applications, and authorized protocols to carry out malicious activity. Tools employed in living off the land attacks include operating system features, legitimate administration tools, and cloud services. A typical attack chain runs as follows:
- A user visits a website using Firefox, perhaps driven there from a cleverly disguised spam message.
- On this page, Flash is loaded. Flash is a common attack vector because of its seemingly never-ending stream of vulnerabilities.
- Flash invokes PowerShell, an OS tool that exists on every Windows machine, and feeds it instructions through the command line — all operating in memory.
- PowerShell connects to a stealth command and control server, where it downloads a malicious PowerShell script that finds sensitive data and sends it to the attacker.
The 2016 hacking of the Democratic Party was an example of a living off the land attack, relying on social engineering and a spear-phishing email.
Living Off the Land Attacks, the Underground Economy, and Ransomware
Living off the land attacks help to power the underground economy. Attackers use malicious Office macros – hiding behind social engineering tactics – to convince users to enable the macro when opening an Office attachment. Such email compromise attacks can trick victims into handing over large sums of money or private information that can then be sold in the underground economy. Malware is typically a component of these attacks, and that malware can itself be productized and sold as a kit in the underground economy.
Due to its prevalence and destructiveness, ransomware remains a very dangerous threat, and one that can take advantage of living off the land tactics. The Ransom.Petya outbreak, which hit organizations in Ukraine and many other countries in June 2017, is an example of an attack using living off the land tactics. The ransomware used a clever supply chain attack as its initial infection vector, compromising the update process of a widely used accounting software program.
Battling Living Off the Land Attacks
For users, thwarting living off the land attacks means following standard guidance: delete any suspicious-looking emails, especially those containing links or attachments. Attachments that advise you to enable macros should be avoided unless you are absolutely sure the email comes from a trusted source.
For security professionals, battling these types of attacks requires a lot of contextual information, such as how a whitelisted tool's use by a threat actor differs from its use by a system administrator. Symantec recommends several mitigation and best practice techniques, including upgrading to PowerShell 5+ to enable script block logging, monitoring the use of dual-use tools in your network, and enabling better logging and processing of log information.
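The contextual distinction above (the same whitelisted tool launched by a browser with hidden, encoded arguments versus by an administrator running a maintenance script) can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not Symantec's tooling or any product's detection logic; it assumes events have already been collected (for example from Windows Security event 4688 or Sysmon event 1) and normalised into dicts with `parent`, `image` and `cmdline` keys, and the parent-process baseline and flag patterns are assumptions a real deployment would tune.

```python
"""Score PowerShell process-creation records by living-off-the-land context."""
import re

# Assumed baseline: parents that should never legitimately spawn PowerShell.
# Browsers, Office and Flash cover the attack chain described in the article.
SUSPICIOUS_PARENTS = {"firefox.exe", "chrome.exe", "iexplore.exe", "winword.exe",
                      "excel.exe", "outlook.exe", "flashplayerplugin.exe"}

# Argument patterns administrators rarely type but in-memory attacks rely on.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.I), "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
]


def score_event(ev):
    """Return (score, reasons) for one record; non-PowerShell images score 0."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, []
    reasons = []
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    for pattern, label in SUSPICIOUS_ARGS:
        if pattern.search(ev["cmdline"]):
            reasons.append(label)
    return len(reasons), reasons


def triage(events, threshold=2):
    """Return (score, event, reasons) for records at or above threshold, highest first."""
    hits = [(s, ev, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]
    return sorted(hits, key=lambda h: -h[0])


# Constructed sample records, not real telemetry; the -enc blob is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
    {"parent": r"C:\Program Files\Mozilla Firefox\firefox.exe", "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc AAAAAAAAAAAA"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for score, ev, reasons in triage(SAMPLE_EVENTS):
        print(score, ev["cmdline"], reasons)
```

Only the browser-spawned, hidden, encoded invocation crosses the threshold; the administrator's `-NoProfile` script run scores a single weak signal and is left alone.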