Malicious Code

Self Replicating Malicious Code

Self-replicating malicious code in cybersecurity typically refers to

worms. Worms are a type of malware that can independently replicate and
spread to other computers without requiring user interaction. Unlike viruses,
which need to attach to a host program, worms can propagate themselves
through networks.

Here's a more detailed explanation:

What are self-replicating malicious codes?

 Worms:

These are standalone programs designed to replicate and spread to other

systems, often exploiting network vulnerabilities. They can consume system
resources, slow down or disrupt operations, and potentially install other
malware.

 Viruses:

While also malicious and self-replicating, viruses require a host program to

spread. They attach themselves to other executable files or documents, and
when the host file is executed, the virus is activated and can replicate.

 Trojan Horses:

Trojan horses are malicious programs disguised as legitimate software. They

don't self-replicate but can carry other malicious code, including viruses or
worms.

How do worms spread?

 Worms can exploit vulnerabilities in network protocols or operating

systems to spread automatically.

 They might use email, instant messaging, or other network services to

propagate.
  For instance, a worm could scan for open ports on a network and then
send a copy of itself to any vulnerable systems it finds.

What are the risks of malicious code?

 Data theft:

Malicious code can steal sensitive information like passwords, credit card
details, or personal data.

 System disruption:

Worms can consume resources, slow down or crash systems, and make them
unavailable to legitimate users.

 Financial loss:

Recovering from a malicious attack can be costly, especially for organizations.

 Reputational damage:

Security breaches can damage a company's reputation.

How to protect against malicious code:

 Keep software updated: Regularly update operating systems,

applications, and security software to patch vulnerabilities.

 Use strong passwords: Use strong, unique passwords for all accounts.

 Be cautious with email and downloads: Avoid clicking on suspicious

links or downloading files from untrusted sources.

 Install and update antivirus and anti-malware software: Use

reputable antivirus and anti-malware software to detect and remove
threats.

 Enable firewalls: Firewalls can help block unauthorized access to your

network.

 Implement network security measures: Use intrusion detection and

prevention systems, and monitor network traffic for suspicious activity.
Defensive Measures

 Firewalls and IDS/IPS

 Antivirus/EDR solutions
 Patch management – Keep systems up to date.
 Network segmentation – Limits spread.
 User training – Prevent social engineering attacks.

Evading detection and elevating privileges in cyber security

Privilege escalation in cybersecurity involves an attacker gaining higher-level access and

permissions within a system or network than initially granted, often by exploiting
vulnerabilities or misconfigurations. This allows them to access sensitive data, control critical
systems, and potentially cause significant damage. Successfully evading detection during this
process is crucial for attackers to carry out their objectives without being noticed.

Understanding Privilege Escalation:

 Vertical Privilege Escalation:

This involves gaining access to higher-level accounts, such as moving from a standard user to
an administrator or system-level account.

 Horizontal Privilege Escalation:

This involves gaining access to other accounts with similar privilege levels, such as moving
from one user account to another without increasing the overall privilege.

 Attack Vectors:
Attackers commonly exploit software vulnerabilities, misconfigured permissions, social
engineering tactics, and malware to achieve privilege escalation.

Evasion Techniques:

 Bypassing Detection Systems:

Attackers may use evasion techniques to avoid detection by intrusion detection systems
(IDS), intrusion prevention systems (IPS), and other security tools.

 Covering Tracks:

Attackers may attempt to cover their tracks by deleting logs, modifying system files, or using
other methods to conceal their activity.

 Abusing Permissions:

Attackers may exploit loose file permissions, improperly configured security settings, or
other misconfigurations to gain access to sensitive data or functions.

Prevention Strategies:

 Least Privilege:

Enforce the principle of least privilege, meaning users and applications should only have the
necessary access to perform their tasks.

 Vulnerability Scanning:

Regularly scan systems for vulnerabilities and apply security patches to address known
weaknesses.

 MFA:

Implement multi-factor authentication (MFA) to enhance security and reduce the risk of
credential theft.

 Network Segmentation:

Segment the network to limit the impact of a potential breach and prevent attackers from
moving laterally.

 Access Control:

Implement strong access controls, such as role-based access control (RBAC), to ensure that
users only have access to the resources they need.

 Regular Auditing:
Conduct regular audits of user activity and system configurations to detect suspicious
behavior and misconfigurations.

 Monitoring:

Implement robust network monitoring and security information and event management
(SIEM) solutions to detect and respond to suspicious activity.

 User Education:

Educate users about social engineering tactics and the importance of strong passwords and
security practices.

Obfuscation

In cyber security, obfuscation is the practice of disguising code, data, or other information to
make it difficult to understand, reverse engineer, or exploit by unauthorized parties. It's a
technique used to protect sensitive information, intellectual property, and to hinder malware
analysis. Think of it as making something harder to read, but not necessarily changing its
underlying functionality.

Key Aspects of Obfuscation in Cybersecurity:

 Code Obfuscation:

This involves transforming code into a functionally equivalent but harder-to-understand

form. Techniques include renaming variables, inserting dummy code, and control flow
obfuscation.

 Data Obfuscation:

This focuses on concealing sensitive data, such as passwords, encryption keys, or personal
information, by encoding, encrypting, or replacing it with other data. Data masking,
tokenization, and redaction are common methods.

 Malware Obfuscation:

Malware authors use obfuscation to evade detection by security tools, hide malicious code,
and make analysis more difficult.

 Obfuscation vs. Encryption:

While both aim to protect information, obfuscation does not necessarily require a key for
reversal, unlike encryption. Obfuscation makes information harder to understand, while
encryption scrambles it into an unreadable format.
Examples of Obfuscation Techniques:

 String Obfuscation: Encoding strings using hexadecimal or other methods to hide

their true meaning.
 Polymorphic Obfuscation: Constantly changing the code's structure while
maintaining its functionality.
 Metamorphic Obfuscation: Completely changing the code's structure and
appearance while keeping the same functionality.
 Dummy Code Insertion: Adding extra, non-functional code to increase the
complexity of analysis.
 Control Flow Obfuscation: Transforming code into a tangled, difficult-to-follow
structure.
 Renaming: Changing variable and function names to meaningless characters.

Purpose of Obfuscation:

 Protect Intellectual Property:

Obfuscation makes it harder for competitors to reverse engineer software and steal trade
secrets.

 Prevent Malware Analysis:

Obfuscation makes it harder for security researchers to analyze and understand malicious
code.

 Hinder Reverse Engineering:

Obfuscation makes it more challenging for attackers to understand how an application works
and exploit vulnerabilities.

 Protect Sensitive Data:

Obfuscation safeguards sensitive information from unauthorized access and misuse.

Limitations of Obfuscation:

 Doesn't guarantee security: Obfuscation can be bypassed, especially with advanced

techniques and tools.
 Can impact performance: Some obfuscation techniques can slow down the
application or require more resources.
 Can make debugging difficult: Obfuscated code can be harder to debug and
maintain.
Privilege escalation is often a top aim for cybercriminals as they traverse the attack chain to
exploit your IT crown jewels. It lets them achieve critical steps in the attack chain, like
maintaining persistence and moving laterally within an environment. Once they’ve initially
compromised a host, they will seek to acquire higher privileges to gain access to valuable
assets and create other mischief or damage.

This blog post explains why privilege escalation is a significant challenge for today’s
businesses. We also present five common techniques, along with brief examples of each. And
we offer a real-world example to underscore how bad actors use privilege escalation as a key
intermediary step to carry out attacks.

Understanding privilege escalation

In cybersecurity, privilege escalation is the process by which an attacker gains access or

permissions on a system that is at a higher level of privilege than what they had at the time of
the initial compromise.

Attackers look to escalate privileges in one of two ways. They either do this horizontally or
vertically.

Horizontal example

This approach involves an attacker moving laterally within a network by compromising

accounts at the same privilege level. As they move across the network, they can discover
more targets and find more valuable data or systems.

Here’s an example of how a horizontal privilege escalation attack might unfold:

 An attacker uses stolen credentials to access a host with regular privileges within a
company’s network.
 The attacker identifies a file server within the network that has sensitive data.
Multiple users can access it, but they can only read and write files.
 The attacker takes advantage of this shared access. They modify files within the
shared file system, injecting malicious code or replacing critical configuration files.

This activity may go unnoticed for a time because legitimate users regularly modify files on
the shared file server. As other users interact with the compromised files, the attacker can
increase the number of compromised accounts and hosts, collect sensitive data and prepare to
launch a more widescale attack.

Vertical example

In this approach, attackers exploit identity vulnerabilities within a system or application to

escalate their privileges from a basic user account to a privileged user. They might use social
engineering tactics like phishing at first to trick users into handing over their login
credentials.
Here is how a vertical privilege escalation attack might play out:

 An attacker uses a compromised user account to gain access to a targeted system.

 They identify a known vulnerability in an application or service that is running on the
system.
 The attacker creates and deploys an exploit to take advantage of this vulnerability. In
this case, they take advantage of a flaw in the code that allows a user to escalate
privileges without being authorized.
 The attacker can now change their privileges to a higher level, like system admin.

Now that they have a lot of control over the system, the attacker can carry out a range of
malicious actions. For example, they might change system configurations or steal data.

Why it is important to prevent privilege escalation attacks

The examples above make it clear that privilege escalation-enabled attacks can have a
significant impact on businesses. To underscore the risk further, here are several other
reasons these attacks are a cause for concern:

 Unauthorized access to and exposure of sensitive data

 Compromised user accounts and user identities
 Manipulated systems and configurations
 Disrupted business operations
 Data tampering and manipulation, such as with ransomware
 Legal and regulatory repercussions
 Reputational damage

5 Common privilege escalation attack techniques and examples

Now that you understand the two main categories of privilege escalation and why you must
be vigilant in defending against these techniques, let’s look at five tactics that bad actors
might use in such an attack.

1. Credential exploitation

With this approach, a bad actor takes advantage of a weak password or steals the credentials
of a known IT administrator. This allows them to perform malicious actions under the guise
of being a privileged user right at the point of the initial compromise.

One way attackers can gain access to credentials, in addition to social engineering, is
through brute-force attacks. Examples include:

 Credential stuffing. Attackers add pairs of compromised usernames and passwords

of likely privileged users to botnets that automate the process of trying to use those
stolen credentials.
 Password spraying. A bad actor attempts to gain unauthorized access to privileged
user accounts by systematically trying commonly used passwords against a list of
usernames.

2. Kernel exploits
Kernel exploits target vulnerabilities in a computer that are at the core of its operating system.
An attacker might discover a kernel vulnerability that allows them to execute code in kernel
mode that could allow them to gain higher privileges—and control over the entire system.

3. Exploitation of vulnerable software

Attackers can exploit vulnerabilities in software to gain unauthorized access. For example, a
malicious insider with low-level access privileges could take advantage of an unpatched
buffer overflow vulnerability on a hypervisor used to run virtual machines to gain root
privileges without authentication.

4. Abuse of weak service configurations

Weak configurations in services can be exploited in a privilege escalation attack, as well. For
example, when a database service is misconfigured, attackers might be able to execute
arbitrary code. If they do this, they could upload malicious software to gain elevated
privileges to that database.

5. Use of Mimikatz

Mimikatz is a widely used tool that automates the retrieval of credentials from endpoints that
are running Windows. As such, it is a highly effective tool for escalating privileges within a
compromised system. Here’s how:

 Credential dumping. It can extract plaintext passwords, hashes and Kerberos tickets
from memory—even if those systems are protected by the Windows Local Security
Authority.
 Pass-the-hash attacks. It can use stolen hashed passwords to authenticate and elevate
privileges without needing the actual underlying plaintext password from the hash.
 Golden ticket attack. It can create forged golden tickets (Kerberos tickets) that grant
access to a Windows domain, avoiding the normal authentication processes.

Example of threat actors that use privilege escalation attack methods

A cybercriminal group known as Scattered Spider is the focus of our real-world example. The
group is known to target large companies and their IT help desks with extortion and other
malicious activities.

In November 2023, the FBI and the Cybersecurity and Infrastructure Security Agency
(CISA) released a joint Cybersecurity Advisory (CSA) about Scattered Spider. The CSA
explained that the group has been focusing its attacks on sectors and subsectors of the
commercial facilities industry. It also noted that it expertly uses social engineering and an
array of techniques to obtain credentials, install remote access tools and bypass multifactor
authentication (MFA).

The FBI and CISA reported that Scattered Spider threat actors have posed as company IT
and/or help desk staff. They use phone calls or SMS messages to obtain credentials from
employees and gain access to networks. Or they direct employees to run commercial remote
access tools to enable initial access.
Other actions by Scattered Spider include:

 Posing as IT staff to convince employees to share one-time passwords (OTPs)

 Conducting MFA fatigue attacks that drive employees to press the “Accept” button
to stop being annoyed by requests.
 Monetizing access to victim networks, including extortion enabled by data theft

The FBI observed that Scattered Spider threat actors use legitimate and publicly available
tools once they gain access to networks, including Mimikatz. Methods they use to achieve
persistence and privilege escalation include:

 Registering their own MFA tokens after they compromise a user’s account
 Adding a federated identity provider to a victim’s single sign-on tenant and activating
automatic account linking so that they can sign into any account
 Using endpoint detection and response (EDR) tools installed on the victim networks
to take advantage of remote-shell capabilities and execute commands that enable
privilege escalation
 Deploy remote monitoring and management (RMM) tools to maintain persistence

To learn more about Scattered Spider’s attack methods, read the full CSA notice.

Tips to prevent privilege escalation techniques and attacks

The following strategies and best practices can help you reduce the risk of privilege
escalation. Note that this is not a comprehensive list. There are many other ways to shore up
your company’s defenses.

 Use MFA. While it’s not a surefire defense, MFA makes password cracking much
harder for attackers. Even if an attacker figures out a user’s password, they won’t
have access to the secondary authentication method, in most cases. MFA bypass
attacks are a concern. But targeted security awareness training for users can help
reduce the success of those attempts.
 Implement privileged access management (PAM). PAM is a security solution that
focuses on the authorization, monitoring and management of privileged accounts. By
using PAM, you make sure only authorized individuals can access privileged accounts
linked to your critical systems, data and resources.
 Follow the principle of least privilege (PoLP). Make sure that your users,
applications and systems only have access to the resources they need for their specific
roles. This is the idea behind the PoLP concept, and it can greatly reduce the potential
impact of a compromise.
 Update and patch systems regularly. Always keep your operating systems and apps
up to date with the latest security patches. When you take a proactive approach to
addressing known vulnerabilities, you can strengthen your security posture.
 Check your settings. Make sure that you have properly set the right system
configurations, permissions and access controls. To make sure nothing slips through
the cracks, you should also conduct regular access reviews.
 Encrypt sensitive data. When you encrypt sensitive data that is at rest and in motion,
it helps to fortify your security. If an attacker gains unauthorized access to your
network, systems or apps, they won’t be able to view the data without the proper
decryption keys.
 Monitor user activities. Keep an eye out for suspicious activities like sudden
changes in user behavior patterns or unusual system administrator activities.