Cybersecurity Advisory – China Using “Living off the Land” Attacks to Avoid Detection
The FBI, NSA, CISA, Australia, Canada, New Zealand and the UK (AKA the US and the Five-Eyes Countries) issued a joint advisory on Chinese cyber tactics in light of the Guam critical infrastructure attack.
Living off the Land means an attack that uses existing, already installed, vendor-signed software to launch an attack and maintain its presence. These attacks have a much lower profile, since there is no foreign software on the system to detect and fewer unusual activities that should not be happening.
In particular, some of the tools that China is using in this recent attack include:
- WMIC – a Windows management tool
- NTDSUtil – a Windows Active Directory management tool
- Netsh – a Windows network admin tool
- PowerShell – everyone’s favorite Windows Swiss Army knife tool
Since this software already exists on the system, there is nothing to install, and since it is being used (or abused) in the way it already works, there is nothing to modify; hence it is very hard to detect.
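Because the binaries themselves are legitimate, detection has to rest on who runs them, where, and from what parent process rather than on a signature. The following is an added example (not part of the advisory or this post) that applies that idea to the four tools named above: it builds a baseline of (host, user, binary) triples from a known-good window of constructed process-creation records, then flags new uses that fall outside it, that are launched by an unexpected parent, or that carry an encoded PowerShell command line. The record format, the baseline contents and the ODD_PARENTS list are assumptions for illustration.

```python
# Added example, not from the advisory: baseline-driven detection for the
# living-off-the-land binaries named above, run over constructed Windows
# process-creation records. Baseline contents and ODD_PARENTS are assumptions.
import re

LOLBINS = {"wmic.exe", "ntdsutil.exe", "netsh.exe", "powershell.exe"}
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}  # assumed
ENCODED_PS = re.compile(r"-e(c|nc|ncodedcommand)?\s", re.I)  # -e/-ec/-enc/-EncodedCommand

def parse_event(line: str) -> dict:
    """Parse one key="value" record; image paths become lowercase basenames."""
    f = dict(re.findall(r'(\w+)="([^"]*)"', line))
    base = lambda p: p.lower().rsplit("\\", 1)[-1]
    return {"host": f["host"].lower(), "user": f["user"].lower(),
            "parent": base(f["parent"]), "image": base(f["image"]),
            "cmdline": f["cmdline"]}

def build_baseline(lines: list[str]) -> set[tuple[str, str, str]]:
    """(host, user, binary) triples observed during a known-good period."""
    return {(e["host"], e["user"], e["image"])
            for e in map(parse_event, lines) if e["image"] in LOLBINS}

def lotl_findings(line: str, baseline: set[tuple[str, str, str]]) -> list[str]:
    """Reasons an event deserves triage; empty means none. The binaries are
    legitimate, so the signal is who runs them, where, and from what parent."""
    e = parse_event(line)
    if e["image"] not in LOLBINS:
        return []
    reasons = []
    if (e["host"], e["user"], e["image"]) not in baseline:
        reasons.append(f'{e["image"]} run by {e["user"]} on {e["host"]}: not in baseline')
    if e["parent"] in ODD_PARENTS:
        reasons.append(f'{e["image"]} launched by {e["parent"]}')
    if e["image"] == "powershell.exe" and ENCODED_PS.search(e["cmdline"]):
        reasons.append("encoded PowerShell command line")
    return reasons

# Constructed sample data: a known-good window, then new activity to triage.
BASELINE_LOG = [
    'host="DC01" user="CORP\\svc_backup" parent="C:\\Windows\\System32\\cmd.exe" image="C:\\Windows\\System32\\ntdsutil.exe" cmdline="ntdsutil.exe"',
]
NEW_LOG = [
    'host="DC01" user="CORP\\svc_backup" parent="C:\\Windows\\System32\\cmd.exe" image="C:\\Windows\\System32\\ntdsutil.exe" cmdline="ntdsutil.exe"',
    'host="WS-ALICE" user="CORP\\alice" parent="C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE" image="C:\\Windows\\System32\\ntdsutil.exe" cmdline="ntdsutil.exe"',
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for rec in NEW_LOG:
        print(lotl_findings(rec, baseline))
```

The first new record matches the baseline and produces nothing; the second is the same legitimate binary, but run by a workstation user from Outlook, which is exactly the kind of deviation the advisory says defenders must look for.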
The advisory is 24 pages long; if you need a copy, please contact us. The advisory is designed to help network defenders protect their networks.
Part of the strategy is to disguise their traffic. They do this by compromising your employees’ home networks and using those networks to attack your corporate network. That way the traffic looks “local”, does not seem out of place and is not automatically blocked.
The warning here is that your employees’ home networks are pretty easy to compromise. Since there is no monitoring or alerting software on home networks, and also since most ISPs have horrible security practices (since good practices cost money and increase tech support calls), that makes things a challenge.
Since you don’t (usually) control your employees’ (and contractors’) home networks, the only thing you can do, besides trying to educate them on the risk, is to implement a zero trust security program to help protect your own assets.
The other problem is that even if your employees have outstanding cybersecurity practices, that doesn’t mean that other companies’ employees also have great cybersecurity practices.
If you need help in this area, please contact us. Credit: FBI/CISA/NSA (contact us for a copy of the alert).