Cyber criminals are adapting low-tech attack vectors to get past security defenses because these methods often evade detection until it's too late. USB-based attacks, QR codes in phishing emails, and social engineering polished with the help of generative AI are examples of relatively low-tech tactics being used to launch significant attacks.
This has been confirmed in the latest Verizon Data Breach Investigations Report (DBIR), which found tried-and-true attack tactics continue to be successful, underscoring the fact that organizations must remain vigilant against well-worn methods, even as the threats posed by generative AI shake things up.
USB-driven attacks on the rise
USB-based attacks, in which a physical USB drive is loaded with malicious payloads to infiltrate a company’s systems and networks upon connection, have garnered renewed interest of late. The attack vector most frequently relies on social engineering to get corporate end-users to plug infected drives into their company desktops and laptops. In recent years, bad actors have created fake company-branded drives, sent devices as part of fake promotions impersonating retail brands, and even resorted to sending toys like teddy bears with inbuilt USB drives as fake prizes or loyalty gifts.
Nation-state threat actors are also deploying USB-loaded infections to attack infrastructure, Check Point noted earlier this year.
The Raspberry Robin worm, which spreads through infected USB drives, is a widely seen example of this kind of attack and has been used in successful infections. As Mandiant noted last year, malware-loaded USB attacks continue to be a useful vector for gaining initial access into organizations.
“With such a focus on new technologies like generative AI, or high-profile threats like state-affiliated advanced persistent threats, it’s easy to lose sight of the basics,” says Nick Hyatt, director of threat intelligence at Blackpoint Cyber.
Hyatt’s team recently identified a rogue USB drive used to install the Raspberry Robin malware, which acts as a launchpad for subsequent attacks and gives bad actors the ability to fulfil the three key elements of a successful attack: establish a presence, maintain access and enable lateral movement. “Because it has a loader capability, it can be set to download a Cobalt Strike beacon to establish that persistence that enables attackers to get initial access and start building that into an environment,” Hyatt tells CSO.
Beyond USB drives, he sees a similar low-tech threat in malvertising, or malicious ads, which can be deployed at scale. A browser without an ad blocker leaves users exposed to what look like ordinary ads or sponsored banners but are actually malicious and can deliver malware to their devices.
The challenge with these kinds of attacks is identifying the malicious activity during the exploitation phase, while it is happening. “Post-exploit, there are far more opportunities to identify malicious activity,” he says.
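One practical way to catch the exploitation phase Hyatt describes is to correlate removable-media arrival with what executes from that media shortly afterwards. The following is an added example, not code from the article or from Blackpoint Cyber: it runs over a handful of constructed endpoint events (the field names are an assumption, not any product's schema) and raises an alert when, within a short window of a mass-storage device appearing on a host, a process starts either directly from the new drive or from a script interpreter whose command line references the drive. The interpreter list and the ten-minute window are tuning choices, not figures from the text.

```python
"""Correlate USB mass-storage arrival with process launches from that media.

Added example (not from the article). Event records below are constructed
and their field names are an assumption, not any vendor's log schema.
"""
from datetime import datetime, timedelta

# Script interpreters and LOLBins commonly used to run a payload from removable
# media. Assumption: this list is a starting point, not an exhaustive catalogue.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "msiexec.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry: one host where a drive is plugged in and then
# used to launch code, and one host where the drive is used benignly.
EVENTS = [
    {"ts": "2024-05-01T09:00:02", "host": "WS-0142", "type": "usb_device_added",
     "class": "mass_storage", "mount": "E:\\"},
    {"ts": "2024-05-01T09:00:41", "host": "WS-0142", "type": "process_start",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c start E:\\Recovery\\README.cmd", "parent": "explorer.exe"},
    {"ts": "2024-05-01T09:02:10", "host": "WS-0142", "type": "process_start",
     "image": "E:\\Photos\\Photos.exe", "cmdline": "E:\\Photos\\Photos.exe",
     "parent": "explorer.exe"},
    {"ts": "2024-05-01T10:15:00", "host": "WS-0207", "type": "usb_device_added",
     "class": "mass_storage", "mount": "D:\\"},
    {"ts": "2024-05-01T10:16:10", "host": "WS-0207", "type": "process_start",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "cmdline": "\"EXCEL.EXE\" D:\\Q2\\forecast.xlsx", "parent": "explorer.exe"},
    {"ts": "2024-05-01T10:40:00", "host": "WS-0207", "type": "process_start",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c D:\\tools\\run.bat", "parent": "explorer.exe"},
]


def correlate(events, window=timedelta(minutes=10)):
    """Return alerts for process starts tied to a recently attached USB drive.

    Events are processed in timestamp order. For each host, every mass-storage
    arrival is remembered; a later process_start on the same host is flagged
    when it falls inside `window` and either runs from the mounted drive or is
    an interpreter whose command line references that drive.
    """
    arrivals = {}  # host -> list of (arrival_time, mount_path)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "usb_device_added" and ev.get("class") == "mass_storage":
            arrivals.setdefault(ev["host"], []).append((ts, ev["mount"]))
            continue
        if ev["type"] != "process_start":
            continue
        image = ev["image"]
        cmdline = ev.get("cmdline", "")
        basename = image.rsplit("\\", 1)[-1].lower()
        for arrival_ts, mount in arrivals.get(ev["host"], []):
            age = ts - arrival_ts
            if not (timedelta(0) <= age <= window):
                continue  # outside the window; reduces noise from long-lived drives
            mount_l = mount.lower()
            runs_from_media = image.lower().startswith(mount_l)
            interpreter_ref = basename in INTERPRETERS and mount_l in cmdline.lower()
            if runs_from_media or interpreter_ref:
                alerts.append({
                    "host": ev["host"],
                    "mount": mount,
                    "seconds_after_insert": int(age.total_seconds()),
                    "image": image,
                    "cmdline": cmdline,
                    "reason": "runs from removable media" if runs_from_media
                              else "interpreter launched content on removable media",
                })
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['host']} +{a['seconds_after_insert']}s {a['reason']}: {a['cmdline']}")
```

On the constructed sample this produces two alerts, both on WS-0142: the cmd.exe launch that starts a script from E:\ and the executable run directly from the drive. The Excel open on WS-0207 is left alone because a document viewer is not an interpreter, and the later cmd.exe launch falls outside the window; whether that second case should still fire is a tuning decision for the environment, and the window is the knob.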
Hyatt sees a risk of organizations placing too much focus on new and innovative attacks and overlooking less sophisticated methods. “By focusing on security hygiene rather than chasing the latest fad, they can be better positioned to prevent low-tech attacks that are often more effective.”
QR codes ripe for exploiting
QR code-based attacks are one area that needs more attention because they exploit a human element that isn’t necessarily trained to be wary of them, according to Deral Heiland, principal security researcher IoT at Rapid7.
QR codes re-emerged with Covid-19 and are now commonly used in many settings, such as freight, sharing Wi-Fi details, authenticating online accounts and transferring payment information, which makes them ripe for exploitation.
Attacks via QR code phishing, also called quishing, are on the rise according to industry reports, with scammers sending well-constructed phishing emails or placing malicious QR codes in public spaces and counting on people scanning them in the belief that they are safe.
Even commonplace tasks such as scanning the QR code generated to configure the Microsoft Authenticator app used for two-factor authentication with Office 365 are open to exploitation, because they normalize QR codes as a secure mechanism in the minds of users, Heiland says. “People have been trained not to click on links, but not when it comes to using QR codes for authentication,” Heiland tells CSO.
The danger with a QR code is that it can encode a link or URI that, once scanned, launches almost any application on the device, downloads a file, or opens a browser and goes to a website, and the user has no way of reading what it will do before scanning it.
They also often move people onto mobile devices, which usually lack the protections of a managed desktop, enabling bad actors who deploy malicious QR codes to steal sensitive data. This can pave the way for all sorts of attacks, yet QR codes don’t tend to set off the same alarm bells as email links. “By themselves, the patching processes or the security environment may be less important because it’s still possible to trick people with QR codes, even if they’re well trained not to click on links in emails,” says Heiland.
What’s even more worrying for security leaders is the prevalence of QR code attacks aimed at the C-suite, with executives 42 times more likely to be on the receiving end of a malicious quishing attack, according to data from Abnormal’s latest email threat report. “We need to train people with QR codes not to click on anything, check the links and other text for misspelt words and use the phone settings to prevent it launching apps, a browser or anything,” Heiland adds.
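Heiland’s advice to check the links and stop the phone from launching apps can be applied on the defender’s side as well, by triaging the decoded content of a QR code before anyone scans it (email gateways that extract QR codes from images, or a helpdesk tool that users forward suspicious codes to). The following is an added example, not Rapid7’s or the article’s code: it takes the already-decoded string from a QR scanner and classifies it. The scheme list treated as "launches another app", the shortener list and the allow-list of expected hosts are all assumptions for illustration, and the verdict thresholds are a policy choice.

```python
"""Triage a decoded QR code payload before it is scanned on a phone.

Added example, not from the article. The input is the text a QR decoder
returns; everything flagged as risky below is an illustrative policy choice.
"""
from urllib.parse import urlsplit
import ipaddress

# URI schemes a phone's scanner app typically hands straight to another app
# (phone dialler, SMS, Wi-Fi join, authenticator enrolment, Android intents).
# Assumption: a "block" policy for these, per the advice in the text.
APP_SCHEMES = {
    "tel", "sms", "smsto", "mailto", "wifi", "otpauth", "intent", "market",
    "geo", "file", "javascript", "data",
}

# Constructed list of link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}


def triage_qr_payload(payload, expected_hosts=()):
    """Return (verdict, reasons) where verdict is 'allow', 'review' or 'block'.

    expected_hosts is an optional tuple of domains the organisation legitimately
    encodes in its own QR codes (subdomains of these are accepted too).
    """
    reasons = []
    text = payload.strip()
    scheme, sep, _ = text.partition(":")
    if not sep:
        # No scheme at all: plain text such as an asset tag; nothing to launch.
        return "allow", ["plain text, no URI scheme"]
    scheme = scheme.lower()
    if scheme in APP_SCHEMES:
        return "block", [f"non-web scheme '{scheme}:' can launch another app"]
    if scheme not in ("http", "https"):
        return "review", [f"unrecognised scheme '{scheme}:'"]

    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    if scheme == "http":
        reasons.append("unencrypted http")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a hostname")
    except ValueError:
        pass  # not an IP address, which is the normal case
    if "xn--" in host:
        reasons.append("punycode (IDN) hostname, possible homograph")
    if host in SHORTENERS:
        reasons.append("URL shortener hides the final destination")
    if parts.username or parts.password:
        # https://trusted.example@evil.example/ renders as "trusted.example" to a casual reader
        reasons.append("userinfo before the host (user@host trick)")
    if expected_hosts and not (
        host in expected_hosts or any(host.endswith("." + h) for h in expected_hosts)
    ):
        reasons.append(f"host '{host}' not in the expected-host list")
    if len(text) > 500:
        reasons.append("unusually long URL")

    if reasons:
        return "review", reasons
    return "allow", ["https URL on an expected host"]


if __name__ == "__main__":
    samples = [  # constructed inputs
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "http://192.168.1.10/login",
        "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example",
        "https://bit.ly/3xyzabc",
        "https://login.microsoftonline.com@evil.example/",
        "ASSET-00417",
    ]
    for s in samples:
        verdict, why = triage_qr_payload(s, expected_hosts=("microsoftonline.com",))
        print(f"{verdict:6} {s}  <- {'; '.join(why)}")
```

The check is deliberately conservative: anything that is not a plain https link to a host the organisation expects goes to review, and anything that would hand control to another app on the phone is blocked outright. The userinfo case is worth calling out because the visible part of such a URL can be made to look exactly like the expected login domain.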
Supercharging social engineering with AI
Human error continues to be a major component of incidents and comes up again and again in incident analysis reports. It’s one reason low-tech, low-barrier attacks remain a persistent danger — they target the human element, which can’t just be managed with technical controls alone.
It also explains why fake help desk phone calls, a form of social engineering, featured in major incidents including the GoDaddy and MGM Resorts breaches. With a bit of creativity and some generative AI tools, cyber criminals can get around protections like two-factor authentication and persuade staff to share credentials or reset passwords, opening the way in for attackers.
In the MGM attack, which came with a hefty $100-million price tag, a well-researched phone call to the help desk gained the attackers access by tricking a staff member into resetting a user’s multifactor authentication. The attackers used stolen usernames and passwords, backed by supporting information collected from a high-value user’s LinkedIn profile, and were able to steal customer information and disrupt many of the company’s business operations.
“Cyber criminals can get quite far with very little technical know-how and we need to continue raising awareness about the low sophistication classic attacks that continue to work,” says Maria-Kristina Hayden, CEO and founder of Outfoxm, who specializes in cyber hygiene.
Whether it’s ‘classic’ social engineering such as walking into a building to gain physical access to a network, mailing a letter impersonating a charity fundraiser, making phone calls about fake issues or digital social engineering, the ability to manipulate someone into providing information or access is still a viable one.
Hayden says criminals are now going further and targeting people at home in a bid to use personal information to gain access to corporate accounts and networks. Once typically reserved for executives and those in leadership positions with access to sensitive business information, this threat is spreading as criminals look to strengthen their social engineering tactics and scripts to counter employee education campaigns.
“Generally, all the boats are rising in terms of security awareness across organizations and most people are becoming more skeptical in the workplace, but at home, they’re less skeptical and less on guard,” she tells CSO. Criminals are taking advantage of this and targeting Gmail and Facebook accounts with the hopes of ultimately gaining access to organizations, she says.
As the MGM example showed, social media sites including Facebook and LinkedIn are a treasure trove of personal information. What makes these sites so valuable is the ability for criminals to establish links from one person to another, helping them build a rich picture of family, friends, interests and workplace that can be harvested for well-constructed social engineering attacks.
It’s not just executives who are in their sights. There are a whole range of roles cybercriminals are going after, such as software developers, HR staff, technology support staff, payments and finance, executive assistants, and client-facing staff because they have access to networks and systems attractive to cyber criminals. “It’s not just people at senior levels or in critical positions, we should also be providing those employees with resources to better protect themselves and help raise awareness,” she says.
Cyber criminals are also harnessing generative AI tools that can improve the language, style and design of social engineering and phishing campaigns and, as a result, they’re becoming more realistic and harder for people to identify.
By polishing their approach with better links, improving spelling and grammar, and incorporating other tactics like QR codes, these attacks draw far fewer red flags to people and systems trained to look out for classic tell-tale signs. “These social engineering tactics continue to be successful because attackers are persistent and getting creative with the help of AI, so they’re more persuasive than ever,” Hayden says.