Initial access in 2023: How are threat actors getting in?

by Black Hat Middle East and Africa

Does everyone in your team know what a drive-by download attack is?

At Black Hat MEA 2022, Ciaran Luttrell (Senior Director of SOC Operations, EMEA) talked us through how threat actors are gaining initial access to his customers’ networks this year.

Most organisations are – hopefully – running security awareness training for their team members. But with threat activity shifting all the time, how do you know what that training should include?

Here are two initial access vectors that every company should be aware of right now.

1. Remote access services

Increasingly, Luttrell is seeing threat actors use remote access services (software that lets employees reach the corporate network from anywhere) as their entry point into an organisation. The typical pattern is a credential replay attack: the attacker obtains a victim's valid credentials and simply reuses them to authenticate to the remote access service as that user.

He described an attack that had happened to a customer very recently: the threat actor gained access to a user's machine through a remote access tool that had not been configured correctly on the network.

“So a threat actor was able to gain access using a default shared secret; they were able to get an initial foothold in the network; and from there they started downloading a second-stage payload.”

With Luttrell’s team on their side, that particular customer was OK. When the download started the threat was detected and contained.

“We then obviously had to work with the customer to go through their incident handling process with them,” he said. And crucially, “it took a bit of convincing to get them to understand what had happened through this network support tool. We asked for their permission to prove our theory to them – one of our researchers was able to use that software to gain access themselves, take a screenshot of that user’s PC, and share it with the customer as proof that this was the initial attack vector.”

The customer took that proof on board and disabled the tool from their network.

But the difficulty in making them understand what had happened points to a wider lack of understanding about remote access services as initial entry points for threat actors.

And this is even more complex because remote access services take a wide variety of forms, from VPN services used by third-party contractors to publicly facing servers that cybercriminals can brute-force: "That kind of stuff still goes on in order to get an initial foothold into a network," Luttrell said.
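The two abuses described above, brute-forcing an exposed service and replaying a stolen or default credential, leave traces in the service's authentication log. The following is an added example (not code from the talk or from any product) of the checks a SOC would run over such a log: a burst of failures from one source, a success that immediately follows failures, a logon from a source the user has never used, a shared or vendor-default account logging in at all, and the same user active from two sources at once. The log format, the thresholds, the baseline and the account names are all constructed for illustration.

```python
"""Detection heuristics for brute force and credential replay against an
internet-facing remote access service, run over constructed sample log lines.
Added example; the log format, thresholds and baseline are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in a hypothetical "<ts> <user> <src_ip> <OK|FAIL>"
# format; a real VPN or remote-support tool log needs its own parser.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z alice 203.0.113.7 FAIL
2023-03-01T08:00:03Z alice 203.0.113.7 FAIL
2023-03-01T08:00:05Z alice 203.0.113.7 FAIL
2023-03-01T08:00:07Z alice 203.0.113.7 FAIL
2023-03-01T08:00:09Z alice 203.0.113.7 FAIL
2023-03-01T08:00:11Z alice 203.0.113.7 OK
2023-03-01T09:15:00Z bob 198.51.100.20 OK
2023-03-01T09:16:30Z bob 192.0.2.44 OK
2023-03-01T10:00:00Z carol 198.51.100.21 OK
2023-03-01T11:00:00Z support 203.0.113.9 OK
"""

# Constructed baseline: source IPs each user logged in from over the last 30 days.
BASELINE = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.20"},
    "carol": {"198.51.100.21"},
}

# Vendor-default or shared support accounts (constructed names) whose logons
# should always be reviewed; a default shared secret is exactly what the talk
# describes being abused.
SHARED_ACCOUNTS = {"support", "admin"}


def parse_log(text):
    """Return (timestamp, user, src_ip, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, src, result == "OK"))
    return sorted(events)


def detect(events, baseline=BASELINE, shared=SHARED_ACCOUNTS,
           fail_threshold=5, fail_window=timedelta(minutes=10),
           replay_window=timedelta(minutes=30)):
    """Return a list of (kind, user, src_ip, timestamp) alerts."""
    alerts = []
    recent_fails = defaultdict(list)   # src_ip -> failure timestamps in window
    successes = defaultdict(list)      # user   -> (timestamp, src_ip)
    for ts, user, src, ok in events:
        # Drop failures that fell out of the sliding window for this source.
        recent_fails[src] = [t for t in recent_fails[src] if ts - t <= fail_window]
        if not ok:
            recent_fails[src].append(ts)
            if len(recent_fails[src]) == fail_threshold:   # fire once per burst
                alerts.append(("brute_force", user, src, ts))
            continue
        # A success from a source that has just been failing looks like a
        # guessed or replayed credential rather than a user mistyping a password.
        if recent_fails[src]:
            alerts.append(("success_after_failures", user, src, ts))
        if src not in baseline.get(user, set()):
            alerts.append(("new_source", user, src, ts))
        if user in shared:
            alerts.append(("shared_account_logon", user, src, ts))
        # Same user active from two different sources within the replay window:
        # the legitimate user and an attacker holding a copy of the credential.
        if any(src != s and ts - t <= replay_window for t, s in successes[user]):
            alerts.append(("concurrent_sources", user, src, ts))
        successes[user].append((ts, src))
    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind:24} user={user} src={src}")
```

None of these rules is conclusive on its own; a contractor on a new connection trips "new_source" legitimately. The value is in the combination: a success from a source that was failing seconds earlier, from an address the user has never used, is the pattern to page on, and a logon by a shared default account should not happen at all once that secret has been rotated.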

2. Drive-by attacks

The second initial access point that Luttrell is seeing used by an increasing number of cybercriminals comes in the form of drive-by attacks.

A victim, a user in an organisation, is browsing the web, searching for something relating to their role. The threat actors have created a fake landing page and, through SEO poisoning, have manipulated Google search results so that it ranks highly.

So when a user is searching for something like a purchase order template, for example, they might come across that fake landing page, which appears high in search results because the threat actor has used SEO keyword generators and meta-information to make the page appear high-value to the search engine.

When the user clicks through to the page, it looks legitimate. But the file they came for is the malware: when they download and run it, it installs on their machine under their user account.

Users are much more likely to open a malware-laced download from a webpage they searched for themselves than a download in a phishing email that arrives in their inbox, because there is far less awareness of this type of attack.

But as Luttrell cautioned, “We’re seeing more and more of this.”

And drive-by attacks move fast: it can take as little as 20 minutes after a victim clicks on a download before the payload has been delivered, and ‘hands on keyboard’ criminal activity is underway.
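Because the time from click to hands-on-keyboard can be that short, the download itself is the moment to catch. The chain described above (search engine results page, then a landing page on an unfamiliar domain, then an archive or executable from that domain, typically with a lure-style file name such as a purchase order template) is visible in web proxy logs. The following is an added example, not code from the talk or from any product, of a heuristic that flags downloads reached via a search engine from domains not on an allowlist. The log format, the domain allowlist, the lure words and the sample traffic are constructed assumptions.

```python
"""Heuristic detector for SEO-poisoning drive-by downloads, run over constructed
sample web proxy log lines. Added example; the log format, allowlist, lure words
and scoring are assumptions, not the speaker's or any product's logic."""
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}
DOWNLOAD_EXT = (".zip", ".exe", ".msi", ".iso", ".js", ".vbs", ".lnk", ".rar", ".7z")
DOWNLOAD_TYPES = {"application/zip", "application/x-msdownload",
                  "application/octet-stream", "application/x-iso9660-image"}
LURE_WORDS = ("template", "invoice", "form", "agreement", "contract", "purchase", "order")
# Constructed allowlist of domains that legitimately serve these file types.
KNOWN_GOOD = {"www.microsoft.com", "download.mozilla.org", "intranet.example.com"}

# Constructed proxy log: <ts> <host> <method> <url> <status> <content-type> <referer|->
SAMPLE_LOG = """\
2023-03-01T14:02:10Z ws-17 GET https://www.google.com/search?q=purchase+order+template 200 text/html -
2023-03-01T14:02:31Z ws-17 GET https://po-templates-free.example/download.php 200 text/html https://www.google.com/search?q=purchase+order+template
2023-03-01T14:02:40Z ws-17 GET https://po-templates-free.example/files/Purchase_Order_Template.zip 200 application/zip https://po-templates-free.example/download.php
2023-03-01T14:05:00Z ws-22 GET https://download.mozilla.org/firefox.exe 200 application/x-msdownload https://www.google.com/search?q=firefox
2023-03-01T14:06:00Z ws-09 GET https://intranet.example.com/forms/Travel_Form.zip 200 application/zip https://intranet.example.com/forms/
2023-03-01T14:07:00Z ws-31 GET https://docs.example.net/help.html 200 text/html https://www.bing.com/search?q=help
2023-03-01T14:08:00Z ws-05 GET https://invoice-tools.example/Invoice_Form.msi 200 application/x-msdownload https://www.bing.com/search?q=invoice+form
2023-03-01T14:09:00Z ws-40 GET https://files.partner-example.org/Report.zip 200 application/zip https://mail.example.com/
"""


def parse_log(text):
    """Parse the constructed format into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url, status, ctype, referer = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "method": method, "url": url,
                       "status": int(status), "ctype": ctype,
                       "referer": None if referer == "-" else referer})
    return sorted(events, key=lambda e: e["ts"])


def is_download(ev):
    path = urlparse(ev["url"]).path.lower()
    return ev["status"] == 200 and (path.endswith(DOWNLOAD_EXT) or ev["ctype"] in DOWNLOAD_TYPES)


def from_search_engine(referer):
    return referer is not None and urlparse(referer).netloc in SEARCH_ENGINES


def detect(events, known_good=KNOWN_GOOD, window=timedelta(minutes=10)):
    """Return (host, url, reasons) for downloads that look like SEO-poisoned lures."""
    alerts = []
    landings = {}  # host -> (ts, domain, search query) of last search-referred page view
    for ev in events:
        domain = urlparse(ev["url"]).netloc
        if from_search_engine(ev["referer"]):
            query = parse_qs(urlparse(ev["referer"]).query).get("q", [""])[0]
            landings[ev["host"]] = (ev["ts"], domain, query)
        if not is_download(ev) or domain in known_good:
            continue
        reasons = []
        if from_search_engine(ev["referer"]):
            reasons.append("download served directly from a search result")
        else:
            # Download from the same domain as a page this host reached via a
            # search engine a few minutes earlier: the landing-page chain.
            landing = landings.get(ev["host"])
            if landing and landing[1] == domain and ev["ts"] - landing[0] <= window:
                reasons.append(f"download from page reached via search for {landing[2]!r}")
        if not reasons:
            continue
        fname = urlparse(ev["url"]).path.rsplit("/", 1)[-1].lower()
        if any(w in fname for w in LURE_WORDS):
            reasons.append(f"lure-style file name {fname!r}")
        alerts.append((ev["host"], ev["url"], reasons))
    return alerts


if __name__ == "__main__":
    for host, url, reasons in detect(parse_log(SAMPLE_LOG)):
        print(host, url, "; ".join(reasons))
```

On the constructed traffic this flags the purchase order template zip on ws-17 (reached through a search-referred landing page, lure-style name) and the invoice installer on ws-05 (served straight from a results page), while leaving the Firefox download, the intranet form and the partner file alone. Real deployments would add domain age or reputation in place of a static allowlist, and feed the alert into the same response path as a phishing report, since from this point the attacker may have minutes, not hours.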

So what can be done?

Teach the humans. Just like in an email phishing attack, if a user doesn’t know about these forms of initial access, or have the knowledge to recognise red flags, they’re far more likely to become a victim.

Organisations need to implement multi-factor authentication for their remote access services, so that a replayed password or a leaked shared secret alone is not enough to get in. And everyone in an organisation needs to know about drive-by attacks.
