Cyber incursions are becoming more sophisticated as attackers are now able to bury command and control (C&C) servers inside the networks they compromised – and they will then maintain the system, including applying patches.
It is all about covertly placing botnets on systems to launch advanced persistent threats (APTs) and then staying out of sight while stealing vital data, according to a report from Trend Micro.
There are dozens of incidents were these tactics come in play, Trend Micro officials said. In many cases, the servers used for C&C ended up compromised in previous attacks and hackers were able to maintain access, said Tom Kellermann, vice president of cybersecurity at Trend Micro. The technique helps attackers to stay stealthy as they exfiltrate data, as very little C&C traffic is leaving the network.
As it turns out, hackers can configure the internal C&C server to connect back to the attacker once per day, using standard Web traffic.
Any machine can become the C&C. The tactic adds two more steps to forensic investigation, as now investigators must conduct a penetration test from inside out in order and identify the service when a syscall proxy embeds in the memory space.
Attackers conducting these attacks also apply software patches to the compromised systems in an effort to ensure other attackers stay out and the systems do not get red-flagged. So the attackers help maintain the system they are attacking.
With this growing level of sophistication from attackers, it means organizations need to understand hackers are going to get in. Knowing that, organizations need to plan their defenses around minimizing the damage that can occur if a compromise occurs.