7 old attack vectors that are still used by cybercriminals

Even in the current era of digital evolution, malicious hackers continue to use attack vectors created decades ago. Research shows notable periods of resurgence for methods widely considered obsolete. This indicates that, although the specifics of attacks change over time, the points of entry, infection and spread can remain the same and still lead to the most significant breaches, writes the CSO publication.

"Cybercriminals tend to revert to their 'old favorite' attack methods, especially when new vectors are blocked or become more difficult to execute due to the efforts of law enforcement and security groups," says Jack Chapman, vice president of threat intelligence at Egress.

Peter Lee, a strategic security engineer at Cato Networks, agrees, pointing out two main reasons why cybercriminals use "old" attack vectors: economics and hardened targets. "The booming exploit market sets a price for everything that attackers throw at their targets, and prices vary widely, so attackers have a strong incentive to start cheap and work upward. No need to burn your $2 million iPhone zero-day if you can compromise the same target by using an unpatched 2017 CVE on a web server. Second, the widespread improvement of cyber defenses has made it harder for cybercriminals to get to key targets, which sometimes forces them to resort to old vectors that have fallen out of the spotlight of many defenders."

Here are seven old attack vectors that cybercriminals still use, and practical tips for protecting against them.

1. Physical storage devices to infect systems and distribute malware

The earliest computer viruses were spread via floppy disks, and the use of physical storage devices to infect systems and spread malware continues to this day. This was underscored in January 2022, when the FBI issued a public warning about BadUSB, a campaign in which numerous USB drives carrying malicious software were mailed to employees of transport, defense and insurance organizations.

According to Liebenberg, attackers continue to use this attack method because it works, and because they can exploit the rise of hybrid work combined with a lack of employee training. "Organizations that use USB or removable drives for legitimate business operations should limit and, where possible, restrict the use of USB in their environment. They should also have clear policies that restrict USB reuse or the use of USB drives from home, and provide training to employees on the risks associated with connecting personal USB devices to corporate systems."

2. Macro viruses exploiting Microsoft Word and Outlook

Attackers continue to target organizations with viruses written in a macro language and hidden inside documents, an attack vector that dates back to the Melissa virus of 1999. Melissa abused Microsoft Word and Outlook: it infected computers through malicious email attachments, then mass-mailed itself to the first 50 entries in the victim's address book and disabled several security features along the way.

"Although organizations can protect themselves, and follow the guidance of bodies such as the NCSC in the UK, NIST in the US and the ACSC in Australia, it is still difficult to fully protect against macros," says Piers Wilson, head of product management at Huntsman Security. "Many vectors around macros are based on social engineering. For example, a document may appear as random characters, while the cover email says that because it is a confidential document, users need to enable macros to decode it."

Attackers can use macros for commodity cybercrime or for more sophisticated attempts at exploitation, but most of the protection comes down to educating users and installing technical controls at the gateway and on the endpoint, Wilson adds. "However, since many documents still use macros (including, ironically, vendor security questionnaires), there is always a risk that vigilance will fail and the attack will get through."
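One of the technical controls Wilson mentions is a gateway or endpoint check that refuses, quarantines or at least labels documents that carry VBA code before a user is ever asked to "enable content". The following is an added example written for this page, not code from the CSO article or any vendor quoted in it. It relies on the OOXML container format: a macro-enabled Word, Excel or PowerPoint file is a ZIP whose VBA code lives in a part named `vbaProject.bin`, declared in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`. The `build_sample` helper fabricates minimal containers for testing; they are constructed test data, not real documents.

```python
"""Flag Office Open XML documents that carry a VBA project.

Added example for this page, not from the CSO article. A .docm/.xlsm/.pptm
file is a ZIP container; the macro code lives in a part named
vbaProject.bin and is declared in [Content_Types].xml with the content
type application/vnd.ms-office.vbaProject. Checking for either is a cheap
gateway or endpoint control for the macro vector described above.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that are expected to contain macros; anything else with a
# VBA part is worth a closer look (renamed file, mismatched content type).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Return a verdict for one document: VBA parts found, content-type declaration, extension mismatch."""
    result = {
        "is_zip": False,
        "vba_parts": [],
        "content_type_declares_vba": False,
        "has_macros": False,
        "extension_mismatch": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE (.doc/.xls) or not an Office file at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["content_type_declares_vba"] = VBA_CONTENT_TYPE in types_xml
    result["has_macros"] = bool(result["vba_parts"]) or result["content_type_declares_vba"]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result["extension_mismatch"] = result["has_macros"] and ext not in MACRO_EXTENSIONS
    return result


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML container in memory (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macros:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not a real VBA project
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", build_sample(False)),
        ("invoice.docm", build_sample(True)),
        ("invoice.docx", build_sample(True)),  # macro part inside a non-macro extension
    ]
    for name, blob in samples:
        print(name, inspect_ooxml(blob, name))
```

The check is deliberately structural rather than signature-based: it does not try to decide whether the macro is malicious, only whether there is macro code at all, which is the decision point a gateway policy can enforce. Legacy binary formats (.doc, .xls) are OLE compound files, not ZIPs, and need a separate parser such as olevba.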

3. Exploiting old, unpatched vulnerabilities to gain a foothold

Exploiting previously identified vulnerabilities is a very common, time-tested tactic, and known vulnerabilities can be exploited years later if they are not fixed, says Forrester analyst Allie Mellen. "A classic example of this is the EternalBlue exploit. Although patches were released for this vulnerability in March 2017, the exploit was used in May 2017 by the WannaCry ransomware, and then again in June 2017 in the NotPetya cyberattack. That's why it's so important to install system patches quickly and efficiently."

Ryan Linder, a risk and vulnerability engineer at Censys, agrees. "EternalBlue (CVE-2017-0144) still leaves organizations vulnerable. The exploit affects the Server Message Block (SMB) protocol. According to Censys search data, more than 200,000 systems connected to the internet support SMBv1, which was created in 1983," he says. He adds that many companies fail to keep their software up to date, leaving them exposed to critical exploits, and even when exploits are disclosed publicly, many still fail to patch their systems.

Keeping up with patching is also very challenging in a large, complex enterprise, so it is important to prioritize these efforts and make them company-wide, Mellen says.
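The Censys figure above is the kind of number a defender can reproduce for their own perimeter: EternalBlue needs an SMBv1 negotiation, so the useful inventory question is "which of my hosts still answer an SMB1 NEGOTIATE". The following probe is an added example written for this page, not code from Censys or the CSO article. It builds one SMB1 NEGOTIATE request offering only the `NT LM 0.12` dialect and classifies the first reply. The classification rules are my own heuristic: a reply beginning `0xFF 'SMB'` whose DialectIndex is not `0xFFFF` means the server negotiated SMBv1; `0xFE 'SMB'` means the server answered in SMB2; no reply or a reset is what a Windows host with SMBv1 removed produces. `constructed_smb1_reply` fabricates responses so the parser can be exercised offline; only run `probe` against hosts you are authorised to test.

```python
"""Probe whether a host still speaks SMBv1 (the protocol EternalBlue abuses).

Added example for this page, not from the CSO article or from Censys.
Sends one SMB1 NEGOTIATE offering only the "NT LM 0.12" dialect and
classifies the first reply. Classification is a heuristic chosen here:
  smb1          - server returned an SMB1 NEGOTIATE response with a dialect
  smb1-refused  - SMB1-framed reply but no dialect accepted (DialectIndex 0xFFFF or error)
  smb2          - server replied with an SMB2 header instead
  none          - empty reply (typical for SMBv1 disabled: connection dropped)
  unreachable   - TCP connect failed or was reset
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def _smb1_header(pid: int, mid: int, flags: int) -> bytes:
    """32-byte SMB1 header (MS-CIFS 2.2.3.1), little-endian, no padding."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # Protocol
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        flags,              # Flags
        0x2801,             # Flags2: long names, extended security, NT status codes
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        pid,                # PIDLow
        0,                  # UID
        mid,                # MID
    )


def _netbios_frame(body: bytes) -> bytes:
    """Prefix a NetBIOS session service header: type 0x00 plus 3-byte big-endian length."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb1_negotiate(pid: int = 0x1234, mid: int = 1) -> bytes:
    """NetBIOS-framed SMB1 NEGOTIATE request offering only NT LM 0.12."""
    dialects = b"\x02NT LM 0.12\x00"            # BufferFormat 0x02 + NUL-terminated dialect
    params = struct.pack("<BH", 0, len(dialects))  # WordCount = 0, ByteCount
    return _netbios_frame(_smb1_header(pid, mid, 0x18) + params + dialects)


def classify_reply(reply: bytes) -> str:
    """Map the first bytes received after the request onto the verdicts above."""
    if len(reply) < 4:
        return "none"
    smb = reply[4:]  # strip NetBIOS session header
    if smb.startswith(SMB1_MAGIC) and len(smb) >= 35 and smb[4] == SMB_COM_NEGOTIATE:
        word_count = smb[32]
        if word_count == 0:
            return "smb1-refused"  # error response carries no parameter words
        dialect_index = struct.unpack_from("<H", smb, 33)[0]
        return "smb1" if dialect_index != 0xFFFF else "smb1-refused"
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    return "none"


def constructed_smb1_reply(dialect_index: int) -> bytes:
    """Constructed (not captured) minimal SMB1 NEGOTIATE response for offline testing."""
    params = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32  # WordCount 17, DialectIndex, rest zeroed
    return _netbios_frame(_smb1_header(0x1234, 1, 0x98) + params)  # 0x98: reply + canonical + case-insensitive


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send one negotiate, classify the reply. Authorised targets only."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_reply(s.recv(1024))
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default, override on the command line
    print(target, probe(target))
```

A host that answers `smb1` is the population Censys is counting; `smb2` and `none` are what patched, SMBv1-disabled Windows and modern Samba builds typically return. Treat `smb1-refused` as worth a second look rather than a clean bill of health: the SMB1 listener is still there, it just declined this dialect.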

4. SQL injection to compromise web applications and reach the databases behind them

SQL injection attacks are more than 20 years old, but hackers continue to use them to exploit web applications and gain access to the databases behind them, Chapman says. "It's not a new or innovative approach, but cybercriminals know they don't have to reinvent the wheel to get results." He adds that SQL injection still works because developers often take shortcuts in their code without worrying about security.

Indeed, injection ranks third in the OWASP Top 10 web application risks, and in 2021, 718 SQL injection flaws were assigned CVE identifiers. "Organizations can prevent these attacks by performing dynamic application security testing (DAST) and static application security testing (SAST)," Chapman adds.
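The "shortcut" Chapman refers to is almost always the same one: building the query string by hand instead of binding parameters. The following is an added example for this page, not code from the CSO article; it puts the vulnerable login check next to its parameterised fix on an in-memory SQLite database with two constructed user rows, so the bypass can be reproduced offline and the SAST rule a scanner would flag (string formatting feeding `execute`) is visible in one place.

```python
"""SQL injection: the vulnerable pattern beside the parameterised fix.

Added example for this page, not from the CSO article. The users table and
its two rows are constructed test data. Plain-text passwords are kept only
to keep the injection visible; a real application stores password hashes.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-built statement: attacker input becomes part of the SQL grammar.

    This is the shortcut a SAST rule flags (f-string / concatenation passed to
    execute). A username of  alice'--  comments out the password check; a
    value of  ' OR '1'='1  in both fields returns every row.
    """
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised statement: the driver binds values as data, never as syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice'--", "wrong"), ("' OR '1'='1", "' OR '1'='1")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw), "safe:", login_safe(db, user, pw))
```

The DAST side of Chapman's advice is the same payloads sent over HTTP against the running application; the SAST side is the pattern `login_vulnerable` embodies, which most scanners detect as "untrusted data flows into an SQL execute call". Both payloads above fail against `login_safe` because a bound parameter containing `'` or `--` is compared literally against the column.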

5. Advance-fee fraud to swindle users

This method earned its reputation through the 419 scam, commonly known as the "rich lost relative who died and left you money" trick. Research shows that it dates back to the 19th century, and scammers still use it regularly today. The method exploits time pressure, for example: "You will miss the chance if you don't act quickly, and you will make a big profit for a small cost."

"Although the 'rich uncle' email is still prevalent these days, this method is much more likely to be used in the context of cryptocurrency scams (invest a small amount for a large windfall), wire transfer and gift card scams (help your boss and gain favor in the workplace), or fake fine scams (pay the IRS some money to cancel the tax bill)," says Bugcrowd founder Casey Ellis. According to him, these scams are effective because they trigger greed, loss aversion and scarcity bias.

"If the victim is successfully exploited, the attacker often then exploits the sunk cost fallacy and doubles down to get more out of it." Social isolation and shifts in social dynamics caused by the COVID-19 pandemic have led to an increase in this type of fraud, because the usual ability to double-check whether taking part in an activity is reasonable is harder for a potential victim, Ellis notes. "Within a company, developing a 'trust but verify' culture, along with no blame (and zero criticism for double-checking whether something is legitimate or not), can be an effective way to strengthen staff against this type of attack, and if done well, they can share their lessons and healthy paranoia to better protect their families and friends."

6. Remote Desktop Protocol attacks against exposed systems

RDP vulnerabilities have been a problem for years, but about one-third of cyberattacks still start with Windows computers whose RDP service is exposed to the internet, says Ray Canzanese, director of Netskope Threat Labs. "Attackers have fully automated their processes to detect and attack open services such as RDP."

Canzanese adds that RDP should never be exposed to the internet, and if you need RDP access when you are away from home or the office, you should use one of the many Virtual Private Network (VPN) or Zero Trust Network Access (ZTNA) solutions that allow you to use RDP without opening it up. "You can use a VPN or ZTNA solution to ensure that no network services are available on the internet to become a target for intruders."

7. Cast-net phishing targeting groups of victims

Cast-net phishing attacks are named after a traditional fishing technique in which a fisherman casts a relatively small net into a pond or other small area. They don't care what kind of fish they catch, but it will come from that small space. "Unlike spear phishing, which is very tightly focused on attacking a specific person, or drift-net phishing, which can send out thousands to millions of emails in the hope that someone takes the bait, cast-net phishing targets anyone in a particular organization," says Mike Parkin, senior technical engineer at Vulcan Cyber. "An attacker doesn't care who in the organization takes the bait as long as they get someone in the target space."

Parkin adds that even though this attack method has been around for many years, it is still used today because it is highly effective for cybercriminals. "These attacks can use a timely hook, such as a local sporting event or the opening of a new restaurant nearby, that the target organization finds plausible and that can pass mass spam filters. Something like this requires much less research than crafting a hook that can catch a single individual. Once an attacker gets a foothold, they can expand it within the organization's environment."

Author: Michael Hill