Free Republic
How Hackers "live off the land"
microsoft ^ | rodguy911

Posted on 03/31/2024 3:20:03 AM PDT by rodguy911

Living off the Land: How hackers blend into your environment

Cyber-criminals are increasingly ‘Living off the Land’, leveraging commonly-used tools to fly under the radar of conventional cyber defenses. Discover why Self-Learning AI is uniquely positioned to identify attacks leveraging this technique. What is a Living off the Land attack? Living off the Land is a strategy in which threat actors leverage the utilities readily available within the target organization’s digital environment to move through the cyber kill chain. This is a popular method because it is often cheaper, easier, and more effective to make use of an organization’s own infrastructure in an attack than to write bespoke malware for every heist.

(Excerpt) Read more at darktrace.com ...


TOPICS:
KEYWORDS: 0rodsramblings; cybercrime; hackerloftl; hacking; qtardnonsense; scrollonby
We are now experiencing major league hackers from all over the world trying to take down the country in conjunction with our current regime. Our current regime of obama/biden may well be working with these hackers for all we know. Volt Typhoon, a hacking group run by the Chinese army, is a rather well known hacking group that engages in living off the land techniques and is one example of how the chicoms hack into system after system.

One of the bigger questions remains: was the ship that rammed the Francis Scott Key Bridge off Baltimore hacked by one of these groups? It's possible.

Since computer hacking is out of my technical range I need help in figuring out what goes on here.

Examining the living off the land techniques may well put us in the game.

1 posted on 03/31/2024 3:20:03 AM PDT by rodguy911

To: rodguy911

Here’s more:
https://www.reuters.com/technology/chinese-groups-accused-hacking-microsoft-us-others-2023-05-25/

Volt Typhoon and other Chinese groups accused of hacking the US and others By Reuters

May 25, 2023 11:59 AM EDT, updated 10 months ago

Here’s what Reuters has on some possible hacking groups

SINGAPORE, May 25 (Reuters) - Chinese hacking teams have been blamed by Western intelligence agencies and cybersecurity groups for digital intrusion campaigns across the world, targeting everything from government and military organizations to corporations and media groups.

Cybersecurity firms believe many of those groups are backed by China’s government. U.S.-based Mandiant has said some Chinese hacking groups are operated by units of China’s army. China’s authorities have consistently denied any form of state-sponsored hacking, saying China itself is a frequent target of cyberattacks. It has dubbed the U.S. National Security Agency (NSA) as “the world’s largest hacker organisation”.

Some of the biggest Chinese hacking teams identified by intelligence agencies and cybersecurity groups are:

1. ‘VOLT TYPHOON’

Western intelligence agencies and Microsoft (MSFT.O) said on May 24 that Volt Typhoon, a group they described as state-sponsored, had been spying on a range of U.S. critical infrastructure organisations, from telecommunications to transportation hubs.

They described the attacks in 2023 as one of the largest known Chinese cyber-espionage campaigns against American critical infrastructure.

Volt is high on my list of hackers since they use the living off the land techniques.

China’s foreign ministry described the reports as part of a U.S. disinformation campaign.

‘BACKDOORDIPLOMACY’

Palo Alto Networks, a U.S. cybersecurity firm, says its research showed BackdoorDiplomacy has links to the Chinese state and is part of the APT15 hacking group.

A Reuters report in May identified BackdoorDiplomacy as being behind a widespread series of digital intrusions over several years against key Kenyan ministries and state institutions. The Chinese authorities said it was not aware of such hacking and described the accusations as baseless.

2. APT 41

Chinese hacking team APT 41, which is also known as Winnti, Double Dragon and Amoeba, has conducted a mix of government-backed cyber intrusions and financially motivated data breaches, according to U.S.-based cybersecurity firms FireEye and Mandiant.

The U.S. Secret Service said the team had stolen U.S. COVID relief benefits worth tens of millions of dollars between 2020 and 2022.

Taiwan-based cybersecurity firm TeamT5 said the group had targeted government, telecoms, and media victims in Japan, Taiwan, Korea, the United States and Hong Kong.

APT 41 was named by the U.S. Department of Justice in September 2020 in relation to charges brought against seven hackers for allegedly compromising more than 100 companies around the world.

The Chinese authorities have described such reports as “groundless accusations”.

3. APT 27

Western intelligence agencies and cybersecurity researchers say Chinese hacking team APT 27 is sponsored by the state and has launched multiple attacks on Western and Taiwanese government agencies.

APT 27 claimed responsibility for cyber attacks against Taiwan in 2022 during a visit by then U.S. House of Representatives Speaker Nancy Pelosi, saying it acted as a protest because Pelosi defied China’s warnings not to visit. Cybersecurity firm Mandiant said last year the group compromised the computer networks of at least six U.S. state governments between May 2021 and February of 2022, while the German authorities blamed it for attacks against German pharmaceuticals, technology and other companies.

Reporting by Fanny Potkin; Editing by James Pearson and Edmund Blair


2 posted on 03/31/2024 3:32:01 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: rodguy911

From what I have read about the Baltimore incident, the container ship is an older boat. Maybe so old, that it is impervious to hacking because its functions aren’t computerized.

Worth asking the question.


3 posted on 03/31/2024 3:32:18 AM PDT by sauropod (Ne supra crepidam.)

To: sauropod; All
That's always a possibility but would be difficult to navigate inside many hi-tech ports in today's world. Chances are it's got some computer linked to navigation. I would be surprised if it didn't.

On the rundown Gateway gives a good report on what likely happened to the vessel.

It had a history of bad maintenance and appeared to be out of control in the channel of the Baltimore harbor headed in the direction of the bridge.

All contacts with coast guard, port law enforcement etc. were made and everything was done to limit injuries to anyone on the bridge.

The anchor was put over the side and was dragging as the boat drifted toward the bridge.

The weight on the near 1000 foot vessel overloaded with containers made it difficult to stop start or steer.

One of my guesses is that the anchor may have begun to stop the ship or force it to make a turn toward the superstructure and it hit one of the vulnerable spots.

Or, it could have been hacked and at the very least had the engines shut down, hard to say.

4 posted on 03/31/2024 3:40:56 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: All
https://www.reuters.com/technology/chinese-groups-accused-hacking-microsoft-us-others-2023-05-25/

SINGAPORE, May 25 (Reuters) - Chinese hacking teams have been blamed by Western intelligence agencies and cybersecurity groups for digital intrusion campaigns across the world, targeting everything from government and military organizations to corporations and media groups. Cybersecurity firms believe many of those groups are backed by China's government. U.S.-based Mandiant has said some Chinese hacking groups are operated by units of China's army. China's authorities have consistently denied any form of state-sponsored hacking, saying China itself is a frequent target of cyberattacks. It has dubbed the U.S. National Security Agency (NSA) as "the world's largest hacker organization".

Some of the biggest Chinese hacking teams identified by intelligence agencies and cybersecurity groups are:

'VOLT TYPHOON'

Western intelligence agencies and Microsoft (MSFT.O) said on May 24 that Volt Typhoon, a group they described as state-sponsored, had been spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs.

They described the attacks in 2023 as one of the largest known Chinese cyber-espionage campaigns against American critical infrastructure.

China's foreign ministry described the reports as part of a U.S. disinformation campaign.

'BACKDOORDIPLOMACY'

Palo Alto Networks, a U.S. cybersecurity firm, says its research showed BackdoorDiplomacy has links to the Chinese state and is part of the APT15 hacking group.

A Reuters report in May identified Backdoor Diplomacy as being behind a widespread series of digital intrusions over several years against key Kenyan ministries and state institutions. The Chinese authorities said it was not aware of such hacking and described the accusations as baseless.

........................

These two hacking groups from China are high on my list, could have been either one of them that hacked the ship.

Even if they didn't, the damage these two groups do can be enormous, especially Volt Typhoon, which uses the living off the land techniques which are difficult to track back for those trying to catch the hackers.

5 posted on 03/31/2024 3:49:22 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: All; ransomnote; bitt; Bob Ireland; numberonepal
Looks like AI may be used more and more to find the hackers, which is not an easy job:

https://darktrace.com/blog/living-off-the-land-how-hackers-blend-into-your-environment

Self-Learning AI fights Living off the Land attacks

Living off the Land techniques have proven incredibly effective at enabling attackers to blend into organizations’ digital environments.

It is normal for millions of credentials, network tools, and processes to be logged each day across a single digital ecosystem. So how can defenders spot malicious use of legitimate tools amidst this digital noise?

As with most threats, basic network hygiene is the first step. This includes implementing the principle of least privilege, de-activating all unnecessary programs, setting up software whitelisting, and performing asset and application inventory checks. However, while these measures are a step in the right direction, with enough time a sophisticated attacker will always manage to work their way around them.

Self-Learning AI technology has become fundamental in shining a light on attackers using an organization’s own infrastructure against them. It learns any given unique digital environment from the ground up, understanding the ‘pattern of life’ for every device and user. Living off the Land attacks are therefore identified in real time from a series of subtle deviations. This might include a new credential or unusual SMB / DCE-RPC usage.

Its deep understanding of the business enables it to spot attacks that fly under the radar of other tools. With a Living off the Land attack, the AI will recognize that although usage of a particular tool might be normal for an organization, the way in which that tool is used allows the AI to reveal seemingly benign behavior as unmistakably malicious.

For example, Self-Learning AI might observe the frequent usage of PowerShell user-agents across multiple devices, but will only report an incident if the user agent is observed on a device at an unusual time.

Similarly, Darktrace might observe WMI commands being sent between thousands of combinations of devices each day, but will only alert on such activity if the commands are uncommon for both the source and the destination.

And even the subtle indicators of Mimikatz exploitation, like new credential usage or uncommon SMB traffic, will not be buried among the normal operations of the infrastructure.

Living off the Land techniques aren’t going away any time soon. Recognizing this, security teams are beginning to move away from ‘legacy’-based defenses that rely on historical attack data to catch the next attack, and towards AI that uses a bespoke and evolving understanding of its surroundings to detect subtle deviations indicative of a threat – even if that threat makes use of legitimate tools.

.........................

Thanks to Darktrace analysts Isabel Finn and Paul Jennings for their insights on the

6 posted on 03/31/2024 4:10:17 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))
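The detection logic the quoted Darktrace text describes (PowerShell is only reported when it appears on a device at an unusual time; WMI is only reported when the command is uncommon for both the source and the destination) comes down to learning a per-device baseline and comparing new events against it, which is also the "good baselines" point made later in this thread. The Python script below is an added example written for this page; it is not Darktrace's code or any vendor's product. The log line format, the host names, the hours and the WMI command names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a Darktrace or vendor format):
#   <ISO timestamp> host=<device> tool=<tool> [dest=<host>] [cmd=<command>]
LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\d host=(?P<host>\S+) tool=(?P<tool>\S+)"
    r"(?: dest=(?P<dest>\S+))?(?: cmd=(?P<cmd>\S+))?$"
)


def parse(line):
    """Turn one log line into a dict; raise on lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return {"hour": int(m["hour"]), "host": m["host"], "tool": m["tool"],
            "dest": m["dest"] or "", "cmd": m["cmd"] or ""}


def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class PatternOfLife:
    """Per-device baseline: which hours each tool runs on each host, and which
    WMI commands each host normally sends (as source) or receives (as destination)."""

    def __init__(self):
        self.tool_hours = defaultdict(set)   # (host, tool) -> hours observed
        self.wmi_as_src = defaultdict(set)   # host -> commands it has sent
        self.wmi_as_dst = defaultdict(set)   # host -> commands it has received

    def learn(self, ev):
        self.tool_hours[(ev["host"], ev["tool"])].add(ev["hour"])
        if ev["tool"] == "wmi":
            self.wmi_as_src[ev["host"]].add(ev["cmd"])
            self.wmi_as_dst[ev["dest"]].add(ev["cmd"])

    def assess(self, ev):
        """Return the list of deviations; an empty list means the event fits the baseline."""
        reasons = []
        hours = self.tool_hours.get((ev["host"], ev["tool"]))
        if hours is None:
            reasons.append(f"{ev['tool']} has never been seen on {ev['host']}")
        elif min(hour_distance(ev["hour"], h) for h in hours) > 1:
            # The tool itself is normal for this host, but not at this time of day.
            reasons.append(f"{ev['tool']} on {ev['host']} at unusual hour {ev['hour']:02d}:00")
        if ev["tool"] == "wmi":
            new_for_src = ev["cmd"] not in self.wmi_as_src.get(ev["host"], set())
            new_for_dst = ev["cmd"] not in self.wmi_as_dst.get(ev["dest"], set())
            # Alert only when the command is uncommon for BOTH ends of the connection.
            if new_for_src and new_for_dst:
                reasons.append(f"WMI {ev['cmd']} is new for both {ev['host']} and {ev['dest']}")
        return reasons


def detect(history_lines, new_lines):
    """Learn from history, then return [(line, reasons)] for new lines that deviate."""
    baseline = PatternOfLife()
    for line in history_lines:
        baseline.learn(parse(line))
    flagged = []
    for line in new_lines:
        reasons = baseline.assess(parse(line))
        if reasons:
            flagged.append((line, reasons))
    return flagged


def constructed_history():
    """Five constructed business days of benign activity (sample data, not real logs)."""
    lines = []
    for day in range(25, 30):
        for hour in (9, 11, 14, 16):   # admins use PowerShell during working hours
            for host in ("WS-042", "WS-117"):
                lines.append(f"2024-03-{day}T{hour:02d}:00:00 host={host} tool=powershell")
        for host in ("WS-042", "WS-117"):   # patch server polls workstations over WMI
            lines.append(f"2024-03-{day}T15:00:00 host=PATCH-01 tool=wmi "
                         f"dest={host} cmd=Win32_QuickFixEngineering")
    return lines


# Constructed events for the day under review: two benign, two deviating.
NEW_EVENTS = [
    "2024-03-31T10:00:00 host=WS-042 tool=powershell",
    "2024-03-31T02:15:00 host=WS-042 tool=powershell",
    "2024-03-31T15:00:00 host=PATCH-01 tool=wmi dest=WS-117 cmd=Win32_QuickFixEngineering",
    "2024-03-31T03:05:00 host=WS-042 tool=wmi dest=WS-117 cmd=Win32_Process",
]

if __name__ == "__main__":
    for line, reasons in detect(constructed_history(), NEW_EVENTS):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Running it flags only the second and fourth events: the same PowerShell that is routine on WS-042 during the day is reported at 02:15, and a WMI command from a workstation that has never acted as a WMI source, carrying a command the destination has never received, is reported on both counts. The daytime PowerShell and the patch server's usual WMI poll produce nothing, which is the "digital noise" the text says a baseline lets a defender ignore.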

To: All
https://www.thegatewaypundit.com/2024/03/developing-oklahoma-bridge-shut-down-after-being-struck/

Since few of us here believe in coincidence you gotta wonder about a barge hitting a bridge in Oklahoma only a few days after the Baltimore incident.

By the way, in the Baltimore incident it appears some hazmat containers were on the barge and some may be leaking into the water at the Baltimore site, as well as the ship being over a gas line buried below where the ship landed. Yet more "coincidences".

It appears something is going on.

Was it hacking, or are some of our visitors getting into action early, or WTH is going on?

Here's from the Baltimore Dali crash:

here's from the Oklahoma crash:


7 posted on 03/31/2024 4:30:16 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: rodguy911
This from a poster at X:

Robert Ferris

@ConfoundedSoc

· 12h

I’m sure it’s just a coincidence. Nothing to see here. Like all the train derailments that suddenly happened altogether or the fires at food processing plants.

8 posted on 03/31/2024 4:47:57 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: rodguy911
Just in case it can't get any more bizarre, there's this:

At least 17 passengers hurt as cruise ship crashes into wall in River Danube

Story by Stuti Mishra

A Bulgarian cruise ship carrying over a hundred passengers has crashed into a concrete wall in a sluice on the River Danube in Austria.

The incident occurred overnight in the northern Austrian town of Aschach an der Donau, local police said on Saturday morning.

Eleven people were injured and taken to hospital as a result of the crash. Local media said another six people suffered less serious injuries that did not require hospital treatment.

Some 160 passengers were aboard the ship travelling from Bavaria in Germany to the Austrian city of Linz, a spokesperson for police in the nearby town of Eferding said.

The ship was able to continue onwards after the accident, the spokesperson said.

It was not immediately clear how serious the injuries were, the spokesperson added.

It was also unclear what led to the accident.

(Same in Oklahoma and Baltimore)

The River Danube is one of Europe’s most significant and iconic rivers, winding its way through multiple countries and cultures. Cruise ships over the river attract thousands of tourists every year.

Earlier in 2023, a Ukrainian captain of a cruise liner was sentenced to five years in prison in Hungary for his role in a 2019 accident when his boat hit and sank a smaller boat on the River Danube, killing 25 South Korean tourists and two crew.

Additional reporting by agencies

9 posted on 03/31/2024 4:55:37 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: rodguy911

That wasn’t a hack that caused that ship to collide

living off the land has been around for years it’s not new


10 posted on 03/31/2024 5:08:14 AM PDT by Manuel OKelley

To: rodguy911

I’ll try to come back and expound more later, but I have a lot of personal experience with platforms like Darktrace (including competition of theirs that spends money on dev instead of marketing), and it’s not so much AI but more ML based; once you have good baselines it’s very easy for machine learning to detect variances.

This type of tech is extraordinarily useful, but it’s pricey and requires a big lift financially and in labor to implement it correctly. Usage is not widespread yet, and far less common in the OT/SCADA/process control domain, as budgets for industrial cybersecurity were measly until recently and the lift for industrial is even larger than for enterprise networks.


11 posted on 03/31/2024 5:17:06 AM PDT by Manuel OKelley

To: Manuel OKelley

So glad you know what happened please inform us all since you seem to know it all.


12 posted on 03/31/2024 5:23:15 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: null and void; aragorn; EnigmaticAnomaly; kalee; Kale; AZ .44 MAG; Baynative; bgill; bitt; ...

P


13 posted on 03/31/2024 5:35:01 AM PDT by bitt

To: sauropod

Steve Bannon said it was around ten years old and hackable.


14 posted on 03/31/2024 5:52:38 AM PDT by bray (You can tell who the Commies fear.)

To: bray

I read it was much older than that.


15 posted on 03/31/2024 6:05:25 AM PDT by sauropod (Ne supra crepidam.)

To: rodguy911

How does this affect my personal computer?


16 posted on 03/31/2024 6:16:42 AM PDT by KrisKrinkle (c)

To: rodguy911

who the heck is darktrace?


17 posted on 03/31/2024 6:22:40 AM PDT by bankwalker (Repeal the 19th ...)

To: rodguy911

Lolz

I don’t know everything, but I know a lot about cybersecurity and especially how it relates to control systems.


18 posted on 03/31/2024 6:51:39 AM PDT by Manuel OKelley

To: bray

Thanks for that bud now we are getting somewhere.


19 posted on 03/31/2024 6:52:57 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))

To: sauropod

got a link?


20 posted on 03/31/2024 6:53:53 AM PDT by rodguy911 (HOME OF THE FREE BECAUSE OF THE BRAVE!! ITS ALL A CONSPIRACY: UNTIL ITS NOT))


