Have you heard of Living off the Land (LotL)? You'd be forgiven for thinking this may be a type of farming philosophy. However, it actually has nothing to do with growing veggies in the backyard. LotL is a stealthy type of cyber attack posing an increasing risk to businesses globally. It is a technique wherein attackers basically use your own systems against you.
Picture this: Your home is broken into. The robber breaks a window to enter. This is similar to how a traditional cyber attack occurs. Living off the Land techniques are different, sneakier, scarier. To use the same analogy, the robber would observe you, determine where your spare key is hidden, and enter your home using the legitimate method of unlocking the door.
That's what happens when a LotL cyber attack occurs. Metaphorically, anyway.
In more technical terms, LotL refers to a set of strategies and tactics employed by attackers to utilise legitimate tools and resources already present in a targeted system or network for their malicious activities.
The primary objective of a LotL technique is to minimise the use of malicious code or software that could trigger detection and raise suspicion.
What sort of techniques are used in LotL attacks?
The key aspect of Living off the Land techniques is that attackers utilise legitimate tools and resources, which can make it challenging for traditional security measures to detect their activities.
[Image (source: Wallarm) not reproduced here]
A summary of the attack: [image (source: CrowdStrike) not reproduced here]
The massive cyber attack known as NotPetya wreaked havoc worldwide, targeting companies primarily in Ukraine but also around the globe.
NotPetya was a destructive ransomware attack that employed Living off the Land techniques to propagate and cause extensive damage.
It all kicked off when a Ukrainian accounting software company, M.E.Doc, was compromised. Attackers infiltrated M.E.Doc's systems and planted malicious code within a software update. As M.E.Doc's software was widely used by various organisations for tax reporting purposes, the attackers exploited the trust associated with the legitimate software and distribution channels.
When organisations downloaded and installed the compromised software update, the malicious code embedded in it triggered the NotPetya ransomware. NotPetya was designed to spread rapidly within networks, both by exploiting vulnerabilities and by abusing legitimate administrative tools and Windows Management Instrumentation (WMI).
Once inside a network, NotPetya employed Living off the Land techniques to move laterally and escalate privileges. It used legitimate tools like PsExec and Windows Management Instrumentation Command-line (WMIC) to execute malicious commands and gain control over other systems within the network.
The attackers also exploited a known vulnerability in the Microsoft Windows Server Message Block (SMB) protocol called EternalBlue, which was previously utilised in the WannaCry ransomware attack. EternalBlue allowed NotPetya to propagate across the network without user interaction.
NotPetya's primary objective was to cause widespread disruption and destruction. The ransomware encrypted critical files and master boot records, rendering infected systems inoperable. It also modified the Windows Master Boot Record (MBR) to make the infected machines unbootable.
The attack had a significant impact on organisations worldwide, causing financial losses, operational disruptions, and damage to critical infrastructure. Companies such as Maersk, FedEx, Merck, and numerous Ukrainian government agencies were among the victims, experiencing widespread system outages and disruptions to their operations.
How do I protect my company against LotL cyber attacks?
Defending against LotL attacks typically requires a multi-layered security approach, including monitoring and analysis of system logs, network traffic, user behaviour and the deployment of advanced threat detection solutions that can identify anomalous or suspicious activities.
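The monitoring described above can be made concrete for the two tools NotPetya abused, PsExec and WMIC. The following is an added example (not code from the original post or from Diamond IT) that runs two detection rules over constructed, Sysmon-style process-creation events: a remote WMIC `process call create`, and anything started by the PsExec service binary. The field names, host names and command lines are all assumed sample data.

```python
"""Flag Living-off-the-Land lateral movement (WMIC / PsExec abuse) in
process-creation telemetry. All events below are constructed samples."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint that logged the event
    user: str      # account the process ran as
    parent: str    # parent image name
    image: str     # process image name
    cmdline: str   # full command line


# Constructed sample telemetry (not real logs): a benign Outlook launch, a
# WMIC remote process creation, the PsExec service plus its child, and a
# harmless local WMIC query that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("ws01", "CORP\\alice", "cmd.exe", "wmic.exe",
              'wmic /node:"10.0.0.25" /user:"CORP\\admin" process call create "cmd.exe /c whoami"'),
    ProcEvent("srv02", "NT AUTHORITY\\SYSTEM", "services.exe", "PSEXESVC.exe", "PSEXESVC.exe"),
    ProcEvent("srv02", "NT AUTHORITY\\SYSTEM", "PSEXESVC.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("ws03", "CORP\\bob", "cmd.exe", "wmic.exe", "wmic os get caption"),
]


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for one event, or None if no rule matches."""
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    # WMIC creating a process on another host (/node:) is WMI-based remote
    # execution; a local "wmic os get caption" query does not match.
    if img == "wmic.exe" and "process call create" in cmd and "/node:" in cmd:
        return "wmic-remote-exec"
    # PsExec drops and starts its service binary on the target; the service
    # itself, or any process it spawns, indicates execution via PsExec.
    if img == "psexesvc.exe" or parent == "psexesvc.exe":
        return "psexec-service-exec"
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, image, label) for every event that matches a rule."""
    return [(ev.host, ev.image, lbl) for ev in events if (lbl := classify(ev))]


if __name__ == "__main__":
    for host, image, label in detect(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {label}")
```

In production these rules would be tuned against the accounts and jump hosts that legitimately run PsExec and remote WMIC, so that only unexpected sources or targets raise an alert.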
Remember that no security measure is foolproof, so it is crucial to adopt a layered defence approach that combines multiple security controls, regular monitoring, and employee vigilance to mitigate the risks associated with LotL cyber attacks.
Do you need help protecting your business from the ever-increasing and evolving threat of cyber attack? The Diamond IT team specialises in reviewing cyber security strategies to ensure they are fit-for-purpose, align with government recommendations and include the necessary defences required to best protect your business from malicious threats.
We can support you by establishing your Essential Eight maturity level and improving your overall cyber security posture through our range of Managed IT Services options which are aligned to the Essential Eight mitigation strategies.
Our endpoint and application management offering is designed to help you protect your devices and applications from cyber attacks, including application patching which ensures that all of your applications are consistently patched to reduce the risk of vulnerabilities.
Our services also include controlling application installation and execution to prevent malware and unauthorised software, securing Office Macros to authorised users only, and restricting access to functions vulnerable to cyber attacks through application and endpoint hardening.
Finally, our mobile device management (MDM) service allows you to control applications, settings, and track devices, giving you the ability to reset them in the case of theft.
Our Business Technology Managers (BTMs) and Business Technology Consulting team are specialists in improving your internal cybersecurity and are ready to speak with you. Contact our team on 1300 307 907 today.