
The Exciting Journey to Annihilation: An Eclectic Garden Ripe for the Picking

  • Writer: Dennis Hackney
  • Sep 7
  • 6 min read

The code is sown, the apps are grown, and your data is not your own.


My parents used to say to me, “You are going to get out of it what you put into it.” I’m sure they were referring to hard work, you know, blood, sweat, tears, and even being present or emotionally available. Ok, we tech people don’t always get that last part, and we don’t have to, do we?


In this cloud series I've explained what many would call simple concepts: balancing the time you spend surfing on your phone with physical activity in Confronting the Uncomfortable Truth About Ourselves, the risks of connecting to and operating critical infrastructure from the Cloud in Revealing the Third Certainty in Life, and shared-responsibility concepts for managing cloud technologies in Existence in the House that Jack Built. Now it is time to explain how bad actors may exploit infrastructure, data, and ultimately you, every time you interface with THE CLOUD.


In modern technology there is no such thing as "no risk"; there is only a gradient of exploitation.


“To be, or not to be…” Exploited, “…that is the question.”


I quote the soliloquy from William Shakespeare's Hamlet deliberately, because in many ways being exploited in today's technological world is akin to giving up one's own life to the exploiter. This can occur through identity theft, criminal theft, or excessive time spent scrolling, day in and day out. These are all activities that drain the importance out of life. Without balance between online and offline activities, there is only pain, unhappiness, and a longing for something more fulfilling. And what you want, the exploiters are selling, offering, or algorithmically deriving from your online activities for their gain. Their gain, not yours. You lose, they win, in every online game. Today, we will examine some of the most devastating cyberattacks that have occurred, utilizing technologies commonly found in cloud environments. I will provide simplified explanations of the technical tactics and techniques, their outcomes, and what could have been done to lessen or prevent these heinous acts from occurring.


According to Merriam-Webster, to exploit means "to make use of meanly or unfairly for one's own advantage."


These are the Tools of the Trade


Hackers, threat actors, adversaries, and cyber attackers all serve one purpose: to gain access to their target's data by exploiting flaws in the technologies or in how those technologies are used. These are the exploiters, and our technologies are the vehicle with which they gain access to our data. We hear news of cyber attacks where journalists explain that sophisticated hackers used sophisticated means to breach fortified boundaries in ways that no ordinary human could repeat. I'm here to tell you, this is well overplayed, and these days exploiters don't need to be that sophisticated at all. The most devastating cyberattacks, in most cases, rely on commonly available tools, features, and services, such as working credentials, remote administration gateways, and even a user's desire to click on an advertisement link, to accomplish their exploits. The most common way exploiters breach access control mechanisms is by taking advantage of the users themselves, rather than the technologies. Exploiters know that the key to gaining access to the highest-value targets is to pinpoint users with privileged access to those targets and use them to metaphorically open the door or share the keys to the kingdom, so to speak. Why am I focusing on people and not technologies?


You have to change your online and surfing habits and become unpredictable, as the first line of defense.

…after all, people are the exploiters.


People exploit people.


Have you ever wondered why online accounts require identity verification in addition to a username and password? Consider this: in 2011, a company that sold home gaming consoles used by people of all ages to play amazing games with their friends worldwide suffered a major cloud-based cyber breach. The consequences included the theft of account information, physical addresses, and dates of birth (and possibly encrypted credit card details) for over 100 million users, more than three weeks of downtime, and, by Sony's own estimate, direct costs on the order of $170 million before counting the damage to its reputation. At the time, Sony's gaming services weren't as widespread on mobile devices and apps as they are today. Still, the breach's impact cascaded out to networked and online gaming services generally, most of which now offer or require two-factor authentication (2FA) to gain access. Today, 2FA is just a fact of life, but Sony's breach, and the investigations and government intervention that followed, helped drive it to become the standard for securing online accounts.


This is a good cloud-based example because it impacted the public of all ages, including children; there were extremely high stakes for the company that suffered the breach, to the tune of hundreds of millions of dollars, and it was a targeted global attack.


So why did this happen, and how was it accomplished?

…using malware like this.


Let us use a real-world example of exploitation with the LightSpy malware and the MITRE ATT&CK framework.


LightSpy is a powerful and versatile surveillance tool that primarily targets mobile devices, but it has also expanded its capabilities to include macOS and Windows systems. With its intricate multi-stage infection process, LightSpy is designed to effectively capture a wide array of sensitive data, making it a serious threat to privacy and security.


Step 1. Exploit the user


While it may be debated whether helping others is inherent to human nature, people are certainly more willing to offer assistance when they perceive a potential benefit for themselves. Fifteen years ago, when a gamer received a message about faster connections to game servers or additional game credits, there was a high likelihood, probably about nine times out of ten, that they would follow the hacker's instructions. Over time we have become more aware of hacks and scams, and we now know not to trust these messages or click on any links they contain. So, to make the scheme more convincing, the exploiter places the enticement on the site itself. Let me explain how this can happen.


In a watering-hole attack, the threat actor compromises a website its targets already visit, or stands up a convincing look-alike of a commonly visited site such as Google, LinkedIn, Amazon, or Meta (just a few examples). The threat actor adds a malicious web component to the page that delivers a payload to the victim through vulnerabilities often found in web browsers. Typically that component appears to be a legitimate advertisement or even a replica of a login prompt, which bypasses our built-in reaction to close something down when it appears out of the norm.



LightSpy has been found to target iOS, Android, macOS, and Windows.


Step 2. Exploit the technology


Now that you've helped the exploiter establish a foothold, it's time for them to establish command and control of the device and everything on it. These activities are masked through defense evasion techniques. One is appending LightSpy's configuration to the end of a legitimate file, so the configuration hides in the tail of something that looks benign (MITRE ATT&CK groups tricks like this under Obfuscated Files or Information; padding a file with junk to change its size or hash is the related Binary Padding sub-technique). In addition to hiding the configuration this way, LightSpy encrypts it with an AES key and layers a rolling one-byte encoding on top, so neither a string scan nor a hash-based signature finds anything recognizable.
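To make the "configuration hidden in the tail of a legitimate file" trick concrete, here is an added Python illustration written for this article; it is not LightSpy's code, and it does not use LightSpy's keys or formats. The host file is a constructed 1x1 PNG, the rolling one-byte XOR scheme (byte i XORed with seed + i) is an assumption standing in for the real encoding, and the AES layer is left out because the Python standard library has no AES. The defender side shows the check a practitioner would actually run: anything after the format's declared end is overlay data, and its entropy tells you whether it is worth a closer look.

```python
"""Added illustration, not LightSpy's code: hide a config in the tail of a
legitimate file with a rolling one-byte XOR, then find it again as a defender."""
import json
import math
import struct
import zlib
from collections import Counter
from typing import Optional


def rolling_xor(data: bytes, seed: int) -> bytes:
    """Rolling one-byte XOR (assumed scheme): byte i is XORed with (seed + i) % 256.
    XOR is its own inverse, so the same call decodes."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


def png_chunk(kind: bytes, body: bytes) -> bytes:
    """PNG chunk: 4-byte length, 4-byte type, body, CRC32 over type + body."""
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG that stands in for the legitimate host file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def plant_config(host: bytes, config: dict, seed: int) -> bytes:
    """Attacker side: obfuscate the config and append it after the host's real end.
    Image viewers stop at IEND, so the file still opens and looks normal."""
    return host + rolling_xor(json.dumps(config).encode(), seed)


def png_overlay(blob: bytes) -> bytes:
    """Defender side: anything after the IEND chunk's CRC is not part of the image."""
    idx = blob.find(b"IEND")
    if idx < 0:
        raise ValueError("not a PNG: no IEND chunk")
    return blob[idx + 4 + 4:]          # skip the 4-byte type and 4-byte CRC


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; obfuscated data scores higher than plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes, seed: Optional[int] = None) -> dict:
    """Report the overlay; decode it only if the analyst already knows the seed."""
    overlay = png_overlay(blob)
    report = {"overlay_len": len(overlay),
              "overlay_entropy": round(entropy_bits(overlay), 2),
              "config": None}
    if overlay and seed is not None:
        try:
            report["config"] = json.loads(rolling_xor(overlay, seed))
        except ValueError:
            pass                        # wrong seed: still not readable
    return report


if __name__ == "__main__":
    # Constructed sample: 203.0.113.0/24 is a documentation range, not a real C2.
    cfg = {"c2": "203.0.113.7", "port": 443, "interval": 60}
    planted = plant_config(minimal_png(), cfg, seed=0x5A)
    print(triage(planted))             # overlay present, config unreadable
    print(triage(planted, seed=0x5A))  # same file, config recovered
```

The same end-of-structure check works for any format with a declared end, such as a ZIP's end-of-central-directory record or the last section of a PE or Mach-O binary: compare where the format says the file ends with where the file actually ends, and treat the difference as overlay to be inspected.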



This ensures that LightSpy is up and running behind the scenes while you continue your business, unaware.


Step 3. Own the data


Malware like LightSpy is used by exploiters who want a ready-to-use package that lets them not only access your data but also monitor your activities, track your movements, evade your defenses, persist on your device, and own your digital persona. It all starts with your keychains. Your credentials and passwords are pulled out of system memory while LightSpy is running and sent back to the exploiter continuously. All of those accounts, logins, and passwords, shared without a peep from your security software. Then the rest is up for the taking: browsing history, files, networks and connections, software lists, system information, running processes, and finally, the pièce de résistance, audio and screen captures.



With the Cloud, the only thing you have absolute control over is the decision of whether or not to connect your phone, tablet, computer, watch, TV, server, cameras, security system, door locks, and other devices to it.

…but can you decide?


What’s next?


Let's not conclude the Journey to Annihilation series on a negative note, even though the concept of annihilation may seem dire. It reflects the reality of what is happening behind the scenes in our virtual world. Amidst the games, shopping, entertainment, and social interactions, a contrasting and equally impressive darkness lurks beneath the surface. So, what can you do about it? To start, please read articles 1, 2, and 3 of this series. Additionally, stay tuned for more information on CybersecureOT.info.



    © 2025 by CyberSecureOT
