5 Endpoint Attacks Your Antivirus Won’t Catch: Why EDR is Essential for Advanced Threat Detection

‘Endpoint’ is a buzzword that is often thrown around the cybersecurity industry, but what is it exactly? Endpoints are any devices that communicate with a network. They act as a point of entry into your organisation and can therefore serve as key vulnerabilities for cybercriminals to target.

Endpoints are where attackers execute code, and from there they infiltrate and compromise the rest of your network.

Some examples of endpoints include desktops, laptops, servers, and smartphones. In this article, we will be highlighting 5 endpoint attacks that your antivirus will most likely not pick up on.

The information contained within this article has been adapted from AT&T’s whitepaper, which you can find here.

5 Attacks Your Antivirus Won’t Catch

Cryptomining Malware

Cryptomining malware refers to a type of malware that uses your device’s computing power to mine for cryptocurrency. The malicious user covertly diverts your computer’s CPU capacity to mining, which in turn drastically slows your device down. This can also be done by stealing account details and using cloud computing resources, also known as ‘cryptojacking.’

Another way this is executed is through a browser-based attack. You may be visiting a legitimate website, but it could be compromised. Social engineering is a prominent challenge in the cybersecurity industry, which means that phishing campaigns act as another vector for compromising your endpoint CPUs.

Cryptomining is the latest development in bot malware. Without a single alert, malicious users could have an entire army of compromised endpoints acting as cryptocurrency miners. If you do not have advanced threat detection, the only indication that this may be occurring is poor network or application performance.

Reverse PowerShell Attacks

According to Microsoft, PowerShell is a cross-platform task automation program that uses command lines, a scripting language, and a configuration management framework. With access to admin credentials, attackers can use PowerShell to execute what seems like ‘authorised activity.’ This approach does not require malware or exploit kits since PowerShell is a sanctioned service.

Remote Desktop Protocol (RDP) Session Jacking

Remote Desktop Protocol (RDP) allows you to remotely access a Windows system. This typically requires a unique code and password before you can access the session. However, there is a known exploit that allows an attacker to bypass the password. If the RDP client process is run as a system user, no password will be requested, and in turn your antivirus will not detect the attack. If your organisation has publicly available RDP services, then it is recommended that you set your gateway firewall policy to block these connections by default or set restrictions on authorised IP addresses.

Advanced Persistent Threats (APTs) / Rootkits

Rootkits are incredibly dangerous since they embed themselves deep in your device’s OS. APTs involve a number of steps that are known to evade traditional antivirus since they typically start with a phishing email. One method is that credentials are captured from the email and the rootkits are embedded. At this point, there is little that can be done, as your system will be entirely owned by the malicious user. At 2TS, we prevent and cure. In terms of prevention, we utilise a security information and event manager (SIEM) called Carbon Black.

Ransomware

Most people have heard about ransomware thanks to its prominence in the media. Recent innovations such as ransomware-as-a-service and the targeting of large corporate cloud apps have created a dangerous space for unprotected organisations. An example of ransomware that easily evades antivirus is the ShurL0ckr ransomware, which attacks cloud-based enterprise file-sharing platforms. In the case of ransomware-as-a-service, attackers pay the author a percentage of the ransom once the payload has been delivered.

Everybody, from large corporations to SMEs, needs to be mindful of ransomware and its implications. In May 2021, Colonial Pipeline was hit with a ransomware attack that infected some of its digital systems. It was later revealed that the attackers gained access to Colonial Pipeline’s network through a compromised VPN account password. This one password leak led to over 100 gigabytes of data being stolen, along with a five-day shutdown of the east coast’s most important pipeline.

How These Attacks Evade Detection

Delivery

Your typical antivirus will utilise indicators such as downloads or executions to identify malicious files. This proves problematic, as modern attacks can take place without any download or execution. This comes full circle back to social engineering attacks such as phishing, exploiting OS vulnerabilities, and packaging malicious code into seemingly normal files.

Evasion

Defense is the best offense, but in this case the best offense is turning native system components such as PowerShell against the system itself. This lets cyber attackers execute attacks significantly faster while simultaneously evading antivirus detection.

Lateral Movement

Once a single endpoint has been compromised, it becomes easier for an attacker to move laterally within a network to other assets and targets. If an attacker were to get a hold of admin credentials, they would be able to access any part of a network without triggering any alerts.

Cover Tracks

An experienced attacker is able to cover their tracks after performing malicious activity. With the admin credentials mentioned earlier, they are able to delete log files within the domain to avoid leaving digital forensic evidence behind. One PowerShell script is capable of doing this.

Detecting Advanced Endpoint Threats with EDR

Prevention Alone is Not Enough

Endpoint detection and response (EDR) in combination with your antivirus is an important consideration. Being able to detect threats at each of the above 4 stages is essential for a holistic view of the attack. For example, by collecting event logs off the endpoint, you would be able to capture key data around a potential breach.
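
As an added illustration (not taken from the AT&T whitepaper or from 2TS tooling), the sketch below shows how collected Windows event records can be mapped to the evasion, lateral movement and cover-tracks stages described above. The sample events, host names, and the ADMIN_ACCOUNTS list are constructed for the example; the event IDs are the standard Windows ones (4688 process creation, 4624 logon, 1102 and 104 log cleared).

```python
import re

# Constructed sample records shaped like exported Windows events (values invented).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS-014",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64>"},
    {"EventID": 4688, "Host": "WS-014",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4624, "Host": "SRV-DB01", "LogonType": 3,
     "TargetUserName": "adm-jsmith", "IpAddress": "10.0.4.14"},
    {"EventID": 4624, "Host": "WS-014", "LogonType": 2,
     "TargetUserName": "jsmith", "IpAddress": "-"},
    {"EventID": 1102, "Host": "SRV-DB01", "SubjectUserName": "adm-jsmith"},
    {"EventID": 104, "Host": "SRV-DB01", "Channel": "System"},
]

# Assumption: the organisation keeps a list of privileged account names.
ADMIN_ACCOUNTS = {"adm-jsmith"}

# PowerShell launched with an encoded command or a hidden window.
SUSPICIOUS_PS = re.compile(r"\s-(?:e|ec|en|enc\w*)\s|\s-w\w*\s+hidden\b", re.I)

def classify(event):
    """Return the attack stage an event suggests, or None if it looks routine."""
    eid = event.get("EventID")
    if eid == 4688 and "powershell" in event.get("NewProcessName", "").lower():
        if SUSPICIOUS_PS.search(event.get("CommandLine", "")):
            return "evasion"
    # Logon type 3 = network, 10 = remote interactive (RDP).
    if eid == 4624 and event.get("LogonType") in (3, 10):
        if event.get("TargetUserName", "").lower() in ADMIN_ACCOUNTS:
            return "lateral_movement"
    if eid in (1102, 104):  # Security / System event log cleared
        return "cover_tracks"
    return None

def triage(events):
    """Group flagged events by host so stages that chain on one machine stand out."""
    hits = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.setdefault(ev["Host"], []).append((ev["EventID"], stage))
    return hits

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, findings)
```

A host that shows a privileged network logon followed by log clearing, as SRV-DB01 does in the sample, deserves attention even though no single event involves a malicious file.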

Monitor More Than Just The Endpoint

As important as endpoint protection is, you should also monitor everything your endpoints interact with, from cloud apps to authentication systems. This will ensure a holistic defense with a lower risk of being compromised.

Focus On Being Manageable and Scalable

Risks are almost always ahead of the technology that fights them. By simplifying your toolset and keeping automation front of mind, you can have a faster incident response time. A unified network will also allow you to stop some attacks the moment they are detected.

In conclusion, endpoints are crucial entry points that can expose your organization to various cyberattacks, and some of the most dangerous ones are often missed by traditional antivirus programs. This blog article highlighted five endpoint attacks that your antivirus may not pick up on, including cryptomining malware, reverse PowerShell attacks, RDP session jacking, APTs/rootkits, and ransomware.