Living off the (Out)land

Living off the land (LOTL) has been a known hacking methodology for some time; covertly exfiltrating data via Ping and ICMP was already being discussed in the 49th issue of the hacker magazine Phrack in the early nineties.

Insight

The general idea is to creatively use already accessible, legitimate tools and software to accomplish, for example, persistence or reconnaissance during a lateral movement phase. By swapping noisy hacking tools for creative use of built-in system tools, an attacker can evade detection and avoid rousing unnecessary suspicion. If the activity is detected, it can in some instances be mistaken for regular administrative work or normal user activity.

While standard LOTL was in some cases contained to a single device or a network (an attacker would, for example, create persistence via a scheduled task, or creatively use Windows binaries to move or exfiltrate files across or out of the network), in more recent days it could be argued that this attack technique, or “hacker mindset”, is being applied in an external setting, and on most occasions these kinds of attacks are defined and seen as supply chain attacks.

As the threat actor will not respect the borders of your infrastructure, and makes no distinction between applications running in the cloud and the Ping application running on bare metal, it could be wise to take your eyes off the internal environment and look wider. Today many organizations have created a dependency on external code repositories and have an environment that interacts daily with external services or applications; the “land of tools”, metaphorically speaking, may have become a vast sea of opportunity for malicious actors applying this methodology.

Recent activities indicate that this is a relevant and continuous threat, ranging from advanced social engineering attacks targeting open-source projects like XZ [1], to the subversion of legitimate online services to store malware payloads [2], to the case where Russian-speaking threat actors were identified as having created fake GitHub personas to serve malicious code [3].

Recommendation

While this kind of living off the “outland” behavior is by default stealthy and tends to merge into the background noise, there are still several ways to detect and proactively protect against these types of attacks.

Educate employees, developers, and users about the risks associated with downloading code from untrusted sources. Train them to identify signs of suspicious code repositories such as lack of activity/history, unverified authors, and unusual file names.

Make sure that test environments dependent on collaborative code libraries such as GitHub are fully separated from production environments.

Maintain an up-to-date inventory of dependencies and libraries used in the organization’s codebase. Regularly audit dependencies for vulnerabilities and update them to patched versions to mitigate known security risks.
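One way to put the inventory-and-audit recommendation above into practice, as an added example that is not part of the original post: the Python below parses a pinned manifest and reports packages that are unpinned, missing from the recorded inventory, carry a different hash than recorded, or sit below a known fixed version. The manifest format (pip-style `name==version --hash=sha256:...`), the package names, hashes and the advisory entry are all constructed for illustration.

```python
import re

# Constructed sample manifest (fictional packages, pip requirements style);
# the hashes are short placeholders, real sha256 digests are 64 hex characters.
MANIFEST = """\
httpkit==2.31.0 --hash=sha256:aaaa1111
netlib==1.26.5 --hash=sha256:bbbb2222
leftpad-utils==0.3.1 --hash=sha256:cccc3333
colorkit>=0.4
"""

# Constructed approved inventory: name -> (version, sha256) recorded at review time.
INVENTORY = {
    "httpkit": ("2.31.0", "aaaa1111"),
    "netlib": ("1.26.5", "bbbb2222"),
    "colorkit": ("0.4.6", "dddd4444"),
}

# Constructed advisory list: name -> first fixed version (earlier versions affected).
ADVISORIES = {"netlib": "1.26.18"}

LINE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?P<op>==|>=|~=)?(?P<ver>[0-9.]+)?"
                     r"(?:\s+--hash=sha256:(?P<sha>[0-9a-f]+))?$")

def parse_version(v):
    """Turn '1.26.5' into (1, 26, 5) so that versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit(manifest=MANIFEST, inventory=INVENTORY, advisories=ADVISORIES):
    """Return (package, finding) pairs; an empty list means the manifest is clean."""
    findings = []
    for line in (raw.strip() for raw in manifest.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group("op") != "==" or m.group("ver") is None:
            findings.append((m.group("name") if m else line, "not pinned to an exact version"))
            continue
        name, ver, sha = m.group("name", "ver", "sha")
        if name not in inventory:
            findings.append((name, "not in approved inventory"))
        else:
            inv_ver, inv_sha = inventory[name]
            if ver != inv_ver:
                findings.append((name, f"version {ver} differs from inventory {inv_ver}"))
            if sha != inv_sha:  # also catches a missing hash (sha is None)
                findings.append((name, "hash missing or differs from inventory"))
        if name in advisories and parse_version(ver) < parse_version(advisories[name]):
            findings.append((name, f"affected by advisory, fixed in {advisories[name]}"))
    return findings
```

Running `audit()` on the constructed manifest flags the advisory-affected package, the package absent from the inventory, and the unpinned requirement; a manifest that matches the inventory exactly returns an empty list.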

Deploy endpoint detection and response (EDR) solutions that don’t solely rely on artifacts such as suspicious binaries or network connections. Set a baseline for the usage of external applications and consider the possibility of implementing cloud application defenses.

References

  1. https://www.openwall.com/lists/oss-security/2024/03/29/4
  2. https://arstechnica.com/security/2024/01/ars-technica-used-in-malware-campaign-with-never-before-seen-obfuscation/
  3. https://www.recordedfuture.com/gitcaught-threat-actor-leverages-github-repository-for-malicious-infrastructure