Hackers are increasingly destroying logs to hide attacks

Hacker groups are increasingly turning to log file destruction and other destructive methods as a means to hide their tracks, according to a report released this week and containing information from 113 investigations performed by 37 Carbon Black incident response (IR) affiliate partners from across the globe.

According to the report, “politically motivated cyberattacks from nation-state actors have contributed to an ominous increase in destructive attacks: attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization’s operations.”

Carbon Black said that hacker groups are getting better at what the company calls “counter-incident response.”

They said that hackers attempted counter-incident response in 51 percent of all incidents the company and its partners investigated in the last 90 days.

“We’ve seen a lot of destruction of log data, very meticulous clean-up of antivirus logs, security logs, and denying IR teams the access to data they need to investigate,” an IR professional said.

In fact, according to the Carbon Black report, 72 percent of all its partner IR professionals saw counter-IR operations in the form of destruction of logs, which appears to have become a standard tactic in the arsenal of most hackers.

But in some cases, hackers took log destruction and other counter-incident response operations to a new level, and in some cases, their actions resulting in more lasting damage.

“Our respondents said victims experienced such attacks 32% of the time,” Carbon Black said in its report.

“We’ve seen a lot of destructive actions from Iran and North Korea lately, where they’ve effectively wiped machines they suspect of being forensically analyzed,” an IR professional said.

“Attackers want to cover their tracks because they’re feeling the pressure from law enforcement,” another IR professional said.

But Carbon Black also points out that the cyber-security industry, as a whole, has also gotten much better at incident response, hence attackers’ increased focus on removing logs and even wiping systems, just to be on the safe side.

Other key findings:

The same Carbon Black report also touches on many other interesting topics, such as the use of legitimate tools for lateral movements inside compromised networks, the concept of “island hoping,” and the increased focus on IoT devices as entry points into homes and companies. The summarized key findings are available below:

• China and Russia are responsible for nearly half of all cyberattacks. Of 113 investigations conducted by Carbon Black IR partners in the third quarter, 47 stemmed from those two countries alone, while Iran, North Korea, and Brazil were also the origin of a considerable amount of recent attacks.
• Half of today’s attacks leverage “island hopping,” whereby attackers target organizations with the intention of accessing an affiliate’s network.
• An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can be a point of entry to organizations’ primary networks, allowing island hopping.
• Around 54 percent of IR firms said they saw attacks on IoT consumer devices.
• Around 30 percent of respondents also saw victims’ websites converted into a watering hole.
• An alarming 41 percent of respondents encountered instances where network-based protections were circumvented.
• Powershell was the primary tool used for lateral movements inside a network by attackers, found in 89 percent of incidents, followed by WMI (Windows Management Instrumentation).
• Around 27 percent of respondents chose a shortage of skilled security experts was the top barrier to incident response.
• The industry most frequently targeted by cyberattacks was the financial sector, followed by healthcare, retail, and manufacturing.
• Two-thirds of IR professionals believe cyberattacks will influence the upcoming US elections.

Related coverage:

READ MORE HERE