MITRE ATT&CK: Drive-by compromise

Introduction

In this article, we will discuss drive-by compromise attacks: exactly what they are and the different forms they can take. We will also see examples of how they are executed, how to detect them and how they can be mitigated against. Finally, we will take a look at the common Advanced Persistent Threat (APT) groups that have employed different techniques to execute these attacks.

Overview of the MITRE ATT&CK

The MITRE ATT&CK is a publicly accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government and in the cybersecurity product and service community.

The aim of the MITRE ATT&CK is to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.

What are drive-by compromise attacks?

Drive-by compromise attacks occur when hackers infect websites and rely on vulnerable users (targets) visiting them. Once a target loads an infected page, malicious code hosted on the compromised site probes the visitor's browser for vulnerable plugins and, in some cases, for previously unknown vulnerabilities (zero-days). The hackers then exploit these vulnerabilities to gain unauthorized access to the target's system, without the visitor having to click or download anything deliberately.

How are drive-by compromise attacks executed?

Drive-by compromise attacks are aimed at a specific set of targets, such as government groups. The intention is to compromise an individual or an entire group. The members of such a group typically share a common interest, and that shared interest is often what shapes the attack in the first place.

Drive-by compromise attacks typically follow a series of steps:

  1. Hackers host malicious content on a vulnerable website that users visit. Unknown to these users, the site they visit has been infected with malware. While (Read more...)
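The mechanism described above (a trusted page that silently pulls in a redirect, a plugin exploit and a dropped payload) leaves a recognisable footprint in web-proxy logs, which is where a defender usually first sees a drive-by. The following is an added example, not code from the original article or from MITRE: a small heuristic detector that reads proxy log lines and flags, per client, a visit to a known-good site that is followed within a short window by a request to a never-before-seen domain that serves a Flash, Java or executable payload. The log format, the allowlist of known-good domains, the payload content types and the sample log lines are all constructed for this illustration and are not real indicators.

```python
"""
Heuristic detection of a drive-by compromise chain in web-proxy logs.

Added example; the space-separated log format (timestamp, client IP,
method, URL, referrer, response Content-Type), the allowlist and the
sample lines are constructed for illustration.

Chain looked for, per client:
  1. a page load on a domain the environment already trusts,
  2. a request, referred from that page, to a domain the client has never
     contacted before (the injected redirect / exploit landing page),
  3. within WINDOW seconds, a response from that new domain whose
     Content-Type is a plugin or executable payload.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

WINDOW = timedelta(seconds=30)

# Content types typically delivered by exploit landing pages rather than
# by an ordinary page view (constructed list, tune for your environment).
PAYLOAD_TYPES = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-msdownload",
    "application/octet-stream",
}

# Domains known to be legitimate in this environment (constructed allowlist).
KNOWN_GOOD = {"news.example.org", "cdn.example.org", "intranet.example.com"}

# Constructed sample log: client 10.0.0.5 hits a chain, client 10.0.0.7 does not.
SAMPLE_LOG = """\
2023-03-01T09:00:01 10.0.0.5 GET http://news.example.org/index.html - text/html
2023-03-01T09:00:02 10.0.0.5 GET http://cdn.example.org/site.js http://news.example.org/index.html application/javascript
2023-03-01T09:00:03 10.0.0.5 GET http://ad-sync.example.net/lp.php?id=7 http://news.example.org/index.html text/html
2023-03-01T09:00:05 10.0.0.5 GET http://ad-sync.example.net/f.swf http://ad-sync.example.net/lp.php?id=7 application/x-shockwave-flash
2023-03-01T09:00:09 10.0.0.5 GET http://ad-sync.example.net/get.php?k=1 - application/x-msdownload
2023-03-01T09:05:00 10.0.0.7 GET http://news.example.org/index.html - text/html
2023-03-01T09:05:01 10.0.0.7 GET http://cdn.example.org/site.js http://news.example.org/index.html application/javascript
2023-03-01T09:30:00 10.0.0.7 GET http://intranet.example.com/update.exe - application/x-msdownload
"""


@dataclass
class Record:
    ts: datetime
    client: str
    method: str
    url: str
    referrer: Optional[str]
    ctype: str


@dataclass
class Alert:
    client: str
    referring_page: str
    exploit_domain: str
    payload_url: str
    content_type: str


def domain(url: str) -> str:
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def parse_line(line: str) -> Record:
    ts, client, method, url, referrer, ctype = line.split(" ", 5)
    return Record(datetime.fromisoformat(ts), client, method, url,
                  None if referrer == "-" else referrer, ctype)


def detect(log_text: str) -> list:
    """Return one Alert per client/domain pair that matches the drive-by chain."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec.client].append(rec)

    alerts = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r.ts)
        seen = set()        # domains this client has already contacted
        pending = {}        # suspect domain -> (first contact time, referring page)
        for rec in recs:
            dom = domain(rec.url)
            ref_dom = domain(rec.referrer) if rec.referrer else None
            if dom not in KNOWN_GOOD and dom not in seen and ref_dom in KNOWN_GOOD:
                # Step 2: a trusted page sent the client to a domain it has never used.
                pending[dom] = (rec.ts, rec.referrer)
            elif dom in pending and rec.ctype in PAYLOAD_TYPES:
                # Step 3: that domain served a plugin/executable payload soon after.
                first_ts, ref_page = pending[dom]
                if rec.ts - first_ts <= WINDOW:
                    alerts.append(Alert(client, ref_page, dom, rec.url, rec.ctype))
                    del pending[dom]
            seen.add(dom)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.client}: {a.referring_page} -> {a.exploit_domain} served {a.content_type} ({a.payload_url})")
```

Run against the sample, the detector raises a single alert for 10.0.0.5 (news.example.org referred it to ad-sync.example.net, which served a Flash object two seconds later) and stays quiet for 10.0.0.7, whose executable download comes from an allowlisted intranet host. The allowlist and the "never seen before" test are what keep the heuristic from firing on every third-party script a legitimate page loads; in production the allowlist would be replaced by a baseline of domains observed over a trailing period, and a hit would be a trigger for endpoint triage rather than a verdict on its own.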

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/wibbjqV0uLo/