This post is part of our 2023 cybersecurity prediction series.
Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc.
Rise in hijacking remote access sessions could result in high-value domain servers and cloud admin portals – or even physical OT environments – being breached.
Session hijacking – where an attacker will commandeer a remote access session to access sensitive data and systems – will grow in popularity in 2023. Increased use of features like Windows Defender Credential Guard is forcing attackers to pivot – either capturing users’ passwords to enable lateral movement, or hijacking the remote session itself to access sensitive data and systems. The latter is particularly powerful.
By targeting users with elevated rights to data and systems – such as domain, IT, cloud, and system administrators – these attacks are more potent, harder to detect, and more difficult to remove. The user is typically unaware that anything has happened. It takes just milliseconds to inject key sequences and issue commands that create a backdoor for persistent access. And it works even if Privileged Access Management (PAM) systems are being used to employ Multi Factor Authentication (MFA), such as smart cards.
If such an attack connects to Operational Technology (OT) and Industrial Control Systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety – potentially cutting off access to energy or water for entire areas.
Session hijacking does not rely on exploiting a fixable vulnerability; it is about abusing legitimate and necessary functionality of remote session protocols – like Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), and Secure Shell (SSH). Strong isolation is the only way of avoiding these kinds of attacks and breaking the attack chain. This can be done either through using a physically separate system, like a Privileged Access Workstation (PAW), or virtual separation, via hypervisor-based approaches.
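A practitioner's addition that is not part of Dr. Pratt's text or of any HP tooling: isolation prevents the attack, but a detection for the pattern he describes is cheap to add alongside it. A disconnected RDP session that is later reconnected by a different client, with no fresh credential-bearing logon in between, is the footprint such a takeover leaves in the Windows Security log (event 4624 with logon type 10 for the original RDP logon, 4779 for the disconnect, 4778 for the reconnect). The script below walks a constructed sample of those events and flags reconnects whose client name or address differs from the client that opened the session. The `Event` dataclass, `SAMPLE_EVENTS` and `find_suspicious_reconnects` are names chosen for this example, the event records are simplified (the real 4624 splits user and domain into separate fields), and the heuristic itself is an assumption, not something the post proposes.

```python
# Added example (not from the original post): flag RDP session reconnects
# whose client differs from the client that originally opened the session.
# Event IDs and field names follow the Windows Security log (4624 with
# LogonType 10 = RDP logon; 4779 = session disconnected; 4778 = session
# reconnected). The sample events below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    event_id: int
    account: str
    session: str       # e.g. "RDP-Tcp#2"
    client_name: str   # WorkstationName (4624) / ClientName (4778, 4779)
    client_addr: str   # IpAddress (4624) / ClientAddress (4778, 4779)


# Constructed sample log: an admin logs on over RDP from her workstation and
# disconnects; her still-live session is later reconnected from another host.
# The last three events show a benign disconnect/reconnect for comparison.
SAMPLE_EVENTS: List[Event] = [
    Event(4624, "CORP\\alice.adm", "RDP-Tcp#2", "ALICE-PAW", "10.1.5.20"),
    Event(4779, "CORP\\alice.adm", "RDP-Tcp#2", "ALICE-PAW", "10.1.5.20"),
    Event(4778, "CORP\\alice.adm", "RDP-Tcp#2", "HELPDESK-07", "10.1.9.133"),
    Event(4624, "CORP\\bob", "RDP-Tcp#3", "BOB-LAPTOP", "10.1.5.41"),
    Event(4779, "CORP\\bob", "RDP-Tcp#3", "BOB-LAPTOP", "10.1.5.41"),
    Event(4778, "CORP\\bob", "RDP-Tcp#3", "BOB-LAPTOP", "10.1.5.41"),
]

Client = Tuple[str, str]  # (client_name, client_addr)


def find_suspicious_reconnects(events: List[Event]) -> List[dict]:
    """Return one alert per 4778 whose client differs from the client recorded
    at the session's logon.

    Assumption (not from the page): the 4624 that opens an (account, session)
    pair identifies the legitimate owner. A later 4778 from a different
    client, with no new logon, is the pattern a session takeover produces,
    because reattaching to an existing session needs no credential.
    """
    origin: Dict[Tuple[str, str], Client] = {}
    alerts: List[dict] = []
    for ev in events:
        key = (ev.account.lower(), ev.session)
        seen: Client = (ev.client_name.upper(), ev.client_addr)
        if ev.event_id == 4624:
            origin[key] = seen
        elif ev.event_id == 4778:
            known: Optional[Client] = origin.get(key)
            if known is None:
                # Reconnect with no logon in our window: record it, don't alert.
                origin[key] = seen
            elif seen != known:
                alerts.append({
                    "account": ev.account,
                    "session": ev.session,
                    "original_client": known,
                    "reconnect_client": seen,
                })
        # 4779 (disconnect) needs no state change: the session stays alive.
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_reconnects(SAMPLE_EVENTS):
        print(f"[ALERT] {a['account']} {a['session']}: reconnected from "
              f"{a['reconnect_client']} but logged on from {a['original_client']}")
```

The rule fires on the legitimate case too (a user who disconnects at a desk and reconnects from a laptop), so in production it belongs with an allow-list of known client pairs per account and a weighting for the privileged accounts the post singles out; and it only sees the reconnect, so it complements isolation rather than replacing it.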
Alex Holland, Senior Malware Analyst at HP Inc.
People may turn to ‘cyber hustling’ in the cybercrime gig economy to make quick cash during the economic downturn.
The 2009 recession saw surges in malware and online fraud. Since then, we’ve seen the rise of the cybercrime gig economy, where the shift to platform-based business models has made cybercrime easier, cheaper and more profitable. Cybercrime tools and mentoring services are readily available at low costs, enticing cyber hustlers – opportunists with relatively low levels of technical skill – to access what they need to turn a profit. As we face another global downturn, easy access to cybercrime tools and know-how could increase the number of attacks we see – especially attacks against home users by opportunistic cyber hustlers.
Home users may get caught in the firing line, as they are easier to compromise than enterprises. Cyber hustlers are likely to use simpler techniques, like scams and phishing – potentially capitalizing on the economic downturn by offering people fast ways to make money, like cryptocurrency and investment scams. The interconnected nature of the cybercrime gig economy means threat actors can easily monetize attacks. And if they strike gold and compromise a corporate device, they can also sell that access to bigger players, like ransomware gangs. This all feeds into the cybercrime engine, giving organized groups even more reach.
As attacks against users increase, having security baked into people’s PCs from the hardware up – so they can easily prevent, detect, and recover from attacks – will be essential. Our research shows that email is the most common attack vector, particularly for opportunists like cyber hustlers. Isolating risky activities is an effective way of eliminating entire classes of threats without relying on detection. Threat containment technology ensures that if a user opens a link or attachment and something nasty comes through, the malware can’t infect anything. This way organizations can reduce their attack surface and protect employees without hindering their workflows.