
The ‘Be Right Back’ Attack: How Hackers Ensure They Never Really Leave Your Network
Imagine you’ve spent weeks hunting down and removing a threat from your network. You’ve closed the vulnerability, deleted the malicious files, and restored your systems. You breathe a sigh of relief, thinking the battle is won. But what if the attacker planned for this all along? What if they left behind hidden backdoors designed to reactivate their access the moment you look away?
This is the reality of a sophisticated attack strategy cybersecurity experts are tracking, one where attackers don’t just break in—they plan for a comeback. These campaigns are long-term operations, or “marathons,” designed to maintain persistent access to a target’s environment, even after being discovered. The core of their strategy is simple and terrifying: they will “be right back.”
Understanding how these persistent threats operate is the first step toward building a more resilient defense.
The Initial Breach: Exploiting the Path of Least Resistance
Like many cyberattacks, these campaigns often begin by exploiting known, unpatched vulnerabilities. The primary entry points are frequently internet-facing servers, with a heavy focus on exploiting flaws in Microsoft Exchange Server, such as the infamous ProxyShell and ProxyLogon vulnerabilities.
This initial access is just the first step in a long game. The attackers know that these vulnerabilities will eventually be patched, so their immediate priority is to establish a deeper, more permanent foothold inside the network before their original entry point is closed off.
How Attackers Establish Redundant Persistence
The hallmark of the “Be Right Back” strategy is establishing multiple, redundant methods of persistence. The goal is to ensure that even if a security team discovers and removes one backdoor, several others remain active and ready to be used.
Here are the primary tactics used to achieve this unwavering persistence:
Illegitimate Use of Legitimate Tools: Attackers have become masters of “living off the land,” using tools that are already on your system to avoid detection. They frequently install legitimate remote access software like ScreenConnect, AnyDesk, or Atera for easy access. To hide their tracks, they rename the executable files to mimic common system processes, such as svchost.exe or winlogon.exe, making them difficult to spot in a task manager.
Hijacking Scheduled Tasks: The Windows Task Scheduler is a favorite tool for attackers. They create new scheduled tasks programmed to run periodically (e.g., every few hours). These tasks execute a command to download and run the malware again, effectively re-infecting the system automatically if the original malicious files are deleted.
Creating Rogue Administrator Accounts: A simple but highly effective technique is to create a new user account with administrative privileges. This gives the attacker a permanent key to the kingdom. Even if their malware is wiped, they can simply log back in through their hidden admin account and redeploy their tools.
Advanced Evasion with DLL Side-Loading: For more advanced persistence, attackers use a technique called DLL side-loading. They place a malicious DLL file in the same directory as a legitimate, trusted application. When that application is launched, it inadvertently loads the malicious DLL, executing the attacker’s code under the guise of a legitimate process and bypassing many security controls.
Once inside, the objective is almost always data exfiltration. The attackers move laterally across the network, escalating privileges and searching for valuable information. They often use tools like 7-Zip to compress and encrypt stolen data into a single archive before quietly sending it out of the network.
How to Defend Against Persistent Threats
Defending against an attacker who plans for their own eviction requires a shift from reactive to proactive security. You must assume they are already planning their return.
Here are actionable security tips to protect your organization:
Prioritize Proactive Patch Management: The initial breach often relies on an unpatched system. Immediately apply security patches for all internet-facing software and hardware, especially for critical systems like Microsoft Exchange.
Monitor for Anomalous Legitimate Activity: Don’t just look for malware. Actively monitor for the installation of new remote access tools, the creation of unexpected scheduled tasks, or the appearance of new user accounts with high privileges. Scrutinize processes with common names (svchost.exe, etc.) that are running from unusual file paths.
Implement the Principle of Least Privilege: Ensure that user and service accounts only have the permissions necessary to perform their roles. This limits an attacker’s ability to move laterally and create new admin accounts if they compromise a low-level user.
Conduct Comprehensive Incident Response: When you find one indicator of compromise (IOC), don’t stop there. Assume there are other, hidden persistence mechanisms. A thorough incident response must involve hunting for all potential backdoors—rogue accounts, scheduled tasks, and unauthorized software—not just deleting the initial malware file.
Ultimately, modern cyber defense is a marathon, not a sprint. By understanding the tactics of persistent attackers and adopting a security posture built on vigilance and proactive threat hunting, you can ensure that when you kick an attacker out, they stay out for good.
Source: https://blog.talosintelligence.com/brb-pausing-for-a-sanctuary-moon-marathon/