APT fashion trend - carelessness and how to deal with it

Companies are divided into two categories: those that know that they have been compromised - and those that are not yet in the know.

The term APT (advanced persistent threat) was introduced by the United States Air Force in 2006 to describe a new type of attack. Then for the first time an attempt was made to analyze the attack, draw conclusions and try to counter the new threat. APT is not some sophisticated exploit or newfangled trojan. APT is the attack paradigm.

The general principles on which APT is built are well known. For example, the use of social engineering to provoke the user to open a link or an attached file. Or the use of vulnerabilities to gain access to the attacked system. What is so terrible APT? Let's try to figure it out.

Key Features of apt

• Attacks a group of several people, distributed roles depending on the level of knowledge.
• The attacks are aimed at specific companies or manufacturing sectors. Even within one sector, a differentiated approach is applied, the degree of security of each individual company is assessed; Attack of each victim is planned individually - depending on the goals pursued.
• The attackers seek complete control over the victim - and get it, because they use all the forces and means for this, despite the setbacks.
• The attackers will return - even if you can successfully confront them after hacking.
• Attackers carefully mask their presence, adapting to your countermeasures, to new means of protection, step by step covering your infrastructure, hiding the methods used. As practice has shown, signatures for detecting APT, - unlike trojans and botnets, - will be unavailable for a long time after the start of the attack, because the individual approach and secrecy deprive the anti-virus vendors of any information about intruders' methods.
• Despite the low return on investment, zero-day exploits are often used.
• Powerful thoughtful social attack. Before it is carried out, all possible data is collected about your company, personnel, infrastructure, software used.
• “Entry through the neighborhood gate”: attackers use your trusted recipients, counterparties and clients, and explore the limits of infrastructure.
• “What do these fuckers do today?”, The operators of the attackers are monitoring the victim in real time, checking if their attack has been detected, and collecting new information.

The main goal of attackers is to gain access to valuable data and keep it as long as possible. Under the valuable data does not mean your account "Vkontakte", and the intellectual property of the company (the source code of the product, algorithms, customer base, any other corporate secrets). A striking example of such a "long presence" - 10 years, during which hackers had access to the network of Nortel Networks (http://gcn.com/articles/2012/02/15/hackers-roamed-nortel-networks-for-over -10-years.aspx), downloading business plans and process schedules, reading the mail of top managers. Despite the fact that the company declared bankruptcy in 2009, the corporate network still has something to profit from - and the attackers returned in February 2012.

I highlight the following main stages of APT.
1) Collection of data on the victim. Attackers need to study as best as possible the systems and products used in the company, the means of protection, to obtain information about its employees, customers and partners.
2) Invasion. Armed with the obtained data, the attackers penetrate into the internal network, conducting a social attack, using system vulnerabilities and using zero-day exploits. The topology, infrastructure, all information systems of value are investigated.
3) Anchoring influence. The information obtained is used to hack and establish full control over the victim. The attackers will not be limited to the power users :)
4) Keeping influence. The purpose of the attackers is to go unnoticed for as long as possible, while retaining their powers. If you schedule an anti-virus scan with heuristic analysis, the files detected as “malware” will be deleted. If you move servers to a new subnet, measures will be taken to gain access to them at the new location.
A flurry of news about APT collapsed after a successful attack on Google. Google was the first company to openly declare an attack on January 12, 2010. This APT was later called Aurora, because this name appeared in two “binaries” as part of the file path on the attacker's computer.
')

Operation Aurora

At first, it was not clear from Google’s statement which exploit was used and what it was sent to. A week later, an emergency patch for Internet Explorer (MS10-002) was released.
It later emerged that the attacker's interest was initially directed at Chinese dissidents. Two accounts were hacked, one of which belonged to Ai Weiwei, a well-known fighter for human rights. Access to his account and account information was obtained, but this information was not very valuable.

How did you manage to hack Google, a giant who doesn’t spare information protection budgets? Many large companies are building an impenetrable outer perimeter, which often resembles a barrel without a lid: tall walls seem completely impenetrable, but if you need to put inside, say, a tennis ball, you can always transfer it from above.

In the case of Google, “throwing the ball” was allowed by a small group of employees who received letters from trustworthy recipients. The letters contained a link to a website located in Taiwan containing a Java script that exploited the vulnerability. A backdoor was installed on the user's computer, which completely controls the system. The infected system was connected to port 443 of the management server (C & C, command and control) via HTTPS with traffic encryption - and was awaiting commands from the operator. Step by step, control was established over other internal resources in this network (pivoting), which were also used by operators to achieve their goals.

In March 2011 (a year has passed!) Aurora’s attack was announced by several other companies, including Adobe Systems, Dow Chemical, Intel, Juniper Networks, Morgan Stanley, Northrop Grumman, RSA, Symantec, Yahoo.

In implementing APT Aurora, the attackers used software configuration management (SCM) for many months to secure their authority on the victim’s internal network. First, SCM servers were more stable than individual workstations. Secondly, they contained many vulnerabilities, which allowed attackers to hide their presence for a long time without much effort.

A small example is the Perforce system, in which:

• without authentication, it was possible to create a user, assign access rights to it, and this user by default had elevated privileges in the system;
• client-server session was not encrypted;
• with the help of URL manipulations, it was possible to edit the properties of another user (and even change his password without knowing the current one);
• user passwords were stored in unencrypted form;
• A third-party user, using cookies, could log in to the system.

Even if you do not touch upon such moments as a running service with system rights, it can be argued that such a set of vulnerabilities would be enough to subordinate the system.

RSA attack

In the case of RSA, the attack began with two small groups of employees who were sent phishing emails. They attached an .xls file that exploits a vulnerability in Adobe Flash (CVE 2011-069). When sending a letter, the spam filters installed in RSA were treated using simple manipulations: the exploit was used to install the RAT (remote access tool) that connected to port 3460 C & C.
The attackers consolidated valuable information on the internal servers, packed them into password-protected rar archives, and only then sent it to themselves.

Blow to the Tibetan community

In June 2008, an Information Warfare Monitor analyst detected an attack aimed at the Tibetan community. The victims of the attack were located in India, Europe and North America. The victims were the office of the Dalai Lama and the entire Tibetan infrastructure in London, New York, Brussels; experts in real time watched as intruders bite into it. The attack was controlled via a web interface with four C & C. 1295 computers in 103 countries were infected. According to experts, 30% of the cars contained important information. As in other cases of APT, the attackers had to “throw the ball in the barrel.” For this purpose, a phishing letter was used, allegedly from the address campaigns@freetibet.org. The letter contained either a link or a file in * .doc format with the name “Translation of Freedom Movement ID Book for Tibetans in Exile”.


The trick of the APT organizers should be noted: when clicking on a link or opening a file, the user should not suspect anything. Website page will not contain bright advertisements or pornographic pictures; the text file will not be empty and will not contain messages like Nigerian letters. It will be a simple, neutral message, a plain, unremarkable text. The user will read, close - and forget, without giving it meaning. There will be no offers to download a free antivirus, the cursor will not jump across the screen, there will be no pop-up banners: the attackers cannot give out their presence, the victim cannot be missed.

Operation “Shady RAT”

Shady RAT - this name McAfee experts gave APT, which lasted more than five years since 2006. In 2009, researchers at the University of Toronto discovered two large cyber espionage networks, called GhostNet and ShadowNet, which used the Enfal Trojan. It is noteworthy that some versions of Enfal were known as early as 2002 (at that time he was involved in the attacks of “Byzantine Hades”, “Byzantine Anchor”, “Byzantine Candor”, and “Byzantine Foothold”). At that time, McAfee had detected them for a year now as Generic Downloader.x and Generic BackDoor.t. Nevertheless, by 2008, according to McAfee experts, only 11 of 34 antiviruses detected Enfal.
Evolving, RAT ceased to leave traces during installation. The traces of the trojan are cleared, and the usual remote control software is installed that does not trigger the antivirus reaction.

Night dragon

This APT was aimed at the oil and gas industry; The first mentions of her appeared in November 2009. The attack tactics have been changed. Initially, by introducing the SQL code, external web servers of the companies were captured and the entrance to the corporate users portal with their passwords was expected. For hacking passwords and access to the intranet used common utilities gsecdump and Cain & Abel. Creating a remote connection under user names is, of course, risky. Therefore, the zwShell utility written in Delphi was used to generate a unique Trojan - especially for the current campaign - and then the victim was controlled, as usual, by means of RAT.

Lurid

It would seem, to whom are we here, in Russia, needed? But it was not there! In August 2010, a new attack was discovered, and among the infected were, among others, companies from Russia, Kazakhstan and Ukraine. According to McAfee, the attackers deployed a C & C infrastructure from 15 domains on 10 IP addresses. Russia ranks first in the number of victim companies: 1063 external IP addresses.
The attack was carried out in the classical way - using the attached file in * .pdf format, which exploited vulnerabilities in Adobe Reader (CVE-2009-4324, CVE-2010-2883). However, the attackers changed tactics. Lurid, affecting 61 countries, was divided into separate campaigns. To manage each of them, a separate URL was brought in, an Enfal individual Trojan was formed; attacks in each direction were carried out by various personnel. Commands on the RAT were not transmitted via push: the list of commands for each node was stored in a separate file on the C & C server.



Managing servers were located in the USA and England, but domain names were registered to owners from China.

How scary is everything

Read the news about Georbot. Googling how beautifully Lizamoon still lives. Think again about the fate of Nortel Networks. Recall Trojans in components for various programming environments, Trojans from manufacturers of flash drives, network equipment and operating systems.
Try to answer a few questions:

• Is anti-virus software installed everywhere? Does it work normally?
• Do you know if software is installed that does not comply with company policies?
• Can you detect abnormal traffic on your network? how soon?
• Will you notice if a user becomes a local administrator? and if a specific username will be used from multiple computers?
• Will your user open a document not related to his work?
• Are you sure about the encryption used?
• Do you know that your site is vulnerable?

By the way, as it turned out, only a few of those who attended the RusKrypto conference in 2012 asked themselves all these questions. As a result of the 15-minute survey, it was possible — with the simplest interception of traffic — to catch not only authentication data for such ordinary services as Blogspot, Google, Facebook, Twitter, but also passwords for remote connections! Alas, only a few people thought that they are connecting to an access point with encryption disabled. Few participants drew attention to the fact that the site of the hotel where the conference was held was hacked and sends mobile users to a page with a trojan ...
And here is the apt? Did you connect to access points? Return to the beginning of the article and reread the first phrase! What prevents to use the obtained data for access to your corporate network - and further, for targeted access to cryptographic developments? The role of the counterparty, who became the “base” for a separate attack campaign, may well be performed by the hotel, which brought together leading Russian information security specialists.

What are the mistakes of the victim companies?

• Not considered social engineering.
• Not taken into account that you need to protect not only the outer perimeter and not only "for show".
• We have relied on protection tools triggered after the fact (as a result, antiviruses, spam filters, IPS - “were silent”, not having signatures).
• It was rashly suggested that an attack on them could be too costly (with a low return on investment).
• Hoped for antivirus products, data leak prevention systems (DLP, Data Leak Prevention), two-factor authentication.
• They did not take into account the possible direction of attacks from trusted sources (counterparties, branches, corporate sites).

When people remember the death of Titanic, they always talk about lifeboats, about the need for more lifeboats - but they completely forget about the iceberg. In the same way, information security units snatch out separate points from standards, practices and recommendations - and willingly implement them. At the same time, despite the fact that the methods of conducting attacks are studied in detail, actual protection algorithms for some reason are not used in practice. Carelessness? Companies have focused on traditional means, and these funds are saving up to a certain point. But it is worth the attackers to make the next half-step ahead - and this is the result ...

The life of the attackers on the intranet is extended by the security officers themselves. It is necessary to get rid of excessive self-confidence and pay attention to the following aspects of protection.

• Vulnerability Management. Zero day exploits won't save you all, it's expensive. Even low-ROI APT operators are not able to constantly look for new opportunities; It’s easier to exploit old vulnerabilities that you didn’t manage to patch. However, many people forget (it is possible to replace “s” with another letter) to scan the outer and inner perimeters, not to mention penetration testing. We need not only a server with automatic installation of patches, but we also need running patch management and vulnerability management processes.
• Traffic analysis For most of the RAT, there are post-factum signatures written. However, few people use them, although adding a signature, and often even writing your own, takes no more than five minutes. Timely monitoring of threats allows you to construct your own description, which makes it possible to neutralize vulnerabilities, patches for which have not yet been released.
• Traps. Attackers will certainly explore your infrastructure. There is a chance that you will find an intruder using a honeypot and you will be able to study his tactics in a timely manner. (One day, while working in one of the companies, I posted a file with an attractive name on a shared network resource - and tracked attempts to open it or copy it. All users prescribed the information security policies. The employees did not decide to open such a file. The rare exception was attempts to cause damage and activity insiders. These simple steps will help you detect APT in a timely manner.)
• Control over antivirus software. It is not enough just to follow the update of signatures: it is also necessary to analyze the settings and performance of the antivirus, to study the facts of protection being disabled. It is known that in some cases, APT turned off anti-virus protection before installing remote control tools, but this remained unnoticed.
• Integrity control. This applies both to individual service files and components, as well as to configuration files.
• Control policies. Did you know that remote administration tools appeared on the computers of your network? Do you know about the new proxy server through which traffic goes to the Internet? Why did a new “shared” resource appear on the file server? The case with RSA is indicative: Internet access from servers has not been disabled! Cain & Abel has long been detected as a hack tool; the question arises: why is the utility not found?
• Event registration and incident management. Modern corporate networks have a huge number of sources of events, and these events need to be analyzed automatically. The event correlation methods implemented in SIEM systems will allow you to get a complete picture of what is happening in your infrastructure, down to the smallest deviations. Manual log analysis is utopia.
• Hardware and software. Let's go back to the APT methodology ... What did it hurt to limit the size of the POST request? Why dynamic DNS was not blocked, fast-flux requests were not detected? Why were the hits of requests on proxy servers not analyzed, although they are very indicative of viral activity?
• Awareness is a hot topic. And this is not only about ordinary clerks: the bait of well-known techniques, described as early as the 1990s, are still top managers of large companies.

If the information security specialists met the requirements of all the necessary standards, APT might not have become such a powerful trend.

In the next article, using the example of one of the existing banks, I will demonstrate an attack using social engineering methods as a stage of preparation for APT. Check - how protected our banking system;)