What is APT?
November 01, 2022
Advanced persistent threats are considered the most dangerous hazard a network can face, and they take a great deal of effort to detect and prevent. The final target of such an attack - the sensitive data - and the intermediate elements touched during the cyberattack must be protected at the highest level. Cybersecurity specialists who deploy and run EDR solutions must foresee all possible attack vectors.
Such an attack also requires a lot of resources and work on the attackers' side. The three main stages of an APT operation - infiltration, expansion, and extraction - take far more effort than "classic" attacks. The payoff is usually worth it, but some gangs do not survive as long as such an attack may last. An attack with an advanced persistent threat is a contest of professionals.
Advanced persistent threats have many aspects to discuss. First, we want to define the difference between APTs and everyday cyberattacks. An advanced threat may look like just a more advanced virus, but it is closer to a special operation than to a common attack. APT attacks rely on many more programs - both the attackers' own tools and those already present in the attacked system. They are also executed manually, unlike ransomware attacks, which are usually automated. The word "persistent" in the name means exactly what it says: such threats are about a long-term presence in the infected system. The target of such attacks is valuable data, and the longer the attack goes on, the more data can be smuggled out.
There are several more things to note. The precursor malware and the tools for expanding the presence in the network are often the same as in simpler attacks. For example, when hackers establish APT presence and activity on each network element, they may use the same exploits against server software and user applications. There is no need to reinvent the wheel, especially when it works well. Another thing to remember is the typical goal of attacks that use advanced threats. Hackers rarely aim to receive a ransom and sometimes do not want any profit at all. The final goal may be leaking critical information, deleting it, or taking control of the servers or the websites hosted on them. Such a task may take months to complete, but APT deployment and retention are never a five-minute job.
APT stages. From infiltration to data extraction
As mentioned, attacks with advanced persistent threats have three main stages. During the attack, cybercriminals try to inject the malware, entrench it (i.e., spread it into every environment they can reach), and finally begin extracting data. All these stages require specific software and approaches. The final payload is most likely a backdoor, a remote-access trojan, spyware, or a combination of these. To make the explanation more concrete, we will refer to a real cyberattack with an advanced threat that happened at the beginning of 2023, when North Korean hackers attacked the Russian diplomatic sector with Konni RAT.
Stage 1. Malware infiltration
There are dozens of possible ways for malware to get into a corporate network. However, over the last two years analysts have observed a clear trend: almost 40% of attacks are carried out through RDP exploitation, and this figure applies to all forms of cyberattack, not only APT-related ones. Nonetheless, other methods - SQL injection and social engineering, for example - are used as well. In some cases, primarily to distract the personnel's attention, crooks may additionally launch a DDoS attack. System administrators and security specialists will put their efforts into protecting the network, while the main action happens behind their backs.
In the case of the Konni RAT attack by the same-named group, the attackers did not perform any distracting maneuvers. Their approach was a textbook example of spear phishing. They disguised an email message to the Russian embassy in Indonesia, with a malicious file attached, as a New Year's greeting. They managed to counterfeit the sender address so that the domain looked like "@mid.ru" - different from the original "@mid.rf" but similar enough to fool someone. Combined with the typical pre-holiday relaxation, that scattered the attention of embassy workers.
Malware injection steps
What cybercriminals first inject into the targeted system or network is not always the final malware itself. It may be a script that connects to a remote server to fetch the payload, or one that weakens the security system before the malware launches. So-called precursor malware may be used to show a phishing page or trick the staff into allowing the malware installation. However, most hackers try to avoid relying on the human factor, since not all employees are careless enough to ignore suspicious behavior.
In the case of the Konni APT attack, the attachment mentioned above (a .zip archive) contained a script that connected to the command server and downloaded the installer for the remote-access trojan. After launching the поздравление.scr file, embassy workers were looking at the displayed image while the main action happened in the background. Such a multi-step scheme is needed to complicate log analysis and wipe traces. Additionally, such intermediary steps may be used to disable the security software. When the intrusion is concealed and the payload malware is downloaded, crooks turn to the second stage - expansion.
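The spear-phishing pattern just described - a sender domain one letter away from the legitimate one and a .scr posing as a greeting card inside a zip - can be caught at the mail gateway before anyone opens it. The Python below is an added example, not code from the article or from any product it mentions; the trusted-domain set, the extension list and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Constructed values: the trusted-domain set is made up; only mid.ru / mid.rf come from the article.
TRUSTED_DOMAINS = {"mid.ru"}
DANGEROUS_EXTENSIONS = {".scr", ".exe", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".lnk", ".hta"}

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot sender domains that nearly match a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify the sender domain: 'trusted' (exact match), 'lookalike' (within
    max_distance edits of a trusted domain, e.g. mid.rf vs mid.ru) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower().strip("> ")
    if domain in trusted:
        return "trusted", domain
    for t in sorted(trusted):
        if levenshtein(domain, t) <= max_distance:
            return "lookalike", t
    return "unknown", None

def risky_attachments(archive_bytes: bytes):
    """Return zip members with an executable extension anywhere in the name (card.scr, card.jpg.scr)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a zip: nothing to inspect at this layer
    flagged = []
    for name in names:
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        if {"." + p for p in parts[1:]} & DANGEROUS_EXTENSIONS:
            flagged.append(name)
    return flagged

def build_sample_zip() -> bytes:
    """Constructed sample mirroring the article's case: a .scr posing as a greeting card."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("поздравление.scr", b"not a real screensaver")
        zf.writestr("card.jpg", b"\xff\xd8\xff")
    return buf.getvalue()
```

A distance of 2 is a reasonable starting point for short domains; widen it only after checking how many legitimate senders it would flag in your own mail logs.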
Stage 2. Malware expansion
Compromising a single computer in the network is never enough, even if it is a domain controller. Typically, crooks aim at the DC or, at least, a computer with administrator privileges. If they initially land on a computer with ordinary user privileges, they will try to escalate them to run their malware as administrator. Hackers may do this under the profile of the user they have infected or by creating a separate, hidden administrator account. Escalating privileges is not an easy task and usually requires exploits. However, if the attack is prepared properly, crooks already know which exploits to use and have a malicious app ready to abuse the vulnerability.
Having an administrator account lets the crooks create the same highly privileged accounts on other devices and manage the network. Taking over the domain controller is common practice, but it is harder to pull off. That's why crooks usually carry tools like brute-force utilities or hacktools - they serve as a crowbar when the picklock fails. Crude instruments are easier to detect, but by the stage of brute-forcing the DC, crooks have usually managed to disable the protection on the individual computers.
Expanding the malware presence in the network has an obvious reason: the more computers are infected, the more data cybercriminals can access and extract. This simple, linear relationship should guide system administrators. Network clustering (segmentation), enhanced protection measures, and constant monitoring are essential when dealing with sensitive and valuable data. However, threat actors who dare to commit APT attacks likely have fallback options. That's why it is better to have a well-tuned EDR solution: it cannot be turned off without taking over the DC and is hard to evade, since it relies on heuristic detection, which is much harder to deceive.
Stage 3. Data extraction
As we mentioned before, APT threats are not called "persistent" by accident. They try to last as long as they can in the corporate system, gathering all data that may potentially be valuable. However, they don't send the data to their command server as soon as they find it on the victim's PC. Even when the security software is disabled, system administrators may notice multiple packets sent from inside the network to an unknown address. Such a case will raise the alarm, and the advanced threat will be uncovered at that point. To make the extraction quieter, cybercriminals must apply some tricks.
Those tricks may involve disguising the extracted files or distracting attention. In the majority of cases, crooks opt for the second variant. It is not easy to conceal a huge amount of traffic. How often do you send gigabyte-sized files through email? That will raise suspicion, even if that email has already been delivered by the time it is detected. The distraction crooks usually use is a DDoS attack, or so-called white noise - a lot of pointless commands or requests that clutter the logs. Such a trick may circumvent the security solutions and create a lot of headaches for the analysts trying to figure out what's happening.
However, when the APT operators decide to end their presence in a certain network, they may even perform the final extraction "as is". That is not common practice, especially if the information obtained from the company has been sold for a good price. Crooks may then resell the way they got into the network to their colleagues, or infiltrate it once again. But when they decide to take French leave, things may get even rougher: in some cases, crooks deploy ransomware as the icing on the cake.
How to protect your network from APT attacks?
As you can see from the paragraphs above, advanced persistent threats are extremely sophisticated and carried out by qualified cybercriminals. Deploying an APT and countering it may be compared to a game of chess between two grandmasters - both are very skilled and have many possible moves. It becomes even more interesting when they can only guess at each other's activity and must take careful steps to understand what's going on. Nonetheless, watching this game already means that something went wrong. That does not mean security measures must be able to prevent every intrusion. But when you do everything right, crooks will find their hands tied. Let's see how to secure your corporate network from attacks with advanced persistent threats.
Minimize the human factor
Careless personnel is one of the biggest security weaknesses, and it is impossible to eliminate. You can teach employees how to stay safe and avoid potentially dangerous things, but you will never dispel this hazard completely. Out of 10 workers, nine will be diligent, and one - careless. That's why boosting cybersecurity knowledge among your employees must be complemented with reducing the damage a human mistake can cause.
- Explain the danger of attached files. Many people think that attachments cannot be dangerous, so they open them without a second thought. Hackers thank them - a big share of attacks of any scale happens because of this false belief.
- Close the weak spots. MS Office macros and Visual Basic scripts may carry arbitrary code. When they come from outside, they could contain a downloader or the malware itself. Forbidding their execution without the system administrator's permission closes these injection paths.
- Set up software hygiene. This advice helps against any malware, since crooks use the same exploits for various attacks. Updating applications regularly, avoiding untrustworthy programs, and keeping an eye on applications that can collect information about their users - these pieces of advice are basic.
- Cluster (segment) the network. Even if hackers manage to infect a part of the network, they will fail to go further. At the very least, you'd win some time to find a way to deal with them.
- Give most users standard (non-administrator) privileges. Most apps these days don't require administrator privileges. They may still ask for the administrator password sometimes, but it is much easier to enter it on demand than to deal with a cyberattack.
Technical approaches against APT
Besides the more general advice regarding employees, there are several things to do specifically against APTs. These measures mostly concern network security and traffic control. Whitelisting and traffic monitoring are the two you must pay the most attention to.
Whitelisting means allowing access only to designated websites/IP addresses from inside the corporate network. Such a setup is useful for preventing a malware downloader from connecting to its external server. It also has a more "peaceful" purpose - stopping employees from visiting random sites to minimize procrastination. However, used on its own, this method is not 100% effective. "White" domains may be compromised over time, or the connection may be made through safe and legitimate software. Some programs may be safe but outdated, which makes them vulnerable to exploitation. Keep all these problems in mind when setting up your network.
While whitelisting is more of a passive protection, traffic control is an active countermeasure. First of all, the most important thing to protect is the most vulnerable one. In companies, that is usually the web application servers. They are the most exposed, since by design anyone can connect to them. Therefore, you must pay additional attention to protecting them with firewalls or other filters that can prevent SQL injection or RFI attacks. Moreover, firewalls are quite useful for traffic control: these tools can log network events, allowing you to see and analyze possible anomalies.
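The traffic-control point above, together with the extraction signs from Stage 3 (packets leaving for unknown addresses, gigabytes sent out from one host), can be turned into a simple egress check over firewall flow logs. The Python below is an added example, not code from the article; the internal range, egress allowlist and flow records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: the internal range, egress allowlist and flow records below are
# made up for this illustration and do not come from the article.
INTERNAL = ip_network("10.0.0.0/8")
EGRESS_ALLOWLIST = {ip_address("203.0.113.10"), ip_address("198.51.100.25")}

# Flow records in the shape a firewall might log them: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.0.1.15", "203.0.113.10", 443, 120_000),      # allowed peer, modest volume
    ("10.0.1.15", "198.51.100.25", 443, 80_000),
    ("10.0.1.22", "192.0.2.77", 443, 900_000_000),    # unlisted peer, very large transfer
    ("10.0.1.22", "192.0.2.77", 443, 600_000_000),
    ("10.0.1.30", "192.0.2.9", 8080, 1_500),          # unlisted peer, small volume
    ("10.0.1.40", "10.0.2.5", 445, 5_000_000),        # internal-to-internal, ignored
]

def analyse_egress(flows, allowlist=EGRESS_ALLOWLIST, volume_threshold=1_000_000_000):
    """Aggregate outbound flows per internal host and return findings:
    (host, 'unlisted_destination', [peers]) for external peers not on the allowlist,
    (host, 'high_volume', total_bytes) when a host's outbound total exceeds the threshold.
    Totals are per host, not per flow, so an exfiltration split into many smaller
    transfers still adds up; the volume check runs even for allowlisted peers."""
    per_host_bytes = defaultdict(int)
    per_host_unlisted = defaultdict(set)
    for src, dst, port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if s not in INTERNAL or d in INTERNAL:
            continue  # only internal-to-external traffic is relevant for exfiltration
        per_host_bytes[src] += nbytes
        if d not in allowlist:
            per_host_unlisted[src].add(f"{dst}:{port}")
    findings = []
    for host in sorted(per_host_bytes):
        if per_host_unlisted[host]:
            findings.append((host, "unlisted_destination", sorted(per_host_unlisted[host])))
        if per_host_bytes[host] > volume_threshold:
            findings.append((host, "high_volume", per_host_bytes[host]))
    return findings

if __name__ == "__main__":
    for finding in analyse_egress(FLOWS):
        print(finding)
```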
Frequently Asked Questions
- DNS modifications;
- Vulnerability exploits;
- Zero-day attacks;
- Internal attacks (compromising a target’s employee);
- Supply chain attacks;
- Pirated software.