What is APT?
Gridinsoft Team
Advanced persistent threats are considered the most dangerous kind of hazard, and they require a great deal of effort to detect and prevent. The final target of such an attack - the sensitive data - as well as the intermediate elements touched during the cyberattack must be protected at the highest level. Cybersecurity specialists who deploy and run EDR solutions must foresee all possible attack vectors.
However, such an attack also requires a lot of resources and work on the attackers’ side. The three main stages of an APT attack - infiltration, expansion and extraction - require far more effort than “classic” attacks. The payoff is likely worth it, but some gangs do not survive as long as such an attack may last. An attack with an advanced persistent threat is definitely a contest between professionals.
Advanced persistent threats have a lot of aspects to discuss. First of all, we want to define the difference between APTs and regular cyberattacks. An advanced threat may look like just a more advanced virus, but it is closer to a special operation than to a common attack. APT attacks rely on many more programs - both tools brought by the crooks and ones already present in the attacked system. They are also executed manually, in contrast to ransomware attacks, which are usually automated. The word “persistent” in the name means exactly what it says: such threats are about long-term presence in the infected system. The target of such attacks is valuable data, and the longer the attack goes on, the more data can be smuggled out.
There are also several things to note. The precursor malware and the tools for expanding the malware presence in such attacks are often the same as in simpler attacks. For example, when hackers establish APT presence and activity on each network element, they may opt for the same exploits in server architecture and user applications. There is no need to reinvent the wheel, especially when it runs so well. Another thing to remember is the typical target of attacks that use advanced threats. Hackers rarely aim at receiving a ransom, and sometimes do not want any profit at all. The final goal may be leaking some critical information, deleting it, or taking control of the servers or the websites hosted on them. Sure, such a task may take months to complete, but APT deployment and retention is not a 5-minute walk at all.
APT stages. From infiltration to data extraction
As mentioned before, attacks with advanced persistent threats have three main stages. During the attack, cybercriminals try to inject the malware, make its presence more sustainable (i.e. infiltrate all possible environments) and finally begin the data extraction. All these stages require specific software and approaches. The final payload is most likely a backdoor, a remote-access trojan, spyware, or a combination of them. To make the explanation more concrete, we will make several remarks about a real case of a cyberattack with an advanced threat that happened at the beginning of 2022: North Korean hackers attacked the Russian diplomatic sector with Konni RAT.
Stage 1. Malware infiltration
There are dozens of possible ways for malware to infiltrate a corporate network. However, in the last two years analysts have witnessed a clear trend: almost 40% of attacks are committed through RDP exploitation. This figure applies to all forms of cyberattack, not only APT-related ones. Nonetheless, other methods - SQL injection and social engineering, for example - are used as well. In some cases, primarily to distract the personnel’s attention, crooks may additionally launch a DDoS attack. System administrators and cybersecurity specialists will put their effort into protecting the network, while the main action happens behind their backs.
In the case of the Konni RAT injection by the same-named cybercrime gang, no distracting manoeuvres were performed. Their approach was a textbook example of spear phishing. The attackers disguised an email message to the Russian embassy in Indonesia, with a malicious file attached, as a New Year’s greeting. They managed to counterfeit the email address so that the domain looked like “@mid.ru” - different from the original “@mid.rf”, but still similar enough to fool someone. Combined with the typical pre-holiday relaxation, that scattered the attention of embassy workers.
Malware injection steps
What cybercriminals try to inject into the targeted system or network is not always the final malware itself. It may be a script that connects to a remote server to fetch the payload, or one that weakens the security system before the malware launches. So-called precursor malware may be used to show a phishing page, or to trick the staff into allowing the malware installation. However, the vast majority of hackers try to avoid relying on the human factor, since not all employees are reckless enough to ignore dubious behaviour.
In the case of the Konni APT attack, the aforementioned attachment (specifically, a .zip archive) contained a script that connected to the command server and downloaded the installer for the remote-access trojan. After launching the поздравление.scr file, embassy workers were looking at the image below, while the main action was happening in the background. Such a multi-step scheme is needed to complicate log analysis and to cover the tracks. Additionally, such intermediary steps may be used to disable the security software. Once the intrusion is concealed and the payload malware is downloaded, crooks turn to the second stage - expansion.
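The two signs described in the spear-phishing case above, a sender domain one character away from the legitimate one and an archive carrying a screensaver executable dressed up as a greeting, are both cheap to screen for at the mail gateway. The following is an added example and not Gridinsoft's code: the trusted domain, the message and the archive are constructed for the demonstration, and the executable-extension list is the author's own choice.

```python
"""Screening of an inbound message for a lookalike sender domain and an
archive attachment hiding an executable. Added example, not Gridinsoft's
code; the trusted domain, the message and the archive are constructed."""
import io
import os
import zipfile
from email.utils import parseaddr

# Extensions Windows executes directly. A "greeting card" should never be one of these.
EXECUTABLE_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".ps1"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a swapped TLD such as .ru vs .rf is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, trusted_domains: set, max_distance: int = 1) -> str:
    """'trusted' if the domain is on the list, 'lookalike' if it is within
    max_distance edits of a trusted one, otherwise 'external'."""
    dom = sender_domain(from_header)
    if dom in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        if 0 < edit_distance(dom, trusted) <= max_distance:
            return "lookalike"
    return "external"


def risky_members(zip_bytes: bytes) -> list:
    """Names of archive entries whose final extension is executable.
    os.path.splitext keeps only the last extension, so 'card.jpg.scr' is caught."""
    if not zip_bytes or not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        return []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist()
                if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT]


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed attachment: an image plus, optionally, a screensaver
    executable named like a greeting card (the payload is harmless text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("card.jpg", "fake image bytes")
        if malicious:
            zf.writestr("greeting.jpg.scr", "placeholder, not a real executable")
    return buf.getvalue()


def screen_message(from_header: str, attachment: bytes, trusted_domains: set):
    """Combine both signals into a verdict plus the reasons behind it."""
    reasons = []
    if classify_sender(from_header, trusted_domains) == "lookalike":
        reasons.append(f"sender domain {sender_domain(from_header)} is one edit away from a trusted domain")
    risky = risky_members(attachment)
    if risky:
        reasons.append("archive contains executable entries: " + ", ".join(risky))
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    TRUSTED = {"ministry.example"}   # constructed, stands in for the real sender domain
    verdict, why = screen_message("Greetings <press@ministry.exanple>",
                                  build_sample_archive(), TRUSTED)
    print(verdict, why)
```

The edit-distance check is deliberately strict (one edit by default): looser thresholds start flagging unrelated short domains, so in practice the trusted list is kept small and the lookalike rule is paired with SPF/DKIM results rather than used alone. The archive check only looks at the final extension, which is exactly what the operating system uses to decide whether to execute the file.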
Stage 2. Malware expansion
Compromising a single computer in the network is never enough, even if it is a domain controller. Typically, crooks aim at the DC or, at least, at a computer with administrator privileges. If they initially land their malware on a computer with user privileges, they will try to escalate those privileges in order to execute their malware as administrator. Hackers may do this within the profile of the user they have infected, or by creating a separate, hidden administrator account. Escalating privileges is not an easy task and usually requires exploits. However, if the attack is prepared properly, crooks already know which exploits to use and have a malicious app ready to abuse that vulnerability.
Having an administrator account allows the crooks to create the same highly privileged accounts on other devices and manage the network. Taking over the domain controller is common practice, but it is harder to perform. That’s why crooks usually carry things like brute-force utilities or hacktools - they serve as a crowbar when the picklock fails. Crude instruments are easier to detect, but by the stage of the DC brute force, crooks have usually managed to disable any kind of protection on the individual computers.
Expanding the malware presence in the network has an obvious reason: the more computers are infected, the more data cybercriminals can access and extract. This simple, linear relationship should guide system administrators. Network segmentation, enhanced protection measures, constant control - all these things are simply essential when you deal with sensitive and valuable data. However, threat actors who dare to commit APT attacks likely have fallback options. That’s why it is better to have a well-configured EDR solution. It is impossible to turn it off without taking over the DC, and hard to evade, since it relies on heuristic detection, which is much harder to deceive.
Stage 3. Data extraction
As we mentioned before, APT threats are not called “persistent” for nothing. They try to stay in the corporate system as long as they can, gathering all data that may potentially be valuable. However, they don’t send the data to their command server as soon as they find it on the victim’s PC. Even when the security software is disabled, system administrators may notice multiple packets sent from inside the network to an unknown address. Such a case will definitely raise the alarm, and the advanced threat will be uncovered at that point. To make the extraction quieter, cybercriminals must apply some tricks.
Those tricks may involve creating a disguise for the extracted files, or distracting attention. In the majority of cases, crooks opt for the second variant. It is not easy to conceal a huge amount of traffic. How often do you send gigabyte-sized files through email? That will definitely raise suspicion, even if that email is delivered successfully before the moment of detection. The distraction crooks usually use is a DDoS attack, or so-called white noise - a lot of pointless commands or requests that obfuscate the logs. Such a trick may possibly circumvent the security solutions, and will definitely create a lot of headaches for the analysts who try to figure out what’s happening.
However, when the APT operators decide to end their presence in a certain network, they may even perform the final extraction “as is”. That is not a common practice, especially if the information received from this company was sold for a good price. Crooks may then re-sell the way they infiltrated the network to their colleagues, or simply infiltrate it once again. But when they decide to take French leave, things may be even harsher. In some cases, crooks may deploy ransomware - as the icing on the cake.
How to protect your network from APT attacks?
As you can see from the paragraphs above, advanced persistent threats are extremely sophisticated and performed by qualified cybercriminals. APT deployment and counteraction may be compared to a game of chess between two grandmasters - both are very skilled and have a lot of possible moves. It becomes even more interesting when they can only guess about each other’s activity and take careful steps to understand what’s going on. Nonetheless, watching this game already means that something went wrong. That does not mean that the security measures must be able to prevent every sort of intrusion. But when you do everything right, crooks will find their hands tied. Let’s see how to secure your corporate network against attacks with advanced persistent threats.
Reduce the human factor
One of the biggest security weaknesses, and one that is impossible to get rid of completely, is reckless personnel. You can teach them how to be safe and avoid potentially hazardous things, but you will never dispel this hazard entirely. Out of 10 workers, 9 will be diligent, and one - careless. That’s why boosting the cybersecurity knowledge of your employees must be complemented with decreasing the overall damage that may happen because of human mistakes.
- Explain the danger of attached files. A lot of people think that attachments cannot be dangerous, so they open them without any doubt. Hackers thank them - a big share of attacks of any scale happen because of this false belief.
- Protect all weak spots. MS Office macros, Visual Basic scripts - these things may carry all kinds of code. When they come from outside, they could contain a downloader, or even the malware itself. Forbid their execution without the permission of the system administrator, just to close these injection paths.
- Set up software hygiene. That advice is helpful against any malware, since crooks use the same exploits for various attacks. Updating apps regularly, avoiding untrustworthy programs, keeping an eye on applications that can collect information about their users - these pieces of advice are basic.
- Segment the network. Even if hackers manage to infect a part of the network, the infection will fail to go further.
- Use standard user privileges for most users. The vast majority of apps these days don’t require administrator privileges. They may still ask you to type the administrator password in some cases, but it is much easier to do that on demand than to remediate a cyberattack.
Technical approaches against APT
Besides the more general advice that concerns employees, there are several things to do specifically against APTs. Those measures generally concern network security and traffic control. Whitelisting and traffic monitoring are the two you must pay the most attention to.
Whitelisting means allowing access only to designated websites/IP addresses from inside the corporate network. Such a setup is useful for preventing the malware downloader from connecting to its external server. It also has a more “peaceful” purpose - stopping employees from visiting various sites, to minimise procrastination. However, using this method on its own is not 100% effective. “White” domains may be compromised over time, or the connection may be created through software that is considered safe and legitimate. Some programs may still be safe but outdated, which makes them vulnerable to exploitation. Keep all these problems in mind when setting up your network.
While whitelisting is more of a passive protection, traffic control is rather an active countermeasure. First of all, the most important things to protect are the most vulnerable ones. In companies, those are web application servers. They are the most exposed, since everyone can connect to them by design. Therefore, you must pay additional attention to protecting them with firewalls or other filters that can prevent SQL injection or RFI attacks. Moreover, firewalls are quite useful when it comes to traffic control. These tools can log network events, giving you the ability to see and analyse possible anomalies.
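The two controls above, an egress allowlist and analysis of firewall logs for anomalies, are also the defender's answer to the Stage 3 extraction tricks: many small requests or "white noise" can bury individual log lines, but the summed outbound volume per internal host and destination still stands out, and a destination that is not on the allowlist is a finding regardless of volume. The following is an added example, not the article's or Gridinsoft's code; the key=value log format, the allowlist and the addresses (documentation ranges) are constructed for the demonstration.

```python
"""Egress review over firewall logs: flows to destinations outside the
allowlist, and internal hosts whose summed outbound volume to one
destination exceeds a threshold. Added example, not Gridinsoft's code;
the log lines, allowlist and addresses below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed allowlist of external destinations internal hosts may reach
# (think: mail relay and update mirror). 203.0.113.0/24 is a documentation range.
EGRESS_ALLOWLIST = {"203.0.113.10", "203.0.113.20"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed firewall log in a simple key=value format. Host 10.0.1.9 pushes a
# large volume to an unknown address; host 10.0.1.5 pushes a large volume to an
# allowlisted address, which the allowlist alone would never flag.
SAMPLE_LOG = """\
ts=1 src=10.0.1.5 dst=203.0.113.10 dport=443 bytes_out=5200
ts=2 src=10.0.1.5 dst=203.0.113.20 dport=443 bytes_out=1500000
ts=3 src=10.0.1.9 dst=198.51.100.7 dport=443 bytes_out=400
ts=4 src=10.0.1.9 dst=198.51.100.7 dport=443 bytes_out=900000
ts=5 src=10.0.1.9 dst=198.51.100.7 dport=443 bytes_out=1200000
ts=6 src=10.0.1.5 dst=10.0.2.3 dport=445 bytes_out=300000
ts=7 src=198.51.100.7 dst=10.0.1.9 dport=443 bytes_out=100
"""


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a typed record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"ts": int(fields["ts"]), "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "bytes_out": int(fields["bytes_out"])}


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def review_egress(log_text: str, allowlist: set, byte_threshold: int):
    """Return (violations, heavy_talkers).

    violations: records of internal -> external flows whose destination is not allowlisted.
    heavy_talkers: (src, dst, total_bytes) for pairs whose summed outbound volume
    exceeds byte_threshold, largest first. Summing over the whole window is what
    makes this robust to the 'white noise' of many tiny requests."""
    violations = []
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only internal -> external traffic is egress; lateral and inbound flows are skipped here.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        if rec["dst"] not in allowlist:
            violations.append(rec)
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    heavy = sorted(((s, d, b) for (s, d), b in totals.items() if b > byte_threshold),
                   key=lambda t: -t[2])
    return violations, heavy


if __name__ == "__main__":
    violations, heavy = review_egress(SAMPLE_LOG, EGRESS_ALLOWLIST, 1_000_000)
    for rec in violations:
        print(f"not allowlisted: ts={rec['ts']} {rec['src']} -> {rec['dst']}")
    for src, dst, total in heavy:
        print(f"heavy outbound: {src} -> {dst} {total} bytes")
```

Run on the sample, the allowlist check reports the three flows to 198.51.100.7, while the volume check reports both that pair and 10.0.1.5 -> 203.0.113.20. The second finding is the point the whitelisting paragraph makes: an allowlisted destination can still be the exfiltration channel, so the two controls are used together, and the threshold is set from a baseline of each host's normal outbound volume rather than a fixed number.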