For this month’s Blackpoint Brief newsletter, the Adversary Pursuit Group (APG) examined three top headlines from the past month that show how adversaries break into major organizations by means other than “just” another phishing email, by exploiting:

  • Social engineering at Ascension Health;
  • Product vulnerabilities at Check Point; and
  • Confusing network infrastructures, per Mandiant.

Intrusion Tactic #1: Social Engineering at Ascension Health

What Happened

Back in early May, Ascension Health suffered a major cybersecurity incident that shut down multiple of its internal processes, including MyChart patient portals, and interrupted care for thousands of patients (1).

However, it was only on June 12 that we learned how the attackers first entered the system: through an Ascension Health employee.

Per Ascension Health (emphasis APG):

“An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake.” (2)

Why This Matters


Even smart people can be tricked by cyber criminals, so never assume that criminals will not breach your network. You need a complete defense-in-depth strategy that answers the question, “What happens if an adversary breaches the environment?”

It takes a lot of education to work at a healthcare facility, and many users believe they are “too smart” to be tricked by attackers.

However, while we don’t know the specifics of this attack – withholding them is standard procedure, to avoid arming the enemy for future attacks – threat actors often trick intelligent and well-meaning people, such as this Ascension Health employee, into letting them in through the front door.

This particular incident started when the employee “accidentally download[ed] a malicious file.” This download could have occurred in many ways beyond a simple mass phishing email hook, including:

  • SEO poisoning;
  • Malvertising;
  • A USB drive with malware; or
  • Abuse of a trusted digital relationship, such as through business email compromise (BEC) or a sweetheart scam over social media messages.

So, a proper security strategy should have failsafes for when front-line users fall victim to clever criminal social engineering tactics. Reconsider your current strategic planning and answer the question, “What can we do to stop cyber criminals before they harm our data, users, and organization, even once they have entered our environment?”

This answer will look very different at each organization, of course. Consider data loss prevention (DLP) solutions, network segmentation, and heuristics-based monitoring and alerting to catch compromised accounts before they manage to exfiltrate personally identifiable information (PII) and other sensitive data.

Intrusion Tactic #2: VPN Product Vulnerability Exploited at Check Point

What Happened

In late May, Check Point reported that its internal security team and certain customers had detected unauthorized attempts to access its virtual private network (VPN) products.

This initial investigation led to the discovery of a critical vulnerability within a certain configuration of Security Gateways, CVE-2024-24919 (3).

Why This Matters


Threat actors will exploit vulnerabilities – critical or not – in products that increase their “credibility” within a managed environment for initial access, particularly VPNs. So, prioritize those patches as an operational imperative!

Threat actors will try to establish initial access and persistence in environments in ways that lend credibility to their malicious actions, lengthening the time to detection and ultimately delaying defender responses.

Giving an adversary more time in a managed environment gives them more opportunities to move laterally to new machines, set up more robust persistence mechanisms, and cover their tracks for the eventual investigation.

Since VPNs are often part of an organization’s identification and authentication process for remote users, threat actors target VPNs and other tool sets that give them the veneer of legitimacy, hiding from AV and endpoint detection and response (EDR) tools.

So, if you see a vulnerability – particularly an actively exploited one! – in a system you use to identify and authenticate users, then move that patch or remediation up the priority cycle!

Intrusion Tactic #3: Proxy Network Used by Adversaries, per Mandiant

What Happened

Last month, Mandiant security researcher Michael Raggi published new findings that describe how “China-nexus cyber espionage operations” leverage operational relay box (ORB) networks – essentially botnets used to relay malicious traffic, rather than to attack victim assets directly as in a DDoS attack (4).

To quote directly from Raggi (emphasis APG):

“By using these [ORB] networks to conduct espionage operations, actors can disguise external traffic between command and control (C2) infrastructure and victim environments including vulnerable edge devices that are being exploited via zero-day vulnerabilities. [… Ultimately, ORB networks] raise the cost of defending an enterprise’s network and shift the advantage toward espionage operators by evading detection and complicating attribution.” (4)

Why This Matters


Threat actors are hiding their initial intrusion methods and communication tactics, so relying on indicators of compromise alone to detect malicious activity within managed environments is no longer enough to keep organizations secure.

This particular bit of research focuses on the activities of elite advanced persistent threats (APTs) out of China, specifically for spy work on target organizations.

While the vast majority of organizations around the world are not priority targets for such sophisticated tradecraft, it’s only a matter of time until other criminal organizations – from elite ransomware gangs to the average “script kiddy” renting malware as a service off the dark web – begin to use this and similar tactics.

Therefore, to quote Raggi, these new communication tactics from threat actors require all defenders – enterprise and otherwise, in the APG’s assessment – to move away from “treating adversary infrastructure like indicators of compromise (IOCs).”

That is, we can no longer rely on the simple chain of reasoning that this exact IP address belongs to known enemy infrastructure, so the remediation steps are fixed, and isolating and stopping those processes secures everyone.

Tools that operate solely on IoC detection will be fooled by these ORB networks until their signatures are tracked by the major detection vendors. Even then, uncertainty about next steps will persist, as multiple threat actors can leverage the same ORB networks to obfuscate and disguise their activities.

And so, it may be time to consider moving your organization’s alerting to an approach that detects malicious behavior in addition to known malicious IoCs – before more threat actors begin to use ORB networks and similar innovations to completely scramble your intrusion detections.
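To make the IoC-versus-behavior distinction concrete, here is an added example (it is not from the newsletter or from Mandiant’s research) that runs two detectors over a constructed egress log: the compromised host talks to a different relay address every minute, so an IoC list of yesterday’s relay node finds nothing, while a timing-regularity check flags the host regardless of destination. The log format, host names, IP addresses (documentation ranges) and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-log sample (hypothetical hosts and documentation-range IPs).
# ws-17 calls out about once a minute, each time to a different relay address;
# ws-03 is ordinary browsing. The one IoC we know is a relay already rotated out.
LOG = """\
2024-06-01T10:00:00 ws-17 -> 198.51.100.10:443 bytes=512
2024-06-01T10:00:05 ws-03 -> 203.0.113.5:443 bytes=14880
2024-06-01T10:01:00 ws-17 -> 198.51.100.24:443 bytes=520
2024-06-01T10:01:42 ws-03 -> 203.0.113.9:443 bytes=3021
2024-06-01T10:02:03 ws-17 -> 192.0.2.77:443 bytes=508
2024-06-01T10:03:00 ws-17 -> 198.51.100.31:443 bytes=515
2024-06-01T10:04:00 ws-17 -> 192.0.2.140:443 bytes=511
2024-06-01T10:05:00 ws-17 -> 203.0.113.200:443 bytes=519
2024-06-01T10:07:51 ws-03 -> 203.0.113.5:443 bytes=99210
"""
KNOWN_BAD_IPS = {"198.51.100.7"}  # stale IoC: a relay node no longer in use

LINE = re.compile(r"(\S+) (\S+) -> (\d+\.\d+\.\d+\.\d+):\d+ bytes=(\d+)")

def parse(log):
    """Turn log text into (timestamp, host, dst_ip, bytes) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, dst, size = m.groups()
            events.append((datetime.fromisoformat(ts), host, dst, int(size)))
    return events

def ioc_hits(events, bad_ips):
    """IoC matching: a host is flagged only if it talks to a listed address."""
    return sorted({host for _, host, dst, _ in events if dst in bad_ips})

def beaconing_hosts(events, min_conns=5, max_cv=0.2):
    """Behavioral check: flag hosts whose outbound timing is nearly periodic,
    whatever the destination IP, so rotating relay nodes do not hide it."""
    by_host = defaultdict(list)
    for ts, host, _, _ in events:
        by_host[host].append(ts)
    flagged = []
    for host, times in sorted(by_host.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # coefficient of variation of the intervals: low means clock-like beaconing
        if len(gaps) >= min_conns - 1 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.append(host)
    return flagged
```

On this sample, `ioc_hits` returns an empty list while `beaconing_hosts` returns `["ws-17"]`; in practice the timing check is one signal among several and wants tuning against the environment’s normal traffic.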

Until next time, be safe and do good work.