The term APT (Advanced Persistent Threat) was introduced by the US air forces in 2006 to describe a new type of attacks. For the first time they attempted to analyze an attack that had been conducted, make conclusions, and resist the new threat. APT is neither a sophisticated exploit nor a new-fashioned Trojan. APT is an attack paradigm.
Its general principles are well known. For instance, social engineering provokes users to open a link or an attached file; or exploitation of vulnerabilities is used to access the system under attack. Why is the APT so scary? Let's try to sort it out.
Main APT characteristics:
- An attack is conducted by a group of people with specific roles assigned according to the level of knowledge.
- Such attacks are aimed at particular companies or industries. The differentiated approach is applied even within the same sector, each company is evaluated in terms of its security level; attacks are worked out specifically for each victim depending on the aims.
- Malware users strive for and obtain total control over their victims since they use all their efforts and means not paying attention to any failures.
- They will come back, even if you've succeeded in struggling against them after your system was hacked.
- Such users disguise their presence thoroughly, adjusting to your countermeasures and new security tools, capturing your infrastructure step by step, concealing used methods. As practice shows, signatures for APT detecting, as opposed to Trojans and botnets, will be unavailable for a long time after the beginning of an attack, because the individual approach and constant hiding deprive antivirus vendors of any information about malware methods.
- In spite of the low return on investments, 0-day vulnerabilities are often exploited.
- It is an effective thought-out social attack. All possible data on your company, personnel, infrastructure and used software is gathered prior to attacking.
- 'Entrance through a neighboring gate': attackers use your authorized addressees, contractors, and clients, study infrastructure borders.
- 'What are these oafs doing today?' — attackers watch their victims in a real-time mode, checking whether their attacks have been detected and collecting new data.
Their main aim is to gain access to valuable information and retain it as long as possible. Valuable information does not mean your account on Vkontakte, but intellectual property of your company (product source codes, algorithms, client base, any other corporate secrets).
A vivid example of such long-term presence is 10 years, during which hackers were able to access the network of Nortel Networks, downloading business plans and process regulations, reading mail of top managers. Despite the company's notification of bankruptcy in 2009, one can still make a hand of the corporate network, and attackers returned in February 2012.
I distinguish the following main APT stages:
- Collecting data about a victim. Attackers need to study systems, products, and security tools used by the company, gather information about its employees, clients, and partners.
- Penetration. Armed with the collected data, the attackers penetrate to the intranet, conducting a social attack, using system vulnerabilities, and applying 0-day exploits. They study topology, infrastructure, all information systems of any value.
- Consolidating positions. Received information is used to hack and establish control over the victim. The attackers will not be satisfied with power user privileges :)
- Holding positions. The attackers' aim is to stay unnoticed as long as possible keeping their powers. If you start antivirus check with the heuristic analysis, files detected as malware will be removed. If you transfer servers to a new subnet, the attackers will take measures to access the new place.
News about the APT stormed after a successful attack on Google. It was the first company that publicly announced the attack on January 12, 2010. This APT was later called Aurora, because this name was part of the file path on the attacker’s machine that was included in two of the malware binaries.
At first it wasn't clear from Google's statement, which vulnerability was exploited and what the attack was aimed at. In a week a fix for Internet Explorer (MS10-002) was urgently issued.
It turned out later that the attackers were interested in Chinese dissidents. Two accounts were hacked, one of them belonged to Ai Weiwei, a well-known human rights activist. They obtained access to his user account and bank accounts information, but this data was not so valuable.
How could they hack Google, a gigantic company spending huge budgets on information protection? Many large companies build up an inaccessible outside perimeter, which usually reminds of a barrel without a lid: extremely high walls seem absolutely impenetrable, but if you need to place, for example, a ball inside, you can always throw it over.
In case of Google, this ball was embodied in a group of employees, who received mail from trusted addresses. Letters contained a link to a website located in Taiwan and maintaining a Java script, which exploited a vulnerability. A backdoor, controlling the whole system, was installed on a user computer. The infected system connected to port 443 of the controlling server (С&C, command and control) using HTTPS with traffic encoding and waited for the operator's commands.
Step by step the attackers established control over other internal resources in the network (pivoting) and used them to achieve their goals. In March 2011 (in a whole year!) several other companies declared the Aurora attack. Adobe Systems, Dow Chemical, Intel, Juniper Networks, Morgan Stanley, Northrop Grumman, RSA, Symantec, and Yahoo were among them.
To consolidate their powers in victim's intranet, the attackers used SCM (Software Configuration Management) systems in the course of this attack. First of all, SCM servers were more stable than any specific working station. Secondly, they contained a lot of vulnerabilities, which allowed the attackers to easily hide their presence for a long time.
A good example is the Perforce system:
- it allowed creating users and assigning them access rights without authorization, besides such users possessed high system privileges by default;
- the client - server session was not encrypted;
- it was possible to modify other users' properties (and even change their passwords without knowing the current ones) using URL;
- user passwords were stored unencrypted;
- a third-party user could authorize in the system using cookie files.
Even if we ignore such issues as a running service with system rights, it can be stated that this set of vulnerabilities is more than enough to hold down a system.
Attack on RSA
In case of RSA, the attack started with two small groups of employees, to whom phishing letters were sent. An .xls file, exploiting a vulnerability in Adobe Flash (CVE 2011-069), was attached to them. Such letters avoided RSA spam filters very easily — a RAT (Remote Access Tool) was set via an exploit, and then it connected to port 3460 C&C.
The attackers consolidated valuable information on internal servers, packed it into passworded RAR-archives and then sent it to themselves.
Striking Tibetan Community
In June 2008 the analysts of Information Warfare Monitor detected an attack aimed at the Tibetan community. The attack victims were in India, Europe, and North America. They were Dalai Lama's office and the whole Tibetan infrastructure in London, New York, and Brussels; experts watched in a real-time mode how malware users sank their teeth into it. The attack was managed via a web interface with four C&C servers. 1295 computers in 103 countries were infected. According to experts, 30% of machines contained important information. As in other cases with APTs, the attackers only needed to 'throw the ball into the barrel'. They used a phishing letter from email@example.com. This letter contained either a link or a file in the *.doc format named 'Translation of Freedom Movement ID Book for Tibetans in Exile.'
It is worth noting how cunning the APT organizers were – clicking the link or opening the file, a user would not suspect anything wrong. The page of the website would not contain any bright ads or porno pictures; the text file would not be empty or contain messages like Nigerian letters. It would be a simple neutral message or a commonplace text. A user would read, close it and then forget not paying attention. There wouldn't be any suggestions to download free antivirus software, a cursor would not bounce around a screen, banners would not pop up – attackers could not disclose their presence or lose their victim.
Operation Shady RAT
Shady RAT is a name given by McAfee specialists to the APT, which had lasted for more than five years since 2006. In 2009 researches from the University of Toronto detected two big networks of cyber espionage, named GhostNet and ShadowNet, which used the malware Enfal. It is worth noting that several versions of Enfal were known in 2002 (it was applied in such attacks as Byzantine Hades, Byzantine Anchor, Byzantine Candor, and Byzantine Foothold). By that moment McAfee had been detecting them as Generic Downloader.x and Generic BackDoor.t for a year already. Nevertheless, according to McAfee experts, only 11 of 34 antiviruses had been detecting Enfal by 2008.
In the course of development, RAT ceased to leave traces upon installation. Trojan's traces are removed and common software for remote control is installed not causing any antivirus reaction.
This APT was aimed at the oil and gas industry; it was firstly mentioned in November 2009. Attack tactics were changed. At first malware users captured companies' external web servers by means of SQL Injection and then waited for corporate users to log onto the portal. They used such popular utilities as gsecdump and Cain & Abel to hack passwords and access an intranet. Of course it is very risky to establish remote connection under user names. That is why the zwShell utility written in Delphi was used to generate a unique Trojan (specially for the current campaign) and then the victim was controlled by means of RAT as usual.
It would seem nobody needs to have anything with Russians. Nothing of the kind! In August 2010 a new attack was detected, which infected companies in Russia, Kazakhstan, Ukraine, and other countries. According to McAfee, the attackers deployed the C&C infrastructure consisting of 15 domains at 10 IP addresses. Russia was leading in the number of suffered companies: 1063 external IP addresses.
The attack was conducted in a classical way – using an attached file in the *.pdf format, which exploited the Adobe Reader vulnerabilities (CVE-2009-4324, CVE-2010-2883). However, the attackers changed their tactics. Lurid, affected 61 countries, was divided into separate campaigns. A particular URL and Enfal were created for each of them; different personnel attacked different areas. Commands were transferred to RAT not via push — list of commands for each host was stored in a particular file on the C&C server.
Control servers were placed in the USA and England, but domain names were registered with Chinese owners.
How dangerous is all this
Read news about Georbot. Google how comfortable Lizamoon still feels. Remember Nortel Networks fate once again. Remember Trojans in components of various programming environments, Trojans from vendors of USB drivers, network equipment, and operating systems.
Try to answer several questions:
- Is antivirus software installed everywhere? Is it running in a normal mode?
- Will you know if software not complying with the company's policy is installed?
- Will you be able to detect abnormal traffic in your network? How soon?
- Will you notice if a user becomes a local administrator? And if a particular name is used from several computers?
- Will your user open a document not relating to his or her work?
- Are you sure in encryption used by you?
- Do you know your website is vulnerable?
By the way, it turned out that only a few visitors of the RusCrypto conference in 2012 posed these questions to themselves. Only 15 minutes were needed to fish (by simple traffic interception) not only authentication data to such common services as Blogspot, Google, Facebook, or Twitter, but passwords to remote connections as well. Unfortunately, the idea that the connection to an access point was unencrypted occurred only to a few people. Few participants paid attention to the fact that the website of the hotel, where the conference took place, was hacked and transmitted mobile users to an infected page.
What has this to do with an APT? Have you ever connected to access points? Return to the beginning of the article and reread the first sentence. What can prevent attackers from using received data to access your corporate network and then your cryptographic practices? Even a hotel gathering leading IS specialists of Russia can perform a role of a base for a particular attack campaign.
What mistakes did the suffered companies make?
- They did not take social engineering into account.
- They did not bear in mind that not only external perimeters should be protected and not only as a pure formality.
- They staked on protection tools acting post factum (as a result, antiviruses, spam filters, and IPSs kept silent without any signatures).
- It was a reckless idea that attacking them would be too expensive (with low return on investments).
- They relied on antivirus products, DLP (Data Leak Prevention) systems, and two-factor authentication.
- However, they did not consider attacks from trusted resources (contractors, branches, corporate websites).
When people remember Titanic's wreck, they always talk about the lack of rescue boats, but the iceberg is always totally forgotten. The same with IS subdivisions, which take specific clauses out of standards, practices, and recommendations and readily imply them. Moreover, despite the fact that the attack methods have been studied in detail, up-to-date protection algorithms are not used in practice. Is it carelessness? Companies have concentrated on conventional defenses helping up to a particular moment. However, once malware users move a little bit further, here's the result...
IS specialists prolong attackers' lives in intranets by themselves. It is necessary to get rid of overconfidence and pay attention to the following security aspects:
- Control over vulnerabilities. Zero-day exploits cannot be supplied to everybody — it is too unprofitable. Even APT operators with low return on investments can't look for new opportunities all the time; it is much easier to exploit known vulnerabilities you haven't had time to fix. However, a lot of people forget or do not want to scan external and internal perimeters, to say nothing of pentesting.
- Not only is a server with patch auto setup needed, but properly functioning patch management and vulnerability management as well. Traffic analysis. There are signatures written post factum for the most part of RATs. However, very few people use them, though not more than five minutes are needed to add a signature or write your own one. Timely threat monitoring allows constructing your own description that makes it possible to eliminate vulnerabilities, patches for which have not been issued yet.
- Traps. Attackers will certainly study your infrastructure. There is a chance that you will detect a malware user with the help of honeypot and be able to study his or her tactics in time. (Once, being an employee of a company, I placed a file with an attractive name on a shared network resource and monitored attempts to open or copy it. All users knew the company's information security policy. Employees did not dare to open this file, except for rare attempts to cause damage and insiders' activity. Similar simple actions will help you to timely detect an APT).
- Antivirus software control. It is not enough to monitor signature updates – you need to analyze antivirus settings and workability, study facts of security shutdown. It is well known, that in several cases with an APT, prior to remote control installation antivirus protection was disabled but it stayed unnoticed.
- Integrity control. It relates both to specific service files and components and to configuration files.
- Policies control. Do you know that remote administration tools appeared on the computers in your network? Do you know about a new proxy, through which information is transmitted to the Internet? Why has a new shared resource appeared on your file server? RSA experience is very demonstrative – the Internet could be accessed from servers! Cain & Abel has been long detected as a hack tool; here is a question appears: why wasn't this utility detected?
- Event registration and incident management. Modern corporate networks have a huge number of event resources, and these events need to be analyzed automatically. Event correlation methods implemented in the SIEM systems will allow you to have the full view of your infrastructure up to the most insignificant deviations. A manual log analysis is mindless.
- Technical and program tools. Let's return to the APT methodology. Was it difficult to limit the size of the POST request? Why wasn't the dynamic DNS blocked or the fast-flux requests detected? Why weren't request hits on proxy servers analyzed, though they are very showy in case of a virus activity?
- Awareness is a painful problem. It is referred not only to common clerks – even top managers of large-scale companies still swallow the bait of well-known approaches already described in 1990s.
- If information security specialists met requirements of all necessary standards, the APT would not become such a powerful tendency.
Next time I will employ an operating bank system to demonstrate an attack with the use of social engineering methods. This attack can be considered as the APT preparation stage. We'll check how secure our banking system is ;)
Author: Olesya Shelestova, Positive Research