The processes and tools behind a true APT campaign: Weaponization and delivery
- 22 January, 2014 15:16
In part two of a series on understanding the processes and tools behind an APT-based incident, CSO examines the weaponization and delivery aspect of an attacker's campaign. This is where the serious work begins, and marks the first hurdle an attacker needs to overcome.
As mentioned earlier in the series, it's important to remember that the difference between a targeted APT-based incident and a garden variety cyberattack is intent, or the overall objectives of the person(s) behind it, but not the tools, tactics, or procedures used.
This is also the stage where generic attacks and targeted attacks become separated. As mentioned previously, generic attacks rely on volume, so attackers will send the same link or the same malware hundreds, or even thousands of times. The process is automated in most cases, as attackers use bots or Web-based scripts to push the attack forward. If they attack a large number of potential victims, they're likely to get a moderate level of success.
A targeted attack will use multiple links, various types of malware, and keep numbers low, which allows them to operate in silence. Generic campaigns are noisy, thus easily detected and stopped, which is why volume is so important. Most time, their messages never make it to the final destination.
Staging the attack
Previously, CSO covered the topic of reconnaissance, where the attacker will gather as much data as possible on their target. This collected data will play an important role in the weaponization and delivery phase, as the person(s) behind the attack will now have a solid base of information to work from, enabling them to design and develop a malicious payload and choose the best method for delivering it.
For example, metadata from public documents can be used to select a target platform to attack, such as Adobe, Windows, OS X, Microsoft Office formats, Java, or other specialized software, such as those related to drafting or design (e.g., Autodesk, Solid Edge, or MecSoft). Once they have a good idea on the platform and person(s) to target, the attacker can create an attack using a new and unique approach (e.g., leveraging a previously unknown vulnerability, or Zero-Day), or they may take the more common route and use an exploit kit to target a wide range of flaws on various platforms.
When it comes to crime kits, there are plenty of them available for a rather low cost, and custom modules or features can be added after the fact. They can be hosted anywhere, but attackers usually go for hosting them on legitimate domains with a solid reputation, creating what's called a drive-by download attack.
Watering hole attacks work two ways for the most part. One way is to direct the person(s) being targeted to the attacker's exploit kit via Phishing emails. In September, a newly disclosed Zero-Day vulnerability in Internet Explorer was used by criminals in this exact fashion.
Another way a watering hole attack works is by targeting a shared resource. This resource often has a legitimate reason to exist, has value to the person(s) being targeted, and a solid reputation. Rather than targeting a person(s) directly, the attacker will compromise a site that they're sure to visit and wait for them (or others like them) to become infected.
An example of such an attack happened in February 2013. At the time, a popular iOS developers forum was compromised, and a Java Zero-Day was used to infect visitors, including employees with access to projects and other information at Facebook, Twitter, Apple, and possibly Microsoft. Making matters worse were the signs that employees at several other technology firms were also targeted by the attack.
With that said, it's important to understand the difference between a watering hole and a drive-by download attack. One of them can be used to stage and initiate generic attacks, but they're loud and noticeable; the other is often observed during focused campaigns, because it's not as noisy.
"Drive-by relies on compromising a legit host, solid reputation and lots of visitors, but without any logical relationship to any particular victim. Watering Hole is a server selected for its relevance and may be low visitor volume and relatively unknown reputation, as long as it fits the requirement of being attractive to the prey," explained Rik Ferguson, the VP Security Research at Trend Micro, who helped CSO during the creation of this series.
As mentioned, Zero-Day vulnerabilities are used by attackers, but not always. When Zero-Days are used, the main reason is the increased probability that the attacker('s) goals are met. These goals could be installs for a Paid-Per-Install malware campaign, information theft, botnet building, or espionage. However, it's faster and easier to leverage existing exploits rather than Zero-Days, because organizations and home users regularly fail to patch their systems and third-party software (e.g., Java and Adobe).
Weak patching practices allow known vulnerabilities to be rotated and used for weeks or months after a patch has been released. Should the exploits no longer yield results, the attacker(s) behind the campaign will discard them and move on to other ones.
Looking back at the reconnaissance phase, there are other bits of information that may open a secondary attack surface. Assuming the attacker discovered a flaw in the website of a trusted business partner, or worse, a flaw on the target's own domain, the delivery aspect of this campaign has become easier, as the attacker(s) can launch both types of a watering hole campaign and leverage a single, trusted resource that will demand attention. In this situation, common flaws such as SQL Injection, Cross-Site Scripting (XSS), Local or Remote File Includes, are the common gateways of entry, but default or flawed server configurations can also open the door.
Furthermore, attackers will focus their energies on low-hanging fruit, so vulnerable applications created in-house, or third-party scripts added to a company blog or intranet, can also be used to stage an attack. Finally, if the CMS or hosting platform used by the target is outdated or unpatched, that too becomes an attack surface that's easily compromised. This situation leads to what's called Ice Phishing, which is where a legitimate URL that belongs to a company is used to stage an attack. This is highly problematic, because the intended victim(s) will automatically trust the source out of habit.
Selecting the targets
Once the attacker has identified an attack vector, which includes both the vulnerable platform and the type of attack, they'll need to pick a victim. In many cases, the victim is already established. But sometimes, the victim doesn't matter, as the attacker will target as many people possible in order to increase their odds of success (e.g., Phishing vs. Spear Phishing or watering hole attacks). Assuming the victim hasn't already been selected, but matters, and the overall target is a single organization, then the data from the reconnaissance phase once again becomes useful.
Keeping in mind that criminals target the low hanging fruit first, the people within the organization that are likely to be singled out are the helpdesk staff, or those serving in a supportive role, which can include customer service representatives or administrative assistants. The logic behind these choices centers on their access and reach to others within the targeted organization, or a specific person.
When these people are profiled against the data collected during reconnaissance, including what types of software or hardware they're using and any existing vulnerabilities; social profiles and connections (including family or co-workers); published reports or other work; hobbies or other personal histories, a workable picture emerges that can be leveraged in order to exploit trust and get the victim to do something -- including opening the malicious attachment (or follow a malicious link) that's about to be sent to them.
There are others likely to be targeted as well, and once again this is largely due to their access and reach within an organization.
CEOs have access to most everything on the network, and everyone within the company. They're also likely to be found lacking when it comes to awareness training, or they will ignore it outright. Ask yourself, as an employee, if an urgent request, but one that wasn't unreasonable or out of context (such as checking a file) arrived via email -- would you comply or question it?
CFOs are good for financial related data, but also good for access to human resources and other employees. Like the CEO, CFOs have a wide reach when it comes to access to the network and its resources.
IT, which can be tough to target, isn't out of the equation either. IT is focused on helping people, and they have access to everyone and everything within the organization. However, their mission of helping is what leads them to be a prized target for criminals. The down side to this is that trying to use technical tricks against technical people isn't foolproof plan. Criminals know this, so they select their IT targets wisely, starting with the helpdesk.
When it comes to access to source code and development plans, QA and development teams are another target. Again, their nature is to help or assist, so they can be targeted just as easily as the helpdesk, and their access is rather wide.
Finally, sales, marketing, and public relations teams are often targeted because they have access to the entire organization as well as product details and insider information.
Delivering the payloads
Once the payloads are established, the target(s) selected, and the goals for the campaign set, the attacker needs to set things in motion. While weve covered some of the delivery methods already, we'll recap them here with a bit more detail.
Drive-by download attacks: This type of delivery method enables the attacker(s) to target a wider pool of victims. It's a common method for generalized crime such as the delivery of finance-based malware, information stealing malware, or botnet building malware. Crime kits are the typical delivery vehicle, as they can leverage multiple vulnerabilities in a single pass.
Any website with an exploitable vulnerability is a likely to be impacted by this type of attack. Keep in mind that SQL Injection can be used to access stored data, but also authentication details in the compromised database, furthering the attack. Moreover, Cross-Site Scripting and File Include flaws (both remote and local), will enable the attack to spread. Once the malicious code is injected into the site, the attacker(s) simply wait for their victims. In the case of File Include flaws, if the attacker(s) gain control of the webserver itself, they can compromise additional domains, as well as all of the data on the server.
Furthermore, if the domain singled out for a generalized watering hole attack is owned by the campaign's target, then the problem is compounded, as the attacker(s) do not need to compromise an employee. At this point, if the network's architecture is designed poorly, they can pivot to the network from the server. Thus, targeting employees (if that was the goal) is a secondary option moving forward.
Note: This is why separating and defending network segments is important. It helps lower the risk of the cascade effect during a breach, which is something criminals look for. If access to one area grants access to all others, the attacker's work that much easier.
Watering hole attacks: Granular watering hole attacks are different than generalized ones. While there is a chance that others not related to the overall campaign goals will be victimized, the attacker(s) are more interested in a select group of people, or a specific person. The aforementioned attack on the iOS developer forum is an example of a focused watering hole attack.
Targets for this type of attack would be developers, QA, IT, or sales, because those are the employee profiles that are more likely to use forums or other social settings to interact with peers or seek assistance. That's not to say the other previously outlined targets don't do this, but criminals will play the odds when they're focused on something or someone.
The methods used to gain access to what will eventually become the watering hole remain the same. Thus, SQL Injection, File Include, and Cross-Site Scripting vulnerabilities will be the main sources of entry. They'll also be the reason for shift's in the initial plan and the plan's advancement. Again, if the attacker(s) can control a server directly tied to the target's network, then compromising an employee becomes a secondary goal.
Phishing (Generalized): Generalized Phishing attacks will target a wide pool of victims. This is how criminals spread a bulk of their malware as email is both fast and cheap, but it also requires little effort on their part. If the potential victim opens the attachment, or follows a malicious link, then the attack is considered a success once the payload has been installed. Phishing has been used to spread financial malware, as well as generalized malware used to steal data or build botnets, which in turn are used to send additional spam.
The email addresses used in Phishing campaigns can come from a variety of sources, including data collected during the reconnaissance phase of the attacker(s) campaign, but also from public disclosures of previous data base breaches, website harvesting, and purchases made from people selling bulk lists. The object of generalized Phishing is to play the numbers game, if someone sends a malicious email one million addresses, and gets 1,000 new malware installs as a result, then the campaign is seen as a huge success.
Phishing (Focused): Focused Phishing attacks, or Spear Phishing, work exactly like generalized Phishing attacks, but the potential victim pool is much, much smaller. Often, the pool is a size of one, which is called a Whaling attack. However, Spear Phishing works well when targeting a person or a small group, because the data collected during reconnaissance helps convince the victim(s) to do something, such as open the malicious attachment or follow a link.
Spear Phishing campaigns are quiet too, making them harder to spot when it comes to passive anti-Spam technologies. However, over the last three years, many of the headline grabbing security incidents occurred due to a single targeted email. Spear Phishing works because the target trusts the information contained in the email, and because most people are pre-conditioned to believe that anti-Spam protections would catch such threats. Thus, if the email arrives in the inbox, it must be legitimate. Add to this the fact that criminals will spoof email addresses, the problem is compounded, as people will rarely ignore an email from someone they know personally or someone in authority.
Wrapping things up
Stopping the weaponization and delivery aspect of an attacker's campaign is critical, because if you stop it at this point, then the battle has been won. However, criminals are a tricky bunch. So unless your organization's defenses are layered and tuned perfectly (something that's not possible), stopping things entirely is easier said than done.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are a good base layer of protection. However, most organizations still deploy one or the other and not both. If the option is economical, the best bet is to use both of them.
IDS offerings provide visibility, but at the expense of being effective only after the breach has happened. However, this quasi-limitation is still useful if the IDS alerts are acted upon quick enough. If so, loss and damage can be mitigated. On the other end of that spectrum, IPS offerings are useful for identifying and stopping known attacks before they hit the network, but at the expense of lost visibility in many cases. A downside that both solutions share are the signatures they depend on. If not maintained, your organization could fail to detect the latest tricks deployed by attacker.
Anti-Virus protection, while only a small part of an overall security program, is essential for detecting the malware commonly delivered by many exploit kits. At the same time, AV signatures alone don't help. Any AV product deployed will need to rely on more than just 1:1 signature protection. However, while AV vendors offer various layers of protection, including reputation, whitelisting, and host-based IDS, they need to be enabled and used -- something that doesn't always happen in the SMB space.
Spam filtering is also essential for detecting and blocking a majority of attacks, but it isn't wise to rely on anti-Spam protections alone. They are prone to false positives and cannot block everything, especially if the attacker(s) spoof domains whitelisted by the gateway (something that's happened here at CSO many times).
Patch management is another key layer or protection, as that denies the attacker one of the strongest tools in their arsenal, the exploits included with their crime kits. However, patching the OS isn't enough, third-party software such as Adobe and Java needs to be maintained on a regular basis.
Calling it the most critical layer, Ferguson added that it was"unrealistic to expect and enterprise (or SMB) to be able to test and deploy all patches on day of release..."
"So technologies like HIPS and vulnerability shielding will allow them to continue to operate between patch windows, but with the vulnerability effectively neutralized."
Finally, no security program is complete without a solid awareness program. Users can be trained to defend themselves from the most obvious threats overtime, including Phishing. However, it isn't a one off ('we did this because it's required for compliance') step. Awareness training is an ongoing initiative, and needs to address the risks the organization faces directly, so cookie cutter awareness programs offer little long-term value.
Once the attack has been planned and executed, the next step is only possible if the attacker(s) are successful in their weaponization and delivery -- Exploitation. Part three of this series will examine that aspect, as well as how it can be addressed.