Anatomy of an APT attack: Step by step approach
This article will explore the technique, design and the inner workings of an APT (Advanced Persistent Threat) attack. It will also relate various stages of attack with a few attacks that were custom-created to penetrate enterprises for extraction of internal data, trade secrets, and sensitive business information.
APTs are designed to gain access to a network, acquire data, and secretly monitor the targeted computer systems over long periods. Many researchers agree that the term “Advanced Persistent Threat” was first coined by the U.S. Government during 2005 by Security Analysts to describe complex cyber-attacks against specific targets for financial or informational gains by a well-funded group of individuals.
The “Advanced” process signifies sophisticated techniques using malware and known vulnerabilities to exploit the internal systems. The “Persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “Threat” process indicates human involvement in orchestrating the attack. Basically, APT is a network attack. An authorized person gains access into the network and stays there for a longer period by establishing a back door — collects data and moves out. The target networks are usually financial institutions, military intelligence. The goal of a targeted attack is to steal valuable intellectual property, money, and other personally identifiable information (PII).
In 2006, there was only a single reported APT attack, by 2014, the number spiked to over 50 known, documented incidents, according to APTnotes. These types of attacks are becoming more and more sophisticated. They have caused numerous large and costly data breaches by routinely defeating or evading traditional security measures. Even after successfully accomplishing the mission, the APT continues to live on to gather additional information. They are very difficult to detect and remove as they will not obviously appear to be malware and may be planted very deeply into an organization’s computing systems. In addition, the designers and initiators of the APT will consistently monitor and guide its activities by changing its code to evade detection.
Zero days and cyber attacks
Many APT threats have been utilizing zero day vulnerabilities to target victim organizations. During 2014, an APT attack that utilized and took advantage of a zero-day vulnerability in Internet Explorer (CVE-2014-1776), consisted of phishing emails sent to a targeted group of people at defense, aerospace, energy, and research universities. The phishing emails contained a link that led to malicious websites hosting the zero-day exploit code.
They sent out many more messages to a wider set of targets, trying to infect as many endpoints as possible before a patch was made available. The attackers also updated their email templates and themes every day to keep the campaign “fresh” and evade any spam detection rules put in place to detect the previous messages.
FireEye describes an attack life cycle, or “kill chain,” of an APT attack to create a holistic view towards each step in the chain, of which identification of zero-day exploits plays a major component.
Step by step analysis of APT attack
Each step in an APT attack includes a very well planned and studied move by the attackers. This includes creating internal blueprint of the IT infrastructure of the organization, malware engineering, social engineering attacks and undetected data extraction.
- Target selection
The first stage of in an APT attack is choosing the target organization. Few attackers choose a victim first and then perform research about then through websites, employee resumes and web data looking for the company’s use of Software and Infrastructure designs that are exploitable or comfortable to work with. Others go hunting for “accidental victims.” For example, in 2007, hacker Albert Gonzalez went war-driving in search of organizations that had vulnerable WiFi networks, and he found his victim, retail giant T.J. Maxx.
- Information gathering
The attackers perform a complete study about their victim profile to create a blueprint of its IT systems and search for exploitable vulnerabilities to penetrate all defenses. Details about sites, network topology, domain, internal DNS and DHCP servers, internal IP address ranges, and any other exploitable ports or services are captured. Depending on the target, this process might take some time, as large organizations tend to invest a lot more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and malware deployment.
- Point of Entry
After collecting sufficient information to initiate an attack, they narrow down the point of entry of exploitation. Attackers also study about the security solution defenses and known attack signatures that the victim might possess. In most scenarios, attacker’s phish their target company’s employees into opening a malicious attachment or clicking a crafted URL in the hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe, Java, or Microsoft Office. As discussed earlier, they can also exploit any zero-day vulnerabilities of the software used by the employees. For instance, attackers used Adobe ColdFusion’s vulnerabilities to break into the networks of LaCie, the computer hardware manufacturer.
- Planting malware on compromised machine
Once the attacker executes the exploit on an employee’s machine, the exploit injects malicious code into the PC to install a backdoor or allowing full access into the machine. In RSA SecureID attack where the attacker stole SecureID data by installing a customized remote administration tool (RAT) known as Poison Ivy, RAT variant. Poison Ivy has been used extensively in many other attacks, including GhostNet. Often these remote administration tools, the purpose of which is simply to allow external control of the PC or server, are set up in a reverse-connect mode, which means they pull commands from the central command & control(C&C) servers, then execute the commands, rather than getting commands remotely. This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control rather than the other way around.
- Escalate privileges
The attacker first harvests access credentials from the compromised PC or users (user, domain admin, and service accounts). They then perform privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.
To gain login credentials, attackers use keyloggers, ARP spoofing, and hooking tools among others to obtain credentials. Hooking tools basically hook functions related to password authentication while ARP spoofing tools sniff conversations between two systems or more in a network packet though spoofed ARP to steal credentials. Pwdump is another tool for getting password hashes from the Windows registry. Other tools used are Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump, and CacheDump.
Attackers can also use a technique called “pass the hash” which involves the use of a hash instead of a plaintext password in order to authenticate and gain higher access. They can also use a brute force attack, which is simply guessing passwords through a predefined set of passwords.
- Command and control communication
Once inside the target organization, APTs are typically remotely orchestrated via “command and control” (C&C) communications between the infiltrated systems and the attackers themselves. Throughout the attack, the perpetrators will also use this channel to open and manipulate backdoor network access to discover and exfiltrate their targeted data.
Unlike botnets that have high volume traffic to thousands of zombie PCs, APT C&C traffic is intermittent with low volume making them harder to spot. Attackers also take measures to go undetected by continuously changing IP addresses or traffic redirection via proxy servers. C&C communications that blend in with normal web traffic, use or spoof legitimate apps or sites, or use attacker created, internal C&C servers cannot be detected without advanced, local network monitoring
- Lateral movement
If the attacker thinks they can exist in the environment without being detected, they may continue in stealth mode for a long while. If they think they run the risk of being detected, however, they move much faster. Lateral movement usually involves activities related to reconnaissance, credentials stealing and infiltrating other computers.
Remote control tools enable attackers to access other desktops in the network and perform actions like executing programs, scheduling tasks, and managing data collections on other systems. Few tools and techniques used for this purpose include remote desktop tools, PsExec, and Windows Management Instrumentation (WMI).
When communication with the compromised systems and C&C (command and control) servers is established, threat actors need to sustain persistent access across the network. To do so, they have to move laterally within the network and gain higher privileges through the use of different tools. This, in turn, enables threat actors to have access to servers, which contain valuable information—the company “crown jewels
- Asset discovery and persistence
Several techniques like port scanning and network analysis are used to identify valuable servers and services that house data of interest. Some of the tools used in this activity include netstat, a command-line tool that can get network connection information via active connections and open ports. This may be used for identifying running services or internal servers accessed by the compromised computer. Port scanning tools check open network ports in order for attackers to make a tunnel connection between the compromised system and his system. Port forwarding tools like ZXPortMap and ZXProxy (aka AProxy) are used to create a tunnel connection to bypass firewall protection.
- Data exfiltration
It is the unauthorized transfer of sensitive information from a target’s network to external location which the threat actor controls. After discovering the data of interest, the APT generally gathers the data into an archive and then compresses and encrypts the archive. This enables them to hide the content of the archive from deep packet inspection and data loss prevention techniques. The next step involves the exfiltration of the data from the victims system.
Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups. Once sensitive information is gathered, the data is funneled to an internal staging server where it is chunked, compressed, and often encrypted for transmission to external locations under an attacker’s control. Tools include Lz77 (used for compression of applications to help exfiltrate data), ZXProxy (Helps redirect HTTP/HTTPS connections for source obfuscation), LSB-Steganography (Uses steganography techniques to embed files into images), ZXPortMap (Traffic redirection tool, which helps to obfuscate the source of connections.), ZXHttpServer (Small HTTP server that is deployable and extremely flexible). Many of these tools are copied to victim machines, and are often never removed by the APT actors.
- Covering the tracks
Once attackers have accomplished their goal, the attackers take care not to leave any traces of their covert operations. There have been instances where attackers left a backdoor open through which they waltzed in several times and robbed a victim repeatedly without being caught.
If new target data continues to become available (new customer records or updated business plans) and holds value for the attacker, data extraction phase continues for a longer duration.
Eventually, the attack will stop, either because the attacker has achieved their goal or because the victim notices and cuts off the attack. Once the APT steals the data, they then perform multiple criminal activities like:
- Selling the data.
- Threatens to publicly disclose the data
- Asks the victim to pay a ransom
Targeted attacks are successfully bypassing traditional security defenses, and the majority of IT professionals now believe their organizations have been targeted. According to an Information Week Security article by Mathew Schwartz, “APTs take a low-and-slow approach that’s difficult to detect, but which has a high likelihood of success. Attackers only need to trick a single employee into opening a piece of malware that exploits a zero-day vulnerability, thus giving them access to not just the employee’s PC, but potentially the entire corporate network.”
A strong defense against APTs must have in-depth detection and analysis capabilities across all phases of the attack lifecycle. Network administrators must implement application white listing to prevent unnecessary malwares from being installed or used on the employees systems. Organizations must utilize SIEM tools to analyze network logs. This might even help in forensic analysis in case of data breaches.
- Cybercrime apt and avt techniques
- Cloud content – White papers
- Fireeye Blog
- Apt attack utilizing latest internet explorer zero-day vulnerability
- Anatomy of an attack