

Microsoft Reports At Least 10 Nation State-Backed Groups Using ProxyLogon Exploit

At least 10 nation-state-backed groups are using the ProxyLogon exploit chain to compromise email servers, and the number of compromises keeps mounting. Recently patched Microsoft Exchange vulnerabilities are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world, and overall exploitation activity is snowballing, according to researchers.

Microsoft said in early March 2021 that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws were patched; two of them chain together (a pre-authentication server-side request forgery followed by a post-authentication arbitrary file write) into a pre-authentication remote code execution (RCE) exploit, meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment.

What is an APT Attack (Advanced Persistent Threat) and How to Stop It?

Advanced persistent threats (APTs) are among the most serious cyber threats an organization can face. These attacks are very hard to detect and can allow an intruder to hide within a network for months, if not longer, before detection. While the bad actors stay in the system, a company may suffer ongoing data loss and system and component outages without knowing the source of the problem. This article is an introduction to APT attacks. We explain what APTs are, show network security defenders how to recognize signs of an infection, and describe ways to prepare for this type of attack.

What Is an APT and How Does it Attack?

An advanced persistent threat (APT) is a cyber-based attack in which a bad actor gains and maintains a long-term presence within a network.
The consequences of an APT attack are vast and include:
· Infrastructure takeover and modification
· Unexplained service outages
· Complete site compromise
· Loss of critical data and intellectual property

APTs are multi-stage attacks that can take weeks to set up and have been discovered only after persisting in the host environment for months or even years. An APT differs from common cyberattacks in four critical ways:
· An APT is more complex than a usual online threat. The attackers typically work as a team to achieve and maintain their objective, which can be destruction, surveillance, data theft for resale, reputational damage or other financial gain.
· APTs are not quick-hit attacks. Once the attackers gain access to a network, their goal is to remain undetected inside the environment for as long as possible.
· An APT is mostly a manual operation that does not rely on automation or off-the-shelf tooling.
· APTs are not indiscriminate. Attacks go after a specific organization, so each breach follows a custom plan built around that target's defences, learned through reconnaissance or bought on dark web markets (for example, stolen credentials or existing access).

An APT attack requires a great deal of effort and resources. Attackers typically go after high-value targets, such as enterprises and corporations. However, APT attackers frequently target small firms in the supply chain of larger organizations, using the less defended company as an entry point, so businesses of all sizes must know how to recognize an APT attack.

What Is the Main Goal of an APT Attack?

The goal of an APT attack is to break into the network without raising alarms and to spend enough time inside to steal data.
All valuable data is a potential target for an APT, including:
· Intellectual property
· User PII
· Classified data
· Infrastructure data
· Access credentials
· Sensitive communications

Besides stealing data, an APT's objective can also include sabotaging infrastructure, destroying individual systems, or completing site takeovers. Each attack has a unique purpose, but the goal is always some mix of data theft, espionage and sabotage. A single click on a phishing email or a weak password can have devastating impacts on organizations of any size.

APT Attack Detection: What Are the Signs of an APT Attack?

APT actors use advanced methods to hide their activity, but certain system anomalies can indicate an attack is in progress.

Indications of Compromise by an APT
1. Logins from outside your usual environment, mostly in off-hours
2. Increased and unusual database activity
3. Increased spear-phishing and other targeted lures aimed at all users, in the hope of a single click
4. Increased trojan activity and attempts to install backdoors on various systems and locations

Unexpected Logins
Stolen login credentials are one of the main ways APT attackers gain network access. Frequent logins to servers at odd hours may indicate an ongoing APT attack. Attackers could be working in a different time zone or operating at night to decrease the chance of detection.

Increased Unusual Database Activity
Strange database activity may be an indicator of an APT. Look out for sudden increases in database operations involving massive volumes of data, and for thrashing and other signs of extreme database activity during normally quiet periods.

An Increase in Backdoor Trojans
If tools detect more backdoor trojans than usual, an APT attack could be the cause. APT attackers use backdoor trojans to ensure continued access in case the login credentials change.

Spear-Phishing Emails
Spear-phishing emails are a clear sign of a potential APT.
Attackers may be sending these emails to upper-management employees in the hope of reaching restricted data.

Data Bundles
APT attackers often copy the data they want to steal to another location in the network. Once isolated and bundled, the files are easier to transfer out. Attackers place bundles where the team does not typically store data, so regularly scan for and inspect any misplaced or unusual data files.

Suspicious Behaviour of Admin Accounts
Take note of any change in the behaviour of administrator accounts. APT attackers rely on admin rights to move laterally through the network and infect a larger surface. The creation of new accounts by unexpected parent accounts or processes is also a sign of a potential APT.

APT Attack Lifecycle: The 4 Stages of an APT Attack

An APT attack involves multiple phases and a variety of attack techniques. A typical attack has four stages: planning, infiltration, expansion, and execution.

Stage 1: Planning
Every APT operation requires a custom plan for beating the target's protection systems. During the planning stage the attackers:
· Define the target and the goal of the operation
· Identify the necessary skills and recruit team members
· Find (or create) the right tools for the job
· Learn about the target's architecture, access controls, and hardware and software
· Decide how best to engineer the attack

Once they have gathered this information, attackers may deploy a small reconnaissance implant to test alarms and identify weak spots. Test your own defences with vulnerability assessment scanning tools.

Stage 2: Infiltration
The attacker gains access to the network.
Infiltration typically occurs through one of three attack surfaces:
· Web assets
· Network resources
· Authorized human users

To gain initial access, APT attackers use various methods, including:
· Exploitation of zero-day vulnerabilities and other application weaknesses
· Social engineering techniques
· Highly targeted spear phishing
· Remote file inclusion (RFI) and SQL injection
· Cross-site scripting (XSS)
· Malware delivered on physical media
· Domain Name System (DNS) tunnelling

A common tactic during infiltration is to launch a simultaneous DDoS attack. The DDoS distracts the staff and weakens the perimeter, making it easier to breach the network. Once they achieve initial access, attackers quickly install backdoor malware that grants network access and allows remote operations.

Stage 3: Expansion
After they establish a foothold, attackers expand their presence within the network. Expansion involves moving up the user hierarchy and compromising staff members with access to valuable data. Brute-force attacks are a usual tactic during this stage. Malware is critical to an APT as it allows the attackers to maintain access without detection. The malware helps the attacker to:
· Hide from system controls
· Navigate between network segments
· Gather sensitive data
· Monitor network activity
· Find new entry points in case existing ones become inaccessible

At this stage, the attacker has reliable, long-term network access. Security controls are unaware of the danger, and the intruder can start completing the attack objective. If the goal is to steal data, attackers store information in bundles and hide them in a part of the network with little to no traffic.

Stage 4: Execution
Once they have collected enough data, the thieves try to extract it. A typical extraction tactic is to generate noise (for example a DDoS attack or a flood of alerts) to distract the security team. Data transfer happens while the network personnel and the system's defences are busy.
APT teams typically try to complete the extraction without giving away their presence. Attackers often leave a backdoor behind when they exit the system so that they can regain access in the future.

If the APT attack's goal is sabotage, the execution phase plays out differently. Attackers subtly gain control of critical functions and manipulate them to cause damage. For example, attackers can destroy entire databases and then disrupt communications to prevent disaster recovery. Again, the goal is to do damage without the security team discovering the intruders. This stealth approach allows repeat attacks.

How to Prevent an APT Attack?

Standard security measures such as antivirus programs cannot effectively protect a company from an APT attack. APT detection and protection require various defence tactics and collaboration between network administrators, security teams, and all users.

Monitor Traffic
Monitoring traffic is critical for:
· Preventing backdoor setups
· Blocking stolen data extraction
· Identifying suspicious users

Examining traffic inside and outside the network perimeter helps detect unusual behaviour. A web application firewall (WAF) at the network's edge should filter all traffic to servers. A WAF blocks application-layer attacks like RFI and SQL injection, two common attacks in the APT infiltration phase.

Internal traffic monitoring is also vital. Internal firewalls and network monitoring give an overview of user-to-server interactions and help identify irregular logins or odd data transfers. Internal monitoring also allows a business to watch over file shares and honeypots while detecting and removing backdoor shells. Use server monitoring tools to ensure the health and safety of your servers.

Whitelist Domains and Applications
Whitelisting (allowlisting) is a method of controlling which domains can be reached from, and which applications can run on, a network. Whitelisting reduces the APT success rate by shrinking the attack surface.
For whitelisting to work, a team must carefully select the acceptable domains and applications. Strict update policies are also necessary, since users must always be running the latest version of every allowed application.

Establish Strict Access Controls
Employees are typically the most vulnerable point in a security perimeter. APT intruders often try to turn employees into an easy gateway to bypass the defences. The best method to protect a business from compromised or malicious insiders is a Zero Trust policy. Zero Trust security limits the access of each account to the resources that user requires to perform the job (least privilege). In a Zero Trust environment, a compromised account limits the intruder's ability to move through the network.

Another useful measure is two-factor authentication (2FA). 2FA requires users to provide a second form of verification when accessing sensitive areas of the network. An additional layer of authentication on each resource slows down intruders moving through the system.

Keep Security Patches Up to Date
Keeping patches up to date is vital to preventing an APT attack. Ensuring network software has the latest security updates reduces the chance of weak points and compatibility issues.

Prevent Phishing Attempts
Phishing is a usual entry point for an APT attack. Train employees to recognize phishing attempts and teach them what to do when they encounter one. Email filtering reduces the success rate of phishing attacks: filtering and blocking malicious links or attachments within emails stops many penetration attempts. Use email security best practices and protect your inboxes from malicious activity.

Perform Regular Scans for Backdoors
APT attackers leave backdoors across the network after they gain illicit access. Scanning for and removing backdoors is an effective method of stopping current and preventing future APT attempts.
Experts suggest looking for:
· Command shells (WMI, CMD, and PowerShell) that establish network connections
· Remote server or network administration tools on non-administrator systems
· Microsoft Office, Flash, or Java processes that spawn new processes or command shells

Remember to scan endpoint devices for backdoors and other malware. APT attacks often involve the takeover of an endpoint device, so detecting and responding to a compromise is a priority.

Know the Gravity of APTs and Be Ready for an Attack

The consequences of an APT attack can be extreme. Loss of data and reputation are almost guaranteed, so do everything in your power to prevent an attack. Now that you know what an APT is and how to recognize one, you are ready to reinforce and protect your workloads. Learn about the cyber kill chain, which can help you understand and predict the stages of a cyberattack. Knowing how attackers work enables a company to select the right tools and strategies to limit breaches, respond to in-progress attacks, and minimize risks.

Contact info@wsd.gg for more information on how we can support you.
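As an added example (not part of the original article, and not WSD's or phoenixnap's material), the following Python script turns three of the hunting criteria above into checks that run over constructed sample telemetry: off-hours logins by accounts not expected to work at night (from the "Signs of an APT Attack" section), command shells spawned by Office applications or the IIS worker process, and remote administration tools appearing on hosts outside the administrator set (from the backdoor-scanning list just above). The record layouts, the business-hours window, the service-account and admin-host allowlists and the tool name sets are all assumptions chosen to keep the example self-contained; map your own exports (for example Windows Security event 4624 and Sysmon event ID 1) onto the same fields.

```python
"""Hunting for APT indicators over constructed sample events.

Added example, not code from the original article or from phoenixnap/WSD.
Assumptions: a login record is 'ISO-time,user,source_ip,host' and a
process-creation record is 'parent_image,child_image,host'. Business hours,
allowlisted service accounts and the set of "expected" admin hosts are also
assumptions for the example and must be tuned per environment.
"""
from datetime import datetime

# Constructed sample login events (not real data).
LOGINS = """\
2021-03-08T09:12:44,alice,10.20.1.15,FILESRV01
2021-03-08T10:03:10,alice,10.20.1.15,FILESRV01
2021-03-08T14:45:02,bob,10.20.2.40,EXCH01
2021-03-09T03:17:29,alice,10.20.1.15,FILESRV01
2021-03-09T02:58:11,svc_backup,10.20.9.9,DC01
2021-03-09T08:30:00,carol,10.20.3.77,DC01
2021-03-09T22:41:55,carol,10.20.3.77,DC01
"""

# Constructed sample process-creation events (not real data).
PROCESSES = """\
WINWORD.EXE,splwow64.exe,WS-017
WINWORD.EXE,cmd.exe,WS-017
EXCEL.EXE,powershell.exe,WS-042
explorer.exe,powershell.exe,WS-042
explorer.exe,PsExec.exe,WS-042
cmd.exe,wmic.exe,ADMIN-JUMP01
w3wp.exe,cmd.exe,EXCH01
OUTLOOK.EXE,WINWORD.EXE,WS-003
"""

BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time (assumption)
NIGHT_SERVICE_ACCOUNTS = {"svc_backup"}  # legitimately active off-hours (assumption)
ADMIN_HOSTS = {"ADMIN-JUMP01"}           # where admin tooling is expected (assumption)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker; a shell under it is the classic web-shell footprint
ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "wmic.exe", "winrs.exe", "mstsc.exe"}


def parse_logins(text):
    """Parse 'time,user,ip,host' lines into (datetime, user, ip, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, host = line.split(",")
        events.append((datetime.fromisoformat(ts), user, ip, host))
    return events


def off_hours_logins(events, hours=BUSINESS_HOURS, ignore=NIGHT_SERVICE_ACCOUNTS):
    """Sign 1: logins outside business hours by accounts that are not expected
    to work at night. Returns (iso_time, user, host) tuples in log order."""
    return [(ts.isoformat(), user, host)
            for ts, user, _ip, host in events
            if user not in ignore and ts.hour not in hours]


def parse_processes(text):
    """Parse 'parent,child,host' lines into (parent, child, host) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]


def shells_from_office_or_iis(procs):
    """Backdoor hunt: an Office application or the IIS worker spawning a
    command shell. Returns (host, parent, child) tuples in log order."""
    return [(host, parent, child)
            for parent, child, host in procs
            if child.lower() in SHELLS
            and parent.lower() in (OFFICE_APPS | WEB_WORKERS)]


def admin_tools_off_admin_hosts(procs, admin_hosts=ADMIN_HOSTS):
    """Backdoor hunt: remote administration tools running on non-administrator
    systems. Returns (host, child) tuples in log order."""
    return [(host, child)
            for _parent, child, host in procs
            if child.lower() in ADMIN_TOOLS and host not in admin_hosts]


if __name__ == "__main__":
    for hit in off_hours_logins(parse_logins(LOGINS)):
        print("off-hours login:", *hit)
    procs = parse_processes(PROCESSES)
    for hit in shells_from_office_or_iis(procs):
        print("shell spawned by Office/IIS:", *hit)
    for hit in admin_tools_off_admin_hosts(procs):
        print("admin tool on non-admin host:", *hit)
```

Run it as a script to print the hits, or import it and feed parse_logins and parse_processes your own exported telemetry. The allowlists are the part that needs tuning per environment: without them, nightly backup jobs and jump hosts drown the signal, which is the practical meaning of the advice above to take note of changes in administrator behaviour rather than alerting on every administrative action.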


(Source: https://phoenixnap.com/blog/apt-attack)



+44 1481 740001


©2020 by WSD 2021.