JUCC Newsletter - Information Technology Services, The ...


Information Security Updates: Advanced Persistent Threat

Dark Seoul: On Mar 20, 2013, the hard drives of tens of thousands of computers in South Korea were suddenly wiped clean in a massive cyber-attack. The main targets were banks and news agencies. South Korea claimed that the attacks were launched from North Korea’s military intelligence agency. The malware was believed to have spread to the targeted computers by hackers routing through 49 different places in 10 countries, including South Korea.

SecurityWeek – South Korea Probe Says North Behind Cyber Attack [2]

Stuxnet: In 2010, a worm called Stuxnet was found to be infecting supervisory control and data acquisition management systems produced by Siemens. Subsequent investigation revealed a cyber weapon designed to shut down Iran’s nuclear program by tampering with programmable logic controllers used in its nuclear fuel processing plant.

IEEE SPECTRUM – The Real Story of Stuxnet [3]

The term APT was first used by the U.S. Air Force back in 2006 to facilitate discussion about a set of intrusion activities with specific characteristics. These days, APT is often used to describe advanced or complex intrusive cyber attacks against specific targeted organizations over a long period of time. [1]

Richard Bejtlich [1] explained the components of the APT terminology as:

Advanced - means the attackers possess sophisticated hacking techniques and are skillful in using various hacking tools. Attackers are also capable of researching new vulnerabilities and developing custom exploits.

Persistent - means the attackers are not opportunistic intruders but instead are tasked to accomplish missions which can last for a long period of time.

Threat - means the attackers are organized, funded and motivated.

The following types of organizations are the specific targets of APT attacks because of the mass volume of sensitive information they hold, such as source code, trade secrets and personal information, which usually helps the attacker gain a definite advantage, identify a weakness or, to a certain extent, gain the upper hand over the victim of the attack:

1) Healthcare firms
2) Universities
3) Financial institutions
4) Government entities.

APT Specific Targets (source: Verizon 2013 Data Breach Investigations Report [4])

Victim Industry
  Organized Crime: Finance, Retail, Food
  State-Affiliated: Manufacturing, Professional, Transportation
  Activists: Information, Public, Other Services

Region of Operation
  Organized Crime: Eastern Europe, North America
  State-Affiliated: East Asia (China)
  Activists: Western Europe, North America

Common Actions
  Organized Crime: Tampering (Physical); Brute force (Hacking); Spyware (Malware); Capture stored data (Malware); Adminware (Malware); RAM Scraper (Malware)
  State-Affiliated: Backdoor (Malware); Phishing (Social); Command/Control (C2) (Malware, Hacking); Export data (Malware); Password dumper (Malware); Downloader (Malware); Stolen creds (Hacking)
  Activists: SQLi (Hacking); Stolen creds (Hacking); Brute force (Hacking); RFI (Hacking); Backdoor (Malware)

Targeted Assets
  Organized Crime: ATM, POS controller, POS terminal, Database, Desktop
  State-Affiliated: Laptop/desktop, File server, Mail server, Directory server
  Activists: Web application, Database, Mail server

Desired Data
  Organized Crime: Payment cards, Credentials, Bank account info
  State-Affiliated: Credentials, Internal organization data, Trade secrets, System info
  Activists: Personal Info, Credentials, Internal organization data

APT vs Traditional

With these characteristics, APT attacks are different from conventional hacking. In conventional hacking, the attackers can be individuals who pick targets randomly and use popular hacking tools or readily available scripts. Their motives are either fun (defacing web sites) or monetary gain (stealing credit card information). They move on to another target if they fail to break in after spending a certain amount of effort.

For APT, the modus operandi is quite different from conventional hacking. First of all, the attackers can be state- or country-affiliated organized syndicates. Bejtlich elaborated that the objectives of their attacks can be political (maintaining stability), economic (stealing intellectual property), technical (gaining access to source code for further exploit development) or military (identifying weaknesses for military advantage).

After identifying a target organization, the attackers engage in reconnaissance to study the infrastructure of the target, the employee profiles and even the business partners of the target, trying to identify potential attack points. Attackers then try different means to penetrate the target. A typical method is to craft a spear phishing email containing a malicious payload which can bypass anti-malware detection. To increase the chances of the target clicking the malicious link or opening the attachment, attackers spend a lot of time researching the phishing target and the target system. Information is mined from a variety of sources including corporate blogs, Google searches, social media sites, etc.

Figure: An example of a spear phishing email to LegCo member Hon CHAN Chi-chuen [6]

In February 2013, a private cyber security company, Mandiant, made a sensational revelation, claiming in a report that the PLA’s secretive Shanghai-based Unit No. 61398 is responsible for a wide range of cyber-attacks against US networks that resulted in the theft of hundreds of terabytes of data from some 141 organizations since 2006.

The US Government has a number of intelligence agencies with multi-billion dollar budgets and global reach that might have better knowledge of Chinese cyber activities in the US, such as the National Security Agency, for example. But that data the US keeps to itself, and US media has been quoting Mandiant’s revelation throughout 2013.

US-China cyber espionage comes under increased scrutiny [5]

Figure: APT1’s interaction with a spear phishing recipient

When an unsuspecting employee is lured into acting on the phishing email, the malicious payload is installed and calls back to notify the attackers. The attackers then start to control the computer remotely and go on to compromise more computers. According to their mission, the attackers search the compromised computers for valuable information and send it back surreptitiously. Since the attackers may have funding behind them, they can spend months or years on such operations. In order to stay stealthy and undetected, the attackers encrypt traffic between the compromised computers and their command centers, launch attacks from IP addresses that bounce through different countries, and hide their activities by erasing records from the logs, encrypting.

Anatomy of APT Attacks

According to Mandiant / FireEye, the APT attack cycle typically contains the following stages [8]:

Initial Compromise – The methods attackers use to penetrate a target organization’s network, such as exploiting vulnerable Internet-facing web servers or spear phishing (an electronic message sent to a targeted victim with personalized content that contains a malicious attachment, a link to a malicious file, or a link to a malicious website).

Establish Foothold – Attackers access and control one or more computers within the victim environment. Backdoors are installed and used to establish an outbound connection from the victim’s network to a computer controlled by the attackers.

Escalate Privileges – Acquiring credentials that allow attackers to access more resources within the victim environment. Techniques such as password harvesting and cracking are used. Attackers try to gain access to privileged and administrator accounts.

Internal Reconnaissance – At this stage attackers collect information about the compromised computers in order to learn about the internal network, users, groups, trust relationships, files and documents. Attackers may perform directory or network share listings, or search for data by file extension, keyword, or last modified date. File servers, email servers, and domain controllers are customary targets of internal reconnaissance.

Move Laterally – Attackers move laterally within the network to compromise more computers in order to search for the data they want.

Maintain Presence – Attackers install backdoors to keep controlling the computers remotely from outside the network. These backdoors may differ from the ones installed during the Establish Foothold stage, making it difficult to identify and remove all of their access points. Attackers are also skillful enough to cover their traces by deleting activity logs and encrypting communication traffic.

Complete Mission – Once the attackers find files of interest on compromised computers, they often pack them into archive files and transfer them out using FTP, custom file transfer tools or backdoors.

In January 2013, a well-organized, sophisticated computer spy operation dubbed Red October was found to (still) be targeting high profile diplomats, Governments and nuclear and energy research companies. The Red October operation used phishing emails purporting to be from companies’ HR departments. The attack covered 69 countries.

In April 2013, an AP journalist clicked on a spear phishing email disguised as a Twitter email. The phisher then hacked AP's Twitter account. Stock markets plunged after a phony tweet about an explosion at the White House, erasing $136.5 billion of value from the S&P 500 index.

In August 2013, a few days before Iran’s national election to choose a successor to President Mahmoud Ahmadinejad, thousands of Gmail account users in Iran were targeted in a phishing attack intended to influence the election.

Top 7 Phishing Scams of 2013 [7]

Implications to Universities

There are massive numbers of computer systems in Universities, and Universities operate their IT environments quite openly. Unlike corporate enterprises, not all systems are centrally protected under a consistent set of tightened security policies. Different faculties and departments may house their own systems and may even neglect to implement proper security protections.

Attackers sometimes find University computer systems easier to penetrate than corporate enterprises. They use these compromised computer systems as intermediate stepping stones to attack the real targeted organizations, in order to make it difficult to trace the origin of the attack.

Some attackers may have an interest in research data and hence target certain computer systems in the Universities in order to gain access to that data. There are also times when attackers launch attacks against Universities to steal personal information, which helps them create more sophisticated phishing emails targeting the real victims in corporate enterprises.

Since APT attacks are becoming more common, Universities should be more aware of such threats in order to better defend against APT attacks.

Defending against APT

There is no single silver bullet to defend against APT attacks. Universities will have to consider implementing multiple controls in order to reduce the likelihood and impact of APT attacks.

1. Increase Staff and Student Awareness

By far the most common APT initial compromise vector is phishing email. Staff and students should therefore be educated to raise their awareness in screening for phishing and spear phishing email. If they receive an unexpected email which contains links or attachments, staff and students should be on alert and decide carefully whether or not to act on the email. Relying on anti-malware programs to screen the email and attachments can be a good option. But do realize that some payloads can bypass anti-malware detection, so relying on anti-malware protection is not 100% safe.

In addition, staff and students should change their passwords often regardless of whether Universities enforce a periodic password change policy. Staff and students should also set different passwords across all University systems, external web applications and social media sites. This reduces the impact if one of these systems is compromised and leaks credentials. If feasible, two-factor authentication should be enabled (e.g. remembering the sign-on device, using a token, etc.) to increase the difficulty of compromising a computer.

In December 2013, a man was arrested for his part in a phishing scam targeting UK college students. The scam sent emails inviting students to update their student loan details on a malicious site that took large amounts of money from their accounts.

Using spear phishing emails, a large and complex hacker group in China was said to have hacked more than 100 companies in the U.S. The hacker group is said to have stolen proprietary manufacturing processes, business plans, communications data, and much more.

Top 7 Phishing Scams of 2013 [7]
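Item 1 above says not to rely on anti-malware alone when screening attachments; the APT1 sample quoted later in this newsletter (a name ending in ".pdf", then 119 spaces, then ".exe", with an Adobe icon) shows why the displayed file name itself deserves a check. The following is an added example, not code from the newsletter or from Mandiant: a small filter that a mail gateway or helpdesk tool could apply to attachment names, generalized beyond the quoted case to the related tricks (an executable extension hidden behind a document extension, whitespace padding, and the Unicode right-to-left override). The extension lists and the sample names are assumptions constructed for the example.

```python
"""Attachment-name checks for a mail gateway or a user-facing warning.

Added example, not from the JUCC newsletter or any product it cites. It flags
the ruse quoted on this page (".pdf", a long run of spaces, then ".exe")
together with related tricks: an executable extension hidden behind a
document extension, whitespace padding, and the right-to-left override.
Sample names below are constructed.
"""
import re
import unicodedata

# Extensions that run code when opened on a typical workstation (assumed list).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                  "wsf", "hta", "msi", "jar", "ps1", "lnk"}
# Extensions a user expects to be harmless documents (assumed list).
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

RLO = "\u202e"  # right-to-left override: reverses how the tail of a name is displayed


def attachment_findings(filename: str) -> list:
    """Return the reasons an attachment name looks deceptive (empty list = clean)."""
    findings = []
    name = unicodedata.normalize("NFKC", filename)

    if RLO in name:
        findings.append("contains right-to-left override character")

    # The real extension is whatever follows the last dot once trailing blanks are gone.
    stripped = name.rstrip()
    real_ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""

    # A document-looking extension followed by whitespace or another dot is the
    # displayed part of a double-extension name.
    shown = re.search(r"\.(" + "|".join(DOCUMENT_EXT) + r")(?=[\s.])", name, re.IGNORECASE)
    if shown and real_ext in EXECUTABLE_EXT:
        findings.append(f"displayed as .{shown.group(1).lower()} but real extension is .{real_ext}")
    elif real_ext in EXECUTABLE_EXT:
        findings.append(f"executable extension .{real_ext}")

    # Long runs of spaces push the true extension out of view in mail clients.
    longest_run = max((len(run) for run in re.findall(r" {2,}", name)), default=0)
    if longest_run >= 8:
        findings.append(f"{longest_run} consecutive spaces in name")

    return findings


if __name__ == "__main__":
    # Constructed sample names, including the pattern described in the APT1 report.
    for sample in ["report.pdf", "Quarterly_report.pdf" + " " * 119 + ".exe",
                   "invoice.pdf.exe", "setup.exe", "photo" + RLO + "gpj.exe"]:
        print(repr(sample[:40]), "->", attachment_findings(sample) or "clean")
```

The check is meant to drive a quarantine-and-review decision or a warning banner, not to replace the anti-malware scan item 1 describes; both run on the same message.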

2. Strengthen Defense-in-depth Controls

Infrastructure, Application and Security teams should work together to ensure basic security controls are implemented in a defense-in-depth manner. For instance, firewalls with effective rule sets should be configured. Logs should be reviewed using Security Information and Event Management (SIEM) tools to automate event correlation and incident detection. Servers and network devices should be hardened and have the latest security patches applied in a timely manner. Remote access should be controlled centrally through a landing server enforcing multi-factor authentication. Privileged accounts should be managed on a need-to-know basis, so that they are not granted to too many people or held for uncontrolled periods of time.

Universities can also consider deploying web application firewalls or even APT protection / detection systems. Rule set tuning will be required to configure these systems properly in order to reduce false alarms. The security architecture should be designed so that firewalls, IPS / IDS, web application firewalls and APT protection / detection systems work in a layered defense mode.
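Item 2 recommends SIEM-based event correlation, and the Escalate Privileges and Move Laterally stages in the anatomy section are what such rules look for: password harvesting or guessing shows up as a burst of failed logins followed by a success, and lateral movement as one account authenticating to several servers in a short window. The following is an added example, not code from the newsletter or from any SIEM product it mentions; the log format, its field names and every sample line are constructed, and the thresholds are assumptions to be tuned per environment.

```python
"""Two SIEM-style correlation rules over centrally collected authentication events.

Added example, not from the JUCC newsletter or any SIEM product it mentions.
The line format and the sample events are constructed to resemble what a log
collector receives from servers; the field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one account sees a burst of failures then a success from a
# single source, then logs into several servers within minutes (lateral movement);
# a second account shows ordinary activity with one typo.
SAMPLE_LOG = """\
2014-09-04T10:01:12 host=fs01 user=jlee src=10.20.5.17 result=FAIL
2014-09-04T10:01:15 host=fs01 user=jlee src=10.20.5.17 result=FAIL
2014-09-04T10:01:19 host=fs01 user=jlee src=10.20.5.17 result=FAIL
2014-09-04T10:01:22 host=fs01 user=jlee src=10.20.5.17 result=FAIL
2014-09-04T10:01:26 host=fs01 user=jlee src=10.20.5.17 result=FAIL
2014-09-04T10:01:30 host=fs01 user=jlee src=10.20.5.17 result=OK
2014-09-04T10:04:02 host=mail01 user=jlee src=10.20.5.17 result=OK
2014-09-04T10:06:40 host=dc01 user=jlee src=10.20.5.17 result=OK
2014-09-04T10:09:11 host=db02 user=jlee src=10.20.5.17 result=OK
2014-09-04T10:05:00 host=fs01 user=amy src=10.20.7.3 result=OK
2014-09-04T10:07:30 host=fs01 user=amy src=10.20.7.3 result=FAIL
2014-09-04T10:07:45 host=fs01 user=amy src=10.20.7.3 result=OK
"""


def parse(text):
    """Parse log lines into dicts, dropping lines that do not match, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def password_guessing(events, min_failures=5, window=timedelta(minutes=5)):
    """(user, src) pairs with >= min_failures failures inside `window` followed by a success."""
    hits = []
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            fails[key] = [t for t in fails[key] if e["ts"] - t <= window]
        elif len([t for t in fails[key] if e["ts"] - t <= window]) >= min_failures:
            hits.append({"user": e["user"], "src": e["src"], "success_at": e["ts"],
                         "failures_before": len(fails[key])})
            fails[key].clear()
    return hits


def lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts that authenticated successfully to >= min_hosts distinct hosts within `window`."""
    hits = []
    successes = defaultdict(list)  # user -> [(ts, host)] within the window
    flagged = set()
    for e in events:
        if e["result"] != "OK":
            continue
        successes[e["user"]].append((e["ts"], e["host"]))
        recent = [(t, h) for t, h in successes[e["user"]] if e["ts"] - t <= window]
        successes[e["user"]] = recent
        hosts = {h for _, h in recent}
        if len(hosts) >= min_hosts and e["user"] not in flagged:
            flagged.add(e["user"])
            hits.append({"user": e["user"], "hosts": sorted(hosts), "last_at": e["ts"]})
    return hits


def run(text=SAMPLE_LOG):
    """Apply both rules to a log text and return the alerts each produced."""
    events = parse(text)
    return {"password_guessing": password_guessing(events),
            "lateral_movement": lateral_movement(events)}


if __name__ == "__main__":
    for rule, alerts in run().items():
        print(rule, alerts)
```

Real rules of this kind sit on top of the SIEM's normalized events rather than a regex, but the logic is the same: keep a sliding window per key and alert once it fills. The lateral-movement rule deliberately fires once per account and lists the hosts, which is what an incident responder needs first for containment.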

3. Segregate Systems in Different Network Zones

As explained in the anatomy section, APT attackers will try to move laterally to compromise more computers. Universities can better protect their computer systems by placing the systems in different protected network zones according to their functions or sensitivity. Even if one system is compromised, attackers cannot easily compromise nearby systems if they are placed under segregated network zones.

Figure: An example of how network segregation enhances the protection of systems in different network zones. [9]

Blackshades Trojan malware infected over 500,000 computers across the world, through external links on websites and emails. Blackshades provides remote access control of a computer, enabling criminals to steal information or install ransomware. An FBI co-ordinated global investigation into the developers and purchasers of Blackshades malware led to the National Crime Agency (NCA) making 17 arrests in the UK. CIFAS is working with the NCA to match Blackshades UK purchaser data against CIFAS, and provide the NCA National Cyber Crime Unit with information that can aid further arrests.

Problem Profile Bulletin: Malware Threats [10]

The first spear phish from group “Admin@338” was sent to a foreign Government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case the user is simply shown a blank document.

FireEye Blog [11]

This is not a PDF file. It looks like the filename has a PDF extension, but the file name actually includes 119 spaces after “.pdf” followed by “.exe” — the real file extension. APT1 even went to the trouble of turning the executable’s icon to an Adobe symbol to complete the ruse. However, this file is actually a dropper for a custom APT1 backdoor that we call WEBC2-QBP. [8]

4. Monitor Suspicious Traffic

APT attacks involve call back traffic. Also, attackers remotely control the compromised computers by connecting to the installed backdoors. If such network traffic can be monitored and identified, the indicators of compromise (IOC) can be quickly reviewed. Having said that, it may not be easy to differentiate the call back and remote control traffic, because attackers can encrypt the traffic and use well-known ports for communications.

APT protection / detection systems specialize in detecting and even blocking such traffic. Some IPS / IDS are also capable of detecting unusual traffic patterns. Universities can consider implementing these solutions at appropriate network access points.
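The call back traffic described in item 4 is hard to identify by content once it is encrypted and sent over a well-known port, but a backdoor that polls its command server on a fixed timer still leaves a timing pattern in firewall or proxy connection logs, and that pattern is what many of the detection systems mentioned above look for. The following is an added example, not code from the newsletter or from any IDS / IPS or APT detection product it mentions: it groups outbound connections by source, destination and port and flags flows whose inter-connection intervals are nearly constant. The log format and every sample line are constructed (TEST-NET addresses), and the thresholds are assumptions to be tuned per environment.

```python
"""Detect periodic call-back ("beacon") traffic in an outbound connection log.

Added example, not from the JUCC newsletter or any IDS / IPS product it
mentions. A backdoor polling its command server at a fixed interval shows
low timing jitter even when the payload is encrypted and the port is 443.
The log format and all sample lines are constructed (TEST-NET addresses).
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: ISO timestamp, source, destination, destination port, bytes out.
# 10.20.5.17 contacts 203.0.113.45 every ~5 minutes; 10.20.7.3 browses normally.
SAMPLE_CONNLOG = """\
2014-09-05T08:00:00 10.20.5.17 203.0.113.45 443 612
2014-09-05T08:04:59 10.20.5.17 203.0.113.45 443 598
2014-09-05T08:10:01 10.20.5.17 203.0.113.45 443 611
2014-09-05T08:15:00 10.20.5.17 203.0.113.45 443 604
2014-09-05T08:20:02 10.20.5.17 203.0.113.45 443 602
2014-09-05T08:24:59 10.20.5.17 203.0.113.45 443 615
2014-09-05T08:30:00 10.20.5.17 203.0.113.45 443 607
2014-09-05T08:35:01 10.20.5.17 203.0.113.45 443 599
2014-09-05T08:00:00 10.20.7.3 198.51.100.10 443 48211
2014-09-05T08:00:17 10.20.7.3 198.51.100.10 443 1290
2014-09-05T08:02:20 10.20.7.3 198.51.100.10 443 77302
2014-09-05T08:02:25 10.20.7.3 198.51.100.10 443 930
2014-09-05T08:10:00 10.20.7.3 198.51.100.10 443 5120
2014-09-05T08:10:05 10.20.7.3 198.51.100.10 443 18800
2014-09-05T08:21:40 10.20.7.3 198.51.100.10 443 2211
2014-09-05T08:05:00 10.20.7.3 203.0.113.80 80 3400
2014-09-05T08:06:00 10.20.7.3 203.0.113.80 80 3300
"""


def parse_connlog(text):
    """Parse whitespace-separated connection records; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return rows


def find_beacons(rows, min_connections=6, max_jitter=0.2):
    """Return (src, dst, dport) flows whose inter-connection timing is nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) of the intervals;
    above it a flow is treated as human or bulk traffic rather than a beacon.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in rows:
        flows[(src, dst, dport)].append(ts)

    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:  # too few samples to judge periodicity
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:  # all connections at the same instant: a burst, not a beacon
            continue
        jitter = statistics.stdev(intervals) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(times),
                            "period_s": round(mean), "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_connlog(SAMPLE_CONNLOG)):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every ~{b['period_s']}s "
              f"({b['connections']} connections, jitter {b['jitter']})")
```

Legitimate software also beacons (update checkers, monitoring agents, webmail polling), so a flagged flow is a lead for the IOC review the section describes, not a verdict: keep an allow list of known destinations and corroborate with the host before blocking. Tuning max_jitter upward catches backdoors that randomize their sleep, at the cost of more such false positives.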

5. Improve Incident Response Capability

No organization is immune to cyber attacks. In fact, corporate enterprises are beginning to shift to a new mindset: they need to prepare for the worst, because they can become a target. It is imperative for Universities to define an incident response process. Because an attack can compromise systems, networks and applications, the process should be backed by a taskforce consisting of representatives from the IT teams. The team should be trained to respond to suspected and confirmed attacks, contain the compromised environment, collect logs and evidence, and perform forensic investigation.

Conclusion

APT attacks are increasing on a global level. More corporate enterprises have been revealed by the media to have been APT targets and even victims. These attacks have even reached local Universities. APT attacks are certainly no myth, and the reality is that defenses are still playing catch up. This reinforces the maxim that security is a process, not a one-off event or product.

Universities should start to pay attention to the threat, and consider implementing the recommendations to strengthen the protection of their infrastructure and of the sensitive information that they own.

Operations components of a security operations competency include a blended capability of technology, process, and people.

References

1. "Understanding the advanced persistent threat." Jul. 2010. Web. 08 Sept. 2014.
2. "South Korea Probe Says North Behind Cyber Attack: Report." AFP. 09 Apr. 2013. Web. 04 Sept. 2014.
3. "The Real Story of Stuxnet." David Kushner. 26 Feb. 2013. Web. 04 Sept. 2014.
4. "Verizon 2013 Data Breach Investigations Report, 20% of external data breaches tie to state affiliated groups." 2013. Web. 04 Sept. 2014.
5. "US-China cyber espionage comes under increased scrutiny." Ivan Fursov, RT. 07 Nov. 2013. Web. 04 Sept. 2014.
6. "Ming Pao News, phishing email to LegCo Hon CHAN Chi-chuen." 04 Sept. 2014. Web. 04 Sept. 2014.
7. "Top 7 Phishing Scams of 2013." 26 Dec. 2013. Web. 04 Sept. 2014.
8. "Mandiant Releases Report Exposing One of China’s Cyber Espionage Groups." 19 Feb. 2013. Web. 04 Sept. 2014.
9. "IBM Tivoli Service Automation Manager – Extension for Juniper SRX Firewall, Background to the Firewall Extension." Web. 05 Sept. 2014.
10. "Problem Profile Bulletin: Malware Threats." June 2014. PDF. 05 Sept. 2014.
11. "Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370." 24 Mar. 2014. Web. 08 Sept. 2014.

Copyright Statement All material in this document is, unless otherwise stated, the property of the Joint Universities Computer Centre (“JUCC”). Copyright and other intellectual property laws protect these materials. Reproduction or retransmission of the materials, in whole or in part, in any manner, without the prior written consent of the copyright holder, is a violation of copyright law.

A single copy of the materials available through this document may be made, solely for personal, non-commercial use. Individuals must preserve any copyright or other notices contained in or associated with them. Users may not distribute such copies to others, whether or not in electronic form, whether or not for a charge or other consideration, without prior written consent of the copyright holder of the materials. Contact information for requests for permission to reproduce or distribute materials available through this document are listed below:

[email protected]
Joint Universities Computer Centre Limited (JUCC)
c/o Information Technology Services
The University of Hong Kong
Pokfulam Road, Hong Kong