Anatomy of an APT attack: Step by step approach complete guide by Blackhat Pakistan 2023
This article will explore the technique, design, and inner workings of an Advanced Persistent Threat (APT}Anatomy of an APT attack . It will also combine different phases of the attack with several attacks that have been custom-built to penetrate businesses to extract internal data, trade secrets and sensitive business information.
Introduction to Anatomy of an APT attack:
APTs are designed to gain network access, extract data, and surreptitiously monitor target computer systems for long periods of time. Many researchers agree that the term “advanced persistent threat” was first coined by the US government in 2005 by security analysts to describe sophisticated cyber attacks against specific targets for financial or informational gain by a well-funded group of individuals.
Also Read:Gapz: Advanced VBR Infection 2023 by Blackhat Pakistan
An “advanced” process means sophisticated techniques using malware and known vulnerabilities to exploit internal systems. A “Persistent” process indicates that an external command and control system continuously monitors and acquires data from a specific target. The “Threat” process refers to human involvement in organizing an attack. An APT is essentially a network attack. An authorized person gains access to the network and remains in it for an extended period of time by setting up a backdoor — collecting data and moving away. Target networks are usually financial institutions, military intelligence. The goal of a targeted attack is to steal valuable intellectual property, money, and other personally identifiable information (PII).
In 2006, only one APT attack was reported, by 2014 the number had increased to more than 50 known and documented incidents, according to APTnotes. These types of attacks are becoming increasingly sophisticated. They have caused a number of large and costly data breaches by routinely violating or evading traditional security measures. Even after the successful completion of the mission, the APT continues to live and acquire additional information. They are very difficult to detect and remove because they won’t look like malware overtly and can be embedded very deep in an organization’s computer systems. In addition, the designers and initiators of the APT will rigorously monitor and control its activities by changing the code to avoid detection.
Zero days and cyber attacks
Many APT threats use zero day vulnerabilities to target victim organizations. During 2014, an APT attack that exploited and exploited a zero-day vulnerability in Internet Explorer (CVE-2014-1776) consisted of phishing emails sent to a targeted group of people at defense, aerospace, energy, and research universities. The phishing emails contained a link that led to malicious sites hosting zero-day exploit code.
They sent out many more messages to a wider set of targets and tried to infect as many endpoints as possible before a fix was made available. The attackers also updated their email templates and subject lines daily to keep the campaign “fresh” and avoid any spam detection rules in place to detect previous messages.
FireEye describes the attack life cycle or “kill chain” of an APT attack to create a holistic view of each step in the chain, of which the identification of zero-day exploits plays a major part.
Step-by-step analysis of an APT attack
Every step in an APT attack involves a very well-planned and studied move by the attackers. This includes creating an internal blueprint of the organization’s IT infrastructure, malware engineering, social engineering attacks, and undetected data extraction.
Destination selection
The first stage of an APT attack is to select the target organization. Few attackers will first select a victim and then conduct research on the victim through websites, employee resumes, and web data looking for how the company uses software and infrastructure designs that are exploitable or comfortable to work with. Others prey on “random victims”. For example, in 2007, hacker Albert Gonzalez went on a war seeking organizations that had vulnerable WiFi networks and found his victim, retail giant T.J. max.
Collection of information
Attackers conduct a complete study of their victim’s profile to create a blueprint of their IT systems and look for exploitable vulnerabilities to penetrate all defenses. Details of sites, network topology, domain, internal DNS and DHCP servers, internal IP address ranges and any other exploitable ports or services are captured. Depending on the goal, this process can take some time, as large organizations tend to invest much more in security and set up multiple layers of defense. Knowledge is power, and the more insight a cybercriminal gains into a targeted network, the higher the chances of successful covert penetration and deployment of malware.
Entry point
After gathering enough information to launch an attack, it narrows down the exploit’s entry point. Attackers are also concerned with defending security solutions and known attack signatures that the victim might possess. In most scenarios, phishing attacks employees of their target company to open a malicious attachment or click on a crafted URL in hopes of delivering their payload by exploiting a zero-day vulnerability in a common browser or application such as Adobe, Java, or Microsoft Office. As mentioned earlier, they can also exploit any zero-day vulnerabilities in software used by employees. For example, attackers used an Adobe ColdFusion vulnerability to penetrate the networks of LaCie, a computer hardware manufacturer.
Planting malware on a compromised computer
Once an attacker runs an exploit on an employee’s computer, the exploit injects malicious code into the computer to install a backdoor or allow full access to the computer. In the RSA SecureID attack, where an attacker stole SecureID data by installing a customized Remote Administration Tool (RAT) known as Poison Ivy, a RAT variant. Poison Ivy has been widely used in many other attacks, including GhostNet. These remote management tools, whose purpose is simply to allow external control of a PC or server, are often set up in loopback mode, meaning that they download commands from central command and control (C&C) servers and then execute commands, rather than fetching commands at a distance. This connection method makes them more difficult to detect, as the PC reaches for commands and control rather than the other way around.
Permission Escalation
The attacker first obtains access data from the attacked computer or users (users, domain administrators and service accounts). They then escalate privileges to non-administrative users on target systems and then move to gain access to key high-value targets, which included process experts and IT and non-IT server administrators.
To obtain credentials, attackers use keyloggers, ARP spoofing, and hacking tools, among others, to obtain credentials. Hacking tools basically hack password authentication-related functions, while ARP spoofing tools monitor conversations between two or more systems in a network packet via fake ARP to steal credentials. Pwdump is another tool for getting password hashes from the Windows registry. Other tools used are Windows Credential Editor (WCE), Mapiget, Lslsass, Gsecdump and CacheDump.
Attackers can also use a technique called “pass the hash”, which involves using a hash instead of a plaintext password to authenticate and gain higher access. They can also use a brute-force attack, which is simply guessing passwords through a predefined set of passwords.
Command and control communication
Once inside the target organization, APTs are typically controlled remotely through “command and control” (C&C) communications between the infiltrated systems and the attackers themselves. During an attack, criminals will also use this channel to open and manipulate network access backdoors to expose and exfiltrate their targeted data.
Unlike botnets, which have a high volume of traffic on thousands of zombie computers, APT C&C traffic is intermittent and low volume, making them more difficult to detect. Attackers also take measures to remain undetected by constantly changing IP addresses or redirecting traffic through proxy servers. C&C communications that mix with normal web traffic, use or spoof legitimate applications or sites, or use attacker-crafted, internal C&C servers cannot be detected without advanced local network monitoring
Lateral movement
If an attacker thinks they can exist in the environment without being detected, they can continue in stealth mode for a long time. However, if they think they are at risk of being found out, they move much faster. Lateral movement typically involves activities related to reconnaissance, credential theft, and infiltration of other computers.
Remote control tools allow attackers to access other desktops on the network and perform actions such as running programs, scheduling jobs, and managing data collections on other systems. A few tools and techniques used for this purpose include Remote Desktop Tools, PsExec, and Windows Management Instrumentation (WMI).
Once communication is established with compromised systems and C&C (command and control) servers, threat actors need to maintain persistent access over the network. To do so, they must move laterally within the network and gain higher privileges using various tools. This, in turn, allows threat actors to access servers that contain valuable information—a company’s “crown jewels”
Asset discovery and persistence
Several techniques such as port scanning and network analysis are used to identify valuable servers and services where data is stored. Some of the tools used in this activity include netstat, a command-line tool that can obtain network connection information through active connections and open ports. This can be used to identify running services or internal servers accessed by the compromised computer. Port scanning tools check for open network ports so that attackers can create a tunnel connection between the attacked system and its system. Port forwarding tools like ZXPortMap and ZXProxy (aka AProxy) are used to create a tunnel connection to bypass firewall protection.
Exfiltration of data
This is the unauthorized transfer of sensitive information from the target’s network to an external location controlled by the threat actor. After finding the desired data, APT generally collects the data into an archive and then compresses and encrypts the archive. This allows them to hide the contents of the archive from deep packet inspection and data loss prevention techniques. The next step is to exfiltrate data from the victim’s system.
Because data routinely moves in and out of enterprise networks, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups. Once sensitive information is collected, the data is routed to an internal work server where it is split, compressed, and often encrypted for transmission to external locations under the attacker’s control. Tools include Lz77 (used to compress applications to exfiltrate data), ZXProxy (Helps redirect HTTP/HTTPS connections to obfuscate the source), LSB-Steganography (Uses steganography techniques to embed files in images), ZXPortMap (traffic redirection tool that helps obfuscate the connection source.), ZXHttpServer (a small HTTP server that is deployable and extremely flexible). Many of these tools are copied onto victims’ computers and often never removed by APT actors.
Covering your tracks
Once the attackers reach their target, they make sure to leave no trace of their covert operations. There have been cases where the attackers left the back door open, through which they climbed in several times and repeatedly robbed the victim without being caught.
If new target data (new customer records or updated business plans) is still available and of value to the attacker, the data extraction phase continues for a longer period of time.
Eventually, the attack stops, either because the attacker has reached his goal or because the victim notices and breaks off the attack. Once APT steals data, they perform several criminal activities such as:
- Sale of data.
- Threatens to publish data
- He asks the victim to pay a ransom
Conclusion
Targeted attacks have successfully bypassed traditional security defenses, and most IT professionals now believe their organizations have been targeted. According to an Information Week Security article by Mathew Schwartz, “APTs use a slow, slow approach that is difficult to detect but has a high probability of success. Attackers only need to trick a single employee into opening malware that exploits a zero-day vulnerability, giving them access not only to the employee’s computer, but potentially to the entire corporate network.”
A strong defense against APTs must have deep detection and analysis capabilities at all stages of the attack lifecycle. Network administrators must implement an application whitelist to prevent unnecessary malware from being installed or used on employee systems. Organizations must use SIEM tools to analyze network logs. This can even help with forensic analysis in the event of a data breach.
Sources
- Cybercrime apt and avt techniques
- Cloud content – White papers
- Fireeye Blog
- Apt attack utilizing latest internet explorer zero-day vulnerability
- Anatomy of an attack
