Dell SecureWorks Warns - APT Hackers Repeatedly Try Reentering Their Targeted Networks
Dell SecureWorks' Counter Threat Unit™ (CTU) is warning organizations that "Persistent" hackers, intent on stealing government secrets, Intellectual Property and financial data, are compromising victims' networks and even after being evicted, are repeatedly trying to reenter the victims' IT environment.
The lesson here is that evicting a cyber-attacker from one's environment is not always the end of the fight when battling sophisticated adversaries. During the past year, the CTU observed countless intrusions where attackers tried to reenter an environment after being evicted – an occurrence which has increasingly become the norm. These attempts to reenter took a number of different forms, from the compromise of legitimate remote access solutions to identifying and targeting a vulnerable webserver. By focusing on attacker behavior however, it is possible to detect adversaries more quickly the second time around and limit the opportunity for them to do more damage.
Below, are three examples of how attackers regrouped and reentered the targeted environment after being evicted. Each of these incidents occurred at global corporations, and in each case, the goal of the attackers is suspected cyber-espionage. In each case, attempting to spot malicious activity with means that extend beyond using static indicators, such as IP addresses and domains, is critical to detecting and remediating intrusions as quickly as possible.
Case Study 1:
A global telecommunications manufacturing company was suspicious that they might have been a victim of malicious cyber activity, although their in-house security team could not find any evidence to the fact. So, they engaged Dell SecureWorks' Special Operations Incident Response (IR) team to carry out a Targeted Threat Hunting engagement to see if they could find any indication of a cyber intrusion. The Special Operations team used Dell SecureWork's endpoint security service to sweep for malicious activity. The service, Advanced Endpoint Threat Detection (AETD) Red Cloak, quickly detected threat actors moving laterally across the manufacturer's network and connecting to the domain controller, and using "Scheduled Tasks" to run credential-stealing tools against the domain controller to steal passwords for all users in the enterprise.
Through investigation, Dell SecureWorks IR team discovered that the manufacturer had originally been compromised, due to a cross-domain policy violation, when they connected to one of their customer's network.
Though antivirus was present on the compromised system of the manufacturer, it failed to detect the malware. As a result, when an employee of SecureWorks' client logged into their corporate network, the attackers came with them. Fortunately, the adversaries were detected the same week by AETD Red Cloak and evicted. The story however does not end there.
Four months after being kicked out, the same threat actors re-emerged. This time, they compromised a webserver belonging to another customer of the manufacturer. This customer was allowed to connect to the manufacturer's network so as to conduct business. The attackers placed a web shell on the webserver, and were able to obtain account information using the same credentials, which the threat actors had originally stolen and had used to log into the manufacturer's network via Citrix. The hackers used the same username and password to log into the target organization's network, via Citrix. When the adversary re-entered, they were quickly identified as the same attackers, because of their behavior on the endpoint, the timeline of their activity, and their attempted use of previously compromised domain accounts. After the manufacturer took Citrix offline, at the advice of the IR Team, the threat actors identified a group of legacy employees who were not required by the manufacturer to use two-factor authentication when logging into the corporate network via VPN. The cyber criminals immediately jumped on that opportunity and implanted malware onto the systems, and used it to connect to other systems inside the network. We worked with the client to ensure that everyone, who was given remote access to the manufacturer's network, was required to used two-factor authentication.
The importance of two-factor authentication for all remote access solutions and for all users cannot be emphasized enough. If there is an existing hole in an organization's perimeter, threat actors will find it and use it, as it is much easier than making their own entry point.
Case Study 2:
Dell SecureWorks spotted similar threat actor behavior during an incident response engagement they were carrying out at an aerospace manufacturing company.
Within hours of deploying the AETD Red Cloak technology, Dell SecureWorks was able to uncover that the organization had been compromised by attackers that had been able to maintain persistence for more than two years. It was not clear how the attackers initially broke into the company's network, as is typically the case when the intrusion dates back several years. After identifying the devices which were compromised, determining which credentials needed to be reset, and creating a remediation plan, SecureWorks IR Team was able to evict the threat actors on the same day.
Once again, this was not the last time the SecureWorks IR team would hear from the hackers. The attackers reentered the aerospace manufacturer's network two months later. They broke in using a web shell placed on a vulnerable web server. Unlike case study one, this server did not belong to a third-party partner or customer. It belonged to the aerospace company, and it was a test server being used by the company's developers. However, the company's IT organization had no knowledge of the test server. Because it was unknown to the security team, the server was left unsecured, even though it was connected to both the Internet and the company's internal network. The threat actors moved laterally to six different hosts, using five different sets of credentials, in the first two hours of their re-entry. They deployed new malware and used brand new command and control servers, making it impossible for security devices, that only alert on simple threat indicators such as hashes and domains, to detect them.
Using AETD Red Cloak, the IR team detected the web shell activity and captured the commands, containing the usernames and passwords, that the threat actors used to move laterally. After SecureWorks scoped the extent of the reentry, the IR team worked to ensure all affected systems were remediated and any compromised credentials were reset. The aerospace manufacturer learned a hard lesson about asset management and ensuring remotely accessible systems reside in the DMZ.
Case Study 3:
One more example of "Persistent" cyber criminals can be found in an incident involving a global manufacturer in the oil and gas industry. This time, the company was alerted to suspicious activity via alerts from Dell SecureWorks iSensor Intrusion Prevention/Intrusion Detection System (IPS/IDS). The client recognized that the scope of the activity was likely not limited to a single system and engaged Dell SecureWorks' IR team to inspect their infrastructure. In 48 hours of deploying Red Cloak, the IR team had determined that threat actors had indeed compromised the company's environment 14 months earlier.
The IR team worked diligently to analyze forensic evidence from the intrusion 14 months earlier. During the investigation, the Red Cloak team caught the cyber-criminals reentering the network. Originally, the attackers compromised the oil and gas manufacturer's network by brute-forcing the credentials of an employee. The threat actors tried to use the credentials again, but discovered the employee's password had expired.
Undaunted, they brute-forced the password again and used it to log into the company's network via Citrix. Unfortunately, the organization had not implemented two-factor authentication for employees logging in, via Citrix, despite the recommendations of the IR team to implement two-factor authentication.
As a result, the threat actors spent a week working to gain access to the Domain Controller, which would give them access to the credentials of all the company's employees and ultimately any system in the network. To gain access to the Domain Controller, they used a legacy Service Account credentials stolen from another server in the company's environment. Once the hackers established access, they compromised the credentials of every employee in the organization, forcing the IR team to reset the accounts of the entire workforce.
Less than three weeks after being evicted from the company's IT environment, the attackers placed a web shell on the company's Citrix server so as to steal credentials for that server. Although they succeeded in obtaining those credentials, the IR team took the system offline and blocked them from doing further damage. All totaled, the attackers entered the environment 10 different times over the course of a month. Each time, one access point was remediated, the threat actors found another one. The victim learned the importance of not relying solely on prevention and building a detection and response capability.
In all of these cases, the cyber attackers had cyber-espionage in mind. Corporate secrets are worth their weight in gold, and persistent threat actors are not going to give up the chance to get their hands on them. When persistent attackers are at work, re-entry attempts are a virtual certainty. It is critical, for that reason, to find the initial access point before conducting an eviction whenever possible. If the initial attack vector cannot be found, organizations should be highly vigilant and remain on guard for another attempt, by the cyber hackers, to re-enter their network. By focusing on detecting the threat actors' behavior, and not just IP addresses and other static indicators, organizations can keep a watchful eye out for adversaries – whether they are breaking in for the first time or for the 10th.