This article is part of a series about APT campaigns. The other topics covered in this series are reconnaissance, exploitation and installation, command and control, and exfiltration.
In part two of a series on understanding the processes and tools behind an APT-based incident, CSO examines the weaponization and delivery aspect of an attacker's campaign. This is where the serious work begins, and marks the first hurdle an attacker needs to overcome.
As mentioned earlier in the series, it's important to remember that the difference between a targeted APT-based incident and a garden variety cyberattack is intent, or the overall objectives of the person(s) behind it, but not the tools, tactics, or procedures used.
This is also the stage where generic attacks and targeted attacks diverge. As mentioned previously, generic attacks rely on volume, so attackers will send the same link or the same malware hundreds, or even thousands, of times. The process is automated in most cases, as attackers use bots or Web-based scripts to push the attack forward. If they hit a large enough number of potential victims, they're likely to get a moderate level of success.
A targeted attack uses multiple links and various types of malware but keeps the numbers low, which lets the attackers operate quietly. Generic campaigns are noisy, and thus easily detected and stopped, which is why volume matters so much to them: most of the time, their messages never reach the final destination.
Staging the attack
Previously, CSO covered the topic of reconnaissance, where the attacker will gather as much data as possible on their target. This collected data will play an important role in the weaponization and delivery phase, as the person(s) behind the attack will now have a solid base of information to work from, enabling them to design and develop a malicious payload and choose the best method for delivering it.
For example, metadata from public documents can reveal which platform to attack, such as Adobe, Windows, OS X, Microsoft Office formats, Java, or other specialized software, such as drafting or design packages (e.g., Autodesk, Solid Edge, or MecSoft). Once they have a good idea of the platform and person(s) to target, the attacker can create an attack using a new and unique approach (e.g., leveraging a previously unknown vulnerability, a Zero-Day), or they may take the more common route and use an exploit kit to target a wide range of flaws on various platforms.
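To make the metadata point concrete, here is an added example (not code from the CSO article) that pulls the application, version, company and author fields out of an Office Open XML document, the same fields an attacker reads from a report downloaded off a target's website to decide which Office version to build a malicious document for. The .docx is constructed in memory with made-up values so the script runs offline.

```python
"""Extract platform-revealing metadata from a public Office document.

Added example, not code from the CSO article. The .docx is built in memory
from constructed metadata so the script runs offline; the application,
version, company and author strings are made up for illustration.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by the Office Open XML property parts.
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"

# Office major versions as recorded in <AppVersion>; Microsoft skipped 13.
OFFICE_VERSIONS = {
    "12": "Office 2007",
    "14": "Office 2010",
    "15": "Office 2013",
    "16": "Office 2016 or later",
}


def build_sample_docx() -> bytes:
    """Constructed stand-in for a report downloaded from a target's website."""
    app_xml = (
        f'<Properties xmlns="{NS_APP}">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>14.0000</AppVersion>"
        "<Company>Example Corp</Company>"
        "</Properties>"
    )
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/app.xml", app_xml)
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", "<w:document/>")  # body is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the property fields an attacker cares about; missing parts are skipped."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company"):
                el = app.find(f"{{{NS_APP}}}{tag}")
                if el is not None and el.text:
                    meta[tag] = el.text.strip()
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for key, path in (("creator", f"{{{NS_DC}}}creator"),
                              ("lastModifiedBy", f"{{{NS_CORE}}}lastModifiedBy")):
                el = core.find(path)
                if el is not None and el.text:
                    meta[key] = el.text.strip()
    return meta


def infer_platform(meta: dict) -> str:
    """Map Application/AppVersion to the product version an exploit would be built for."""
    app = meta.get("Application", "")
    major = meta.get("AppVersion", "").split(".")[0]
    if "Word" in app and major in OFFICE_VERSIONS:
        return f"Microsoft Word ({OFFICE_VERSIONS[major]})"
    return "unknown"


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    print(meta)
    print("likely target platform:", infer_platform(meta))
```

The defensive takeaway is the mirror image: strip docProps before publishing documents, because an author name plus an exact Office build is most of what a spear-phishing operator needs.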
When it comes to crime kits, there are plenty of them available for a rather low cost, and custom modules or features can be added after the fact. They can be hosted anywhere, but attackers usually go for hosting them on legitimate domains with a solid reputation, creating what's called a drive-by download attack.
Watering hole attacks work two ways for the most part. One way is to direct the person(s) being targeted to the attacker's exploit kit via Phishing emails. In September, a newly disclosed Zero-Day vulnerability in Internet Explorer was used by criminals in this exact fashion.
Another way a watering hole attack works is by targeting a shared resource. This resource often has a legitimate reason to exist, has value to the person(s) being targeted, and a solid reputation. Rather than targeting a person(s) directly, the attacker will compromise a site that they're sure to visit and wait for them (or others like them) to become infected.
An example of such an attack happened in February 2013. At the time, a popular iOS developers forum was compromised, and a Java Zero-Day was used to infect visitors, including employees with access to projects and other information at Facebook, Twitter, Apple, and possibly Microsoft. Making matters worse were the signs that employees at several other technology firms were also targeted by the attack.
With that said, it's important to understand the difference between a watering hole and a drive-by download attack. A drive-by download can be used to stage and initiate generic attacks, but it's loud and noticeable; a watering hole is more often observed during focused campaigns, because it's not as noisy.
"Drive-by relies on compromising a legit host, solid reputation and lots of visitors, but without any logical relationship to any particular victim. Watering Hole is a server selected for its relevance and may be low visitor volume and relatively unknown reputation, as long as it fits the requirement of being attractive to the prey," explained Rik Ferguson, the VP Security Research at Trend Micro, who helped CSO during the creation of this series.
As mentioned, Zero-Day vulnerabilities are used by attackers, but not always. When Zero-Days are used, the main reason is the increased probability that the attacker's goals are met. These goals could be installs for a Pay-Per-Install malware campaign, information theft, botnet building, or espionage. However, it's faster and easier to leverage existing exploits rather than Zero-Days, because organizations and home users regularly fail to patch their systems and third-party software (e.g., Java and Adobe).
Weak patching practices allow known vulnerabilities to be rotated and used for weeks or months after a patch has been released. Should the exploits no longer yield results, the attacker(s) behind the campaign will discard them and move on to other ones.
Looking back at the reconnaissance phase, there are other bits of information that may open a secondary attack surface. Assuming the attacker discovered a flaw in the website of a trusted business partner, or worse, a flaw on the target's own domain, the delivery aspect of the campaign has become easier, as the attacker(s) can launch both types of watering hole campaign from a single, trusted resource that will command the victim's attention. In this situation, common flaws such as SQL Injection, Cross-Site Scripting (XSS), and Local or Remote File Includes are the usual points of entry, but default or flawed server configurations can also open the door.
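Two of the flaws named above, each shown beside its fix, as an added example that is not code from the CSO article. The users table and the page directory are constructed (an in-memory SQLite database and a temp dir), and the table, column and file names are made up for illustration; XSS is not shown here.

```python
"""SQL injection and local file include, vulnerable form beside fixed form.

Added example, not code from the CSO article. The database and page
directory are constructed so the script runs offline; table, column and
file names are made up for illustration.
"""
import sqlite3
import tempfile
from pathlib import Path


# --- SQL injection -----------------------------------------------------------

def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for a CMS or partner-portal login."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user: str, pw: str) -> bool:
    # Attacker input is pasted straight into the SQL text.
    query = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, user: str, pw: str) -> bool:
    # Parameterised query: user input can only ever be a value, never SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchone() is not None


# --- Local file include / path traversal ------------------------------------

def make_site() -> Path:
    """Constructed web root: a pages/ directory plus a config file outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "pages" / "about.html").write_text("<h1>About us</h1>")
    (root / "config.ini").write_text("db_password=changeme")
    return root / "pages"


def include_vulnerable(pages: Path, name: str) -> str:
    # '../config.ini' walks out of pages/ because the name is used as-is.
    return (pages / name).read_text()


def include_fixed(pages: Path, name: str) -> str:
    # Resolve symlinks and '..', then insist the file sits directly in pages/
    # and is one of the page types we actually serve.
    base = pages.resolve()
    target = (base / name).resolve()
    if target.parent != base or target.suffix != ".html":
        raise ValueError(f"refusing to include {name!r}")
    return target.read_text()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1' --"   # closes the quoted name, adds a true clause, comments out the rest
    print("vulnerable login bypassed:", login_vulnerable(db, payload, "x"))
    print("fixed login bypassed:     ", login_fixed(db, payload, "x"))

    pages = make_site()
    print("vulnerable include leaks:", include_vulnerable(pages, "../config.ini"))
    try:
        include_fixed(pages, "../config.ini")
    except ValueError as err:
        print("fixed include:", err)
```

Either flaw is enough to let an attacker plant an exploit-kit loader on the trusted site: the injection bypasses the CMS login, and the file include reads the database credentials that make the same thing possible by another route.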
Furthermore, attackers will focus their energies on low-hanging fruit, so vulnerable applications created in-house, or third-party scripts added to a company blog or intranet, can also be used to stage an attack. Finally, if the CMS or hosting platform used by the target is outdated or unpatched, that too becomes an attack surface that's easily compromised. This situation leads to what's called Ice Phishing, which is where a legitimate URL that belongs to a company is used to stage an attack. This is highly problematic, because the intended victim(s) will automatically trust the source out of habit.
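A defender-side check for the staging described in this section, as an added example that is not code from the CSO article: once a trusted site, CMS or blog is compromised, the usual sign is an injected hidden iframe or a script tag pulling from a domain the site never used before. The two HTML samples are constructed (a clean page and the same page after compromise) and the hostnames are made up for illustration.

```python
"""Flag injected iframes and third-party scripts in a site's own pages.

Added example, not code from the CSO article. The two HTML samples are
constructed and the hostnames are made up for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectScanner(HTMLParser):
    """Collect (finding, src) pairs for resources a clean page should not load."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)   # hosts the site legitimately loads from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname      # None for relative URLs
        foreign = host is not None and host not in self.own_hosts

        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                # Invisible frames are the classic exploit-kit gate; flag them
                # regardless of where they point.
                self.findings.append(("hidden-iframe", src))
            elif foreign:
                self.findings.append(("external-iframe", src))
        elif tag == "script" and foreign:
            self.findings.append(("external-script", src))


def find_injected(html: str, own_hosts) -> list:
    """Return the list of suspicious resources found in one page."""
    scanner = InjectScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


OWN_HOSTS = ["www.example.com", "cdn.example.com"]   # assumed allowlist

# Constructed: what the site's own page looks like.
CLEAN_PAGE = """
<html><head><script src="https://cdn.example.com/app.js"></script></head>
<body><h1>Developer forum</h1><script src="/js/forum.js"></script></body></html>
"""

# Constructed: the same page after compromise, with an injected exploit-kit gate.
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://gate.exploit-kit.invalid/in.php" width="0" height="0" '
    'style="display: none"></iframe>'
    '<script src="//stats.tracker.invalid/c.js"></script></body>',
)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, find_injected(page, OWN_HOSTS))
```

Run this against a crawl of your own site from outside the network, not from the web server itself: some injected loaders are served only to visitors whose User-Agent or referer looks like a real browser, which is exactly why a watering hole can sit unnoticed on a low-traffic page.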
Selecting the targets
Once the attacker has identified an attack vector, which includes both the vulnerable platform and the type of attack, they'll need to pick a victim. In many cases, the victim is already established. But sometimes, the victim doesn't matter, as the attacker will target as many people as possible in order to increase their odds of success (e.g., Phishing vs. Spear Phishing or watering hole attacks). Assuming the victim hasn't already been selected, but matters, and the overall target is a single organization, then the data from the reconnaissance phase once again becomes useful.
Keeping in mind that criminals target the low-hanging fruit first, the people within the organization that are likely to be singled out are the helpdesk staff, or those serving in a supportive role, which can include customer service representatives or administrative assistants. The logic behind these choices centers on their access and reach to others within the targeted organization, or to a specific person.
When these people are profiled against the data collected during reconnaissance (what software or hardware they use and any known vulnerabilities in it; social profiles and connections, including family or co-workers; published reports or other work; hobbies or other personal history), a workable picture emerges that can be leveraged to exploit trust and get the victim to do something, including opening the malicious attachment (or following the malicious link) that's about to be sent to them.
There are others likely to be targeted as well, and once again this is largely due to their access and reach within an organization.
- CEOs have access to almost everything on the network, and to everyone within the company. They're also likely to be found lacking when it comes to awareness training, or they will ignore it outright. Ask yourself, as an employee, if an urgent request, but one that wasn't unreasonable or out of context (such as checking a file), arrived via email from the CEO, would you comply or question it?
- CFOs are good for financial related data, but also good for access to human resources and other employees. Like the CEO, CFOs have a wide reach when it comes to access to the network and its resources.
- IT, which can be tough to target, isn't out of the equation either. IT is focused on helping people, and they have access to everyone and everything within the organization. That mission of helping is what makes them a prized target for criminals. The downside for the attacker is that using technical tricks against technical people isn't a foolproof plan. Criminals know this, so they select their IT targets wisely, starting with the helpdesk.
- When it comes to access to source code and development plans, QA and development teams are another target. Again, their nature is to help or assist, so they can be targeted just as easily as the helpdesk, and their access is rather wide.
- Finally, sales, marketing, and public relations teams are often targeted because they have access to the entire organization as well as product details and insider information.
Delivering the payloads
Once the payloads are established, the target(s) selected, and the goals for the campaign set, the attacker needs to set things in motion. While we've covered some of the delivery methods already, we'll recap them here with a bit more detail.