• United States




Modern APTs start at your corporate website

Jul 21, 20156 mins
Advanced Persistent ThreatsApplication SecurityCybercrime

There hasn’t been a day in recent months when the term “Advanced Persistence Threat” wasn’t making headlines in the media. According to ISACA APT Awareness Study, 93.6 per cent of respondents consider APTs to be a “very serious threat” for their companies.

However, many of the attacks referred to as APTs, or in an APT context like the one documented by FireEye, do not really fall under the ‘advanced’ category in terms of attackers’ sophistication. Public, though a very recent exploit, combined with phishing or newly registered domains are rather a “low-cost APT”, for which we should probably introduce the new term “LCAPT” or just “LAPT” in order to distinguish these from genuine APTs.

Genuine APT usually involves exclusive zero-day exploits, custom-made malware, complicated techniques of data exfiltration to bypass corporate IDS/DLP, and a preliminary compromise of several trusted third-parties of the victim. These attacks are extremely difficult or even impossible to detect. Cyber-mercenaries behind these attacks are not [only] Chinese army officers or Russian teenagers as many tend to think. They have legal, financial and banking industry experts, psychologists, and even ex-law enforcement officers amongst them. Business knowledge combined with advanced technical skills and the ability to fool law enforcement agencies by knowing their methodologies of work, make APT a very serious and costly problem.

Taking a closer look at the APT lifecycle will help to understand how APTs usually start. The very first step is to select the right approach to appropriate victims in the targeted company. Hackers perform very thorough due-diligence on their victims, carefully selecting those who have a necessary level of access to the data that they are looking for. APTs are different from other less sophisticated attacks by very well prepared attack scenarios that will work in 9 out of 10 cases.

Unfortunately, human psychology cannot be altered by security training and awareness alone, so people will always have their basic instincts dominating over acquired skills. We were recently assisting a medium-size insurance company that decided to outsource cybersecurity management to a third-party provider, cutting the majority of internal security jobs. Security people received a very well prepared [fake] email from the management about their future placement and dismissal compensations. Everyone, including senior security experts who have been in the industry for dozen of years, clicked on the included link.

Once the victims are properly selected and the attack scenario is ready, it’s time to deliver a zero-day exploit to execute arbitrary code on victim’s machine, install a backdoor and start invisible expansion to other machines in the local network. Different to all existing Bug Bounties, zero-day exploits can bring dozens or even hundreds of thousands of dollars to their creators. Usually, zero-days are outsourced to hacking teams specialized in exploit development. The most traded zero-days target vulnerabilities in client-side applications, such as browsers, Adobe Flash and Reader, or MS office.

One of the most important points is how to deliver the exploit and compromise the victim in such a way that both the victim and corporate security solutions won’t notice anything. Sometimes hackers start loud DDoS attacks or simple large-scale phishing attacks with known attack signatures that will flood corporate SIEM with messages and attract all of the attention. Therefore, if you are observing how well you have just blocked a large-scale intrusion to your network, also be sure to check that it’s not a smoke screen to hide an APT.

Usually, the exploit is delivered as an attachment to an email or as a link to website. Email attachments are becoming less used in APTs, hackers would rather send a legitimate URL which the victim will blindly and unquestionably trust, such your corporate website.

These days, companies have a great choice of advanced cybersecurity solutions to prevent, monitor and block network intrusions. According to PricewaterhouseCoopers The Global State of Information Security® Survey 2015, 49 per cent of respondents spend money on specialized solutions to prevent and block APTs. However, usually once a C-level manager is blocked and prevented from his daily work with a false-positive intrusion alert, all of these solutions are set into silent monitoring mode. Current business needs are much more important for the majority of top-level managers than potential security risks that they may theoretically face in the future.

Web traffic inspection is usually based on the monitoring of anomalies, known attacks and payloads patterns, reputation and history, and many other drive-by-download detection techniques. However, there are almost always a couple of websites and web applications that are whitelisted for business reasons. One of these is usually a corporate website, as people don’t expect their corporate portal to deliver malware and therefore, in order to reduce number of logs and work, just remove it from the monitoring scope. This is a great gift for hackers, as even a tiny stored XSS on your website enables attackers to deliver the exploit, compromise and backdoor the victim, and then go further into your network. All these factors make your corporate website a perfect vector to host the exploit.

Sometimes attackers won’t deliver their payload at the first click, they would rather reconfirm that the victim is using the “right” browser and OS version first, and then deliver the exploit with the second email and link.

We recently saw a more exciting case where no client-side exploits or malware were used at all. The victim company had a centralized access management of their corporate resources via a web system that grouped email, CRM, HRM and other business-critical applications. The company was recently acquired by a bigger competitor, and many employees were scared to lose their jobs. Hackers managed to compromise one of the subdomains of the corporate website that was hosted on a separate server and didn’t contain any sensitive information. Then they sent emails from the compromised web server asking employees to login into the website using their corporate credentials, and follow a step-by-step questionnaire that was supposed to define whose jobs were likely to be cut. Moreover, the website worked perfectly: employees were asked to answer a dozen credible questions (e.g. work experience, desire to stay, family status, etc), making people believe that it was a perfectly legitimate system. At the end of the questionnaire, every employee received a message that he or she would keep their job. Overflowing with positive emotions, nobody even thought that their password had just been stored in plaintext for further usage by the cybercriminals to access all their corporate data.

Tiny vulnerability in your corporate website or its subdomain may ruin all the efforts you take to protect your company from APTs. Therefore, when planning your annual cybersecurity budget, don’t forget about regular website security audits, otherwise all other spending may suddenly become useless. 


Ilia Kolochenko is a Swiss application security expert and entrepreneur. Ilia holds a BS (Hons.) in Mathematics and Computer Science, and is currently performing his Master of Legal Studies degree at Washington University in St. Louis.

Starting his career as a penetration tester, he later founded web security company High-Tech Bridge, headquartered in Geneva. Under his management, High-Tech Bridge won SC Awards Europe 2017 and was named a Gartner Cool Vendor 2017 among numerous other prestigious awards for innovation in application security and machine learning.

Ilia is a contributing writer for SC Magazine UK, Dark Reading and Forbes, mainly writing about cybercrime and application security. He is also a member of the Forbes Technology Council.

The opinions expressed in this blog are those of Ilia Kolochenko and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.