Threat Intel Report Q1 2021

Alsid breaks the dynamics of most modern threats to enterprises by preventing attacks from spreading internally.
Lateral Movement + Privilege Escalation
A comprehensive approach
Mitigate existing threats
Immediately discover, map, and score existing weaknesses
Follow our step-by-step remediation tactics and prevent attacks
AD admins, blue teams, and auditors
Maintain hardened security
Continuously identify new vulnerabilities and misconfigurations
Break attack pathways and keep your threat exposure in check
AD admins and SOC analysts
Detect advanced attacks in real time
Get alerts and actionable remediation plans on AD attacks
Help your SOC team visualize notifications & alerts in your SIEM
Incident responders and SOC analysts
Investigate incidents and hunt for threats
Search and correlate AD changes at object and attribute levels
Trigger response playbooks in your SOAR
Incident responders and threat hunters

Top 5 attack trends
Q1 2021
Initial compromise
Kill chain holding
Huge orgs breached
US Government involvement
Initial breach was long ago
1. Initial compromise
The initial entry point for a breach is becoming increasingly variable: a workstation, a service, a server… nearly any device or technology.
Workstations
Attackers go after the weakest link to find their way in. Phishing attacks are still proving to be the most prolific, as end users still have not learned that they should not open attachments from people they don’t know.
Services
The SolarWinds/Orion breach, the largest in history, proved that there is more than one way into an organization’s network.
Servers
Although Exchange is a service, the Microsoft Exchange Server incident is proving that servers running certain applications or services can be the entry point into the organization, as the first device compromised.
- Reality is that ANYTHING connected to the network, even a thermostat or smartwatch, could be used as the initial entry point for an attacker.
- Reality is that there are “so many entry points”, it is [nearly] impossible to secure them all.
- Reality is IT needs to protect all entry points, but the attacker only needs to compromise one.
2. Kill chain holding
No matter where the attacker enters, the kill chain continues to be the process they follow to get to the data.
Initial entry points
It is no surprise that attackers go after the lowest hanging fruit to gain entry to a network. In most organizations the fruit might as well be lying on the ground: end users and legacy apps/services.
Local privileges
Regardless of how many AV and EDR solutions are on an endpoint, attackers have found ways around them to gain local privileges. Local privileges allow the attacker to install applications, which are used to enumerate the network.
Enumeration
With local privileges and read access to AD, the attacker gathers all possible information from AD. This includes details about users, groups, GPOs, ACLs, trusts, privileged accounts—nearly everything.
Lateral movement
Credential harvesting from one computer is good, but from as many as possible is better. Attackers will take credentials from the initial device and use them to move to other devices, collecting more and more credentials each time.
Privilege escalation
There are many ways to escalate privileges:
- Harvest privileged account credentials
- Elevate privileges via settings
- Exploit built-in processes
- Hack accounts offline
The goal is to gain domain domination.
Backdoors
Attackers don’t want to be caught or denied access once they are in. To ensure there are many ways back into the network, they create backdoors, so that it is nearly impossible to find them all during forensics, threat hunting, and investigations.
3. Huge orgs breached
Revenue and company size are not proving to help organizations secure their environments.
US Government
- SolarWinds/Orion
- Password – “solarwinds123”
- Lateral movement
- Establish persistence
- ONLY knew due to FireEye alert
- IDS “Einstein” failed to detect
Nissan
- admin/admin credentials on server
- 20 GB of source code stolen
- Most likely did not detect, rather were “tipped” that they were breached
Whirlpool
- Nefilim ransomware attack
- Citrix exploit
- Weak passwords
- Published files
- Posted they recovered everything and quickly
Acer
- REvil breach
- $50,000,000 ransom
- Might be Exchange vulnerability
- Denied calling it ransomware
- “reported recent abnormal situations observed”
Qualys
- Clop breach
- Extortion campaign
- SQL injection attack
- Accellion FTA exploit
Malwarebytes
- SolarWinds hackers (but not SolarWinds breach)
- Breached Microsoft 365 and Azure
- Attackers also targeted admin and service credentials
4. US Government involvement
FireEye, SolarWinds, Microsoft all go to the “Hill” to give testimony and provide insights into the SolarWinds breach.
Microsoft
- President Brad Smith
- Stated Russia is only source
- Attacks have only begun
- “movement was not due to programming errors on Microsoft’s part but on poor configurations and other controls on the customer’s part”
FireEye
- CEO Kevin Mandia
- Company found the breach
- Alerted US Govt and others
CrowdStrike
- CEO George Kurtz
- “consistent with espionage out of Russia”
- “blame on Microsoft for its complicated architecture, which he called ‘antiquated.’”
More context
- Urged President Biden to nominate officials to lead federal cybersecurity policy
- Former President Trump fired then-Director Christopher Krebs in November
- We have more work to do to fully secure our network against future attacks
- Review output from tools that monitor and alert on file and directory integrity
- Employ vulnerability scanners against all externally-facing systems and internal systems
- Implement MITRE framework
5. Initial breach was long ago
More and more details are coming out regarding how long ago initial breaches occurred compared to when they were discovered.
“Recently, the SolarWinds attack illustrated how advanced persistent threat actors can remain hidden in a network for long periods of time undetected. With time, opportunity and investment on their side, threat actors have dug deep into organizations in attempts to stay hidden and further advance their goals.”
TechTarget
Backdoors
- Installed code
- New admin accounts
- New service
- New scheduled task
- Registry entries
- Modified user accounts
Hide from detection
- Live off land
- Use legitimate software
- LOLBins
- PuTTY suite
- PowerShell
- VMs
- Disable detection
Recovery?
- Costly to investigate and threat hunt
- Not 100% confident all backdoors are closed
- Most backups will be infected
SolarWinds
Lessons
Supply chain
- Provides access into the organization that the organization does not control
- Consistent security needs to be everywhere
- Security is only as good as the weakest link
Running with elevated privileges
- Attackers love and want privileges
- Services and applications that require service accounts to run with privileges are attack vectors
- Immediately exposes the entire environment to the attacker, with little to no work
Attackers are patient
- “After an initial dormant period of up to two weeks”
- “After a dormant period of up to two weeks”
- “The sample will delay for random intervals between the generation of domains”
- “The HTTP thread will delay for a minimum of 1 minute between callouts”
Privileges are needed
“Attempt to steal and abuse the identities and credentials of employees or authorized third parties.”
Use these legitimate credentials to move laterally and vertically through the network, looking for high-value targets or to establish persistence. Because attackers appear to be “authorized” users, organizations have a hard time detecting their presence.
Target privileged account credentials that provide special access to systems or abilities that reach beyond those of a typical user – and work to escalate these privileges until they reach the confidential information they intend to steal or services they wish to disrupt.
Active Directory holds the “Keys to the Kingdom”.
“The backdoor also determines if the system is joined to an Active Directory (AD) domain and, if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain.”
FireEye
Attack examples
- Hackney Council (ransomware): Cyber attack: Hackers post Hackney Council’s ‘stolen documents’ – BBC News
- Nissan NA (weak privileged credentials): Nissan NA source code leaked due to default admin:admin credentials (bleepingcomputer.com)
- Capitol Building breach (physical breach): Capitol attack’s cybersecurity fallout: Stolen laptops, lost data and possible espionage | ZDNet (ampproject.org)
- Scottish Environment Protection Agency (ransomware): Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency | ZDNet (ampproject.org)
Our solutions
Provide field-tested products with a seamless end-to-end user experience
Break the dynamics of most modern threats to enterprises by preventing attacks from spreading internally
A technical expertise recognized and awarded worldwide