
Threat Intel Report Q1 2021

Alsid breaks the dynamics of most modern threats to enterprises by preventing attacks from spreading internally.


A security gap that has received too little attention from our industry, and far too much from hackers

Top 5 attack trends, Q1 2021

  • Initial compromise
  • Kill chain holding
  • Huge orgs breached
  • US Government involvement
  • Initial breach was long ago

1. Initial compromise

The initial entry point of a breach is becoming less predictable: a workstation, a third-party service, a server… nearly any device or technology can be the first thing compromised.

Workstations

Attackers go after the weakest link to find their way in. Phishing is still the most prolific technique, because end users still open attachments and links from senders they do not know.

Services

The SolarWinds/Orion breach, one of the largest on record, proved that a trusted third-party service is another way in: an organization can be compromised through software it installed deliberately.

Servers

Although it is also a service, the Microsoft Exchange Server incident shows that a server running a particular application can itself be the first compromised device and the entry point into the organization.

  • Reality: ANYTHING connected to the network, even a thermostat or a smartwatch, can be the initial entry point for an attacker.
  • Reality: there are so many entry points that securing all of them is nearly impossible.
  • Reality: IT needs to protect every entry point, but the attacker only needs to compromise one.

2. Kill chain holding

No matter where the attacker enters, the kill chain continues to be the process they follow to get to the data.

Initial entry points

It is no surprise that attackers go after the lowest-hanging fruit to gain entry to a network. In most organizations that fruit might as well be lying on the ground: end users and legacy applications and services.

Local privileges

Regardless of how many AV and EDR products sit on an endpoint, attackers keep finding ways around them to obtain local administrator rights. Those rights let the attacker install tooling, harvest credentials cached on the host, and start enumerating the network.

Enumeration

With a foothold and the read access that any authenticated domain account has to most of the directory by default, the attacker gathers everything AD will tell them. This includes users, groups, GPOs, ACLs, trusts, privileged accounts and their group nesting: nearly everything, without needing a single elevated right.

Lateral movement

Credential harvesting from one computer is good, but from as many as possible is better. Attackers will take credentials from the initial device and use them to move to other devices, collecting more and more credentials each time.

Privilege escalation

There are many ways to escalate privileges:

  • Harvest privileged account credentials from compromised hosts
  • Elevate privileges via settings, for example misconfigured ACLs, GPOs or delegation
  • Exploit built-in processes and services
  • Crack harvested password hashes or service tickets offline

The goal is domain domination: full control of Active Directory itself.
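The ACL path in "elevate privileges via settings" is the one most worth checking, because it needs no exploit at all: a single ACE that grants GenericAll, WriteDACL, WriteOwner, WriteProperty on a group's member attribute, or the directory replication extended rights to an ordinary principal is a complete escalation on its own. The script below is an added example, not Alsid's code or tooling. It parses a DACL written in SDDL (the form the Sddl property of a Get-Acl result uses, and the form nTSecurityDescriptor dumps are commonly rendered in) and flags such ACEs. The sample SDDL strings, the function names and the list of principals treated as legitimately privileged are constructed assumptions; the rights codes, bit values, SID aliases and object GUIDs are the documented Windows and AD values.

```python
"""Triage an Active Directory DACL (SDDL form) for ACEs that let a
low-privileged principal take control of the object.
Added example with constructed SDDL strings; not Alsid's code."""
import re

# SDDL two-letter rights codes -> bits in the AD access mask.
RIGHTS = {
    "GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
    "WD": 0x00040000,  # WRITE_DAC: rewrite the DACL itself
    "WO": 0x00080000,  # WRITE_OWNER: take ownership, then rewrite the DACL
    "RC": 0x00020000, "SD": 0x00010000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010,
    "WP": 0x00000020,  # DS_WRITE_PROP: e.g. write 'member' on a group
    "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,  # DS_CONTROL_ACCESS: extended rights such as DCSync
}
# Rights that hand control of the object to whoever holds them.
TAKEOVER = (RIGHTS["GA"] | RIGHTS["GW"] | RIGHTS["WD"] | RIGHTS["WO"]
            | RIGHTS["WP"] | RIGHTS["CR"])
# Object GUIDs that make an otherwise narrow WP/CR grant dangerous.
KNOWN_GUIDS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "member attribute",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Principals expected to hold control rights (assumed baseline): Domain,
# Enterprise and Schema Admins, Builtin Administrators, Local System.
PRIVILEGED_ALIASES = {"DA", "EA", "SA", "BA", "SY"}
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}
PRIVILEGED_SIDS = {"S-1-5-18", "S-1-5-32-544"}


def parse_rights(field: str) -> int:
    """Turn 'RPWPCR...' or '0x000f01ff' into an access-mask integer."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights string: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def is_privileged(sid: str) -> bool:
    if sid in PRIVILEGED_ALIASES or sid in PRIVILEGED_SIDS:
        return True
    if sid.startswith("S-1-5-21-"):           # domain SID: decide by RID
        return int(sid.rsplit("-", 1)[1]) in PRIVILEGED_RIDS
    return False


def dacl_aces(sddl: str) -> list:
    """Split the D: section into ACE field lists (type;flags;rights;guid;inherit;sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", m.group(1))]


def find_risky_aces(sddl: str) -> list:
    findings = []
    for fields in dacl_aces(sddl):
        if len(fields) < 6:
            continue                           # malformed ACE, skip
        ace_type, _flags, rights, obj_guid, _inh, sid = fields[:6]
        if ace_type not in ("A", "OA"):
            continue                           # deny and audit ACEs grant nothing
        granted = parse_rights(rights) & TAKEOVER
        if not granted or is_privileged(sid):
            continue
        guid = obj_guid.lower()
        # GA/GW/WD/WO are never property-scoped; WP/CR only matter on the whole
        # object or on a known-sensitive attribute / extended right.
        broad = granted & (RIGHTS["GA"] | RIGHTS["GW"] | RIGHTS["WD"] | RIGHTS["WO"])
        findings.append({
            "principal": sid,
            "rights": [c for c, bit in RIGHTS.items() if granted & bit],
            "scope": "whole object" if not guid else KNOWN_GUIDS.get(guid, guid),
            "severity": "high" if (not guid or broad or guid in KNOWN_GUIDS) else "review",
        })
    return findings


# Constructed samples: a group whose 'member' attribute is writable by an
# ordinary domain account (RID 1105), and a domain head that grants the DCSync
# replication rights to Domain Users.
GROUP_DACL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
              "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;"
              "S-1-5-21-1000000000-2000000000-3000000000-1105)")
DOMAIN_DACL = ("O:DAG:DAD:PAI(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DU)"
               "(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DU)"
               "(A;;GA;;;SY)(D;;GA;;;DU)")

if __name__ == "__main__":
    for name, sddl in (("group", GROUP_DACL), ("domain", DOMAIN_DACL)):
        for finding in find_risky_aces(sddl):
            print(name, finding)
```

Deny ACEs are skipped rather than subtracted, so the script over-reports when a later deny cancels an earlier allow; that is the right failure direction for triage, but a real ACL evaluator must apply the canonical ordering. Property-scoped grants on GUIDs the table does not know come back as "review" instead of "high", because WriteProperty on a harmless attribute is not a takeover.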

Backdoors

Attackers don’t want to be caught or denied access once they are in. To ensure there are many ways back into the network, backdoors are created so it is nearly impossible to find them all during forensics, threat hunting, and investigations.

3. Huge orgs breached

Revenue and company size are not proving to help organizations secure their environments.

US Government

  • SolarWinds/Orion supply-chain compromise
  • Weak password (“solarwinds123”) in use
  • Lateral movement
  • Persistence established
  • Breach known ONLY because of FireEye’s alert
  • The federal “Einstein” IDS failed to detect it

Nissan

  • admin/admin credentials on a server
  • 20 GB of source code stolen
  • Most likely did not detect the breach themselves, but were “tipped” that they had been breached

Whirlpool

  • Nefilim ransomware attack
  • Citrix exploit used for entry
  • Weak passwords
  • Stolen files published by the attackers
  • Company stated it recovered everything, and quickly

Acer

  • REvil breach
  • $50,000,000 ransom demand
  • Entry possibly via an Exchange vulnerability
  • Company declined to call it ransomware
  • Described only as “recent abnormal situations observed”

Qualys

  • Clop breach
  • Extortion campaign
  • Accellion FTA exploit (SQL injection)

Malwarebytes

  • Same actor as the SolarWinds hackers, but not via the SolarWinds breach
  • Breached Microsoft 365 and Azure tenants
  • Attackers also targeted admin and service credentials

4. US Government involvement

FireEye, SolarWinds, Microsoft and CrowdStrike all went to Capitol Hill to give testimony and provide insight into the SolarWinds breach.

Microsoft

  • President Brad Smith
  • Stated Russia was the only source
  • Attacks have only begun
  • “movement was not due to programming errors on Microsoft’s part but on poor configurations and other controls on the customer’s part”

FireEye

  • CEO Kevin Mandia
  • Company found the breach
  • Alerted US Govt and others

CrowdStrike

  • CEO George Kurtz
  • “consistent with espionage out of Russia”
  • “blame on Microsoft for its complicated architecture, which he called ‘antiquated.’”

More context

  • Urged President Biden to nominate officials to lead federal cybersecurity policy
  • Former President Trump had fired then-CISA Director Christopher Krebs in November
  • “We have more work to do to fully secure our network against future attacks”
  • Review output from tools that monitor and alert on file and directory integrity
  • Employ vulnerability scanners against all externally facing and internal systems
  • Adopt the MITRE ATT&CK framework to map attacker behavior

5. Initial breach was long ago

More and more details are coming out about how long attackers were inside before the breach was discovered.

“Recently, the SolarWinds attack illustrated how advanced persistent threat actors can remain hidden in a network for long periods of time undetected. With time, opportunity and investment on their side, threat actors have dug deep into organizations in attempts to stay hidden and further advance their goals.”

TechTarget

Backdoors

  • Installed code
  • New admin accounts
  • New service
  • New scheduled task
  • Registry entries
  • Modified user accounts

Hide from detection

  • Living off the land
    • Use legitimate software already present
    • LOLBins (signed Windows binaries abused for execution)
    • PuTTY suite
    • PowerShell
  • Virtual machines, to keep tooling off the monitored host
  • Disable detection tooling
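Both lists above, the backdoor artefacts and the living-off-the-land tradecraft, can be turned into hunting logic over the event log. The script below is an added example, not Alsid's code: it takes a batch of constructed Windows events, already normalised into flat dicts, and correlates account creation (Security 4720) with additions to privileged groups (4728/4732/4756), checks new services (System 7045) for images outside trusted paths, and checks new scheduled tasks (4698) for LOLBin use or encoded PowerShell. The field names, the 24-hour fresh-account window, the privileged-group set and the LOLBin list are assumptions for the example.

```python
"""Hunt a batch of Windows events for new admin accounts, new services and
new scheduled tasks that look like backdoors, plus LOLBin use.
Added example, not Alsid's code; event records are constructed."""
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins",
                     "schema admins", "account operators", "backup operators",
                     "server operators", "dnsadmins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal group
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"-e(nc|ncodedcommand)?\b|downloadstring|frombase64string|-w(indowstyle)?\s+hidden",
    re.I)
FRESH_ACCOUNT_WINDOW = timedelta(hours=24)   # assumed correlation window


def executable(cmdline: str) -> str:
    """Program path from a service ImagePath or a task command line."""
    s = re.sub(r"%systemroot%", lambda _: "C:\\Windows", cmdline.strip(), flags=re.I)
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    # Unquoted: first whitespace token (an unquoted path with spaces is a
    # weakness in its own right, so it is deliberately treated literally).
    return s.split(None, 1)[0] if s else ""


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def detect(events: list) -> list:
    """Return alerts in time order; each names the rule and its evidence."""
    alerts, created = [], {}            # created: account -> time of its 4720
    for ev in sorted(events, key=_when):
        eid = ev["id"]
        if eid == 4720:
            created[ev["target"].lower()] = _when(ev)
        elif eid in GROUP_ADD_EVENTS and ev["group"].lower() in PRIVILEGED_GROUPS:
            born = created.get(ev["target"].lower())
            # An account created and made privileged within a day is the
            # classic backdoor pattern, so it is called out separately.
            alerts.append({"rule": "privileged_group_add", "subject": ev["target"],
                           "group": ev["group"], "actor": ev["actor"],
                           "fresh_account": born is not None
                           and _when(ev) - born <= FRESH_ACCOUNT_WINDOW})
        elif eid == 7045:
            exe = executable(ev["image"])
            if not exe.lower().startswith(TRUSTED_ROOTS):
                alerts.append({"rule": "service_untrusted_path",
                               "subject": ev["service"], "image": exe})
        elif eid == 4698:
            name = executable(ev["command"]).lower().rsplit("\\", 1)[-1]
            if name in LOLBINS or SUSPICIOUS_ARGS.search(ev["command"]):
                alerts.append({"rule": "scheduled_task_lolbin", "subject": ev["task"],
                               "actor": ev["actor"], "command": ev["command"]})
    return alerts


# Constructed, normalised events (encoded payload elided as AAAA).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2021-03-02T01:12:03", "actor": "svc_backup", "target": "helpdesk2"},
    {"id": 4728, "time": "2021-03-02T01:12:41", "actor": "svc_backup", "target": "helpdesk2",
     "group": "Domain Admins"},
    {"id": 4732, "time": "2021-03-02T09:30:00", "actor": "hr_admin", "target": "jdoe",
     "group": "Remote Desktop Users"},
    {"id": 4728, "time": "2021-03-03T15:02:10", "actor": "da_ops", "target": "ops_lead",
     "group": "Domain Admins"},
    {"id": 7045, "time": "2021-03-02T01:15:22", "service": "WinDefendUpd",
     "image": "C:\\Users\\Public\\wdupd.exe"},
    {"id": 7045, "time": "2021-03-02T10:00:00", "service": "Spooler",
     "image": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"id": 4698, "time": "2021-03-02T01:16:05", "actor": "svc_backup",
     "task": "\\Microsoft\\Windows\\Wininet\\CacheSync",
     "command": "powershell.exe -nop -w hidden -enc AAAA"},
    {"id": 4698, "time": "2021-03-02T11:00:00", "actor": "svc_patch", "task": "\\Corp\\Patch",
     "command": "\"C:\\Program Files\\Corp\\patch.exe\" /quiet"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample the three alerts from the first hour all come from the same actor, svc_backup, within four minutes: a created account, a Domain Admins membership and a task that launches hidden, encoded PowerShell. Sorting by time before applying the rules is what makes that clustering visible; the unrelated ops_lead addition a day later still fires, because a privileged group change is always worth a ticket, but without the fresh-account flag.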

Recovery?

  • Costly to investigate and threat hunt
  • Never 100% confident that every backdoor is closed
  • Backups taken during the dwell time will most likely contain the backdoors too

SolarWinds lessons

Supply chain

  • Gives a vendor access into the organization that the organization does not control
  • Security needs to be consistent everywhere, including at suppliers
  • Security is only as good as the weakest link

Running with elevated privileges

  • Attackers want privileges above all else
  • Services and applications whose service accounts must run with privileges are attack vectors
  • A compromised privileged service account exposes the entire environment immediately, with little or no further work

Attackers are patient

  • “After an initial dormant period of up to two weeks”
  • “After a dormant period of up to two weeks”
  • “The sample will delay for random intervals between the generation of domains”
  • “The HTTP thread will delay for a minimum of 1 minute between callouts”

Privileges are needed

“Attempt to steal and abuse the identities and credentials of employees or authorized third parties.”

Use these legitimate credentials to move laterally and vertically through the network, looking for high-value targets or to establish persistence. Because attackers appear to be “authorized” users, organizations have a hard time detecting their presence.

Target privileged account credentials that provide special access to systems or abilities that reach beyond those of a typical user – and work to escalate these privileges until they reach the confidential information they intend to steal or services they wish to disrupt.

Active Directory holds the “Keys to the Kingdom”.

“The backdoor also determines if the system is joined to an Active Directory (AD) domain and, if so, retrieves the domain name. Execution ceases if the system is not joined to an AD domain.”

FireEye

