The next generation of APTs: Highly successful but surprisingly simple
The number and reach of cyber threats continues to grow, and while reports of increasing sophistication and complexity dominate the news, some of the most highly targeted attacks are surprisingly simple.
A new generation of Advanced Persistent Threats (APTs) is emerging around the world, and the key point of difference of these threats is that they aren't advanced so much as they are persistent, says Maya Horowitz, Check Point intelligence operations group manager.
“The new generation of APTs are a bit different,” she says. “They have the same targets that are APT worthy, like government, critical infrastructure, and financial organisations, but nowadays these attacks are not only done by NSA, China, and Russia, but are being outsourced to individuals, and smaller groups who have less financial skills and technical resources. They're still APTs, but I would leave the ‘A' out - they're not advanced.
The cyber criminals behind these attacks often target the weakest link - the individual - and are able to breach a company's security parameters using simple but persistent and overall effective methods.
Uncovering the next generation of APTs
Check Point has a threat intelligence group made up of 150 people including analysts, researchers and specialists. This group investigates threats, and uses the findings to educate organisations, update their products, and even stop cyber criminals in their tracks.
One example of a threat campaign Check Point was able to uncover was known as ‘volatile cedar', which Horowitz says was successful in breaching the security parameters of organisations, but was not very advanced at all.
The campaign, led by a persistent attacker group, penetrated a large number of targets including individuals, companies and institutions worldwide, using various attack techniques but most frequently a custom-made malware implant named Explosive.
In a report on the attack, Check Point wrote, “While many of the technical aspects of the threat are not considered ‘cutting edge', the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims' actions and rapidly responds to detection incidents.
Horowitz says the hackers used simple algorithms and methods to breach servers and find credentials. She says the malware itself was not sophisticated, but it was highly targeted and well-managed, and was active for around three years before it was taken down.
Check Point's research has enabled organisations to protect themselves against the attack and led to the cyber criminals behind volatile cedar abandoning the project.
Rocket Kitten is another example of this generation of APTs and has been investigated by organisations around the world, including Check Point.
In early 2014, an attacker group of Iranian origin began actively targeting people of interest with malware, supported by persistent spear phishing campaigns.
In a report on the campaign, Check Point writes, “Characterised by relatively unsophisticated technical merit and extensive use of spear phishing, the group targeted individuals and organisations in the Middle East (including targets inside Iran itself), as well as across Europe and in the United States.
Check Point was able to identify victims of this particular attack, and found those targeted included high ranking defence officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.
Check Point writes, “We believe the Rocket Kitten case is an interesting case study for the malware research industry, exemplifying a continuing trend in the nation-state attacker profile we have witnessed over the past two years; cyber-espionage is no-longer reserved to organisations with monstrous budgets to hire thousands of cyber-warriors, operate password-cracking super-computer clusters or advanced research to infect your hard-drive firmware. Adversaries will often find simpler ways for effective compromise, such as creative phishing and simple custom malware."
According to the company, Rocket Kitten highlights a recurring problem: minimal changes to existing malware often evade most current protection solutions, and effectively stopping attackers requires employee engagement as well as basic security measures.
So what can be done?
Horowitz says while this family of attacks are persistent and successful, the good news is they can be combated with a combination of technology and education.
She says, “The good news is that even with what we call APTs we can still protect ourselves, because now that we know about this volatile cedar, any anti-virus can block it.
Sandboxing solutions, anti-virus programmes, intrusion prevention systems, virtual private networks - all of these basic measures are often forgotten, but will help to barricade an organisation against attacks.
Alongside this, education is absolutely necessary, and also often forgotten.
Horowitz says, ‘Mass production of cyber threats' means a lot of these threats aren't sophisticated, so with awareness and basic security measures organisations can protect against them."
“One thing that everyone should be aware of is that attackers will always try to exploit the weakest link, and try to get to the corporate network through personal, unclassified email accounts. Same thing with mobile - a mobile phone can be an entrance point for an attacker to the network, so it's important to have security in place everywhere," she says.
Being aware of the threat, knowing what to look for, and recognising a phishing method, can save an organisation from a damaging breach. For instance, a lot of attacks that occur via email, such as those with ransomware, banking Trojans, mail with attachments and exploit kits as the main attack vectors, can be stopped by encouraging employees to suspect their inbox and think twice before opening a link, Horowitz says.
Education requires security teams to step up and become a source of information for their fellow employees. Horowitz recommends these teams to find out about persistent threats, pick and choose a few that are more common or more easy to protect against, and educate the people - even if it's just with a simple training session every few months or an email newsletter.
“Today the threats are everywhere, so in the past it was coming from nation states and to nation states. Today it's coming from everywhere to everywhere,” says Horowitz.
“Today there are smaller organisations that do APTs, there's outsourcing to individuals to do APTs, and there are just people out there who know how to do some coding and having their own malware, so there are so many threat vectors out there. And today also every one of us are a target. It's not just networks anymore, it's stand-alone pcs. Everyone is starting to hear about it, and be aware, but now we need to take the steps to protect ourselves,” she says.