The next generation of APTs: Highly successful but surprisingly simple

21 Mar 2016

The number and reach of cyber threats continues to grow, and while reports of increasing sophistication and complexity dominate the news, some of the most highly targeted attacks are surprisingly simple.

A new generation of Advanced Persistent Threats (APTs) is emerging around the world, and the key point of difference of these threats is that they aren’t advanced so much as they are persistent, says Maya Horowitz, Check Point intelligence operations group manager.

“The new generation of APTs are a bit different,” she says. “They have the same targets that are APT worthy, like government, critical infrastructure, and financial organisations, but nowadays these attacks are not only done by NSA, China, and Russia, but are being outsourced to individuals, and smaller groups who have less financial skills and technical resources. They’re still APTs, but I would leave the ‘A’ out - they’re not advanced.”

The cyber criminals behind these attacks often target the weakest link - the individual - and are able to breach a company’s security perimeter using simple but persistent and, overall, effective methods.

Uncovering the next generation of APTs

Check Point has a threat intelligence group made up of 150 people, including analysts, researchers and specialists. This group investigates threats and uses the findings to educate organisations, update Check Point’s products, and even stop cyber criminals in their tracks.

One example of a threat campaign Check Point was able to uncover was known as ‘Volatile Cedar’, which Horowitz says was successful in breaching the security perimeters of organisations, but was not very advanced at all.

The campaign, led by a persistent attacker group, penetrated a large number of targets including individuals, companies and institutions worldwide, using various attack techniques but most frequently a custom-made malware implant named Explosive.

In a report on the attack, Check Point wrote, “While many of the technical aspects of the threat are not considered ‘cutting edge’, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.”

Horowitz says the hackers used simple algorithms and methods to breach servers and find credentials. She says the malware itself was not sophisticated, but it was highly targeted and well-managed, and was active for around three years before it was taken down.

Check Point’s research has enabled organisations to protect themselves against the attack and led to the cyber criminals behind Volatile Cedar abandoning the project.

Rocket Kitten is another example of this generation of APTs and has been investigated by organisations around the world, including Check Point.

In early 2014, an attacker group of Iranian origin began actively targeting people of interest with malware, supported by persistent spear phishing campaigns.

In a report on the campaign, Check Point writes, “Characterised by relatively unsophisticated technical merit and extensive use of spear phishing, the group targeted individuals and organisations in the Middle East (including targets inside Iran itself), as well as across Europe and in the United States.”

Check Point was able to identify victims of this particular attack, and found those targeted included high ranking defence officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.

Check Point writes, “We believe the Rocket Kitten case is an interesting case study for the malware research industry, exemplifying a continuing trend in the nation-state attacker profile we have witnessed over the past two years; cyber-espionage is no longer reserved to organisations with monstrous budgets to hire thousands of cyber-warriors, operate password-cracking super-computer clusters or advanced research to infect your hard-drive firmware. Adversaries will often find simpler ways for effective compromise, such as creative phishing and simple custom malware.”

According to the company, Rocket Kitten highlights a recurring problem: minimal changes to existing malware often evade most current protection solutions, and effectively stopping attackers requires employee engagement as well as basic security measures.
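The point that a minimally modified sample slips past existing protections is easy to see when detection rests on exact file hashes. The following is an added example, not Check Point’s code or any tool mentioned in the article: it builds a constructed, harmless stand-in for a known sample, makes a copy that differs in a single configuration byte, and compares a hash-based indicator list against a content rule that matches the reused configuration layout rather than build-specific bytes. The buffer contents, the digest list and the regular expression are all constructed for the demonstration.

```python
"""Why a near-identical sample slips past exact-hash indicators.

Added example (not Check Point's code or tooling): a defender compares two
detection strategies against a constructed, harmless 'sample' buffer and a
trivially altered copy of it. All byte strings and indicator values below are
constructed for the demonstration.
"""
import hashlib
import re

# Constructed stand-in for a known sample: a fake "binary" that embeds a
# configuration string of the kind a malware family reuses across builds.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"cfg:beacon=example-c2.invalid;interval=300;build=1\x00"
    + b"\x00" * 16
)

# The same buffer with one build-number byte changed (constructed "variant").
VARIANT = KNOWN_SAMPLE.replace(b"build=1", b"build=2")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form most IoC feeds distribute."""
    return hashlib.sha256(data).hexdigest()


# Indicator list as a hash-based feed would carry it: exact digests only.
HASH_INDICATORS = {sha256_hex(KNOWN_SAMPLE)}

# Content rule: match the reused config layout, not the build-specific bytes.
# The pattern is constructed; a real rule would typically be written in YARA.
CONFIG_PATTERN = re.compile(rb"cfg:beacon=[\w.-]+;interval=\d+;build=\d+")


def matches_hash_indicator(data: bytes) -> bool:
    """True only when the buffer's digest is on the indicator list."""
    return sha256_hex(data) in HASH_INDICATORS


def matches_content_rule(data: bytes) -> bool:
    """True when the reused configuration layout appears anywhere in the buffer."""
    return CONFIG_PATTERN.search(data) is not None


def classify(data: bytes) -> dict:
    """Return what each detection strategy says about a buffer."""
    return {
        "hash_hit": matches_hash_indicator(data),
        "content_hit": matches_content_rule(data),
    }


if __name__ == "__main__":
    for name, buf in (("known sample", KNOWN_SAMPLE), ("variant", VARIANT)):
        print(name, classify(buf))
```

The known sample hits both checks; the one-byte variant misses the hash list but is still caught by the content rule. That is the defender-side lesson behind the company’s observation: indicators tied to exact artefacts decay with every rebuild, so detection should also key on what the family keeps reusing (configuration layout, behaviour, infrastructure).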

So what can be done?

Horowitz says that while this family of attacks is persistent and successful, the good news is that it can be combated with a combination of technology and education.

She says, “The good news is that even with what we call APTs we can still protect ourselves, because now that we know about this Volatile Cedar, any anti-virus can block it.”

Sandboxing solutions, anti-virus programmes, intrusion prevention systems, virtual private networks - all of these basic measures are often forgotten, but will help to barricade an organisation against attacks.

Alongside this, education is absolutely necessary, and also often forgotten.

Horowitz says, “‘Mass production of cyber threats’ means a lot of these threats aren’t sophisticated, so with awareness and basic security measures organisations can protect against them.”

“One thing that everyone should be aware of is that attackers will always try to exploit the weakest link, and try to get to the corporate network through personal, unclassified email accounts. Same thing with mobile - a mobile phone can be an entrance point for an attacker to the network, so it’s important to have security in place everywhere,” she says.

Being aware of the threat, knowing what to look for, and recognising a phishing method can save an organisation from a damaging breach. For instance, many of the attacks that arrive by email, with ransomware, banking Trojans, malicious attachments and exploit kits as the main attack vectors, can be stopped by encouraging employees to treat their inbox with suspicion and think twice before opening a link, Horowitz says.

Education requires security teams to step up and become a source of information for their fellow employees. Horowitz recommends that these teams find out about persistent threats, pick a few that are more common or easier to protect against, and educate people - even if it’s just with a simple training session every few months or an email newsletter.

“Today the threats are everywhere, so in the past it was coming from nation states and to nation states. Today it’s coming from everywhere to everywhere,” says Horowitz.

“Today there are smaller organisations that do APTs, there’s outsourcing to individuals to do APTs, and there are just people out there who know how to do some coding and have their own malware, so there are so many threat vectors out there. And today also every one of us is a target. It’s not just networks anymore, it’s stand-alone PCs. Everyone is starting to hear about it, and be aware, but now we need to take the steps to protect ourselves,” she says.