“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
As digital risk continues to evolve, organizations must regularly assess vulnerable areas of their enterprise. Organizations that understand how to identify, assess, evaluate, treat, and monitor risk in an effective, efficient manner will have the upper hand over those who do not.
Sophisticated attackers do not just fire and forget at a single entry point. More advanced attackers will make every attempt to break through security barriers to accomplish their goals. Attackers constantly evolve to thwart security efforts, infiltrate the target enterprise, and maintain a foothold for future attacks.
Attackers are infiltrating supply chains, third-party vendors, and even security companies. They use stolen data for much more than just account takeovers; they also use it to make social engineering far more convincing. Attackers use trusted technologies, like HTTPS, to lull victims into a false sense of security.
A recent report from Webroot indicates that nearly a third of phishing pages are using HTTPS and nearly a quarter of malicious URLs are hosted on trusted domains. These are all methods used to gain trust and personalize attacks to increase the success rate.
On the Shoulders of Giants?
Researchers at Radware and Link11 noted a campaign posing as the infamous Fancy Bear (APT 28). It is targeting the financial sector with DDoS attacks and demanding a ransom to stop the attacks. The group, which appears to own a DDoS botnet, is asking victims for payments of two Bitcoins. The group researches its targets thoroughly: it aims for the backend infrastructure of the target organization rather than attacking the main business sites.
Impersonation of well-known threat actors is not a new tactic. Attackers sometimes pose as a more notorious group to invoke greater fear. This attack, however, falls well outside the bounds of normal Fancy Bear activity.
Hacking the Hacker
In another interesting development, it appears that the APT Venomous Bear (Turla) is using Iranian cyber-espionage tools and masquerading as attackers from the Islamic Republic. According to British security officials, the current campaign used tools from the Iranian APT known as Helix Kitten (APT34) to attack organizations in at least 20 different countries over the past 18 months. Researchers do not believe the two groups are colluding. Instead, it appears that Venomous Bear infiltrated the Helix Kitten infrastructure.
According to information provided by the NSA and GCHQ, the Russian group was able to access the networks of existing Helix Kitten victims and even access the code needed to build its own “Iranian” hacking tools.
What does it all mean?
The attackers are using increasingly sophisticated and complex methodologies to break down security controls. The goal behind the tactics described above is to trick users into trusting the source, and in some cases, leave false clues for misattribution. There is a wealth of data on the dark web and underground markets to help advance attacker goals. Attackers are creating more efficient malware to gain more data throughout their attacks, which adds to the mix of available data.
The data can be used in many ways, including credential-stuffing attacks, spear phishing attacks, and account takeovers. In some cases, cyber criminals are using the harvested data to create synthetic IDs, sometimes cultivating their fake profiles for years. Synthetic IDs are one of the fastest-growing financial crimes in the US, accounting for 10-15 percent of charge-offs.
Cyber criminals build up good credit records, making purchases and minimum payments. At some point in the life cycle, the criminal maxes out all credit cards under the synthetic ID and then disappears, leaving the creditors with mountains of unpaid debt.