BRANDEFENSE BRANDEFENSE
  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
Free Trial

BRANDEFENSE

  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
Initial Access Methods: How Malicious Actors Do Infiltrate Companies?

Initial Access Methods: How Malicious Actors Do Infiltrate Companies?

BRANDEFENSE
Ransomware
12/09/2022

Last updated on October 19th, 2022 at 10:48 am

Table of Contents

  • Introduction
  • Initial Access Methods
      • What is Initial Access ?
      • Initial Access Techniques
    • T1189: Drive-by Compromise
      • How Is It Detected?
      • Impact Mitigation
      • Example Attack Scenario
    • T1190: Exploit Public-Facing Application
      • How Is It Detected?
      • Impact Mitigation
      • Example Attack Scenarios
    • T1133: External Remote Service
      • How Is It Detected?
      • Impact Mitigation
      • Example Attack Scenarios
    • T1078: Valid Accounts
      • How Is It Detected?
      • Impact Mitigation
      • Example Attack Scenario
    • T1566: Phishing
      • How Is It Detected?
      • Impact Mitigation
      • Example Attack Scenarios
  • Conclusion
      • References

Introduction

Integrating technology into the working life of institutions brings with it ‘security’ problems. The effort of the threat actors to gain access to the target network and maintain the provided access is the basis of the existing security problem. Threat actors, acting with various motivations, such as financial returns, commercial/political/military advantages, or political ideologies, are always looking for ways to manipulate the weak points of institutions/organizations.

For institutions/organizations, it is essential to ensure the security of the data in hand in order not to experience financial loss and loss of reputation. For this reason, it is necessary to be aware of the techniques that threat actors use for Initial Access and the detection methods of these techniques.

Initial Access Methods

What is Initial Access ?

Threat actors first try to enter the target organization’s network in attacks such as ransomware. Initial Access; It consists of techniques that use various attack vectors to gain initial access and foothold on the target network.

Threat actors, called Initial Access Brokers (IABs), after accessing the targeted network and maintaining a certain level of persistence on that network, existing accounts belonging to the organization, use of external services, etc. Different additional ports can be obtained. Afterward, the accesses obtained on the target network are offered for sale in deep and dark web markets.

Recipients of access for sale by IABs commonly include ransomware groups or other threat actors, including their affiliates.

Listed below are the types of access offered for sale by IABs:

  • Panel Access (For example, cPanel),
  • Web Shell Access,
  • RDP Access,
  • VPN Access,
  • Virtual Machine Access.

Initial Access Techniques

Technical ID Technical Name
T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1133 External Remote Services
T1556 Phishing
T1078 Valid Accounts

T1189: Drive-by Compromise

This technique relies on the targeted user visiting a compromised website. There are several ways to breach the security of a website through this technique.

  • A compromised website can be injected with malicious code such as JavaScript, iFrame, and cross-site scripting.
  • Malicious advertisements may be served on the website through legitimate advertising providers.

After the user visits the website under the control of the threat actor, malicious scripts on the website are automatically run to try to detect the version of the browser and the vulnerable plugins and complements used by the target. When a vulnerable version is detected, code is sent to the browser to exploit the vulnerability.

If the operation is successful and the target user is not protected by similar programs, such as the antivirus program, the threat actor gains remote access to the user’s computer.

How Is It Detected?

  • Firewalls can perform reliability-oriented queries on the URLs the user wants to visit, including checks such as registration date, number of users, and malicious activity history.
  • IDS systems on the network are used for discovery, browser identification, etc. In addition, it can detect malicious scripts such as exploit codes and standard hiding techniques of these codes.

Impact Mitigation

As mentioned above, Drive-by Compromise is a technique that targets the security vulnerabilities of the applications and web browsers used. For this reason, the software and systems used should be used in the most up-to-date version available.

Example Attack Scenario

The REvil ransomware group was spreading the Sodinokibi software in its campaigns by breaching WordPress sites and injecting malicious JavaScript code into the area.

drive by compromise
Figure 1: Injected JavaScript code

T1190: Exploit Public-Facing Application

Attackers can often exploit programming or design flaws in applications, programs, servers, or services that have access to the Internet and are publicly available, causing such applications to exhibit unwanted or unexpected behavior. It can be said that such applications include websites, databases, services such as SMB or SSH, web servers, and affiliate services.

How Is It Detected?

Successful/unsuccessful attempts to exploit the vulnerability of the applications mentioned above produce output outside the normal program flow. These abnormal behaviors can be noticed by examining the application logs.

Overall network traffic (e.g., SQL Injection attempts, etc.) for attempts to exploit the vulnerability can be detected by in-depth inspection of network packets. Web Application Firewall solutions can detect such unusual attempts.

Impact Mitigation

  • It should be checked regularly for security vulnerabilities that external systems may have. Identified security vulnerabilities should be disclosed to the public and fixed as soon as possible.
  • To take action against known vulnerabilities, up–to–date versions of the applications and services should be used. Learn now if your technologies have vulnerability!
  • Isolating running applications from each other and taking advantage of virtualization/sandboxing technologies will limit the attacker’s access to the system, even if there is a successful attempt.
  • Web Application Firewall solutions can be used to prevent application access, limit applications’ exposure, and detect network traffic that may result from exploitation.

Example Attack Scenarios

  • Russian state-backed threat actor APT28 exploited previously identified vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 to gain the ability to execute code on vulnerable Microsoft Exchange servers.
  • APT41 leveraged CVE-2020-10189 against Zoho ManageEngine Desktop Central and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.
  • UNC2452 exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.
  • Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.

T1133: External Remote Service

The use of digital technologies and external remote services such as RDP and SMB has increased considerably since the pandemic period. Employees often use external applications such as VPNs and Citrix to connect to internal resources from the outside world. In addition, these services use services such as Windows Remote Management, and Virtual Network Computing (VNC) to manage users’ connections and authentication.

External remote services are used so frequently cause threat actors to update their TTP accordingly. So much so that in a study conducted by ESET, it is stated that the number of attacks that only exploit RDP vulnerabilities increased by 768% between the first and fourth quarters of 2020.

(https://www.welivesecurity.com/2021/02/08/eset-threat-report-q42020/)

The External Remote Service technique exploits security vulnerabilities in external remote services such as Microsoft’s Remote Desktop Protocol (RDP) or Windows Server Message Block (SMB). In addition, threat actors try to hijack an authorized account to use these services through various methods, such as social engineering and brute force attacks.

Thus, when the login credentials of an employee of the institution are captured, they can be included in the internal network through these services. Learn if your sensitive accounts are leaked!

How Is It Detected?

Such an attempt can be detected by examining indicators such as authentication records, unusual access patterns, unexpected activities from the user account, and accesses outside of regular working hours for authentication processes performed over existing services with valid user accounts.

Impact Mitigation

  • Unused/unnecessary and remotely available services can be disabled to reduce the attack surface. Learn if you have unnecessary attack surfaces!
  • Multi-factor authentication (2MFA) is recommended as this technique usually requires access to a valid user account.
  • By doing network partitioning within the organization, you can limit employees’ access only to the department they are related to. This way, a compromised account cannot access other network resources.

Example Attack Scenarios

  • Russian state-backed threat actor APT28 attempted brute force authentication on its targets using TOR and commercial VPN services such as CactusVPN, IPVanish, NordVPN, and ProtonVPN.
  • APT29 used compromised identities to access networks via SSH, VPNs, and other remote access tools.
external remote surface
Figure 2: Example of “credential hopping” technique

T1078: Valid Accounts

Valid Accounts mean using valid credentials to bypass access controls placed on various resources in systems within the network. These credentials can be used to gain and maintain permanent access to systems.

How Is It Detected?

Monitoring for unusual activity in user account activity is the focus of the detection of this technique. For example, Accounts logged on to multiple systems simultaneously, accounts logged on to a single system simultaneously, and accounts logged on after working hours can be defined as unusual activities. Institutions also need to configure strong activity controls on account activities.

Impact Mitigation

  • Changing existing passwords using strong policies and enabling multi-factor authentication (2MFA) whenever possible is recommended.
  • Sensitive data, such as credentials, are often forgotten in code and public code repositories during application/software development. Therefore, you should ensure that the applications do not contain such data.
  • It is important to detect early and control leaked accounts for every organization, whether employees’ accounts are leaked or not. Getting this information is really easy with security solutions that provide this kind of intelligence. To learn about leaked employees’ credentials click here!

Example Attack Scenario

Financially motivated threat group FIN5 used legitimate VPN, Citrix, or VNC credentials to gain and maintain access to their targeted environment. The information mentioned here describes the account information that current employees use to access the intra-company network remotely.

T1566: Phishing

Phishing attacks are a type of social engineering attack that is often used to obtain personal user data such as login credentials. Threat actors can carry out phishing attacks via email, text message (SMS), social media, or phone to gain initial access to target systems. In short, user interaction is required for this technique to be successful.

Usually, e-mails intended for a person, institution, or industry are distributed with a file attachment containing malicious code, and logical reasons are tried to be given as to why this file should be opened. Malicious file attachments can be used in many formats, such as Microsoft Office documents, executable files, PDF files, or archived files (RAR, ZIP, 7z, etc.). The distribution of files with password protection in order not to be detected by the endpoint security solutions and the various instructions for the user to open the file is among the scenarios that may be encountered.

Emails with file attachments can likewise contain a direct link address. In this kind of case, when the user clicks on the relevant link, the username, e-mail, password, etc. encounters pages where vital personal information such as.

How Is It Detected?

  • Network intrusion detection systems and email transmission paths can detect phishing emails containing malicious email attachments. The solutions that can be used for this can be signature or behavior based. DKIM+SPF checking or filtering based on email header analyzes can give details about possible attack attempts.
  • Using anti-virus solutions on the email server or user computer can help detect malicious files and attachments. It can be helpful to monitor sub-processes created by software associated with Microsoft Office or other documents.

Impact Mitigation

  • It is recommended to use anti-virus solutions to quarantine suspicious files and network intrusion detection systems designed to scan and delete malicious email attachments. You can also scan emails to prevent file extensions used for malicious activities from being forwarded over emails.
  • Institution personnel should be aware of possible phishing attacks, and attention should be paid to the content of urgency.
  • Threat actors target high-level employees such as the CEO and corporate personnel (Whale phishing). You can use the VIPSecurity module with the Brandefense Threat Intelligence team’s support to protect your organization’s C-Level employees against possible phishing attacks.

Example Attack Scenarios

Emotet Trojan, which first appeared in 2014 and has the title of the most dangerous banking trojan software until 2021, was distributed as malicious file attachments with the theme of fake phone bills within the e-mail in UK campaigns.

emotet trojan
Figure 3: Emotet Trojan distribution with email file attachment

To spread REvil ransomware to target devices, the GOLD SOUTHFIELD threat group used fake emails that looked like warning letters from the fee collection center of public law broadcasters in the German Federal Public Service.

ransomwares distribution
Figure 4: Ransomware distribution with email file attachment

Conclusion

Threat actors will always try to look for the easiest way to carry out successful attacks on their targets, depending on their motivation. Since the most frequently used methods focus on the “human” factor, which is the weakest link of a system, a conscious user/employee profile should be created first in order to stay safe.

Considering that at least one Initial Access technique is used on the basis of attacks carried out at different scales from the past to the present, being aware of these techniques and knowing how to counter them is the first rule of staying safe.

On a superficial level, you are now familiar with different topics such as techniques, method of application, detection and mitigation commonly used among threat actors. At the end of this report you are also somewhat prepared for attack attempts that may come from personnel errors. You can also request a free demo by contacting Brandefense.

References

  • https://attack.mitre.org/tactics/TA0001/
  • https://www.welivesecurity.com/2021/02/08/eset-threat-report-q42020/
  • https://www.criticalinsight.com/resources/news/article/inside-the-mind-of-a-threat-actor-tactics-techniques-and-procedures-explained
  • https://www.zdnet.com/article/big-jump-in-rdp-attacks-as-hackers-target-staff-working-from-home/
Share on Facebook Share on Twitter
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • MOVEit Transfer Software Exploited Through Critical Zero Day Vulnerability 2023
    MOVEit Transfer Software Exploited Through Critical Zero Day Vulnerability 2023
  • “Triangulation Trojan” Launches Sophisticated Attack on Apple Devices
    “Triangulation Trojan” Launches Sophisticated Attack on Apple Devices
  • Perspective of the Month | APT Groups
    Perspective of the Month | APT Groups
  • BellaCiao: The New Malware From Iran’s Charming Kitten
    BellaCiao: The New Malware From Iran’s Charming Kitten
2023 Ransomware Trends Report
Let’s Dive in Ransomware Attack Trends
Report

Let’s Dive in Ransomware Attack Trends

Download Report
Follow us!

Continue Reading

Previous post

Mirai Variant MooBot Botnet Targets Vulnerable D-Link Devices

moobot botnet
dark deep surface web
Next post

Why Organizations Need Extensive Dark Web Coverage?

particle element
We know what hackers know about you
Our cyber threat intelligence and security research team is ready to help you.
Request a demo
Free Trial
Contact
Login

Follow us on

brandefense logo brandefense

Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

United States:

300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

Republic of Turkey:

Üniversiteler Mahallesi, 1605.Cadde, Kapı No:3/1, No: 204, 06800 Çankaya/Ankara 06800

© 2022 Brandefense. All rights reserved.

Solutions
Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
Use Case
Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
Partners
Channel PartnersDeal Registration
Company
AboutCareerPrivacy PolicyTerms Of UseContact
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}
Close
Search

Hit enter to search or ESC to close