Monday 3 April 2017

APT10 - Operation Cloud Hopper

Written by Adrian Nish and Tom Rowles

For many businesses the network now extends to suppliers who provide management of applications, cloud storage, helpdesk, and other functions. With the right integration and service levels Managed Service Providers (MSPs) can become a key enabler for businesses by allowing them to focus on their core mission while suppliers take care of background tasks. However, the network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through. Successful global MSPs are even more attractive as they become a hub from which an intruder may access multiple end-victim networks.

Since late 2016 we have been investigating a campaign of intrusions against several major MSPs. These attacks can be attributed to the actor known as APT10 (a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM). Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organisations.

Figure 1 – Attack stages for APT10 in targeting MSP end-customers

We have joined forces with PwC to release our findings from investigations into these on-going attacks and raise awareness. This joint analysis report can be found on PwC's blog at:

The current campaign linked to APT10 can be split into two sets of activity:
1. Attacks targeting MSPs, engineering and other sectors with common as well as custom malware;
2. Attacks targeting Japanese organisations with the 'ChChes' malware;

The latter campaign has been well covered in the public domain; the MSP targeting, however, is the focus of our joint analysis report with PwC.

The group use a custom dropper for their various implants. This dropper makes use of DLL side-loading to execute the main payload.

In our analysis the attackers have used several payloads including:
1. PlugX – a well-known espionage tool in use by several threat actors
2. RedLeaves – a newly developed, fully-featured backdoor, first used by APT10 in recent months

The C&C domains chosen by the APT10 actors for their MSP-related campaign are predominantly dynamic-DNS domains.

The various domains are highly-interconnected through shared IP address hosting, even linking back historically to the group’s much older operations. The graph below depicts infrastructure used by the attackers in late 2016.

Figure 2 – Infrastructure view from late 2016

In recent months the infrastructure has expanded significantly. The nodes number into the thousands and cannot be easily visualised.

The graph below represents a linkage between one of the PlugX C&Cs used in the group’s newer operations and the older infrastructure of the APT10 actors as disclosed by FireEye in their 2014 Siesta Campaign blog post. In terms of timing, there is reasonable hosting overlap to suggest a single group is responsible for all these domains.

Figure 3 – Subset of links from historic APT10 activity and newer C&C domains
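The linkage described above (domains tied together by shared IP hosting, with overlapping timing) can be reproduced by a defender over passive-DNS data. The following is an added example, not code from the original post or the joint report; the record layout, the function name `cluster_by_hosting_overlap`, and all domains and IP addresses are constructed for illustration (reserved `.example` names and documentation address ranges).

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows: (domain, ip, first_seen, last_seen).
# Domains use reserved .example names; IPs come from documentation ranges.
PDNS = [
    ("old-c2.dyn.example", "192.0.2.10",   date(2014, 1, 5),  date(2014, 6, 30)),
    ("mid-c2.dyn.example", "192.0.2.10",   date(2014, 5, 1),  date(2016, 9, 15)),
    ("mid-c2.dyn.example", "198.51.100.7", date(2016, 8, 1),  date(2016, 12, 20)),
    ("new-c2.dyn.example", "198.51.100.7", date(2016, 11, 1), date(2017, 2, 1)),
    ("reuser.dyn.example", "192.0.2.10",   date(2017, 3, 1),  date(2017, 3, 20)),
    ("unrelated.example",  "203.0.113.9",  date(2016, 1, 1),  date(2016, 2, 1)),
]

def cluster_by_hosting_overlap(rows, min_overlap_days=1):
    """Group domains that resolved to the same IP during overlapping windows."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for domain, ip, first, last in rows:
        find(domain)  # register every domain, even if it is never linked
        by_ip[ip].append((domain, first, last))

    for hosted in by_ip.values():
        for i, (d1, f1, l1) in enumerate(hosted):
            for d2, f2, l2 in hosted[i + 1:]:
                # Days both domains pointed at this IP at the same time.
                overlap = (min(l1, l2) - max(f1, f2)).days + 1
                if d1 != d2 and overlap >= min_overlap_days:
                    parent[find(d1)] = find(d2)  # union the two clusters

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))

if __name__ == "__main__":
    for cluster in cluster_by_hosting_overlap(PDNS):
        print(cluster)
```

Requiring a time overlap keeps `reuser.dyn.example`, which only reached the shared address after the others had left it, out of the cluster; raising `min_overlap_days` tightens the link further when dealing with heavily recycled hosting.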

Through our research we have identified several organisations that have been infiltrated by the attackers. All are either customers of or providers of Managed Services / Enterprise Service / Cloud Services - implying that this is a significant focus area for APT10 attacks. Further investigation has shown that the attackers are jumping from MSPs to end-customers (or vice-versa). It is impossible to say how many organisations might be impacted altogether at this point.

Geo-locations of compromised systems include victims in the UK, US, India, Japan, and others.

Managed Service Providers are a particularly sensitive area of business; these companies both hold large volumes of customer data and may have VPN, RDP, and other connections into networks they manage. As sensitive organisations such as Government and Defence have improved their perimeter security it has forced APT groups to look elsewhere for infiltration routes. The ‘supply-chain’ is one of these vectors, and we continue to see an increasing number of actors finding success in exploiting this route.

From an end-customer's perspective, this supply chain risk needs to be managed jointly across security, legal, and most importantly through procurement functions. Driving for the lowest price possible from suppliers is not likely to end well for businesses where cyber-security matters.

From an MSP's perspective, strong focus needs to be put on security architecture, network hardening, monitoring, detection and response. We would also suggest regular red-teaming or simulated targeted attack testing - performed by independent testers and leveraging intelligence from known attacks.

Whilst these attackers have skill, persistence, some new tools and infrastructure - there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers.

For further analysis, recommendations, and IOCs we suggest viewing the full report: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
