Understanding Threat Actors: How They Infiltrate Systems

a1l4m
8 min readApr 20, 2024

--

How do Threat Actors and APTs gain access to the system? Even though we have tons of solutions and layers of defense mechanisms.

Background

Note: I am not going to talk about nation-state actors as they spend tons of time developing their exploits and discovering their own zero days that they use to gain a foothold in their targets. But am going to cover normal APTs :”

Most of the APTs, have their Post Exploitation techniques ready, but what’s stopping them is the initial access. That’s why we are here today to cover some of the stuff that the threat actors use to put their feet into the system.

Introduction

In the vast and intricate world of cybersecurity, Advanced Persistent Threats (APTs) and Threat Actors are often discussed in terms of high-tech exploits and sophisticated hacking techniques. However, there’s a common misconception that securing systems is all about shoring up web vulnerabilities. In reality, the threat landscape is much broader. This blog aims to shed light on the diverse techniques used by threat actors to gain initial access to systems — beyond the digital equivalent of picking locks.

The Misunderstood Landscape of Cyber Threats

Cybersecurity isn’t just about guarding against SQL injections or securing web forms. Many professionals, particularly web pentesters and BugHunters, view these as the primary battlegrounds. Yet, they overlook equally critical threats such as social engineering, typosquatting, and the subtle art of manipulating human psychology. These methods often bypass the most robust technical defenses by targeting the weakest link in the security chain: people.

Initial Access Techniques

Exploiting New CVEs: Seizing Opportunities in Emerging Vulnerabilities

One of the most dynamic aspects of cybersecurity is the constant emergence of new vulnerabilities, cataloged in the Common Vulnerabilities and Exposures (CVE) system. Threat actors vigilantly monitor these disclosures for exploitable weaknesses, often racing against IT professionals to use these vulnerabilities to their advantage before patches and updates can be applied.

For instance, a newly discovered CVE in a widely used software can provide a golden opportunity for attackers. These vulnerabilities, if unpatched, can serve as the perfect entry point to deploy malware or conduct further exploitative actions within a network. The process typically involves:

  1. Monitoring and Identification: Threat actors use automated tools to scan public databases, and security bulletins for newly reported vulnerabilities. Also uses indexes like shodan to scan for vulnerable services.
  2. Development of Exploit Code: Once a promising CVE is identified, skilled attackers quickly develop exploit code to take advantage of the vulnerability, often creating a working exploit within days or even hours of the vulnerability being disclosed.
  3. Deployment: This exploit is then deployed either directly or through watering hole attacks, phishing emails, or malicious advertisements that lead to exploit kits hosted on compromised websites.
  4. Initial Access and Lateral Movement: Successful exploitation provides the attackers with their initial foothold from which they can launch further attacks, install backdoors, and explore the network for valuable data and additional weak points.

A recent example of CVE exploitation involves CVE-2024–1709 and CVE-2024–1708, which were used to gain initial access into enterprise systems to deploy LockBit ransomware. These vulnerabilities were identified in the ConnectWise ScreenConnect software, affecting all on-premise versions below 23.9.8. The vulnerabilities allowed for an authentication bypass and a path traversal issue, respectively. Despite ConnectWise issuing an advisory and a patch, the information about the exploit became public, making it trivial for attackers to exploit these vulnerabilities.

The ease of exploitation was such that the initial attack vector involved simply modifying a URL path to bypass authentication controls. Once inside, attackers could create administrative accounts or deploy additional malicious tools and payloads. This type of vulnerability showcases the importance of rapid patch application and vigilance in monitoring for abnormal activities even after patches are believed to have secured the systems.

For more info about these two CVEs

Typosquatting: Exploiting Simple Mistakes

Typosquatting relies on users making typos when entering URLs into their browsers — these slight mistakes direct them to malicious websites that closely mimic the intended ones. These sites can then be used to steal credentials or distribute malware. A notable case involved a popular cryptocurrency platform where cybercriminals registered a domain that was just one letter off from the legitimate site. Users entering this wrong address were led to a convincingly similar but malicious site that prompted them to input their private keys or login details, leading to direct financial theft.

Here is a site that lets you know if people have registered a domain that is similar to a specific domain: dnstwister

Facebook TypoSquatting

Embedding Malicious Code in Software Libraries

An increasingly common method used by threat actors involves embedding malicious code within popular code libraries or frameworks. For example, a malicious actor might upload a corrupted package to the Python Package Index (PyPI) or NuGet, which are repositories for Python and .NET packages, respectively. Unsuspecting developers download these packages, thinking they are legitimate, and incorporate them into their applications. This not only compromises the development process but also allows the malware to infect all downstream software built with these corrupted libraries. A case in point is the infamous incident where several packages in PyPI were found to contain a hidden malicious code that stole AWS credentials and sent them to an external server once the packages were installed in a system.

To demonstrate how easy this one is. Here is a screenshot from a malicious NuGet package that I published on nuget.org with just one letter off from the original package.

Malicious Nuget Package

Disclaimer: This whole thing is for testing purposes and i have taken the package down immediatly after finshing my tests.

Social Engineering: The Human Factor

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybersecurity, it’s one of the most effective tools for bypassing technical safeguards because it targets emotional or psychological weaknesses rather than software or hardware vulnerabilities. For instance, a classic social engineering attack is the “CEO scam,” where an attacker posing as a company’s executive emails a staff member with an urgent request for wire transfers or sensitive data. Another prevalent example is the “baiting” scenario, where attackers leave malware-infected physical devices, such as USB drives, in places where they are sure to be found. Curious finders then plug these devices into network computers, inadvertently triggering malware installations.

Rule Num1: Safety first

Case Study: APT28 — A Walkthrough

APT28, also known as Fancy Bear, is a sophisticated and well-resourced group believed to be associated with Russian military intelligence. Their operations are well-documented, with a series of attacks that highlight their advanced capabilities and strategic objectives.

Spear-Phishing Campaigns: The Initial Breach

One of the most notable tactics employed by APT28 is spear-phishing. This technique involves sending targeted emails to specific individuals within an organization. These emails appear to come from a trusted source and contain either malicious links or attached documents that are laced with malware. For example, in the 2016 DNC hack, APT28 sent emails mimicking Google security alerts, prompting users to change their passwords. The links led to a fake Google domain controlled by the attackers, where entering credentials resulted in immediate account compromise.

Use of Zero-Day Vulnerabilities

Apart from spear-phishing, APT28 is also known for its use of zero-day vulnerabilities — previously unknown security holes in software that are not yet patched. In one instance, they exploited a zero-day vulnerability in Microsoft’s Word software to distribute a type of malware called “Fysbis.” Upon opening the infected Word document, the malware would be executed automatically, providing APT28 with remote control over the victim’s computer.

Deployment of X-Agent Malware

Once the initial access was secured, APT28 frequently deployed their custom malware, known as X-Agent or Sofacy. This malware is capable of keylogging, harvesting screenshots, and extracting files to send back to the control servers. In operations targeting government agencies, X-Agent was installed to maintain persistence within the network, allowing continuous monitoring and data exfiltration over extended periods.

Exploitation and Lateral Movement

Following the establishment of a foothold within the network, the group would perform lateral movement to access other important systems and escalate their privileges. This phase often involves the use of stolen credentials, further spear-phishing within the organization, and sometimes the exploitation of other vulnerabilities within the network’s infrastructure.

Example Operation: Targeting the World Anti-Doping Agency (WADA)

In a well-publicized breach, APT28 targeted WADA in retaliation for allegations of state-sponsored doping by Russian athletes. They accessed WADA’s Anti-Doping Administration and Management System (ADAMS) database, which contained sensitive athlete data. The attackers exploited a spear-phishing email sent to an International Olympic Committee (IOC) member, which, once opened, provided them with access to the WADA network. The breach led to the public disclosure of confidential athlete information, demonstrating the political motivations and capabilities of APT28.

Conclusion

As we’ve explored throughout this blog, the techniques employed by threat actors are both varied and sophisticated, extending far beyond simple hacks to exploit deep-seated human and systemic vulnerabilities. The cases of APT28 and other similar groups underline a critical truth in cybersecurity: the landscape is perpetually evolving, and our defenses must evolve accordingly. Awareness and education are our best tools in this ongoing battle. By broadening our understanding of these tactics and continuously adapting our strategies, we can not only defend but also anticipate and counteract the maneuvers of these cyber adversaries.

Call to Action

The world of cybersecurity is vast and complex, but it is by sharing knowledge and experiences that we can offer one another the best defense against threat actors. Have you come across these techniques in your personal or professional life? Or perhaps you’ve encountered other methods that deserve attention? Share your insights and stories with us to help foster a community of learning and vigilance. For those keen on delving deeper into the intricacies of cybersecurity, consider following industry experts and engaging with ongoing discussions in forums and professional groups. Your voice and your experiences are invaluable in the collective effort to secure our digital frontiers.

That’s it For Now :”

--

--

a1l4m
a1l4m

Written by a1l4m

DFIR | CTF Player & Author

No responses yet