Riddle me this: Detecting indirect attacks

Recent news concerning the China-based group APT10 has brought the issue of securing supply chains to the fore

Posted on 10 April 2017

Recent news concerning the China-based group APT10 has brought the issue of securing supply chains to the fore. The group targeted companies in at least 10 industrialized nations, including Japan, Switzerland and the UK, for intellectual property and other sensitive information through their managed IT service providers (MSPs).

Organizations know, or should know, that the ability to detect cyber threats is key to any cyber defense strategy. But how can they detect attacks that are not, in the first instance, aimed at them directly?


From a simple auditing perspective, requiring that all suppliers use accounts created, controlled and audited by the client organization is a good start. Those accounts can then be granted only the access needed to deliver the contracted services, and their activity can be reviewed by the organization's threat detection team for evidence of malicious use. Countercept applies machine learning to data such as Windows domain controller logs, Lightweight Directory Access Protocol (LDAP) traffic and network behavior profiles in order to spot anomalies. If the supplier accounts are known, any suspicious activity detected under those accounts on the client network can be given additional weight.
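The weighting idea above, as an added example that is not Countercept's code or part of the original post: a small triage script that scores domain controller logon records and doubles the score for any account on a client-issued supplier list. The records are constructed to resemble the fields of Windows Security event 4624 (successful logon); the account names, host names and contracted scopes are assumptions for the example.

```python
"""Score domain-controller logon events, weighting known supplier accounts.

Added example, not Countercept's code. Records are constructed to resemble
the fields of Windows Security event 4624 (successful logon) as collected
from a domain controller; account and host names are assumptions.
"""

# Accounts the client issued to its MSP; the client controls and audits them.
SUPPLIER_ACCOUNTS = {"svc-msp-backup", "msp-admin01"}
# Hosts each supplier account is contracted to reach (assumed scope).
CONTRACTED_HOSTS = {
    "svc-msp-backup": {"BACKUP01", "BACKUP02"},
    "msp-admin01": {"JUMP01"},
}
INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP, cached interactive
WORKING_HOURS = range(6, 21)

# Constructed sample events (account, target host, logon type, hour of day).
EVENTS = [
    {"account": "svc-msp-backup", "host": "BACKUP01", "logon_type": 3, "hour": 2},
    {"account": "svc-msp-backup", "host": "BACKUP02", "logon_type": 3, "hour": 2},
    {"account": "msp-admin01", "host": "JUMP01", "logon_type": 10, "hour": 14},
    {"account": "msp-admin01", "host": "DC01", "logon_type": 10, "hour": 3},
    {"account": "jsmith", "host": "FINANCE07", "logon_type": 2, "hour": 9},
    {"account": "jsmith", "host": "DC01", "logon_type": 10, "hour": 3},
]


def score_logon(ev):
    """Return (score, reasons). Supplier activity gets extra weight."""
    score, reasons = 0, []
    acct = ev["account"]
    supplier = acct in SUPPLIER_ACCOUNTS
    if ev["host"].upper().startswith("DC"):
        score += 3
        reasons.append("logon to a domain controller")
    if ev["logon_type"] in INTERACTIVE_TYPES and ev["hour"] not in WORKING_HOURS:
        score += 1
        reasons.append("interactive logon out of hours")
    if supplier and ev["host"] not in CONTRACTED_HOSTS.get(acct, set()):
        score += 3
        reasons.append("supplier account outside contracted scope")
    if supplier and score:
        # Supplier accounts are a known attack route, so the same
        # behaviour counts double when it comes from one of them.
        score *= 2
        reasons.append("weighted: known supplier account")
    return score, reasons


def triage(events, threshold=1):
    """Events scoring at or above threshold, highest first."""
    scored = []
    for ev in events:
        score, reasons = score_logon(ev)
        if score >= threshold:
            scored.append((score, ev["account"], ev["host"], reasons))
    return sorted(scored, key=lambda item: -item[0])


if __name__ == "__main__":
    for score, acct, host, reasons in triage(EVENTS):
        print(f"{score:3d} {acct:16s} {host:10s} {'; '.join(reasons)}")
```

The point of the scope table is that it is owned by the client, not the supplier: an MSP account that reaches a domain controller outside its contracted hosts at 3 a.m. ranks well above the same logon by an internal user, which is exactly the prioritization a detection team wants when the supplier is the suspected route in.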


Techniques such as placing a malicious dynamic link library (DLL) alongside a legitimate executable so that it is loaded in place of the genuine library, known as DLL search order hijacking, have been used by attack groups for many years. Even commodity malware such as Dridex v4 now uses this technique, so ensuring that attack detection capabilities cover this class of threat protects against these and many other attackers.


In terms of the supply chain from MSP to client organization, focusing network traffic capture on third-party supplier interconnects is key. Doing so ensures that a detection team has the visibility required to spot network layer anomalies originating from a supplier. A variety of techniques can be employed to highlight inconsistencies in network data, from basic intrusion detection systems to behavioral tracking using machine learning. Ensuring the segregation of supplier connections into separate virtual local area networks and forcing traffic through known monitored routes that have security controls such as firewalls, data loss prevention and intrusion prevention systems is also sensible.


But once the client organization has achieved sufficient control of the supply chain, what are the best tools to use to look for potential attacks and unusual activity?


The APT10 attacks are believed to have used malware known as Red Leaves. While it is a relatively new variant, it is strongly derived from older families, namely PlugX, which has been heavily researched by the cyber security industry. Red Leaves does not represent an advance in malware capability: it relies on simple, well-known techniques that have been in use for many years. For example, it uses code injection to host the malware inside legitimate processes, a technique that is easy to spot with any good Endpoint Detection and Response (EDR) product with memory analysis capabilities. It also produces anomalous process execution trees and loads illegitimate DLLs, and in many cases would require anomalous persistence mechanisms, all of which can be spotted through effective use of good EDR software.


Once an initial foothold on a network has been obtained, an attacker will generally seek to conduct internal reconnaissance and move laterally. Tracking the abuse of common administrative tools such as plink, pscp, PowerShell and WMI is a powerful source of data to hunt with and can quickly unveil advanced attackers. Basic anomaly detection techniques such as least frequency analysis help sift quickly through large volumes of data to surface potentially malicious activity, especially when the data is enriched where necessary, for example by automatically verifying digital signatures and correlating executables against software repositories and threat sources such as VirusTotal to spot previously unseen files. Machine learning applied to network and log data can provide further insight for detecting reconnaissance or lateral movement: it works by continually recording the subtle actions that threat actors cannot avoid when conducting an attack and flagging user accounts or IP addresses that move outside their usual usage profiles.
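The two preceding passages, the anomalous process trees that Red Leaves leaves behind and the least frequency analysis of administrative tool abuse, can be served by one hunt. The following is an added example, not Countercept's code or part of the original post: it counts parent/child process pairs across a batch of process-creation events, treats one-off pairs as candidates, and enriches each candidate with a signature flag and a lookup against a constructed hash allow-list that stands in for an internal software repository. The events are constructed to resemble Sysmon Event ID 1 fields; VirusTotal is not called, so the script runs offline.

```python
"""Least frequency analysis over process-creation telemetry.

Added example, not Countercept's code. Events are constructed to resemble
Sysmon Event ID 1 (process create) fields; KNOWN_GOOD stands in for a
software repository lookup and is not a real hash list.
"""
from collections import Counter
import ntpath

# Tools whose abuse is worth tracking (from the text) plus common additions.
ADMIN_TOOLS = {"plink.exe", "pscp.exe", "powershell.exe", "wmic.exe", "psexec.exe"}
# Parents from which an operator would normally launch those tools (assumed).
EXPECTED_TOOL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Constructed allow-list: SHA-256 values of binaries in the software repository.
KNOWN_GOOD = {"aaaa" * 16, "bbbb" * 16, "cccc" * 16, "dddd" * 16}


def _event(parent, image, sha256, signed=True):
    return {"ParentImage": parent, "Image": image,
            "Hashes": "SHA256=" + sha256, "Signed": signed}


# Constructed sample: repeated benign activity plus three one-off chains.
EVENTS = (
    [_event(r"C:\Windows\explorer.exe",
            r"C:\Program Files\Office\OUTLOOK.EXE", "aaaa" * 16)] * 8
    + [_event(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "bbbb" * 16)] * 6
    + [_event(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cccc" * 16)] * 3
    + [_event(r"C:\Program Files\Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cccc" * 16)]
    + [_event(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe", "dddd" * 16)]
    + [_event(r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\plink.exe", "eeee" * 16, signed=False)]
)


def basename(path):
    return ntpath.basename(path).lower()


def parent_child(ev):
    return (basename(ev["ParentImage"]), basename(ev["Image"]))


def sha256_of(ev):
    """Pull the SHA256 value out of a Sysmon-style 'ALG=hex,ALG=hex' field."""
    for part in ev["Hashes"].split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def rare_keys(events, key, max_count=1):
    """Least frequency analysis: keys seen at most max_count times."""
    counts = Counter(key(ev) for ev in events)
    return {k for k, n in counts.items() if n <= max_count}


def hunt(events):
    """Candidates as (parent, child, reasons), in event order."""
    rare_pairs = rare_keys(events, parent_child)
    findings = []
    for ev in events:
        parent, child = parent_child(ev)
        reasons = []
        if (parent, child) in rare_pairs:
            reasons.append("rare parent/child pair")
        if child in ADMIN_TOOLS and parent not in EXPECTED_TOOL_PARENTS:
            reasons.append("admin tool launched by unexpected parent")
        if sha256_of(ev) not in KNOWN_GOOD:
            reasons.append("hash absent from software repository")
        if not ev["Signed"]:
            reasons.append("unsigned binary")
        if reasons:
            findings.append((parent, child, reasons))
    return findings


if __name__ == "__main__":
    for parent, child, reasons in hunt(EVENTS):
        print(f"{parent} -> {child}: {', '.join(reasons)}")
```

Three chains surface: Word spawning PowerShell (a document-borne foothold), WmiPrvSE spawning cmd (a remote WMI command, the classic lateral movement trace), and cmd launching an unsigned plink.exe from ProgramData that no repository knows about. In production the frequency count runs per host or per fleet over a sliding window and the allow-list is replaced by the real repository and VirusTotal lookups, but the shape of the hunt is the same.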


Having attack detection in place, either in-house or through a cyber security provider, is now a must for organizations of any size. But detection cannot be limited to an organization's immediate business. With attackers using any and all methods and routes at their disposal, a holistic security view must be taken. What has become apparent from the APT10 attacks is that organizations must mandate high security standards not just for themselves but also for their suppliers if they do not want their security investment undermined by trivial security mistakes. At the same time, third parties that can demonstrably step up their own security profile will become preferred and will have a better chance of winning contracts.


If you would like to take advantage of MWR’s attack detection capabilities and achieve this level of protection, or just need some advice in directing your approach, MWR and Countercept are here to help.