The Evolution of Hacking: Advanced Persistent Threats (APT)

www.itbusinessedge.com

 Introduction

In the last couple of decades we had observe some of the most brilliant hacking techniques ever known. We also delved into a lot of sophisticated Malware which redefined the whole concept of security. As more and more simplicity are being worked on the tools and more people adapt to the whole security world, we have seen a substantial growth in not only sophistication but also security persistence.  Here is what becomes: APTs.

Nowadays, we are not only fighting against malicious and curious hungry people who want our data, identity and financial information but also against governments, mafias, and "terrorist" nations to gain trade and national secrets.  As this world might be coming to an imminent end (the end of humanity), it is logical to think that more and more havoc will be caused into our lives and in order to survive, we will have to accept a New World government, where everything will be monitored, judged, moderated and executed within one a World Organization in justification for total security and safety for all humanity.

As more havoc is being done in this society, so it happens in our digital world. Better autonomic, resillient and cognitive systems are also put into the market (and our society) and to the hands of the gifted ones (and malicious users) in order to provide this society with more advanced, smart ways to silently break into the most sophisticated and secure systems. Advanced Persistent Threats is defined as " a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity." By disseminating each word, we have a better idea of what APT really is:

Advanced - Multi-vector 0 day attacks.

Persistent - Undetectable attacks over a long period of time.

Threat - Manace over sensitive information to a critical infrastructure and assets.

Past Examples

Below there are only a handful of APT examples:

PoisonIvy
Stuxnet
NightDragon
GhostNet
Lurid

Past Targets

Moonlight Maze (1998)
Titan Rain (2003)
US Congressmen (2006)
Oak Ridge National Laboratory (2007)
Los Alamos National Laboratory (2007)
US Department of Defense (2008)
Office of His Holiness the Dalai Lama (2008)
Operation Aurora (2009)
Australian Resource Sector (2010)
French Government (2010)
Canadian Government (2011)
Australian Government (2011)
Comodo Affiliated Root Authority (2011)
RSA (2011)
Oak Ridge National Laboratory (2011)
L-3 Communications (2011)
Lockheed Martin (2011)
Northrop Grumman (2011)
International Monetary Fund (2011)


How APT Works

First, it is important to identify the phases of a successful APT.  In order to successfully attack a system without being detected, a series of out of the radar sophisticated techniques must be used.

First Step - Advanced (Infection)

Attack is conducted by sending the RAT's Trojan (server file) by tricking the user to run it.


Methods can be used as attachments, visiting a website which a vulnerability was taken advantaged of the malicious user which can download the Trojan of the RAT.  An indirect and less suspecious method is being used by simply throwing a USB drive with the RAT's Trojan software to the target's backyard, car, or personal item such as his coat, or pant's pocket.  If he plugs it in thinking he luckily found a USB he can use, the malicious user can craft an autoexecutable which executes the RAT's Trojan software in the background.  He can put random school documents or home-made pictures (not his own) to make it less suspecious.  A more advanced alternative is if the malicious user crafted a malicious software which downloads the server file (RAT's Trojan) when innactivity is detected on the target's machine, so he doesn't notice system's performace or hints when the connection, download and auto-execution is taking place.

The attacker, once the victim is infected, can manages the victim's PC through the Remote Administration Tool (the RAT).
 
When the victim is infected, it simply notifies the malicious user who is running the RAT on his end.  Then, the malicious user can conduct a series of activities:

  -Keylogging (logs every single keystroke)
  -Uploads and downloads system's files
  -Unrestricted remote shell login
  -Uses proxy services to hide attacker's identity (through HTTP/SOCKS)
  -Kills, lists and starts system processes
  -Spies on victim's webcam
  -Screen Captures
  -Full administrative access to files and system's registry
  -Used to send SPAM from the victim's machine
  -Logs-off, restarts and shutdowns the victim's computer
  -Update the RAT's server (trojan) on the victim's machine
  -Uninstallation of RAT itself

Second Step - Persistent (Methods)

The persistent phase comes when the attacker conducts such stealthy activities, such as:

  -Updating the server file on the victim's machine so it doesn't get detected by anti-malwar
  -Inject the server file to a specific system process. i.e: winlogon.exe, iexplorer.exe or rundll32.exe.
  -The server file's shortcut image can be changed as well as the name of the file to avoid detection.
  -Auto-runs and connects to attacker if the server's injected service is killed

Third Step - (Exfiltration) Threats

This serious threat can be used to make nefarious exfiltration of mass data such as:

  -Network footprinting
  -Assets enumeration
  -Usernames and Passwords
  -Administrative domain account creation for further access
  -Plant backdoors for evasion
  -Secret data and company secrets' leak
  -Data and infrastructure corruption
  -Compromise other hosts
  -Privilege Escalation
  -Encrypt critical files and demand ramson to decrypt it
  -Etc,Etc,Etc

Final Thoughts

As we are going through a war phase, a lot of attacks are being made with digital weapons.  More instrusive controls such as better digital IDS/IPS signatures, more skilled people, Firewall rules and Anti-virus behavioral scans as well as signatures (come on, they do help a little) are getting behind exponentially with the emerge of more sophisticated APT malware.  With the evolution of cognitive systems, soon we won't have to enlist to fight wars because machines will be able to fight them for us.  The hacking techniques now being used as almost automatic and will soon be cognitive and conducted with the help of a more accurate AI (artificial intelligence).  In this information age, not only critical infrastructure but also the whole society's information is the target and at risk minute by minute.  That is why we need to be our own Firewall and not only be diligent about our activities and actions (they do cause an effect), but also about how we determine our future.

Keeping yourself off of the Radar of the NSA. Only fiction? Part 2

Our privacy deminishes every day, day by day and the facts stated on part 1 of "Keeping Yourself Off the Radar of the NSA" is only the tip of this huge iceberg.  The recommendation I gave for part 1 was to use Tails, even though it is not bullet-proof and the person who has the most knowledge wins in this cat and mouse game.  In part 2, we will go through more risks which increase everyday while getting more complex as well.

On this week, we not only found out about software surveillance but also hardware and network-based data mining through big and wealthy corporations as well as the net neutrality law which, by the way, temporarily won the battle but certainly not the war.

Last week, we found out about a vulnerability on Linux systems which are taking advantage from physical DRAM memory chips to gain kernel access to the system.  We also found out how Apple is sending the voice recordings consumers send to "Siri", the iPhone Intelligent Personal Assistant, to third party companies for advertisement and other undocumented purposes.

Further last week we have found out about certain phone brands such as Xiaomi Mi 4 is preloaded with malware by the manufacturer's customer ROM which then they denied and stated that those phones were fake replicas.  But don't worry, not all news are bad news in regards with surveillance.  Earlier this year, we have also found out about new ways to make it harder for governments and corporations to track our digital fingerprints.  The British multi-millionaire Kim dot Com did not only invented a secured end-to-end encrypted way to chat with your friends, but he is also now reinventing a new non-IP based "Internet" called "MegaNet" which, he states, will defy the whole surveillance essence.

But this is not the only attempt of defy tyranic global spies.  There are also other systems right now which are in Beta testing that will be used to form their own Internet and share information as free as people want it, because, after all, information should be free for the world to use it, manipulate it and see it however they would like as long there is no harm to others.

If you watched documentaries such as "Track me if you can" and "Terms of Conditions May Apply" (2003), you will realize that we have no or little control over our privacy. Even secret programs are out there that can track our identity by just finding our walking pattern. How are we then safe from the prying eyes?

From hardware, to software to global surveillance to secret programs to track people and break our privacy, we are in a dystopian world where our only weapon is knowledge.