CyberWire Daily - APTs transitioning to the cloud. [CyberWire-X]

Episode Date: July 11, 2021

Cloud attacks have become so widespread that the Department of Homeland Security (DHS) has warned against an increase of nation states, criminal groups and hacktivists targeting cloud-based enterprise... resources. APTs such as Pacha Group, Rocke Group and TeamTNT have been rapidly modifying their existing tools to target Linux servers in the cloud, modifying their existing code to create new malware variants which easily bypass traditional security solutions. The solution? In order to detect and respond to these attacks, security teams need visibility into what code is running on their systems. In this episode of CyberWire-X, guest Jonas Walker from Fortinet shares his insights with the CyberWire's Rick Howard, and Ell Marquez of sponsor Intezer offers her thoughts to the CyberWire's Dave Bittner.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, a series of specials where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled APTs Transitioning to the Cloud. Cloud attacks have become so widespread that the Department of Homeland Security has warned against an increase of nation-states, criminal groups, and hacktivists targeting cloud-based enterprise resources. APTs such as Pacha Group, Rocke Group, and TeamTNT have been rapidly modifying their existing tools to target Linux servers in the cloud, modifying their existing code to create new malware variants which are easily bypassing traditional security solutions. How do we address this problem? In order to detect and respond to these attacks, security teams need visibility into what code is running on their
Starting point is 00:01:12 systems. A program note, each CyberWire-X special features two segments. In the first part of our show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. And speaking of sponsors, here's a word from our sponsor, Intezer. Don't let the cloud obscure an attack. Intezer Protect is an EDR solution built for the cloud and provides real-time visibility into code execution in runtime for your entire virtualization stack, cloud servers, VMs, and containers. Intezer protects all computer resources against advanced threats, including APTs and unknown vulnerabilities. Want to break all the things without breaking the bank? Head over to Intezer.com to take advantage of their sandbox environment, enabling you to execute built-in attack scenarios that let you exploit vulnerabilities and infect
Starting point is 00:02:15 with malware. To start off our show, my CyberWire colleague Rick Howard speaks with Jonas Walker, security strategist at Fortinet. And later in the program, my conversation with Ell Marquez, Linux and security advocate at our show sponsor, Intezer. I'm joined by Jonas Walker. He's the security strategist for Fortinet Labs. Welcome to the show, Jonas. Hey, Rick. Thanks for having me.
Starting point is 00:02:56 You have been advising Fortinet customers for the past 20 months or so about, among other things, threat intelligence and specifically adversary group campaign awareness. So when you talk about adversary group campaigns with your customers, how do you describe them? I mean, in other words, what are you trying to convey to them when we have that conversation? Man, the internet is the Wild West out there, and there are attacks happening every single second from all over the place.
Starting point is 00:03:19 So we need to be prepared against all these attacks, especially in, you mentioned it, the last 20 months, with attack surfaces changing all the time. So it is hard on the defensive side, and we need to keep our guard up to date every single day. I was looking at the ThaiCERT page this morning on a completely different matter, right, and they're tracking some 300 adversary groups. So there isn't consensus about the number, but we all agree that there is a finite number out there. Would you agree with that? I definitely agree. And sometimes, I mean, attribution is such a hard game, but I do believe
Starting point is 00:03:56 some of these groups, they just have different personas and they are the same people behind different kinds of groups just to make it more difficult for us. But honestly, in the end, I don't think it matters that much whether it's 50, 100 or 500. What matters more is that we prepare accordingly against these kind of attacks, which have a very big overlap when we compare these kind of groups. For example, when we talk about phishing attacks, it doesn't really matter which group does it, where this group is coming from. We need to be prepared accordingly against these kind of attacks. Well, I think I disagree with you a little bit there because one of my pet peeves is that the industry, both the vendor community and the practitioners who do the day-to-day work, we tend to focus on those technical things, the things that we are sure about, you know, the latest malware, the latest zero-day exploit, the latest ransomware. But in my mind, that's the wrong focus. Instead of trying to prevent random technical tools
Starting point is 00:04:55 from working within my environment, it's a never-ending battle, by the way. There's gazillions of these things, so you can never know if you're going to win that one. I believe that we should all shift focus to preventing the success of adversary group campaigns. Instead of blocking one tool with no context, I believe we should be blocking adversary group campaigns at every stage of the intrusion kill chain. And I'm wondering what you think about that. Yeah, defense in depth and having these kind of different layers properly secured. I definitely agree on that. I didn't mean to say that it's just single groups which we need to focus on. I definitely agree the kill chain is there for a reason and we have these different kind of layers which we all need
Starting point is 00:05:36 secure properly because there is no 100% security on just one single layer and we need to make it as difficult as possible on every single one of these layers. So the intrusion kill chain idea has been around since 2010 or so. Most of our listeners are familiar with the concept. But for those that need a refresher, can you explain what it is? So we have the different steps. And when we think about these attackers, they don't just randomly start a terminal and start hacking.
Starting point is 00:06:06 They usually come up with a plan. And these plans are usually divided into different kind of stages. Let's say the first step is usually the reconnaissance. And this is also the stage where attackers spend most of their time, sometimes weeks, months, where they are preparing in advance. There are the targets. They try to gather as much information about their potential victims. Is it either on social media, open source intelligence,
Starting point is 00:06:33 gathering data breaches from the past to gather possible credentials? And once they've gathered enough information, they come up with a plan during the weaponization part. So they figure out what kind of weapon they want to use to strike against these kind of possible victims. For example, is it a phishing attack? Do they need macro files? Do they want to leverage technologies like PowerShell or different kinds of solutions? Then sooner or later, they need to come up with a delivery, so how do they transport this kind of malicious software, for example, to the victim? And once it's getting executed
Starting point is 00:07:12 on the victim then it installs on the client itself and they need to have communication established so usually this is done with command and control servers where you have an IP address or a domain name which is reachable from the internet. So no matter what they want to do, they can always be in touch with their victims which they were able to breach and give them further controls. Then last but not least, it's about the action on the objectives because these attackers, they have different kinds of goals.
Starting point is 00:07:42 For some of them, it's all about money. For others, it's more about espionage or sabotage. So it very much depends on the attacker, what kind of objective does he have. But these steps in the kill chain, more or less, are there for every single attack. For some of the attacks, they matter a little bit more. For some others, a little bit less,
Starting point is 00:08:04 depending on where the attackers try to focus on. So to piggyback on what you said, and I really like what you said, you know, it isn't just one attack that makes these adversary groups successful. They have to string together a series of steps to be successful in what they're trying to do, whether they're stealing data or destroying it or doing some sort of ransomware operation, right? And if you look at the MITRE ATT&CK framework, you look at adversary groups and how they do things, those steps could be as many as 30 to 300 steps, depending on how complicated and how mature their campaigns are. And so, what I have been advocating for is we should be looking to prevent each step
Starting point is 00:08:46 in that attack sequence and not just worry about the individual tools. I definitely agree. And if you just look at the MITRE ATT&CK framework, we see so many different techniques just for, for example, initial access. And this pretty much depends on the attacker strategy because during the reconnaissance phase, they probably figure out what is more likely to be a success element in this whole attack. Is it more likely to gain access with phishing or do they find potential websites with outdated vulnerabilities where they can just leverage some exploits which are known to everyone and use them to get initial access to these kind of environments. So since the beginning of the kill chain idea, threat intelligence groups from the vendors like Fortinet Labs and from the private sector, we've been tracking these adversary group campaigns across the intrusion kill chain. But my observation is that these campaigns generally go
Starting point is 00:09:46 after the victim's traditional infrastructure and not really their cloud assets. They establish a beachhead on an employee laptop or a mobile device or servers in the data center, and then they move laterally to find the data they have come to steal or to destroy. They do that by stealing credentials and then finding a way to elevate those to some privileged account somewhere. When the data they're looking for is in the cloud, they just use these stolen credentials to get access. But they install their command and control system in the traditional on-prem infrastructure, not in the cloud. And I'm curious about whether or not that pattern is changing. Have you seen any examples of adversary attack campaigns using cloud infrastructure across the intrusion kill chain? We do see both, but I do agree with you. The vast majority is what you mentioned with the
Starting point is 00:10:36 traditional attacks. And I think the reason for that is that if you do have credentials, you pretty much don't need to hack any technologies or any systems. You can just log in because you have a proper username and a proper password. But one example which we have seen just recently with cloud attacks is that so many enterprises put their public and private clouds directly to the internet. Let's think about all these private cloud solutions,
Starting point is 00:11:06 which I'm running as well by myself in my old data center with either vCenter, Azure, or OpenStack. If these management systems are directly connected to the internet and vulnerabilities are disclosed from these vendors and they recommend patching as fast as possible, we see immediately very high spikes in traffic attacking these vulnerabilities. And a lot of these proof of concepts of how to exploit these vulnerabilities spread very quickly across the internet. And if attackers are able to use these exploits, which in some cases are remote code execution exploits, which means all they need
Starting point is 00:11:45 is internet access and find one of these vulnerable management systems directly connected to the internet. Then they can log in without user credentials and they can access all the virtual machines. They can find some storage devices. They understand what kind of backups are connected to these management systems and maybe delete them before deploying their ransomware. So they are more successful with their current attack campaigns. So you talked to Fortinet customers about how to think about protecting those cloud assets. What is some general purpose advice you give them about preventing these attacks on their cloud infrastructure? So, for example, when it comes to the sophistication of these attacks, I think more often shadow IT, which people are not aware about, misconfiguration, or just people being under business pressure. So what they do is they
Starting point is 00:12:54 put their development environments in the cloud, sometimes forget about it. And especially with the pandemic, what I have seen recently happening a lot is that people were changing their environments very quickly due to certain lockdowns and due to work from home. And it was all about availability. But as we all know, security is not just availability. There are very important factors like confidentiality, integrity. And if we just think about availability and hope we can put in security layers at later stages and just make sure we can connect very quickly, then whoever has internet as well uses different kinds of search engines
Starting point is 00:13:35 which scan all these new systems on the internet. And if they have bad configuration management or vulnerabilities which are out of date, then it's not that difficult for these attackers to gain access to these systems. So in my opinion, security needs to be top of mind and it needs to be priority number one when it comes to putting stuff on the internet. Because if we don't, whoever has internet can do pretty much the same as the ones with the credentials. So I agree with you that most of the cloud hacks we've seen in the last five years or
Starting point is 00:14:09 so, even the last 10 years, you know, have been leveraging misconfigurations, leaving the doors and windows open, you know, so to speak. But I'm wondering what you think, why that is. You know, AWS started in like 2006. So we are well past a decade of using cloud infrastructure for our organizations. You'd think we would have gotten better by now. Why are we still messing with configuration problems and not really worrying about stopping adversaries? What do you think the problem is there?
Starting point is 00:14:39 It's a very good question. I think one big reason is, sure, usually rushing timelines. This is one thing which I see very often, that the business just demands things to be in place at a certain day. So we have this pressure. And then sometimes, as we know, people are sometimes unfortunately the weakest link, and maybe they are not properly trained. They are overworked. We have a lack of very skilled people in IT in general. So it's a hard battle to fight. And also the cloud is quite complex. So if we don't know exactly what we are doing
Starting point is 00:15:17 and information gets leaked in the wrong ways, then this can be abused by attackers very dramatically. Well, I like the idea that you said it was complex. And it isn't like we've replaced the old infrastructure complexity with cloud complexity. We've added it, you know, because we're still operating in our old data centers, back on-prem. And we've even added mobile devices too, plus SaaS applications. And now a lot of us have a lot of workloads inside of hybrid cloud environments. So the complexity of the security environment has really skyrocketed.
Starting point is 00:15:55 And maybe that's the reason that we can't even get the configuration done. What do you think about that? Yeah, definitely. And also people are not just connecting from their secure office spaces. People, as you mentioned, are using mobile phones, they're working from home, they're traveling, they're different locations. And the complexity is definitely something which makes it more difficult. And if it's not properly configured, then this is a really big deal. So Jonas, let's end it with this.
Starting point is 00:16:26 Can you offer any advice to the listeners today about what should they be thinking about first in securing these cloud environments? What's the number one thing that should be on their minds? I think we need to keep in mind that whatever we put on the internet, it doesn't take a lot of time until someone tries to hack in. So we need to keep in mind that before we put something on the internet, we come up with a plan, we have a strategy, we have policies, procedures in place,
Starting point is 00:16:52 how to properly secure these environments. And for that, we need to understand what are we actually trying to achieve. And security in the first place sounds like a lot of additional work and makes everything a little bit slower. But the drawback is if we don't do these things and put these devices directly on the Internet, I see these scanners out there picking up these new IP addresses in the first couple of hours and then getting automatically scanned against known vulnerabilities and being under attack immediately.
Starting point is 00:17:23 So keeping in mind that whatever we put on the Internet will be attacked very quickly, and if not properly secured, it's pretty much game over. That's the CyberWire's Rick Howard speaking with Jonas Walker from Fortinet. Next up, my conversation with Ell Marquez, Linux and security advocate at Intezer, our show sponsor. We all talk about that transition to the cloud, right? It's a topic that is overly discussed, but we like to focus on the positives.
Starting point is 00:18:02 We kind of bypass the negatives. And to me, it really is the emphasis that we have placed on agility. We want to be the first to market with new features. We want to be the first that integrates new technology. And what we're doing is we're putting it all on our devs. All right, devs, you're in charge of deployments. You're in charge of securing your own workload, in charge of securing the cloud, in charge of patching vulnerabilities. And then we look over at the security department and go, all right, make sure nothing gets messed up. It's impossible, right? We provide all this defense in depth, yet we tell security teams, well, we'll get to training. Right now, we need to get this feature out. Right now, we need to do this. And we never get to the training part.
Starting point is 00:18:45 We never get to actually teaching us on how to secure our clouds. Can you help us understand what are some of the benefits and liabilities when it comes to working in the cloud, specifically when it comes to this stuff? Is this a case where there are benefits, but also perilous things as well? It's interesting because I think that the benefits are also the negatives. I mean, we have what I talked about with agility and with that comes, you know, things coming in, things going out, and we lose visibility into what we're actually protecting. You know, you talk to security teams and they're like, we have to defend our customers' data. Great. Where is that located? Databases. But how many databases do you have out there,
Starting point is 00:19:32 especially if they're not on-prem? How quickly is this information coming in and out? We also have the fact that many companies are offloading the infrastructure, right? Infrastructure as a Service. Don't worry, the cloud provider will handle it. How often do we speak to the cloud provider on their security status? Right now, it is supply chain, all the things. That's all anyone's talking about. Imagine if an advanced persistent threat was actually able to compromise the cloud provider themselves. Have you even asked your cloud provider if they would let you know that that occurred? Wow.
Starting point is 00:20:13 Yeah, I mean, it strikes me that perhaps there's a false sense of security when it comes to moving things to the cloud. I mean, do you think that's accurate, that people think that the big-name cloud provider is going to maybe provide more than in reality they actually do? I've heard that so many times, and it's scary to hear that it's still happening where people and companies say, the cloud is secure by default. Now, the whole concept of the shared responsibility model where I just offload that security. We're using new things such as functions, but we just assume they're secure. Intezer has proven that that's not the case when we were able to hack Azure Functions. These are extremely difficult times because we want to believe in our cloud providers. And we end up in a catch-22.
Starting point is 00:20:55 Do we focus on security there and ensuring it's there, or do we focus on security on our end? It's just too broad. There's too much. Well, let's talk about some of the APTs themselves and some of the things that you and your colleagues are tracking when it comes to how they're exploiting the cloud environments. Recently in 2020, we actually saw an increase of 40% in new Linux malware families.
Starting point is 00:21:23 And many of these are coming from APTs, for example, you know, APT28 and APT20, and we can just add all the numbers here. What they're seeing is the vulnerabilities that we've introduced into our system. We're so busy configuring our cloud and ensuring our cloud deployments that we leave things like Docker APIs open. And we've seen and discovered malware such as Doki
Starting point is 00:21:44 that's specifically taking advantage of this. In the news currently is Team TNT that's actively going through and finding cloud resources and getting legitimate credentials, sitting and watching the servers to see what our workflow is so they can bypass that signature and anomaly-based detection. It's kind of like a prime target for them because they have the time to actually learn and invest. Whereas I've mentioned several times, our security teams lack that time. And we have APTs that have greater visibility into our systems. And we've even seen them come in and actually do the hardening on our systems to make sure that they're the only ones that are in it. They're better at our security than we are.
Starting point is 00:22:30 Yeah, you know, I've seen some of those stories where, you know, bad actors will come in and they'll actually, you know, clear out other groups' malware so that they have exclusive run of the place. I mean, that's fascinating that they're putting in that amount of effort. The most, I guess, fascinating story that I've kind of heard around there is a, I would say a turf war between, and I'm going to mess up these names, but Pacha, Rocke Group, hopefully I got those somewhere right.
Starting point is 00:23:00 Your guess is as good as mine, yeah. I should have just looked up the other names that we call them by. But what we're seeing is them actively going after one another's crypto mining software, the crypto jacking software, and keeping each other out of the servers, kicking each other out, hardening. All the threat actors seem to want the same thing, right? They want the resources on our system. So eventually they're going to be finding the same vulnerabilities. It's just a fascinating thing to me that they've kind
Starting point is 00:23:29 of, along with working with each other, have turned on each other. Right. No honor among thieves, I suppose. I mean, I think historically we've seen that happen over and over. So why not the cybersecurity field? Right, right. Now, I mean, I suppose, is it accurate to say as well that, as you sort of alluded to earlier, that, you know, the easy availability, the global availability of these cloud service platforms, the bad guys have that same level of availability. What makes it attractive to us, which is that we can use it easily from anywhere, they can have that same sort of access that we can. They really can. And we constantly see them using especially cloud providers outside of the U.S., outside of countries where they have that accountability to say, this is who used it. And at times they even use infrastructure from countries that do have that protection because
Starting point is 00:24:28 of all of the red tape involved within it. They can be gone by the time we're able to get to the actual investigation. So what is to be done then? I mean, what are the potential solutions here, your recommendations for how folks can best prepare themselves and protect themselves against these sort of things? We do need to continue doing some of the traditional things. We do need that endpoint protection. Obviously, we need to ensure that we have visibility into everything, you know, from our endpoints to our servers. But at the same time, we need to ensure that we actually know what's running on our assets. If they're coming up and going down with a minute or seconds, do you have something like
Starting point is 00:25:11 Doki that would have bypassed your early screening because the image itself was not malicious? Then it was able to use a command which many servers have, kind of a living off the land attack, by curling down the malicious payload. That happened in a matter of seconds to minutes. Were you able to detect that at the time? So by monitoring the runtime on our assets, we can actually get a view onto the code that is happening within that time. And one thing that we're noticing, especially when trying to look for APTs, is that there's a lot of shared code. They know these attacks work. Why would they reinvent them? They just start adding new code, changing a bit of things in order to bypass that signature detection.
Starting point is 00:25:56 They share code with one another. I mean, we basically have malware as a service at this point. And they start adapting features a little bit from A, a little bit from B, in order to gain different capabilities. You know, we mentioned at the outset that one of the real attractive things about cloud environments is how nimble they are, how quickly you can do things. I mean, does adding this sort of thing, having a system in place to keep an eye on what code is running, does that take away from an organization's
Starting point is 00:26:26 ability to be nimble? Is that an extra load to lift or are they able to pretty much run in parallel without a real impact? You know, at Intezer, one of the things that we focused on is ensuring that obviously we don't add to the resources that are being used within a system. I mean, if you've been compromised and you have cryptojacking occurring, then you're already at high CPU levels. So by focusing on sensors and technology that monitor things as they're occurring, that only really alert and notify you when they see malicious code, when they see malicious activity being launched, it takes a big load off of what
Starting point is 00:27:06 your security teams are having to do. It takes a load off of the resources that you are dedicating in order to monitor and protect your systems. One of the things that I heard recently is that cloud servers and cloud resources are being attacked every 90 minutes. I mean, we have one being hit and that's quickly going down in time, not going down in frequency, but the time used. So it's extremely complicated and just overwhelming when we look at our security teams trying to maintain our uptime
Starting point is 00:27:41 and the correct resources to a system. There has to be a balance between it, and that's why I personally and Intezer as a company believe that that runtime protection is so critical. And what are you hearing from the folks out there who are implementing these types of systems, the people who are charged with defending them? When they have something like this in place,
Starting point is 00:28:05 how does it affect how they're able to do their work, you know, their lifestyle in general? I hate to say that the thing I found most entertaining, but almost like uplifting, was that they're saying that they're gaining time to be able to do more of the analysis, more of the DFIR things. When we're so quickly trying to put bandages
Starting point is 00:28:24 on what's going on, many things slip through the cracks or we just harden our systems and try to move on. But with this extra time, they're able to delve in, have greater root cause analysis. And many of them are surprised at how many libraries and binaries are actually shared between all of this malware, which makes it so much easier for their teams to be able not only to detect it, but also to be able to build stronger defenses against it. One of the things that we definitely want to focus on, and it's something that I talk a lot about and government agencies talk a lot about, is that we need to have that assume breach mentality.
Starting point is 00:29:03 Yes, we can build all of the defenses we want, but when we're so busy building these walls, we're kind of building an environment where we're helping the APT that is already in our system. By being able to focus on our actual systems itself and look for the attacker that's probably already in there. I did a lunch and learn where I spoke to a lot of companies and 90% of the people there, you know, along with saying that they didn't have
Starting point is 00:29:31 visibility to their assets, said that there is more than likely something already compromised in their environment that they just don't know about. So critical with this is assuming breach and looking to see what's actually occurring on that system, because the attacker more than likely is already there. On behalf of my colleague, Rick Howard, our thanks to Jonas Walker for sharing his expertise and to Ell Marquez for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity
Starting point is 00:30:10 startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.
