Hackers are changing their modus operandi and spending a little bit more time and effort to make sure they get the holy grail of admin access into a target’s systems.
Raymond Schippers is an IT security engineer with Check Point Software, and has been seeing more and more instances of attackers specifically targeting IT administrators with highest-level access.
While it requires a little more time spent scouring LinkedIn and effort to craft a cleverly disguised phishing email, the payoff of successfully compromising an IT administrator is worth it.
“Rather than having to escalate privileges, you know exactly that [your target] has privileges,” he told iTnews.
He will present one particular case study at the Wahckon information security conference in Perth next week.
Schippers recently helped a financial regulator in Europe work out how attackers managed to infiltrate and completely destroy its IT infrastructure.
The regulator only realised it had been hacked after coming in one morning and finding that all its computers and servers no longer worked.
Working backwards, Schippers and his team were able to identify the point of entry - a compromised web server running WordPress - that served as the launch pad for a specially-crafted phishing email containing a malicious Excel file sent to the regulator’s IT admins.
The admins trusted the email because it came from the regulator’s own infrastructure. From there the writing was on the wall.
“They got in and exfiltrated as much data as they could. We were lucky that some of the logs survived and gave us the information to work out where the bad guys moved through, and the data they were after. And when they were finished, they destroyed everything in their tracks,” Schippers said.
It took the regulator six weeks to fully restore its operations from tape backup.
Clues within the logs - and the fact that the attackers deployed the same malware to a number of banks in the country on the same day - as well as the current geopolitical situation in the country led Check Point to believe the attack was state-sponsored.
Schippers declined to name the organisation or country in question.
One possible suspect is Ukraine, which has been grappling with constant attacks on its national infrastructure - including financial services and power operations - for the last few years, seemingly as a result of its current tensions with Russia.
Poland's financial regulator was also compromised "from another country" earlier this year and spurred a massive infection of systems within the country's banking sector.
A standard cybercrime operation generally wants to expend the least amount of effort for the most amount of gain.
But Schippers expects laborious attacks targeting high-privileged users to continue to grow in frequency, despite the significant amount of effort involved.
He says Check Point has already identified a few “basic” attacks locally using the same method.
“It’s easier when you know [your target] has the privileges you’re after,” he said.
“And we’re starting to see more companies insourcing, which means that to get to a company you’re going to have to go after the IT guys.”
Just this month the Australian Cyber Security Centre warned enterprises to be on the lookout for hackers targeting their outsourcers.
The APT10 or Stone Panda hacking group has been on a campaign to steal information and gain access to networks since mid-last year, and is using IT outsourcers as a stepping stone into customer operations.
Once the attackers are in a network, they are increasingly going for the emails of IT admins and CISOs to work out whether they’ve been detected, and what the organisation’s response is, Schippers said.
In one particular case, Check Point worked with a medical device manufacturer that had been compromised after an assembly worker downloaded a bible study generator containing the Steggoloader malware.
Attackers then targeted the CISO’s email account to stay one step ahead of their target.
“They looked for all the privileged people and tried to read their emails and understand what was going on inside that network, look for whatever was valuable, and understand the response from the security team,” Schippers said.
The attackers were able to compromise 100 machines, forcing the medical device manufacturer to effectively build an entirely new network and migrate all its old machines over a six-month period.
When the protectors become the protected
So what do you do when the guardians of your network are the ones being compromised?
Schippers’ solution is to make sure your IT admin network is segregated from your normal network.
“Today a lot of IT admins will log into their desktop with a normal account, do their work, browse the internet, and connect to a trusted system to do admin work,” he said.
“The issue is the bad guy sends you the email, installs a keylogger, has your email and password and can log in and ruin your entire network.
“We recommend you have a locked-off network where you do your IT admin stuff, and if you need to browse the internet or do other work, you connect through a different computer.”
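One way to back that recommendation with detection is to alert whenever a privileged account logs on from anywhere other than the locked-off admin network. The following is an added Python example, not code from the article or from Check Point; it assumes an "adm-" naming prefix for privileged accounts, a 10.50.0.0/24 admin subnet and a constructed log line format.

```python
import ipaddress
import re

# Assumed conventions (not from the article): privileged accounts carry an
# "adm-" prefix and the locked-off admin network is 10.50.0.0/24.
ADMIN_NET = ipaddress.ip_network("10.50.0.0/24")
ADMIN_ACCOUNT = re.compile(r"^adm-", re.IGNORECASE)

# Constructed log line format used by this example:
# "<timestamp> user=<account> src=<ip> host=<workstation> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>ok|fail)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def admin_logons_off_admin_net(lines):
    """Return every privileged-account logon whose source is outside ADMIN_NET.
    Failed attempts are kept too: a keylogged admin password being tried from
    an ordinary desktop is exactly the scenario the article describes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ADMIN_ACCOUNT.match(rec["user"]):
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # malformed source field; nothing to compare against the subnet
        if src not in ADMIN_NET:
            findings.append(rec)
    return findings

# Constructed sample: admin logons from the jump hosts pass; an admin logon and
# a failed admin attempt from general-purpose desktops are flagged.
SAMPLE_LOG = [
    "2017-05-01T08:02:11Z user=adm-jsmith src=10.50.0.12 host=jump01 result=ok",
    "2017-05-01T08:15:40Z user=jsmith src=10.20.3.44 host=desk-117 result=ok",
    "2017-05-01T09:01:05Z user=adm-jsmith src=10.20.3.44 host=desk-117 result=ok",
    "2017-05-01T09:03:22Z user=ADM-KLEE src=192.168.7.9 host=desk-203 result=fail",
    "2017-05-01T09:10:00Z user=adm-klee src=10.50.0.15 host=jump02 result=ok",
    "garbage line that does not parse",
]

for f in admin_logons_off_admin_net(SAMPLE_LOG):
    print(f"ALERT {f['ts']} {f['user']} from {f['src']} ({f['host']}) result={f['result']}")
```

In a real deployment the same check would run over the identity provider's or domain controller's authentication logs, with the account pattern and subnet taken from the organisation's own naming and addressing scheme.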