Threat Intelligence

11/16/2017
10:30 AM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Forget APTs: Let's Talk about Advanced Persistent Infrastructure

Understanding how bad guys reuse infrastructure will show you the areas of your network to target when investigating new threats and reiteration of old malware.

Security staff put a lot of emphasis on advanced persistent threats, or APTs, and rightly so. They are extremely difficult to defend against if a hacker is specifically targeting an organization. But with everyone's focus on APTs, we may be missing a different type of attack vector: advanced persistent infrastructure.

We tend to view threats in a silo, often ignoring correlating histories. By doing that, we miss vital information about attacks. In this case, intruders are using patterns that weren't readily picked up in the past. They aren't looking to buy a new server for every new attack. Instead, threat actors will reuse IPs and domain names across multiple campaigns.

The evolution of the Apache Struts vulnerability is a good example of how threat actors use advanced persistent infrastructure as an attack vector. In 2014, there were initial reports of exploits against the Struts vulnerability. In early 2017, new exploits were discovered in a Struts 2 vulnerability. We noticed the two exploits followed a very distinct pattern.

According to data submitted by qualified companies without attribution on TruSTAR's threat intelligence platform, we can now see threats trending across major industry sectors like retail, financial services, cloud, and healthcare. For the past four weeks, indicators of compromise (IOCs) associated with Apache Struts 2 have been trending across our all of the users who submit data to our platform. Looking back at historical report data in the Struts 1 and Struts 2 vulnerabilities, we found that the IP addresses used with the original Struts are now being used with the new Struts.

This lead to some interesting observations:

  • Tactics May Change But IPs Don't. Unless they are a member of a big crime organization, most bad guys don't have the money to buy new IP addresses and domains over and over again. Hence, when an IP address comes online we should know exactly what it is tied to and its history.
  • Hackers Feed on the Lazy. The connections between Struts 1 and Struts 2 created a new reality: as is often the case, when a new zero-day exploit is reported, organizations are slow to move on patching these things. The bad guys know they have to act quickly to make use of the exploit. What they do is simply retool their favorite form of malware, and then use the infrastructure access they have in place, like IPs and domains, to launch the new attacks.

Recognizing how these IP addresses and domains are reused allow you to predict what may be coming down the pike. Look at your activity history. That will give you an idea about what to be on the lookout for. When you see a new version or variant of a known malware, monitor old IPs and domains that directly correlate for new activity.

By understanding how bad guys reuse infrastructure, you’ll have a better idea of the areas of your network to target when investigating a new threat, especially when it is a reiteration of an old malware.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bdsaltaformaggio
100%
0%
bdsaltaformaggio,
User Rank: Author
11/20/2017 | 12:33:57 PM
Homogeneous Systems
I could not agree more with your assessment. In fact, the situation is made exponentially worse due to many components being supplied by a single vendor. These largely homogeneous systems only serve to lower the bar for attackers.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14339
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the MMSE dissector could go into an infinite loop. This was addressed in epan/proto.c by adding offset and length validation.
CVE-2018-14340
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, dissectors that support zlib decompression could crash. This was addressed in epan/tvbuff_zlib.c by rejecting negative lengths to avoid a buffer over-read.
CVE-2018-14341
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the DICOM dissector could go into a large or infinite loop. This was addressed in epan/dissectors/packet-dcm.c by preventing an offset overflow.
CVE-2018-14342
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed in epan/dissectors/packet-bgp.c by validating Path Attribute lengths.
CVE-2018-14343
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ASN.1 BER dissector could crash. This was addressed in epan/dissectors/packet-ber.c by ensuring that length values do not exceed the maximum signed integer.