Threat Intelligence

11/16/2017
10:30 AM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Forget APTs: Let's Talk about Advanced Persistent Infrastructure

Understanding how bad guys reuse infrastructure will show you the areas of your network to target when investigating new threats and reiteration of old malware.

Security staff put a lot of emphasis on advanced persistent threats, or APTs, and rightly so. They are extremely difficult to defend against if a hacker is specifically targeting an organization. But with everyone's focus on APTs, we may be missing a different type of attack vector: advanced persistent infrastructure.

We tend to view threats in a silo, often ignoring correlating histories. By doing that, we miss vital information about attacks. In this case, intruders are using patterns that weren't readily picked up in the past. They aren't looking to buy a new server for every new attack. Instead, threat actors will reuse IPs and domain names across multiple campaigns.

The evolution of the Apache Struts vulnerability is a good example of how threat actors use advanced persistent infrastructure as an attack vector. In 2014, there were initial reports of exploits against the Struts vulnerability. In early 2017, new exploits were discovered in a Struts 2 vulnerability. We noticed the two exploits followed a very distinct pattern.

According to data submitted by qualified companies without attribution on TruSTAR's threat intelligence platform, we can now see threats trending across major industry sectors like retail, financial services, cloud, and healthcare. For the past four weeks, indicators of compromise (IOCs) associated with Apache Struts 2 have been trending across our all of the users who submit data to our platform. Looking back at historical report data in the Struts 1 and Struts 2 vulnerabilities, we found that the IP addresses used with the original Struts are now being used with the new Struts.

This lead to some interesting observations:

  • Tactics May Change But IPs Don't. Unless they are a member of a big crime organization, most bad guys don't have the money to buy new IP addresses and domains over and over again. Hence, when an IP address comes online we should know exactly what it is tied to and its history.
  • Hackers Feed on the Lazy. The connections between Struts 1 and Struts 2 created a new reality: as is often the case, when a new zero-day exploit is reported, organizations are slow to move on patching these things. The bad guys know they have to act quickly to make use of the exploit. What they do is simply retool their favorite form of malware, and then use the infrastructure access they have in place, like IPs and domains, to launch the new attacks.

Recognizing how these IP addresses and domains are reused allow you to predict what may be coming down the pike. Look at your activity history. That will give you an idea about what to be on the lookout for. When you see a new version or variant of a known malware, monitor old IPs and domains that directly correlate for new activity.

By understanding how bad guys reuse infrastructure, you’ll have a better idea of the areas of your network to target when investigating a new threat, especially when it is a reiteration of an old malware.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bdsaltaformaggio
100%
0%
bdsaltaformaggio,
User Rank: Author
11/20/2017 | 12:33:57 PM
Homogeneous Systems
I could not agree more with your assessment. In fact, the situation is made exponentially worse due to many components being supplied by a single vendor. These largely homogeneous systems only serve to lower the bar for attackers.
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7682
PUBLISHED: 2018-06-22
Micro Focus Solutions Business Manager versions prior to 11.4 allows a user to invoke SBM RESTful services across domains.
CVE-2018-12689
PUBLISHED: 2018-06-22
phpLDAPadmin 1.2.2 allows LDAP injection via a crafted server_id parameter in a cmd.php?cmd=login_form request, or a crafted username and password in the login panel.
CVE-2018-12538
PUBLISHED: 2018-06-22
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage...
CVE-2018-12684
PUBLISHED: 2018-06-22
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
CVE-2018-12687
PUBLISHED: 2018-06-22
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.