Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/16/2017
10:30 AM
Curtis Jordan
Curtis Jordan
Commentary
100%
0%

Forget APTs: Let's Talk about Advanced Persistent Infrastructure

Understanding how bad guys reuse infrastructure will show you the areas of your network to target when investigating new threats and reiteration of old malware.

Security staff put a lot of emphasis on advanced persistent threats, or APTs, and rightly so. They are extremely difficult to defend against if a hacker is specifically targeting an organization. But with everyone's focus on APTs, we may be missing a different type of attack vector: advanced persistent infrastructure.

We tend to view threats in a silo, often ignoring correlating histories. By doing that, we miss vital information about attacks. In this case, intruders are using patterns that weren't readily picked up in the past. They aren't looking to buy a new server for every new attack. Instead, threat actors will reuse IPs and domain names across multiple campaigns.

The evolution of the Apache Struts vulnerability is a good example of how threat actors use advanced persistent infrastructure as an attack vector. In 2014, there were initial reports of exploits against the Struts vulnerability. In early 2017, new exploits were discovered in a Struts 2 vulnerability. We noticed the two exploits followed a very distinct pattern.

According to data submitted by qualified companies without attribution on TruSTAR's threat intelligence platform, we can now see threats trending across major industry sectors like retail, financial services, cloud, and healthcare. For the past four weeks, indicators of compromise (IOCs) associated with Apache Struts 2 have been trending across our all of the users who submit data to our platform. Looking back at historical report data in the Struts 1 and Struts 2 vulnerabilities, we found that the IP addresses used with the original Struts are now being used with the new Struts.

This lead to some interesting observations:

  • Tactics May Change But IPs Don't. Unless they are a member of a big crime organization, most bad guys don't have the money to buy new IP addresses and domains over and over again. Hence, when an IP address comes online we should know exactly what it is tied to and its history.
  • Hackers Feed on the Lazy. The connections between Struts 1 and Struts 2 created a new reality: as is often the case, when a new zero-day exploit is reported, organizations are slow to move on patching these things. The bad guys know they have to act quickly to make use of the exploit. What they do is simply retool their favorite form of malware, and then use the infrastructure access they have in place, like IPs and domains, to launch the new attacks.

Recognizing how these IP addresses and domains are reused allow you to predict what may be coming down the pike. Look at your activity history. That will give you an idea about what to be on the lookout for. When you see a new version or variant of a known malware, monitor old IPs and domains that directly correlate for new activity.

By understanding how bad guys reuse infrastructure, you’ll have a better idea of the areas of your network to target when investigating a new threat, especially when it is a reiteration of an old malware.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

This research was provided by the TruSTAR Data Science Unit. Click here to download the IOCs that are currently leveraging the Apache Struts 2 attack.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Curtis Jordan is TruSTAR's lead security engineer where he manages engagement with the TruSTAR network of security operators from Fortune 100 companies and leads security research and intelligence analysis. Prior to working with TruSTAR, Jordan worked at CyberPoint ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bdsaltaformaggio
100%
0%
bdsaltaformaggio,
User Rank: Author
11/20/2017 | 12:33:57 PM
Homogeneous Systems
I could not agree more with your assessment. In fact, the situation is made exponentially worse due to many components being supplied by a single vendor. These largely homogeneous systems only serve to lower the bar for attackers.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...