Advanced Persistent Threat groups also usually carry a fancy name with an animal suffix, the animal denoting the country they are associated with. In CrowdStrike's scheme, for example, groups affiliated with China are ‘Panda’, Russia is ‘Bear’ (‘Spider’ marks a criminal group with no state attribution) and so on.
They’re also known by a number. By way of example, APT41 is a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations.
APTs are long-lasting bodies. They shift focus to meet changing objectives, and their profile and modus operandi change over time: migrating across sectors and altering their Tactics, Techniques and Procedures (TTPs) for different ideological, financial and political gains.
With effective Threat Intelligence and a mature Security Operations function, most organisations can detect, and often prevent, their activity.
There are catalogues (MITRE ATT&CK's group list, vendors' own naming registers) that keep the numbering and naming of known APTs consistent, but what do we do about the ‘others’ that never make the list?
APT ‘Script Kiddy’
We at Unshakeable Salt Ltd see a particular threat and series of attacks every month. The attack is definitely persistent. It would also be a threat if we had not implemented additional security controls. It is certainly not Advanced.
Every month, a toolkit out there produces a script that attempts to ‘brute force’ the login of websites running the WordPress content management system, ours included. The script is clever enough to work out where a website is hosted and derive the username format that hosting provider issues by default. By way of example, it knows that hosting companies format usernames as:
- “domainname.firstname” when provided as infrastructure from a certain UK domain name provider
- “domainname” when provided as a service by GoDaddy
- “authorname” when centrally hosted on a common shared WordPress provider
Clever enough, but not clever enough to notice when multi-factor authentication has been enabled. Nor does the script detect when its IP address has been blocked from logging in: it keeps hitting the login page URL and ignores the textual response telling it that it has been blocked and reported.
Those reporting mechanisms identified a new threat to us, and the spawning of a new threat group that we wish to bring to your attention.
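What the defending side of this looks like, as an added example that is not code from the original post or from any plugin: a small detector that replays login-audit lines, derives the hosting-default usernames the script would try for our own site (the three patterns quoted above), and separates the hosting-aware, MFA-blind, lockout-ignoring script from a generic wordlist attack and from ordinary users. The key=value log format, the `lockout_threshold`, the verdict names and the sample lines are all constructed for the example; which providers use which username pattern is the post's claim, not something the code verifies.

```python
"""Spot the hosting-aware WordPress brute-force pattern in login-audit lines."""
import re
from collections import defaultdict

# Constructed sample in a hypothetical key=value login-audit format (not a real plugin's log).
SAMPLE_LOG = """\
2024-05-03T10:00:01Z ip=203.0.113.10 user=example result=fail reason=bad_password
2024-05-03T10:00:02Z ip=203.0.113.10 user=example result=fail reason=bad_password
2024-05-03T10:00:03Z ip=203.0.113.10 user=example.jane result=fail reason=mfa_missing
2024-05-03T10:00:04Z ip=203.0.113.10 user=example.jane result=fail reason=mfa_missing
2024-05-03T10:00:05Z ip=203.0.113.10 user=example.jane result=fail reason=mfa_missing
2024-05-03T10:00:06Z ip=203.0.113.10 user=example result=blocked reason=ip_locked
2024-05-03T10:00:07Z ip=203.0.113.10 user=example result=blocked reason=ip_locked
2024-05-03T10:30:00Z ip=192.0.2.44 user=admin result=fail reason=bad_password
2024-05-03T10:30:01Z ip=192.0.2.44 user=administrator result=fail reason=bad_password
2024-05-03T10:30:02Z ip=192.0.2.44 user=root result=fail reason=bad_password
2024-05-03T10:30:03Z ip=192.0.2.44 user=test result=fail reason=bad_password
2024-05-03T10:30:04Z ip=192.0.2.44 user=wordpress result=fail reason=bad_password
2024-05-03T11:00:00Z ip=198.51.100.7 user=jane.smith result=fail reason=bad_password
2024-05-03T11:00:20Z ip=198.51.100.7 user=jane.smith result=success reason=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) reason=(?P<reason>\S+)$"
)


def hosting_default_usernames(domain, first_name=None, author=None):
    """Usernames the script would derive from the hosting conventions quoted in the post."""
    label = domain.lower().split(".")[0]            # "example.co.uk" -> "example"
    names = {label}                                  # GoDaddy style: "domainname"
    if first_name:
        names.add(f"{label}.{first_name.lower()}")   # UK provider style: "domainname.firstname"
    if author:
        names.add(author.lower())                    # shared WordPress host: "authorname"
    return names


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(s, lockout_threshold):
    if s["failures"] >= lockout_threshold and s["knows_defaults"] and s["after_block"] > 0:
        return "apt00"        # hosting-aware, MFA-blind, ignores the lockout response
    if s["failures"] >= lockout_threshold:
        return "brute_force"  # generic wordlist, no hosting knowledge
    return "benign"


def analyse(log_text, defaults, lockout_threshold=5):
    """Per-IP counters plus a verdict; 'blocked' lines are requests made after lockout."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "mfa_missing": 0,
                                 "after_block": 0, "users": set(),
                                 "knows_defaults": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["user"].lower() in defaults:
            s["knows_defaults"] = True       # tried a username only a hosting-aware script would
        if rec["result"] == "blocked":
            s["after_block"] += 1            # kept hitting the login page after being locked out
        elif rec["result"] == "fail":
            s["failures"] += 1
            if rec["reason"] == "mfa_missing":
                s["mfa_missing"] += 1        # right username, no second factor supplied
    for s in stats.values():
        s["verdict"] = classify(s, lockout_threshold)
    return dict(stats)


if __name__ == "__main__":
    defaults = hosting_default_usernames("example.co.uk", first_name="Jane", author="jdoe")
    for ip, s in analyse(SAMPLE_LOG, defaults).items():
        print(f"{ip:15} {s['verdict']:11} failures={s['failures']} "
              f"mfa_missing={s['mfa_missing']} after_block={s['after_block']} "
              f"users={sorted(s['users'])}")
```

The `after_block` counter is the tell: a human, or a better script, stops once the login page says it has been blocked, so requests that keep arriving after lockout are what separate the "apt00" verdict from an ordinary brute-force attempt against the same threshold.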
Advanced Persistent Threat (APT00)
Numbered 00, unattributed and paying homage to Dick Dastardly, let me introduce you to APT00. In the cartoons, Dick Dastardly came up with elaborate and technically complex ways to solve simple problems. He also very nearly always failed. It seems somewhat apt (see what I've just done there) to nickname this group of script kiddies after him.
Threat Intelligence Mis-Use Case
Today we are seeing a lot of attempted authentications from 220.127.116.11 and 18.104.22.168. They are failing because, although they are using the correct GoDaddy-style default usernames, they are not providing a multi-factor token as part of the logon process. Our controls have locked out those IP addresses and our SIEM has automatically filed abuse reports to AbuseIPDB.
Looking at other reports for these same IP addresses, you find they have previously self-reported for abuse. As part of a submission, the reporting user supplies free text describing the type of abuse that was detected. Spotting an opportunity, they have inserted a spam message linking to a dodgy website hosted on a dynamic DNS domain.
Having placed their ad-revenue-generating link on threat intel and abuse-reporting websites, they then misuse the IP address so that other people investigate it. That drives more traffic to the abuse-reporting engines and, in turn, more eyes onto their dodgy link.
You have to question this approach. Everyone who uses the threat and abuse-reporting tools should spot this misuse!
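Two hygiene checks for the abuse-report comment field, added here as an example (not code from the original post or from AbuseIPDB): outgoing comments are stripped of links before filing, and incoming reports whose comment carries a link are set aside as probable spam rather than treated as intelligence. The report dictionary uses the `ip`, `categories` and `comment` fields of AbuseIPDB's v2 report endpoint, with category IDs 18 (Brute-Force) and 21 (Web App Attack) as published at the time of writing; the sample reports are constructed, the URL pattern only catches scheme- or www-prefixed links, and nothing is sent.

```python
"""Hygiene for the abuse-report comment field, both outgoing and incoming."""
import re

# Links with a scheme or a www. prefix; bare domains are deliberately not matched
# because legitimate comments name sites such as the reporting service itself.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

# Category IDs as published by AbuseIPDB when this was written; check the current list.
CATEGORY_BRUTE_FORCE = 18
CATEGORY_WEB_APP_ATTACK = 21


def comment_is_spam(comment):
    """A comment that carries a link is advertising, not abuse evidence."""
    return URL_RE.search(comment) is not None


def sanitise_comment(comment, limit=1024):
    """Strip links and whitespace noise from a comment we are about to file."""
    cleaned = URL_RE.sub("[link removed]", comment)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return cleaned[:limit]


def build_report(ip, failures, after_block, first_seen):
    """Body for AbuseIPDB's v2 report endpoint (ip, categories, comment); not sent here."""
    comment = (
        f"WordPress wp-login.php brute force: {failures} failed logins, "
        f"{after_block} further requests after IP lockout, first seen {first_seen}. "
        "Hosting-default usernames tried, no multi-factor token supplied."
    )
    categories = f"{CATEGORY_BRUTE_FORCE},{CATEGORY_WEB_APP_ATTACK}"
    return {"ip": ip, "categories": categories, "comment": sanitise_comment(comment)}


# Constructed sample of comments as they might appear on other people's reports.
SAMPLE_REPORTS = [
    {"ip": "203.0.113.10", "comment": "wp-login.php brute force, 40 attempts in two minutes"},
    {"ip": "203.0.113.10", "comment": "Best prices here >>> http://cheap-deals.dyn.example/buy <<<"},
    {"ip": "203.0.113.10", "comment": "see www.cheap-deals.example for the full offer"},
]


def triage(reports):
    """Split reports into usable evidence and link-carrying spam."""
    evidence, spam = [], []
    for report in reports:
        (spam if comment_is_spam(report["comment"]) else evidence).append(report)
    return evidence, spam


if __name__ == "__main__":
    evidence, spam = triage(SAMPLE_REPORTS)
    print(f"{len(evidence)} usable report(s), {len(spam)} spam comment(s)")
    print(build_report("203.0.113.10", failures=5, after_block=2,
                       first_seen="2024-05-03T10:00:01Z"))
```

Treating any link as disqualifying is deliberate: a genuine abuse comment has no need to send the reader anywhere, so the false-positive cost is low, while the false negatives (bare domains, obfuscated links) are the ones a human reading the report will still notice.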
Burning time, money and resources to put spam website links into locations where security professionals reside is farcical. We would like to hope that they have spent effort to write scripts to automate this entire process. In reality though, I just have the feeling that there is some Far Eastern sweatshop in which there are dozens of employees typing in abuse report after abuse report.
We’re just hoping now that all those employees are Muttley clones, demanding medals if anyone is actually dumb enough to click on a link.