Last Updated: 2016-07-07 17:00:56 UTC
by Johannes Ullrich (Version: 1)
The term "APT" often describes the methodology more than it does describe the actual exploit used to breach the target. Target selection and significant recognizance work to find the right "bait" to penetrate the target are often more important than the final vulnerability that is exploited. Traditional defenses like anti-malware systems and blocklists are not tuned to look for the vulnerability being exploited but are more looking for specific known exploits which can easily be obfuscated using commodity tools.
Cymmetria today released a research report showing results of a "deception" campaign they launched to learn more about a particular actor. In this case, the attack was targeting specific individuals using a spear phishing campaign, which are "APT" characteristics. The vulnerability being exploited (CVE-2014-4114) is about two years old and only affects PowerPoint 2003 and 2007, something you would expect to be patched by now. Privilege escalation was achieved using the UACME code which can be found in the public domain.
To exploit and pillage the infected system, open source software like Metasploit was then used to establish a remote shell via Meterpreter.
Cymmetria calls this a "Copy / Paste APT" in that it used code that was mostly copy/pasted from various well-known sources and methods which would be taught in an intermediate penetration testing class.
Another interesting aspect is the way in which Cymmetria used its deception tools. The overall idea of deception isn't exactly new, but it has seen a renaissance in the last couple years. In the past, "Honeypots" were mostly used by researchers to learn more about commodity attacks. Researchers usually configured systems with known vulnerabilities in unprotected networks to lure attackers and to learn more about their methods and objectives. Modern commercial deception tools take a slightly different approach, more along the idea of "honey tokens" then honeypots. The goal of these tools is to detect more advanced attacks. Systems are not made particularly vulnerable to entice the attacker, but instead, these systems follow more the ideas of "honey tokens," small bits of data that entice the attacker to pursue specific targets that are used to detect the attacks. For example, Cymmetria deployed specific file shares that would look enticing to an attacker, and left documents behind with pointers to RDP servers that were part of the deception campaign.
In this particular case, after the system was infected via the PowerPoint document, the attacker exfiltrated numerous documents from the system. It took about three days until the attacker discovered the deception file share and tried to access it. The attacker then took the bait, and also connected to the RDP system. However, they were not able to log in as the document describing the RDP service did not include credentials. Instead, credentials would have been available in memory on the infected system (e.g. the attacker would have to run mimikatz).
Cymmetria published IoCs as part of their release. You can use them to look for this threat in your systems. But I think the lesson should be that even more advanced actors can be tricked into using honey tokens, which creates a relatively low-cost opportunity to detect a compromise early. In this case, it took about three days, which doesn't sound great at first, but keep in mind that these attacks are usually only detected after months using more traditional means.