How secure are your cloud providers?
New approach by Chinese hackers compromises MSPs, then infiltrates customers...
A new report details the innovative way in which a well-established hacker group is growing its operation by compromising cloud service providers in order to reach into their customers.
Previously, hacking groups were known to use compromised cloud services as ‘warehouses’ for attack tools and malware, and as relay points. However, this new strategy means that the ‘cyber espionage’ group in question can use the trusted channels between a cloud provider or MSP and its client business to infiltrate malware and exfiltrate data with impunity, since most enterprises whitelist their cloud service providers.
According to 2016 stats from the Cloud Industry Forum, more than four in five UK organisations have formally adopted at least one cloud service.
The report, by PWC UK and BAE Systems, details the ‘MO’ of a group of China-based hackers, known to the infosec community by a range of monikers, including APT10 (FireEye), Red Apollo (PwC), CVNX (BAE Systems), Stone Panda (CrowdStrike), POTASSIUM (Microsoft), and MenuPass (Trend Micro).
The APT10 campaign, which the report calls Operation Cloud Hopper, has targeted managed IT service providers (MSPs), allowing APT10 unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally. A number of Japanese organisations have also been directly targeted in a separate, simultaneous campaign by the same group, according to the report.
APT10 previously targeted employees in key enterprise environments with traditional spear-phishing techniques, but in late 2016 switched to less well-hardened MSP networks and their in-house staff. The result appears to have been a string of compromises across the globe, including companies in the UK, US, India, Japan, France, Brazil, Canada, South Africa, Australia, Thailand, and South Korea.
The group has developed its own malware strains, as well as adapting existing Trojans, in an evolving toolbox the report states is indicative of APT10’s “increasing sophistication”, which the authors believe is highly likely to continue. The hackers deliberately use a range of open-source, legitimate tools to minimise the risk of detection, and, with the same goal in mind, also use standard Windows utilities such as ping.exe and net.exe for communication checks.
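Taken one at a time, the ping.exe and net.exe “communication checks” described above look like routine administration, which is exactly why they blend in. The following is an added example, not code from the report or from either vendor, of a hunt heuristic that correlates such checks into a reachability sweep per host and account; it runs over constructed Sysmon-style process-creation events, and the MSP_ACCOUNTS set, the thresholds and the event field names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events; sample data only, not taken from the report.
SAMPLE_EVENTS = [
    {"ts": 0,   "host": "WS01",       "user": "CORP\\alice",   "image": "ping.exe", "cmdline": "ping intranet"},
    {"ts": 10,  "host": "MSP-JUMP01", "user": "CORP\\svc-msp", "image": "ping.exe", "cmdline": "ping -n 1 10.0.0.11"},
    {"ts": 12,  "host": "MSP-JUMP01", "user": "CORP\\svc-msp", "image": "ping.exe", "cmdline": "ping -n 1 10.0.0.12"},
    {"ts": 15,  "host": "MSP-JUMP01", "user": "CORP\\svc-msp", "image": "net.exe",  "cmdline": "net view \\\\10.0.0.13"},
    {"ts": 18,  "host": "MSP-JUMP01", "user": "CORP\\svc-msp", "image": "net.exe",  "cmdline": "net use \\\\10.0.0.14\\IPC$"},
    {"ts": 900, "host": "WS02",       "user": "CORP\\bob",     "image": "net.exe",  "cmdline": "net use Z: \\\\files\\share"},
]

# Accounts the service provider uses to administer the estate (assumed list; adapt to your own MSP accounts).
MSP_ACCOUNTS = {"CORP\\svc-msp"}
WINDOW_SECONDS = 300   # how long a burst of checks is correlated
SWEEP_THRESHOLD = 3    # distinct remote targets from one (host, user) pair that raises an alert

PING_RE = re.compile(r"^ping\b.*?\s(\S+)\s*$", re.I)           # last argument is the target host
NET_RE = re.compile(r"^net\s+(?:view|use)\b.*?\\\\([^\\\s]+)", re.I)  # host after the leading \\

def remote_target(image, cmdline):
    """Return the host a ping.exe / net.exe command reaches out to, or None for anything else."""
    image = image.lower()
    if image == "ping.exe":
        m = PING_RE.match(cmdline)
    elif image == "net.exe":
        m = NET_RE.match(cmdline)
    else:
        return None
    return m.group(1).lower() if m else None

def detect_sweeps(events):
    """Alert once when one host/user touches SWEEP_THRESHOLD distinct targets within WINDOW_SECONDS."""
    seen = defaultdict(list)   # (host, user) -> [(ts, target)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        target = remote_target(e["image"], e["cmdline"])
        if target is None:
            continue
        key = (e["host"], e["user"])
        seen[key].append((e["ts"], target))
        recent = sorted({t for ts, t in seen[key] if e["ts"] - ts <= WINDOW_SECONDS})
        if len(recent) == SWEEP_THRESHOLD:   # fire only when the threshold is first crossed
            alerts.append({"host": e["host"], "user": e["user"], "targets": recent,
                           "severity": "high" if e["user"] in MSP_ACCOUNTS else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_EVENTS):
        print(alert)
```

Provider-administration accounts are weighted higher because, as the article notes, those are the trusted channels an intruder inherits once an MSP is compromised.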
Ilia Kolochenko, CEO of High-Tech Bridge, said: “Until we get more details on the attacks, we cannot infer any reliable conclusions about who is behind the so-called APT10. Taking into consideration how careless and negligent some managed IT providers are, I wouldn’t be surprised if all the attacks were conducted by a group of teenagers - something we have seen in the past.
“IT services providers should better enumerate and assess their digital risks, and implement appropriate security controls to mitigate related threats and vulnerabilities. Security standards, like ISO 27001, can significantly help assure that the risks are continuously identified and are being duly addressed. For cybersecurity service providers, accreditation by CREST is also an important factor to demonstrate the necessary standard of care about security, confidentiality and integrity for their own and clientele data.
Companies looking to secure their supply-chain can oblige their suppliers to get certified by ISO 27001 for example, or to provide a solid and unconditional insurance to cover any data breaches and data leaks, including direct and consequential damages.”
PWC UK and BAE Systems reached a similar conclusion, stating: “This campaign serves to highlight the importance of organisations having a comprehensive view of their threat profile, including that of their supply chain. More broadly, it should also encourage organisations to fully assess the risk posed by their third party relationships, and prompt them to take appropriate steps to assure and manage these.”
Compromise via a third party isn’t a new idea, but it certainly seems to be an effective one from the point of view of APT10, and one worthy of consideration for any enterprise. The report contains a range of technical indicators of compromise (IOCs), so it is worth reading and using to update firewalls and security appliances.