APT10—allegedly a Chinese threat actor—has come up in the news recently, this time running a campaign known as Operation “Cloud Hopper”.
Chinese actors are the main suspect based on malware compilation time and interactive hacking activities, but there’s a chance that this is a deception attempt to manipulate the forensics evidence.
*The following post relying mainly on PWC analysis from April 2017: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
Attack Methodology
The strategy for this campaign is to target Managed Service Providers’ (MSP) networks and “hop” to their customers’ networks. MSPs are third party companies that manage the infrastructure of multiple small companies, which makes them a perfect target for attackers; they only need to hack one network—the MSP network—to access multiple clients. This scaling capability yields a higher ROI (hacking is a business after all).
Infiltration and Exfiltration
Even though the report indicates that the attackers compromised the MSP and then hopped to their customers, it’s almost impossible to guarantee, from a forensics point of view, the “patient-zero” infection. In most cases, you don’t have enough raw data—some of it’s deleted and some of it’s obfuscated—and the investigation might not start until years after the infiltration.
As the report indicates, the attackers took advantage of the MSP to gain access to more customers using shared resources (e.g. credentials).
The report also indicates a few known malware families in this campaign that were delivered via spear phishing emails. These are not sophisticated malware, so if the customers or the MSP had any good AV or sandbox solution, there is a high probability they would identify it.
Active Directory for the “rescue”
Active Directory is the underlying layer for almost every Data Breach and also in this case as well, meaning once you have RAT presence even on one end-point you can work undercover using legitimate AD domain identity.
Reconnaissance
You don’t need to be a domain admin to gather information from Active Directory, even the most basic domain user by design have the ability to query their Domain controllers for almost anything.
In this report, they found traces of built-in net and ping commands that were used to map the network. These tools allow the attackers to remain stealthy, and they eliminate the need to scan the entire ip network.
It’s not mentioned but they can easily use also LDAP queries to have a better perspective on the AD network with much more data with efficient target identification.
Lateral Movement
At this phase, the attackers need to escalate privileges and use powerful credentials in order to move laterally in the network.
In the report, there was evidence for Mimikatz and PwDump tools to extract credentials from the LSASS endpoint in order to gain Domain Admin privileges. (They didn’t mention any evidence for Kerberos ticket manipulation or any other sophisticated AD traversal method.)
Another stealthy key factor is using legitimate and built-in tools such as RDP, WMI, SMB shares for the actual movement.
Concluding Remarks
- The most important conclusion here is trust no one. This include your MSP and your Active Directory users.
- Nobody is immune to malware infection which means you need to have post breach strategy and better identification for lateral movement.
- Treat your Active Directory as a hostile environment, always assume breached.