BACK

TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers

TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service ProvidersOriginal release date: October 03, 2018Systems Affected Network Systems Overview The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and …

  • 03 Oct 2018
10 min read
TA18-276B: Advanced Persistent Threat Activity Exploiting Managed Service Providers
Original release date: October 03, 2018Systems Affected Network Systems Overview The National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.This Technical Alert (TA) provides information and guidance to assist MSP customer network and system administrators with the detection of malicious activity on their networks and systems and the mitigation of associated risks. This TA includes an overview of TTPs used by APT actors in MSP network environments, recommended mitigation techniques, and information on reporting incidents. Description MSPs provide remote management of customer IT and end-user systems. The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks, and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors. By using compromised legitimate MSP credentials (e.g., administration, domain, user), APT actors can move bidirectionally between an MSP and its customers’ shared networks. Bidirectional movement between networks allows APT actors to easily obfuscate detection measures and maintain a presence on victims’ networks.Note: NCCIC previously released information related to this activity in Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors published on April 27, 2017, which includes indicators of compromise, signatures, suggested detection methods, and recommended mitigation techniques.Technical DetailsAPTAPT actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks.Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems.PowerSploit is a repository of Microsoft PowerShell and Visual Basic scripts and uses system commands such as netsh. PowerSploit, originally developed as a legitimate penetration testing tool, is widely misused by APT actors. These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity.When APT actors use system tools and common cloud services, it can also be difficult
Source: US-CERT AlertsPublished on 2018-10-03
Blog Details
  • 03 Oct 2018

Newest Articles.

View all
  • 04 Mar 16

    Top 5 Recent Cyber-attacks/hacks and How They Could Relate to your Business.

    Read Article logo
  • 13 Mar 16

    Data leaks, how can they affect Sales and Business Integrity?

    Read Article logo
  • 20 Apr 16

    Common Cyber Security Threats Faced by Businesses and The Impacts

    Read Article logo
  • 11 May 16

    Regular Vulnerability Scans Assessments: Keeping You Safe

    Read Article logo

Get a Quote

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Contact Us

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Step 1 of 4 - Let’s get started

25%
  • Thanks for your interest in working with us. Please complete the details below and we’ll get back to you within one business day.

Buy Cyber Essentials

price-popup-pattern