Trusted relationship attacks: trust, but verify

IT outsourcing market continues to demonstrate strong growth globally – such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks – T1199 in the MITRE ATT&CK classification.

In 2023, trusted relationship cyberattacks ranked among the top three most frequently used attack vectors. In such attacks, attackers first gain access to the service provider’s network, and then, if they manage to obtain active credentials for connecting to the target organization’s network, infiltrate the target infrastructure. In most cases, contractors are small- and medium-sized businesses that are less protected than large enterprises. This is also why IT service providers attract the attention of attackers.

Trusted relationship vector is attractive for attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors. Attackers only need to gain access to the service provider’s network to expose all its clients to cyberrisk, regardless of their size or industry. Moreover, attackers using legitimate connections often go unnoticed, as their actions within the affected organization’s infrastructure look like the actions of the service provider’s employees. According to 2023 statistics, only one in four affected organizations identified an incident as a result of detecting suspicious activity (launch of hacker tools, malware, network scanners, etc.) in their infrastructure, while the rest discovered they had been infiltrated via a third party only after data leakage or encryption.

How access is set up between the target organization and the service provider

Any way of connecting a contractor to the systems of a target organization – even the most secure way – is a potential point of entry for intruders. However, the customer company often gives the service provider quite a lot of access to its systems, including:

  • allocating various systems for conducting operations;
  • issuing accesses for connecting to the infrastructure;
  • creating domain accounts.

Most often, communication between the service provider and the client takes place via VPN connections and Remote Desktop Protocol (RDP) services. Access is set up using a certificate or a login/password pair, and in rare cases multi-factor authentication is added. Having compromised the service provider’s infrastructure, intruders can obtain user accounts or certificates issued by the target organization, and thereby connect to their systems.

Many companies resort to using remote management utilities such as AnyDesk or Ammyy Admin. Most of these utilities allow automatic access by login/password, but they are vulnerable to brute-force attacks. In addition, if misconfigured, these utilities allow connections from any IP addresses/systems if you have valid credentials.

Access to the internal infrastructure can also be organized using SSH or RDP protocols and an allowlist of IP addresses. With this method, there’s no need to connect to a VPN, but the security risks grow significantly (for example, the possibility of brute-force attacks).

At the same time, organizations find it difficult to monitor service providers’ compliance with security policies. For example, contractors may store credentials for connecting to the target organization’s network in plain text in public directories or in corporate information systems such as Jira or Confluence, which the client’s security service may not be aware of.

How attackers gain access to a service provider’s network

In our incident investigations, we continuously note the use of various initial attack vectors to gain access to the infrastructures of IT outsourcing companies. Let’s consider the three most popular ones, which make up more than 80% of all initial attack vectors.

The most common method of initial compromise is exploiting vulnerabilities in applications accessible from the internet. Thus, to penetrate the infrastructure, attackers most often used vulnerabilities in Microsoft Exchange, Atlassian Confluence, CMS Bitrix, and Citrix VDI.

The second most popular method is the use of compromised credentials. In every third incident where this vector was used, attackers bruteforced passwords for services accessible from the external network: RDP, SSH, and FTP. In other cases, they used data that was stolen before the incident began.

Rounding out the top three is targeted phishing. Attackers continue to refine their multi-step schemes and social engineering methods, often using attached documents and archives containing malware to penetrate the network.

Attack development

By investigating incidents related to trusted relationship attacks, we have identified the most interesting attacker tactics and techniques. We present them here in the order they appear in the attack process. In the incidents we worked on, attackers can be divided into two groups according to the tactics and techniques used: let’s call them Group A and Group B.

No.
Event
Description

1
Gaining access to service providers
In most cases, the hack started by exploiting vulnerabilities in software accessible from the internet (Initial Access, Exploit Public-Facing Application, T1190).

2
Establishing persistence in the service provider’s infrastructure
Attackers in Group A exclusively used the Ngrok tunneling utility at this stage. They installed it in the service provider’s infrastructure as a service. Only the Windows segment was compromised (Persistence, technique Create or Modify System Process: Windows Service, T1543.003).

Attackers in Group B initially used backdoors for persistence, which were later used to load and launch Ngrok or the remote management utility AnyDesk. As a result, both Windows and Linux segments were compromised. The attackers used the following backdoors:

  • Cobint, installed as a service, for the Windows segment (Persistence, Create or Modify System Process: Windows Service, T1543.003);
  • FaceFish, installed via the LD_PRELOAD environment variable, for the Linux segment (Persistence, Hijack Execution Flow: Dynamic Linker Hijacking, T1574.006).

In some incidents, Ngrok persistence was achieved through the task scheduler.

3
Actions after compromising credentials for connecting to target organizations
Group A, having discovered credentials for connecting to the service provider’s clients’ VPN tunnel, penetrated their infrastructure on the same day: the attackers connected to systems allocated to the contractor via the RDP protocol using accounts allocated for the contractor’s employees (Initial Access, Valid Accounts: Domain Accounts, T1078.002), established persistence using the Ngrok utility (probably in case of losing access to the VPN), and returned to the new victims’ infrastructure after several months. Up to three months could have passed between initial access to the target organization and attack discovery.

Group B established persistence in the service provider’s infrastructure and returned after several months to carry out attacks on their clients. Up to three months could have passed between initial access to the contractor and attack discovery

4
Actions of attackers in the systems allocated to the service provider in the target organization
The systems allocated to the service provider in the target organization became the entry point for the attackers. During incident investigations, traces of launch of numerous utilities were found on these systems:

  • for network exploration: Soft Perfect Network Scanner, Advanced IP Scanner, LAN Search Pro, Fscan (Discovery, Network Service Discovery, T1046);
  • for domain exploration: BloodHound, PowerView, adPEAS, CrackMapExec (Discovery, Account Discovery: Domain Account, T1087.002; Discovery, Remote System Discovery, T1018);
  • for password extraction: Mimikatz, SecretsDump, Lsassy (Credential Access, OS Credential Dumping, T1003);
  • for remote command execution: WMIExec, PsExec (Execution, Windows Management Instrumentation, T1047; Execution, System Services: Service Execution, T1569.002).

5
Lateral movement in the target organization’s network
For lateral movement within the target organization’s network, the attackers used the RDP protocol (Lateral Movement, Remote Services: Remote Desktop Protocol, T1021.001).

6
Data collection from workstations and servers of the target organization
In some incidents, attackers from both groups collected data from workstations and servers (Collection, Data from Local System, T1005), packed them into archives (Collection, Archive Collected Data: Archive via Utility, T1560.001) and uploaded them to external file-sharing resources (Exfiltration, Exfiltration Over Web Service, T1567).

7
Fulfilling attack objectives
In most cases, the attackers launched ransomware in the target organization’s infrastructure (Impact Data, Encrypted for Impact, T1486). It’s worth noting that group policies or remote creation of Windows services were often used to distribute ransomware files in the infrastructure. Less frequently, distribution and execution were carried out manually.

Attackers use tunneling utilities (Command and Control, Protocol Tunneling, T1572) or remote access software (Command and Control, Remote Access Software, T1219) for several reasons:

Firstly, this eliminates the need for a VPN, which is necessary to connect to the system in the target infrastructure via the RDP protocol, as contractor’s employees do. Attackers are often active during non-working hours, and correctly configured monitoring can alarm the security personnel upon detecting VPN connections at odd hours from suspicious IP addresses (for example, those belonging to public anonymization services). If such activity is detected, then the corresponding accounts will most likely be blocked, and, as a result, the attackers will lose access to the infrastructure.

With tunneling and remote access utilities, attackers can gain a secure foothold in the target system. AnyDesk allows you to register this software as a service. We’ve seen several options for establishing persistence through the Ngrok utility:

Launch type
Commands

As a service
ngrok.exe service run –config ngrok.yml

Manually
ngrok.exe config add-authtoken
ngrok.exe tcp 3389

As a task
ngrok.exe tcp 3389 (authentication data was set manually before establishing persistence by executing the following command: ngrok.exe config add-authtoken )

Secondly, the use of such utilities is convenient for attackers. The presence of a backdoor in the network provides them with unhindered access to the internal infrastructure; however, it’s not always comfortable to interact with the compromised system in this way, so attackers turn to utilities. By forwarding the RDP port through Ngrok or connecting via AnyDesk, the attacker is able to interact with the compromised system more easily.

Thirdly, such utilities are quite difficult to track. Ngrok and AnyDesk are legitimate utilities; they are not detected by antivirus tools as malware and are often used for legitimate purposes. In addition, they allow attackers to hide the IP address of the connection source in the compromised system.

For example, with a regular RDP connection, in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx log, we will see connection events (ID 21) or reconnection events (ID 25), where the attacker’s IP address will be indicated in the connection source field (external IP address if the system is accessible from the internet, or internal IP address of another compromised system). In the case of an RDP connection through a tunneling utility, the source connection value in the log will be ::%16777216 – it doesn’t carry any information about the connecting system. In most cases, this artifact will merely indicate a connection through a tunneling utility.

AnyDesk creates its own logs. Among them, the most useful for incident investigation are connection_trace.txt and ad.trace/ad_svc.trace, as they are named in Windows. The connection_trace.txt log allows you to quickly identify connections to the analyzed system and their type (User, Token, Password). If the attackers used AnyDesk and the log indicates a Token and Password connection type, it can be concluded that the attacker set up automatic connection by password and, with AnyDesk running, can reconnect to the system at any time. The ad.trace/ad_svc.trace log contains debugging information, which allows you to determine the IP address from which the connection was made. However, it’s worth noting that attackers often delete AnyDesk logs, making it nearly impossible to detect traces of their connections.

Fulfilling attack objectives

The ultimate goals of attacks on service providers and target organizations can vary. For example:

  • Establish persistence in the contractor’s infrastructure and remain undetected for as long as possible in order to gain access to their clients’ infrastructure.
  • Remain undetected for as long as possible in order to obtain confidential information (industrial espionage).
  • Exfiltrate as much data as possible and deploy ransomware or a wiper in the organization’s infrastructure to paralyze its activities. We observed this scenario in most attacks on target organizations.

Conclusion and advice

Practice shows that attackers, remaining undetected, usually stayed in the target organization’s infrastructure for up to three months and managed to gain control over critical servers and hosts in various network segments. Only after this did they proceed to encrypt the data. This is enough time for the information security department to detect the incident and respond to the attackers’ actions.

The results of our incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not paid due attention. Therefore, if you have an in-house incident response team, keep them alert through training and cyberexercises; if you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via appropriate SLA.

Attacks through trusted relationships are quite difficult to detect because:

  • Connections to the target organization’s VPN from the service provider’s network in the early stages are initiated from legitimate IP addresses.
  • Attackers use legitimate credentials to connect to systems within the target organization’s infrastructure (and otherwise).
  • Attackers increasingly use legitimate tools in their attacks.

Nevertheless, it is possible to detect these attacks by following certain rules. We’ve put together recommendations for service providers and their clients that will help detect trusted relationship attacks early on or avoid them altogether.

If you’re an IT service provider:

  • Ensure proper storage of credentials issued for connecting to your clients’ infrastructure.
  • Set up logging of connections from your infrastructure to the clients’ one.
  • Promptly install software updates or use additional protection measures for services at the network perimeter.
  • Implement a robust password policy and multi-factor authentication.
  • Monitor the use of legitimate tools that could be exploited by attackers.

If your organization uses the services of IT outsourcing companies:

  • When allowing service providers into your infrastructure, give them time-limited access to necessary hosts only.
  • Monitor VPN connections: which account was authorized, at what time, and from which IP address.
  • Implement a robust password policy and multi-factor authentication for VPN connections.
  • Limit the privileges of accounts issued to service providers, applying the principle of least privilege.
  • Apply the same information security requirements to third parties connecting to the internal infrastructure as to hosts in the internal network.
  • Identify situations where chains of different accounts are used to access systems within the infrastructure. For example, if service provider’s employees connect to the VPN using one account and then authenticate via RDP using another account.
  • Monitor the use of remote access and tunneling utilities or other legitimate tools that could be used by attackers.
  • Ensure the detection of the following events within the network perimeter: port scanning, bruteforcing domain account passwords, bruteforcing domain and local account names.
  • Pay special attention to activity within your infrastructure outside of working hours.
  • Back up your data and ensure that your backups are protected as strictly as your primary assets.

Key MITRE ATT&CK tactics and techniques used in trusted relationship attacks

Tactic
Technique
Technique ID

Initial Access
Exploit Public-Facing Application
T1190

Initial Access
Trusted Relationship
T1199

Initial Access
Valid Accounts: Domain Accounts
T1078.002

Persistence
Create or Modify System Process: Windows Service
T1543.003

Persistence
Hijack Execution Flow: Dynamic Linker Hijacking
T1574.006

Persistence
Scheduled Task/Job: Scheduled Task
T1053.005

Credential Access
OS Credential Dumping
T1003

Discovery
Network Service Discovery
T1046

Discovery
Account Discovery: Domain Account
T1087.002

Discovery
Remote System Discovery
T1018

Lateral Movement
Remote Services: Remote Desktop Protocol
T1021.001

Collection
Data from Local System
T1005

Collection
Archive Collected Data: Archive via Utility
T1560.001

Command and Control
Protocol Tunneling
T1572

Command and Control
Remote Access Software
T1219

Exfiltration
Exfiltration Over Web Service
T1567

Impact Data
Encrypted for Impact
T1486

Source:: Securelist