
Trusted relationship attacks: trust, but verify

The IT outsourcing market continues to demonstrate strong growth globally, and such services are becoming increasingly popular. But along with the advantages, such as saved time and resources, delegating non-core tasks creates new challenges in terms of information security. By providing third-party companies (service providers or contractors) with access to their infrastructure, businesses increase the risk of trusted relationship attacks (T1199 in the MITRE ATT&CK classification).

In 2023, trusted relationship cyberattacks ranked among the top three most frequently used attack vectors. In such attacks, attackers first gain access to the service provider’s network, and then, if they manage to obtain active credentials for connecting to the target organization’s network, infiltrate the target infrastructure. In most cases, contractors are small- and medium-sized businesses that are less protected than large enterprises. This is also why IT service providers attract the attention of attackers.

The trusted relationship vector is attractive to attackers because it allows them to carry out large-scale attacks with significantly less effort than other vectors. Attackers only need to gain access to the service provider’s network to expose all of its clients to cyber risk, regardless of their size or industry. Moreover, attackers using legitimate connections often go unnoticed, as their actions within the affected organization’s infrastructure look like the actions of the service provider’s employees. According to 2023 statistics, only one in four affected organizations identified an incident as a result of detecting suspicious activity (launch of hacker tools, malware, network scanners, etc.) in their infrastructure, while the rest discovered they had been infiltrated via a third party only after data leakage or encryption.

How access is set up between the target organization and the service provider

Any way of connecting a contractor to the systems of a target organization, even the most secure one, is a potential point of entry for intruders. However, the customer company often gives the service provider quite a lot of access to its systems, including:

Most often, communication between the service provider and the client takes place via VPN connections and Remote Desktop Protocol (RDP) services. Access is set up using a certificate or a login/password pair, and in rare cases multi-factor authentication is added. Having compromised the service provider’s infrastructure, intruders can obtain user accounts or certificates issued by the target organization, and thereby connect to their systems.

Many companies resort to using remote management utilities such as AnyDesk or Ammyy Admin. Most of these utilities allow automatic (unattended) access by login/password, which is vulnerable to brute-force attacks. In addition, if misconfigured, these utilities accept connections from any IP address or system as long as the credentials are valid.

Access to the internal infrastructure can also be organized using SSH or RDP protocols and an allowlist of IP addresses. With this method, there’s no need to connect to a VPN, but the security risks grow significantly (for example, the possibility of brute-force attacks).

At the same time, organizations find it difficult to monitor service providers’ compliance with security policies. For example, contractors may store credentials for connecting to the target organization’s network in plain text in public directories or in corporate information systems such as Jira or Confluence, which the client’s security service may not be aware of.

How attackers gain access to a service provider’s network

In our incident investigations, we continuously note the use of various initial attack vectors to gain access to the infrastructures of IT outsourcing companies. Let’s consider the three most popular ones, which make up more than 80% of all initial attack vectors.

The most common method of initial compromise is exploiting vulnerabilities in applications accessible from the internet. Thus, to penetrate the infrastructure, attackers most often used vulnerabilities in Microsoft Exchange, Atlassian Confluence, CMS Bitrix, and Citrix VDI.

The second most popular method is the use of compromised credentials. In every third incident where this vector was used, attackers brute-forced passwords for services accessible from the external network: RDP, SSH, and FTP. In the other cases, they used data that had been stolen before the incident began.

Rounding out the top three is targeted phishing. Attackers continue to refine their multi-step schemes and social engineering methods, often using attached documents and archives containing malware to penetrate the network.

Attack development

By investigating incidents related to trusted relationship attacks, we have identified the most interesting attacker tactics and techniques. We present them here in the order they appear in the attack process. In the incidents we worked on, attackers can be divided into two groups according to the tactics and techniques used: let’s call them Group A and Group B.

1. Gaining access to service providers

In most cases, the hack started by exploiting vulnerabilities in software accessible from the internet (Initial Access, Exploit Public-Facing Application, T1190).

2. Establishing persistence in the service provider’s infrastructure

Attackers in Group A exclusively used the Ngrok tunneling utility at this stage. They installed it in the service provider’s infrastructure as a service. Only the Windows segment was compromised (Persistence, Create or Modify System Process: Windows Service, T1543.003).

Attackers in Group B initially used backdoors for persistence, which were later used to load and launch Ngrok or the remote management utility AnyDesk. As a result, both Windows and Linux segments were compromised. The attackers used the following backdoors:

In some incidents, Ngrok persistence was achieved through the task scheduler.

3. Actions after compromising credentials for connecting to target organizations

Group A, having discovered credentials for connecting to the service provider’s clients’ VPN tunnel, penetrated their infrastructure on the same day: the attackers connected to systems allocated to the contractor via the RDP protocol using accounts allocated for the contractor’s employees (Initial Access, Valid Accounts: Domain Accounts, T1078.002), established persistence using the Ngrok utility (probably in case of losing access to the VPN), and returned to the new victims’ infrastructure after several months. Up to three months could have passed between initial access to the target organization and attack discovery.

Group B established persistence in the service provider’s infrastructure and returned after several months to carry out attacks on its clients. Up to three months could have passed between initial access to the contractor and attack discovery.

4. Actions of attackers in the systems allocated to the service provider in the target organization

The systems allocated to the service provider in the target organization became the entry point for the attackers. During incident investigations, traces of the launch of numerous utilities were found on these systems:

5. Lateral movement in the target organization’s network

For lateral movement within the target organization’s network, the attackers used the RDP protocol (Lateral Movement, Remote Services: Remote Desktop Protocol, T1021.001).

6. Data collection from workstations and servers of the target organization

In some incidents, attackers from both groups collected data from workstations and servers (Collection, Data from Local System, T1005), packed it into archives (Collection, Archive Collected Data: Archive via Utility, T1560.001) and uploaded it to external file-sharing resources (Exfiltration, Exfiltration Over Web Service, T1567).

7. Fulfilling attack objectives

In most cases, the attackers launched ransomware in the target organization’s infrastructure (Impact, Data Encrypted for Impact, T1486). It’s worth noting that group policies or remote creation of Windows services were often used to distribute ransomware files in the infrastructure. Less frequently, distribution and execution were carried out manually.

Attackers use tunneling utilities (Command and Control, Protocol Tunneling, T1572) or remote access software (Command and Control, Remote Access Software, T1219) for several reasons:

Firstly, this eliminates the need for a VPN, which is otherwise required to connect to a system in the target infrastructure via the RDP protocol, as the contractor’s employees do. Attackers are often active during non-working hours, and correctly configured monitoring can alert security personnel upon detecting VPN connections at odd hours from suspicious IP addresses (for example, those belonging to public anonymization services). If such activity is detected, the corresponding accounts will most likely be blocked, and, as a result, the attackers will lose access to the infrastructure.

With tunneling and remote access utilities, attackers can gain a secure foothold in the target system. AnyDesk allows you to register this software as a service. We’ve seen several options for establishing persistence through the Ngrok utility:

| Launch type | Commands |
|---|---|
| As a service | `ngrok.exe service run --config ngrok.yml` |
| Manually | `ngrok.exe config add-authtoken` then `ngrok.exe tcp 3389` |
| As a task | `ngrok.exe tcp 3389` (authentication data was set manually before establishing persistence by executing the following command: `ngrok.exe config add-authtoken`) |
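A defender-side check for the launch patterns in the table above, as an added example that is not part of the original article: it walks a constructed inventory of service and scheduled-task command lines (in practice taken from service ImagePath values and task actions), recognizes the three Ngrok launch types, and pulls out the forwarded port or config file so the tunnel definition can be followed up. The locations and paths are made up for the example.

```python
import re
import shlex

# Constructed inventory: (where the launch was found, full command line).
SAMPLE_ENTRIES = [
    ("service:NgrokSvc", r"C:\Tools\ngrok.exe service run --config C:\Tools\ngrok.yml"),
    ("task:Updater", r"C:\Users\Public\ngrok.exe tcp 3389"),
    ("task:AuthSetup", r"C:\Users\Public\ngrok.exe config add-authtoken REDACTED"),
    ("service:Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("task:Backup", r'"C:\Program Files\7-Zip\7z.exe" a backup.7z D:\data'),
]

# Matches ngrok / ngrok.exe as the final path component, any directory.
NGROK_BIN = re.compile(r"(^|[\\/])ngrok(\.exe)?$", re.IGNORECASE)

# ATT&CK IDs used on this page for the persistence mechanism involved.
TECHNIQUE = {"service": "T1543.003", "task": "T1053.005"}

def analyze_entry(location, command_line):
    """Return a finding dict if the command line launches ngrok, else None."""
    argv = shlex.split(command_line, posix=False)   # keep Windows backslashes
    if not argv or not NGROK_BIN.search(argv[0].strip('"')):
        return None
    args = argv[1:]
    finding = {"location": location, "mode": "unknown", "port": None,
               "config": None, "technique": None}
    if args[:2] == ["service", "run"]:
        finding["mode"] = "service"            # persists as a Windows service
        if "--config" in args:
            finding["config"] = args[args.index("--config") + 1]
        finding["technique"] = TECHNIQUE["service"]
    elif args[:1] == ["tcp"] and len(args) > 1 and args[1].isdigit():
        # Forwards a local port; 3389 means RDP reachable without the VPN.
        finding["port"] = int(args[1])
        finding["mode"] = "task" if location.startswith("task:") else "manual"
        finding["technique"] = TECHNIQUE.get(finding["mode"])
    elif args[:2] == ["config", "add-authtoken"]:
        finding["mode"] = "authtoken"          # account binding, not a tunnel
    return finding

def hunt(entries):
    """Findings for every ngrok launch in the inventory, in input order."""
    return [f for f in (analyze_entry(loc, cmd) for loc, cmd in entries) if f]
```

A `service` finding with a config file means the tunnel targets live in that file, so it must be collected before the host is rebuilt.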

Secondly, the use of such utilities is convenient for attackers. The presence of a backdoor in the network provides them with unhindered access to the internal infrastructure; however, it’s not always comfortable to interact with the compromised system in this way, so attackers turn to utilities. By forwarding the RDP port through Ngrok or connecting via AnyDesk, the attacker is able to interact with the compromised system more easily.

Thirdly, such utilities are quite difficult to track. Ngrok and AnyDesk are legitimate utilities; they are not detected by antivirus tools as malware and are often used for legitimate purposes. In addition, they allow attackers to hide the IP address of the connection source in the compromised system.

For example, with a regular RDP connection, in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx log, we will see connection events (ID 21) or reconnection events (ID 25), where the attacker’s IP address will be indicated in the connection source field (external IP address if the system is accessible from the internet, or internal IP address of another compromised system). In the case of an RDP connection through a tunneling utility, the source connection value in the log will be ::%16777216 – it doesn’t carry any information about the connecting system. In most cases, this artifact will merely indicate a connection through a tunneling utility.
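The RDP source-address check described above, as an added example that is not part of the original article: it parses constructed records in the exported-XML shape of the LocalSessionManager/Operational log, keeps only logon (21) and reconnect (25) events, and labels each source as internal, external or tunneled by the ::%16777216 marker. The internal ranges, user names and addresses are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

TUNNEL_MARKER = "::%16777216"   # logged instead of a peer IP when RDP came via a tunnel
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
USER_NS = "{Event_NS}"
# Assumed internal address space of the target organization (RFC 1918 here).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _record(event_id, user, session, address):
    """One exported-XML record in the shape of the real log (constructed)."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System><UserData>"
            f'<EventXML xmlns="Event_NS"><User>{user}</User><SessionID>{session}'
            f"</SessionID><Address>{address}</Address></EventXML></UserData></Event>")

SAMPLE_EVENTS = [
    _record(21, "CORP\\svc-contractor", 3, "203.0.113.7"),  # external peer (TEST-NET address)
    _record(25, "CORP\\svc-contractor", 3, "10.20.30.41"),  # reconnect from another internal host
    _record(21, "CORP\\admin-ops", 4, "::%16777216"),       # session arrived through a tunnel
    _record(24, "CORP\\admin-ops", 4, "::%16777216"),       # disconnect event: not triaged
]

def classify_source(address):
    """Label the Address field the way an analyst reads it."""
    if address == TUNNEL_MARKER:
        return "tunnel"   # real origin must come from ngrok/AnyDesk artifacts instead
    try:
        ip = ip_address(address)
    except ValueError:
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"

def triage_rdp_events(xml_records):
    """Return (event_id, user, session, address, label) for logon/reconnect events."""
    rows = []
    for raw in xml_records:
        root = ET.fromstring(raw)
        eid = int(root.find(f"{EVT_NS}System/{EVT_NS}EventID").text)
        if eid not in (21, 25):
            continue
        ud = root.find(f"{EVT_NS}UserData/{USER_NS}EventXML")
        address = ud.find(f"{USER_NS}Address").text
        rows.append((eid, ud.find(f"{USER_NS}User").text,
                     int(ud.find(f"{USER_NS}SessionID").text), address,
                     classify_source(address)))
    return rows
```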

AnyDesk creates its own logs. Among them, the most useful for incident investigation are connection_trace.txt and ad.trace/ad_svc.trace, as they are named in Windows. The connection_trace.txt log allows you to quickly identify connections to the analyzed system and their type (User, Token, Password). If the attackers used AnyDesk and the log indicates a Token and Password connection type, it can be concluded that the attacker set up automatic connection by password and, with AnyDesk running, can reconnect to the system at any time. The ad.trace/ad_svc.trace log contains debugging information, which allows you to determine the IP address from which the connection was made. However, it’s worth noting that attackers often delete AnyDesk logs, making it nearly impossible to detect traces of their connections.
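Triage of the connection_trace.txt artifact described above, as an added example that is not part of the original article. The line layout (direction, timestamp, auth type, remote ID, alias) is assumed from the log's usual shape and the sample lines are constructed; the code separates Token/Password connections, which indicate unattended access was configured, from User connections accepted on the console.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed layout of AnyDesk's connection_trace.txt.
SAMPLE_TRACE = """\
Incoming\t2024-02-11, 09:12\tUser\t123456789\t123456789
Incoming\t2024-02-11, 23:41\tPassword\t987654321\t987654321
Incoming\t2024-02-12, 02:05\tToken\t987654321\t987654321
Incoming\t2024-02-14, 03:17\tToken\t987654321\t987654321
this line is damaged and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2}, \d{2}:\d{2})\s+"
    r"(?P<auth>User|Token|Password)\s+(?P<peer>\S+)\s+(?P<alias>\S+)\s*$"
)
# "User" = someone at the console accepted the request; Token/Password =
# automatic access was set up and the peer can return whenever AnyDesk runs.
UNATTENDED = {"Token", "Password"}

def parse_connection_trace(text):
    """Parse matching lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def unattended_peers(entries):
    """Map remote AnyDesk ID -> sorted timestamps of its unattended inbound connections."""
    peers = defaultdict(list)
    for e in entries:
        if e["direction"] == "Incoming" and e["auth"] in UNATTENDED:
            peers[e["peer"]].append(e["when"])
    return {peer: sorted(times) for peer, times in peers.items()}

def off_hours(entries, start=8, end=19):
    """Connections outside [start, end) local hours, where attacker activity clusters."""
    return [e for e in entries if not start <= int(e["when"][-5:-3]) < end]
```

Peers that appear only with auth type User are the contractor's normal sessions; a peer that appears with Token or Password, especially at night, is the one to resolve to an IP via ad.trace/ad_svc.trace.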

Fulfilling attack objectives

The ultimate goals of attacks on service providers and target organizations can vary. For example:

Conclusion and advice

Practice shows that attackers, remaining undetected, usually stayed in the target organization’s infrastructure for up to three months and managed to gain control over critical servers and hosts in various network segments. Only after this did they proceed to encrypt the data. This is enough time for the information security department to detect the incident and respond to the attackers’ actions.

The results of our incident investigations indicate that in the overwhelming majority of cases, antivirus solutions detected malicious activity, but the antivirus verdicts were not paid due attention. Therefore, if you have an in-house incident response team, keep them alert through training and cyberexercises; if you don’t have one, subscribe to incident response services from a provider who can guarantee the necessary service level via appropriate SLA.

Attacks through trusted relationships are quite difficult to detect because:

Nevertheless, it is possible to detect these attacks by following certain rules. We’ve put together recommendations for service providers and their clients that will help detect trusted relationship attacks early on or avoid them altogether.

If you’re an IT service provider:

If your organization uses the services of IT outsourcing companies:

Key MITRE ATT&CK tactics and techniques used in trusted relationship attacks

| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Trusted Relationship | T1199 |
| Initial Access | Valid Accounts: Domain Accounts | T1078.002 |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 |
| Persistence | Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 |
| Credential Access | OS Credential Dumping | T1003 |
| Discovery | Network Service Discovery | T1046 |
| Discovery | Account Discovery: Domain Account | T1087.002 |
| Discovery | Remote System Discovery | T1018 |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 |
| Collection | Data from Local System | T1005 |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 |
| Command and Control | Protocol Tunneling | T1572 |
| Command and Control | Remote Access Software | T1219 |
| Exfiltration | Exfiltration Over Web Service | T1567 |
| Impact | Data Encrypted for Impact | T1486 |

Source: Securelist
