We all know that cybercriminals are looking for our weak spots. And what better target than the platforms we know and love the most? Countless businesses rely on systems supporting Microsoft Exchange and OWA, such as Client Access Servers (CAS). And it is these same platforms that have been aggressively targeted by sophisticated cyberthreat actors in recent times. If they’re successful in compromising the Exchange ecosystem, threat actors can use it as a beachhead within a victim environment. And they can take advantage of a number of integrated applications and interfaces for malicious means. Talk about hitting us all where it hurts.
The COVID-19 pandemic has disrupted us in so many ways, not least in our working lives, as the risks to business continuity become even more pronounced. As I mentioned in my earlier blog, the latest 2020 Cyber Threatscape report reveals five frontline trends that are influencing the cyberthreat landscape and suggests ways to tackle them. Last time we looked at COVID and the opportunistic threats that stemmed from it. Here, I’d like to take a closer look at the second of our observations: how new, sophisticated tactics, techniques and procedures (TTPs) are targeting business continuity.
Established platforms are under siege
Compromises in our core platforms are a breeding ground for malicious activities. Hosts supporting Exchange and associated services often relay large volumes of data to external locations—it’s a prime opportunity for malicious actors to hide their traffic within this background noise. Alongside this Command and Control conduit, there’s the problem of credential theft. As hosts such as CAS servers typically operate Web login portals for services including OWA, adversaries with access to these devices may be able to steal user login credentials.
One of the most sophisticated adversaries I follow, along with my colleagues in the Accenture cyber threat intelligence (CTI) team, is BELUGASTURGEON. This threat actor, active since at least 2008, has made use of a sophisticated Exchange backdoor known as LightNeuron, which effectively grants access to messages passing through the Exchange server. We have also observed threat groups deploying backdoors as Internet Server Application Programming Interface (ISAPI) filters for use against OWA, including in combination with malware. You can take a look at the full report if you’d like some interesting detail behind those two activities.
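A defender's baseline check for the OWA-facing registration point mentioned above, added here as an example and not code from the original post or the Accenture report: it parses a constructed IIS applicationHost.config fragment (the "HttpHelper" entry is a made-up filter used only to show a flagged result) and reports any enabled ISAPI filter whose DLL is loaded from outside the directories the operator trusts. The trusted-directory list is an assumption to adjust per environment.

```python
"""Flag IIS ISAPI filters whose DLL is registered outside trusted directories.

Added example, not from the original post. Input is the XML text of the IIS
applicationHost.config; here a constructed fragment stands in for it, and the
"HttpHelper" entry is a made-up filter used only to show a flagged result.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample; the first two entries mimic the usual ASP.NET / OWA filters.
SAMPLE_APPHOST = r"""<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="ASP.Net_4.0_64bit"
              path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll" enabled="true" />
      <filter name="Exchange OWA Cookie Authentication ISAPI Filter"
              path="C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\auth\owaauth.dll" enabled="true" />
      <filter name="HttpHelper" path="C:\Windows\Temp\httphelper.dll" enabled="true" />
      <filter name="OldFilter" path="C:\inetpub\old\oldfilter.dll" enabled="false" />
    </isapiFilters>
  </system.webServer>
</configuration>"""

# Assumption: directories from which legitimate filters are expected to load.
TRUSTED_DIRS = (
    r"C:\Windows\Microsoft.NET",
    r"C:\Program Files\Microsoft\Exchange Server",
)


def _is_under(path, root):
    """Case-insensitive check that `path` sits below directory `root`."""
    p = [x.lower() for x in PureWindowsPath(path).parts]
    r = [x.lower() for x in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def list_isapi_filters(xml_text):
    """Return every <filter> under any <isapiFilters> element (server or site level)."""
    root = ET.fromstring(xml_text)
    found = []
    for block in root.iter("isapiFilters"):
        for f in block.findall("filter"):
            found.append({"name": f.get("name"), "path": f.get("path"),
                          "enabled": f.get("enabled", "true").lower() == "true"})
    return found


def flag_untrusted_filters(xml_text, trusted=TRUSTED_DIRS):
    """Enabled filters whose DLL path is outside every trusted directory."""
    return [f for f in list_isapi_filters(xml_text)
            if f["enabled"] and not any(_is_under(f["path"], d) for d in trusted)]


if __name__ == "__main__":
    for f in flag_untrusted_filters(SAMPLE_APPHOST):
        print(f"REVIEW: {f['name']} -> {f['path']}")
```

Run it against a known-good copy of the file first and diff the output over time; a filter that appears between runs is worth a look regardless of where its DLL lives.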
Techniques are exploiting vulnerabilities
Adversaries are great chameleons, always finding ways to adapt to improved defenses, such as the increasing use of network segregation and separation and better perimeter visibility. Threat groups that rely on lateral movement within organizations, and on “island hopping” from one party into another through legitimate interconnectivity, are increasingly using living-off-the-land techniques to evade detection.
Recent campaigns against government entities have involved newly designed malware families configured with internally routable command and control infrastructure, perhaps also designed for evasion. Since December 2019, we’ve been tracking campaign activity, mainly against South Asian government entities, employing a new family of malware we call BlueBird. It’s a spin-off from the Quarian malware family, which East Asian cyberthreat actors have used for nearly a decade. We’ve seen BlueBird evolve, and one of its newer aspects is that its command and control is configured as an internally routable IP address rather than an externally routable IP address or domain, which can frustrate network defenders. Take a look at the full report for more on this threat.
New techniques will naturally challenge network defenders. State-aligned operators can be expected to emphasize stealth and persistence to meet their intelligence-gathering goals. It reminds us once again of the importance of identifying and monitoring priority adversaries and then threat hunting against their specific behaviors. Let’s stop them in their tracks by continuing to exploit the weaknesses of these cybercriminals long before they get a chance to attack our favorite places.
A special thanks to the following individuals who also contributed to the 2020 Cyber Threatscape Report: Patton Adams, Omar Al-Shahery, Joseph Chmiel, Amy Cunliffe, Molly Day, Oliver Fay, Charlie Gardner, Gian Luca Giuliani, Samuel Goddard, Larry Karl, Paul Mansfield, Hannaire Mekaouar, Mei Nelson, Nellie Ohr and Kathryn Orme.
Read the previous blog post in this series.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved.