APT Security: Attack Stages, Recent Attacks, and 6 Ways to Secure Your Network

How Advanced Persistent Threats Work

The stages of an APT attack can be broadly categorized into ןnfiltration, escalation and lateral movement, and extraction.

Stage 1: Infiltration

The first stage of an APT attack is infiltration. This stage involves gaining unauthorized access to the target network. The infiltration method can vary depending on the target, the available vulnerabilities, and the sophistication of the attackers. Common infiltration techniques include: 

• Spear-phishing: This is a targeted form of phishing where the attacker sends a personalized email to a privileged role in the organization, based on meticulous research. The email typically contains a malicious attachment or a link leading to a compromised website. Upon clicking on the link or opening the attachment, the victim’s system becomes compromised, giving the attacker an entry point into the network.
• Exploiting software vulnerabilities: The attacker identifies software applications with known or zero-day vulnerabilities and exploits them to gain access. Once inside, the attacker installs a backdoor, which allows them to maintain access even if the original vulnerability is patched.
• Malware: The attacker can use various types of malware, such as trojans, ransomware, or bots, to compromise the system and gain access to the network. The malware might delivered via email, compromised websites, an infected USB disk, or various other methods.

Stage 2: Escalation and Lateral Movement

Once the attacker has successfully infiltrated the network, the next stage is escalation and lateral movement. Escalation involves gaining higher-level privileges in the network, typically administrative rights. This escalation allows the attacker to have more control over the system, access sensitive data, and make changes to the system configuration.

Escalation is often achieved through the use of exploits that take advantage of system vulnerabilities. It can also be achieved by stealing credentials of higher-privileged users. Once escalated, the attacker can disable security controls, create new accounts, or install additional malware to further their control over the system.

Following escalation, the attacker begins lateral movement across the network. Lateral movement involves moving from one system to another within the network, with the aim of identifying valuable data and additional targets. This movement is typically done stealthily to avoid detection, often using valid accounts and mimicking legitimate network traffic.

Stage 3: Extraction

The final stage of an APT attack is extraction, also known as exfiltration. This stage involves collecting the desired data and transmitting it back to the attacker. The extracted data can include sensitive information such as intellectual property, financial data, customer records, or strategic information.

Extraction is often carried out in a slow and controlled manner to avoid detection. The data is typically encrypted and sent back to the attacker in small chunks. Various methods can be used for extraction, including over standard network protocols, via email, or ‘tunneling’ via unexpected channels such as DNS.

Once the extraction is complete, the attacker will typically clean up their tracks to avoid detection. This can involve deleting logs, removing malware, and closing backdoors. However, in some cases, the attacker may choose to leave the backdoor open for potential future attacks.

Warning Signs of APT

The following are primary warning signs that an APT may be targeting your corporate network:

• Targeted spear-phishing emails—while phishing is a common attack vector used in a large percentage of cyber attacks, APT groups may leverage more sophisticated, highly targeted phishing messages. Spear phishing is targeted at influential roles like executives, finance staff, or network administrators. If these types of employees receive emails from unknown sources, or containing suspicious attachments, this should raise a red flag of APT involvement.
• Unusual logins—APT attackers commonly take over accounts and use them to laterally move through the network and escalate privileges. Watch for logins occurring at unusual hours, or unusual in any other sense, such as a user account that rarely accesses an application or data source, and suddenly starts accessing it frequently. Any of these could be signs of APTs active in the network.
• Backdoor trojans—a trojan discovered on an endpoint in the network should not be treated as a normal malware detection. Even if you clean the trojan, ask yourself who planted it in the first place. Use threat intelligence sources to connect trojans to known APT groups, and check if similar trojans are present elsewhere on the network.
• Unusual data transmissions—many APT attacks are focused on stealing sensitive data. Watch for unusual copying of data—data may be exfiltrated using cloud storage services, emails, or many other channels. Even data transfers inside the network warrant attention if the data volumes, source and destination are unusual.
• Data archived for export—check for large “clumps” of data in unusual locations. ZIP files or encrypted files weighing Gigabytes or more should not be lying around on endpoints in the network. Pay special attention to file types that are not commonly used by your organization. Identify these types of anomalous files and investigate their origin. If users are not aware of these files, this is strong evidence of an APT presence.

Recent APT Security Attacks

Secure USB Drive Compromise

An unknown APT group launched an attack targeting government entities in the Asia-Pacific region in early 2023. The attack involved compromising secure USB drives used for confidential data transfer between government systems. 

The attackers employed advanced techniques like virtualization-based software obfuscation, direct SCSI commands to communicate with USB drives, and code injection into legitimate software. The primary aim was espionage within sensitive government networks.

BlindEagle

The BlindEagle APT group targeted government entities and individuals in South America, primarily for espionage and financial data theft. Throughout 2023, they cycled through various open-source remote access Trojans (RATs) like AsyncRAT, Lime-RAT, BitRAT, and more recently, Agent Tesla and Remcos RAT. Their attacks typically began with phishing emails. 

Despite limited resources, BlindEagle’s ability to adapt and utilize diverse RATs indicates an evolving threat capable of intensifying its surveillance and expanding its target range.

BadRory

Starting in late 2022 and continuing into 2023, a new and unidentified APT group, dubbed BadRory, initiated attacks against Russian entities, including government organizations, military contractors, universities, and hospitals. 

The group mainly employed spear-phishing emails with Microsoft Office documents, leading to the installation of Trojans for controlling systems and exfiltrating files. This campaign, targeting dozens of victims, shows the emergence of new APT actors with sophisticated multi-level infection schemes.

MuddyWater

In 2023, the MuddyWater group utilized customized Ligolo tools to mimic legitimate VPN services for covert operations. Their primary targets and objectives remain undisclosed but are likely related to espionage. 

By emulating VPN solutions and incorporating metadata similar to genuine services, MuddyWater aimed to evade detection and maintain a stealthy presence within targeted systems.

Lazarus

In 2023, the Lazarus group targeted the defense industry and nuclear engineers, employing Trojanized applications, especially backdoored VNC apps. They lured job seekers on social media with fake job interviews to execute these malicious apps. 

This campaign focused on defense manufacturing sectors, including radar systems, UAVs, military vehicles, and maritime companies. The attackers aimed to exfiltrate specific files, employing sophisticated communication methods and discreet operations.

6 Ways to Secure Your Network Against APTs

Here are some measures that organizations can take to minimize the risk of APTs.

1. Restrict System Access

To effectively limit system access, use a combination of the principle of least privilege and defense-in-depth (DiD). DiD helps secure all systems throughout, rather than just the perimeter. Typically, DiD employs internal firewalls as well as internal traffic filtering.

The principle of least privilege can help inform your DiD and restrict users and applications gaining more access than needed. The two strategies can significantly limit the ability of an attacker to traverse the network and slow down unauthorized access.

2. Use Administrator Controls

Here are several administrator controls that can help prevent APTs:

• Vulnerability assessments and patch management—can help block attacks that attempt to exploit buggy code.
• User access management—can help make it difficult for APTs to exploit trusted connections.
• Restrict high level permissions—grant admin access only to administrators and qualified personnel.
• Intrusion detection and prevention solutions—can detect signs of possible attacks, helping security teams to quickly take corrective action.
• Web application firewall (WAF)—helps secure sensitive information stored in web-facing applications.

3. Educate Your Staff

APTs often use compromised credentials of employees in order to gain system access. There are several ways in which attackers may compromise credentials, including false log-in portals, brute force, phishing campaigns, or by exploiting weak password controls.

To mitigate these risks, you can train your employees to recognize and avoid credential theft attempts. For example, you can create simple and clear instructions on how to recognize and report spam emails. Additionally, teach users how to create strong passwords. You should also explain why users should never share or reuse credential information.

4. Conduct Penetration Testing

Penetration testing (pentesting) is a deliberate attempt to breach your existing defenses in order to discover security weaknesses. Pentesting may be conducted internally by a red team of attackers and a blue team of defenders, or by an external penetration testing service provider. The goal is to test the defenses of the organization and help security teams practice their response.

5. Use a VPN

A virtual private network (VPN) offers encrypted remote access to a network. It can help minimize remote access risks, such as unsecured WiFi connections that offer APT hackers easy means to gain initial access to a network.

6. Leverage Sandboxes

A sandbox is an isolated virtual environment typically used to open and run untrusted codes or programs without risking production environments. You can move suspicious and infected files into the sandbox, where they are isolated, and prevent the infection from spreading across your IT assets.

Cynet: Advanced Threat Protection for the Enterprise

Cynet 360 is a holistic security platform that can provide multi-faceted protection against Advanced Persistent Threats. Cynet correlates data from endpoints, network detection rules and user behavioral rules to present findings with near-zero false positives.

Block exploit-like behavior

Cynet monitors endpoints’ memory to identify behavioral patterns that are readily exploited, such as unusual process handle request. These behavioral patterns lead to the vast majority of exploits, whether new or known. Cynet is able to provide effective protection against Advanced Persistent Threats and more by identifying such patterns.

Block exploit-derived malware

Cynet employs multi-layered malware protection, including sandboxing, process behavior monitoring, and ML-based static analysis. Cynet also offers fuzzy hashing and threat intelligence. This makes sure that even if an Advanced Persistent Threat establishes a connection with the attacker, and downloads additional malware, Cynet will stop this malware from running, thus preventing any harm from occurring.

User Behavior Rules

Cynet continuously monitors user behavior, generates a real-time behavioral baseline, and provides alerts when behavior deviation is identified. This deviation in behavior may indicate a compromised user account. Additionally, Cynet provides the ability to define user activity policies, triggering an alert in case of violation.

Deception

Cynet supports the use of decoy tokens – data files, passwords, network shares, RDP and others – planted on assets within the protected environment. APT actors are highly skilled and therefore might evade detection. Cynet’s decoys lure such attackers, prompting them to reach out and reveal their presence.

Uncover hidden threats

Cynet uses an adversary-centric methodology to pinpoint threats throughout the attack chain. Cynet thinks like an adversary, identifying indicators and behaviors across endpoints, users, files, and networks. They supply a holistic account of the attack process, regardless of where the attack may try to penetrate.

Accurate and precise 

Cynet utilizes a powerful correlation engine and provides its attack findings free from excessive noise and with near-zero false positives. This makes the response for security teams easier so they can attend to pressing incidents.

Choose from manual or automatic remediation. This way, your security teams can have a highly effective yet straight-forward way to disrupt, detect, and respond to advanced threats before they have the chance to do damage.

Learn more about the Cynet 360 security platform.