Did you ever play Cops and Robbers as a kid? If you’re reading this blog and answered, “yes”, odds are that you played the role of cop. Only today, you’re not protecting hard cash from a robber but a private network filled with important data from threats and attacks—both internal and external—of which there are many.
There are a variety of ways companies attempt to be proactive in protecting both their own and their customers’ data. Regulatory compliance requirements are one method: they provide a layer of protection for sensitive data and a baseline of minimum accepted standards as defined by law (think PCI and HIPAA), and many companies put safeguards in place beyond those minimum requirements.
Internal policies and procedures are a second measure of protection. They create a framework of rules and standards for things such as employee system access, password requirements, allowable devices, and other controls. Network Administrators evaluate tools and solutions, from firewalls to antivirus software to data centers and beyond, as they determine what best meets the business need (buy or build, cloud-based or on-site IT infrastructure) while protecting their data. Disaster Recovery and Business Continuity Plans are created to address potential threats ranging from natural disasters to ransomware.
Just as robbers will always pursue cold, hard cash and valuables, hackers will always pursue new ways to surreptitiously gain access to systems and steal and exploit data. Even the most seasoned business continuity planners and security experts will tell you that it is impossible to thwart every targeted attack or account for all scenarios.
Recently, Google Drive and SmartFile were both leveraged by a group called OilRig, which is linked to an Iran-backed group that has targeted banks and governments. In recent articles posted by Security Week and Info-Security, security experts noted these APT attacks involved a “significantly more advanced malware toolkit” and were “heavily focused on bypassing network-level security products” to gain access into targeted environments. The evolved tactics, techniques, and procedures include about 20 different new tools.
One tool, a RAT (Remote Access Trojan), used the file-sharing services’ APIs as its Command and Control (C&C) channel to send and receive additional attack tools. Such tools are commonly developed by third parties (often not the attackers themselves) and distributed freely or for a fee; their users plug in their own credentials (a SmartFile API key, for example) and use the tool as-is. The main benefit to the attacker is that the target is reached indirectly, through a legitimate service, which masks the attacker’s identity and infrastructure.
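One defensive check this implies, added here as an example and not code from the post or from SmartFile: a RAT that uses a file-sharing API as its drop box tends to poll on a fixed schedule, which shows up in proxy logs as near-constant request intervals from one internal host to the API endpoint, unlike a person’s irregular use of the same service. The hostnames, log lines and thresholds below are constructed placeholders, not the services’ real endpoints.

```python
"""Beaconing check over proxy logs for C&C hidden in file-sharing API traffic.
Added example; hostnames, log lines and thresholds are constructed placeholders."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical file-sharing API hosts a defender would take from their own
# proxy allow-list; placeholders, not the real SmartFile or Google endpoints.
FILESHARE_API_HOSTS = {"api.fileshare.example", "drive-api.example"}

# Constructed proxy log: "<ISO time> <src_host> <dst_host> <method> <bytes>".
# ws-17 polls every ~5 minutes with a little jitter; ws-03 is a person.
SAMPLE_LOG = """\
2016-05-10T09:00:00 ws-17 api.fileshare.example GET 512
2016-05-10T09:02:10 ws-03 api.fileshare.example GET 8192
2016-05-10T09:05:01 ws-17 api.fileshare.example GET 514
2016-05-10T09:09:59 ws-17 api.fileshare.example GET 512
2016-05-10T09:15:00 ws-17 api.fileshare.example GET 513
2016-05-10T09:20:02 ws-17 api.fileshare.example GET 512
2016-05-10T09:31:45 ws-03 api.fileshare.example PUT 120034
2016-05-10T09:33:02 ws-03 api.fileshare.example GET 4096
2016-05-10T09:40:00 ws-03 intranet.corp.example GET 2048
2016-05-10T10:47:19 ws-03 api.fileshare.example GET 2048
"""

def parse_lines(text):
    """Parse log lines into (timestamp, src, dst, method, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, method, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, method, int(size)))
    return events

def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds) for src->dst pairs to a
    file-share API whose request gaps are nearly constant (low coefficient
    of variation): the shape of a RAT polling its C&C drop box."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in events:
        if dst in FILESHARE_API_HOSTS:
            by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, avg))
    return hits

if __name__ == "__main__":
    for src, dst, avg in find_beacons(parse_lines(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{avg:.0f}s")
```

The flagged pair is only a lead: confirm it against the host’s owner, the account used on the service, and the transferred sizes before treating it as C&C.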
“Our service is easy to integrate (for customers), freely accessible, and provides the feature set necessary,” said Ben Timby, Chief Engineer of SmartFile. He went on to say that the fact that their system was used in this way was unfortunate. In other words, this was not the result of lacking security measures. Rather, it is comparable to Google Drive’s API and AT&T’s network infrastructure being used in the same campaign: both carried C&C traffic during the attack.
This technique and its tooling are, unfortunately, not detected by most antivirus engines and security products. VirusTotal, Google’s multi-engine scanning service, found no issues in any of its scans of the Google Drive sample, and only 1 out of 68 engines flagged the SmartFile one.
Interestingly enough, VirusTotal has been shown to be used by hackers themselves to improve their tactics, techniques, and procedures (TTPs): they adjust their code and make the necessary changes until it passes the scans, at which point they launch their attack against the target. It’s possible the OilRig group did just this, as an Iran-linked group was identified by Brandon Dixon in June 2014 (in an online Wired article) uploading about 1,000 weaponized documents to the site and showing considerable skill in evading detection. OilRig became active a short time later, in 2015.
Tony Spelde, SmartFile CTO, summed up the occurrence: “Security is critical to our business. Defending against usage like OilRig will always require a combination of prevention, detection and response. The day that information on this attack was released, our internal investigation corroborated the findings and the accounts were deactivated.”
In short, advanced persistent threats are just that: persistent. They are neither uncommon nor unavoidable. But while threats persist, so do proactive prevention and detection.