CISA Warns That Think Tanks Are Under Attack by Foreign APTs

The FBI has found that think tanks are under sustained cyberattack, with phishing and VPN vulnerabilities serving as the primary attack vectors (the attacks take the form of espionage, malware distribution and more).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about what they describe as ongoing, persistent cyberattacks by advanced persistent threat (APT) actors against U.S. think tanks.

According to the FBI, the attackers are seeking to steal sensitive information, harvest user credentials and gain persistent access to victim networks.

The cyber-intrusions are especially directed at those that focus on international affairs or national security policy, the alert that went out this week said – perhaps unsurprisingly, given the geopolitical nature of APTs, which tend to be backed by nation-states.

“Given the importance that think-tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness,” according to the alert.

In terms of impact, APTs are first and foremost bent on espionage, and are looking to exfiltrate data. Observed spy activities include credential dumping, keylogging, collecting audio, stealing emails, downloading files and more, CISA and the FBI said.

“Cybercriminals are working to gain access to organizations with the brightest and best people to collect certain information, data about ‘state-of-the-art’ technology or strategic projects to better their own efforts,” said James McQuiggan, security awareness advocate at KnowBe4, via email.

“We continue to see cybercriminals targeting organizations that develop or manage high-value intellectual property, so it makes sense that think-tanks are a prime target,” added Stephen Banda, senior manager of security solutions at Lookout, via email.

However, that access could also be used for more nefarious purposes.

“If an individual were to unknowingly share their user credentials with a cybercriminal, the hacker could not only access the victim’s network but they could also send emails from the person’s account, making it look like the messages they were sending were 100 percent legitimate and, potentially, influencing U.S. policies,” Ed Bishop, CTO and co-founder of Tessian, said via email.

Apart from information theft, the alert warned that some attacks are delivering ransomware, hijacking resources for cryptomining, mounting distributed denial-of-service (DDoS) attacks or even wiping disks in destructive attacks.

Attack Vectors

CISA and the FBI made the assessment that APT actors have thus far relied on multiple avenues for initial access in the attacks, including clever social-engineering techniques and impersonating trusted third parties to trick victims into sharing information or account credentials through spearphishing.

“People are more reliant on email to stay connected with colleagues, customers and suppliers, and our recent survey found that half of employees are less likely to follow safe data practices when working from home,” Bishop said.

However, CISA and the FBI also pointed out that APTs are making more sophisticated attempts to infiltrate networks, such as exploiting vulnerabilities in remote networks and other internet-connected devices.

“Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic,” the feds said.

As a result, some attackers are leveraging bugs in virtual private networks (VPNs) and other remote-work tools to gain initial access to, or persistence on, a victim’s network. Researchers said that the remote-work-driven expansion in the use of personal devices and home networks is making this easier.

“Unfortunately, while remote work can offer some convenience and efficiency, it has greatly expanded the attack surface of every enterprise, including think tanks,” Banda said. “For example, a team of 10 researchers who would normally meet in one central office are now collaborating from 10 separate remote offices. Each ‘personal office’ has its own security requirements, with a variety of connected mobile and fixed endpoints.”

Finally, the alert also said that some attacks begin with supply-chain compromises, password brute-forcing or the use of stolen valid credentials.

Think-Tank Attacks

Known attacks on think tanks have been ongoing for some time. For example, in February 2019 Microsoft warned that the Russian APT Fancy Bear was attacking democratic think tanks in Europe.

More recently, Accenture revealed that Turla, another Russian APT, was attacking think-tanks and others by exploiting enterprise-friendly platforms — most notably Microsoft Exchange, Outlook Web Access (OWA) and Outlook on the Web – in order to steal business credentials and other sensitive data.

And in late October, CISA warned that the North Korean APT group known as Kimsuky is actively attacking think-tanks, commercial-sector businesses and others, often by posing as South Korean reporters. Its mission is global intelligence gathering, CISA noted, which usually starts with spearphishing emails, watering-hole attacks, torrent shares and malicious browser extensions, in order to gain an initial foothold in target networks.

Protection and Mitigation

CISA and the FBI recommended that think-tank organizations apply a range of critical (but basic) best practices to protect themselves, including implementing social-engineering and phishing training.

“All organizations, including think tanks, are targets to nation-states and cybercriminals, and by phishing the human, they view it as the more accessible way into the systems and infrastructure,” said McQuiggan. “Organizations need to maintain a strong security-awareness training program and update it frequently to keep employees updated on the latest attack patterns and phishing emails. Employees can make the proper decisions to identify potential phishing emails and report them. This action makes for a more solid security culture and allows the organization to work towards being a more substantial asset for the security department.”

The alert also advocated network segmentation, good password hygiene and multi-factor authentication, timely patching, the use of antivirus software and strong data encryption.

Banda also stressed that think-tanks should be aware that mobile devices can be a particularly weak link.

“Considering 85 percent of mobile phishing attacks occur outside of email, the days of only paying attention to email-based phishing attacks are well past,” he said. “Phishing attacks are targeting mobile users across text messaging, social messaging platforms and mobile apps.”
