The Venafi Threat Intelligence Team found that cyberattacks and APTs that misuse machine identities have increased 1600% over the last five years, according to public data on 110 machine identity threats over a five-year period from 2015 to 2019.
How are machine identities misused by cybercriminals? Bocek, Venafi vice president of security strategies and threat intelligence, explains, “By stealing ‘trusted’ machine identities from global technology companies, perpetrators of APTs can execute effective attacks that don’t raise any alarms until well after the damage is done.” Bocek goes on to warn, “There’s no doubt we’re going to see a lot more of these attacks in the future.”
An advanced persistent threat (APT) is a prolonged and targeted cyberattack during which an intruder gains access to a network and remains undetected for an extended period of time. The intention of an APT attack is usually to monitor network activity and steal sensitive or confidential data rather than to cause damage to the network or organization.
The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. APT attacks typically target organizations in sectors such as national defense, manufacturing and the financial industry, as those companies deal with high-value information, including intellectual property, military plans, and other data from governments and enterprise organizations.
Trusted connections can be used to gain initial access, often through advanced exploits of zero-day vulnerabilities. Attackers may use employees’ or business partners’ credentials as a means of remaining undetected long enough to map the organization’s systems and data and devise a strategic plan of attack to harvest company data.
While TLS server certificates enable confidentiality for legitimate communications, these machine identities can also allow attackers to hide their malicious activities within encrypted TLS connections. When a TLS server certificate is installed and enabled on a server, all users who connect (including attackers) can establish an encrypted connection to the server. An attacker who establishes an encrypted connection can then begin to probe the server for vulnerabilities within that encrypted connection.
This is how an APT attack that leverages encrypted connections works.
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. The bug is in OpenSSL's implementation of the TLS heartbeat extension. When it is exploited, it leaks memory contents from the server to the client and from the client to the server. The Heartbleed vulnerability is registered in the NIST NVD database as CVE-2014-0160.
The heartbeat extension is used to keep a connection alive as long as both parties are still there. Occasionally, one of the computers will send an encrypted piece of data, called a heartbeat request, to the other. The second computer will reply back with the exact same encrypted piece of data, proving that the connection is still in place. The heartbeat request includes information about its own length.
The Heartbleed vulnerability came to the surface because OpenSSL's implementation of the heartbeat functionality was missing a crucial safeguard: the computer that received the heartbeat request never checked that the request was actually as long as it claimed to be. So if a request said it was 40 KB long but was actually only 20 KB, the receiving computer would set aside a 40 KB memory buffer, store the 20 KB it actually received, then send back that 20 KB plus whatever happened to be in the next 20 KB of memory. That extra 20 KB of data is information the attacker has extracted from the web server.
This weakness allows an attacker to steal information that, under normal conditions, is protected by TLS. While a single heartbeat can return up to 64 kilobytes, there is no practical limit to the attack. An attacker can either keep reconnecting or keep requesting, during an active TLS connection, an arbitrary number of 64 kilobyte pieces of memory content until enough secrets are revealed. The researchers who discovered the vulnerability were able to “steal” the secret keys used for their X.509 certificates, usernames and passwords, instant messages, emails, and business-critical documents and communication.
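To make the missing length check concrete, here is an added C simulation (not OpenSSL's code): a simplified RFC 6520 heartbeat handler whose bounds check can be switched off to mirror the pre-patch logic, run over a constructed record that claims a 40-byte payload but carries only 4 bytes. The record sits inside a larger array the program owns, with a constructed "secret" placed after it, so the over-read is simulated safely; the function names and layout are this example's own assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Assumed heartbeat record layout (RFC 6520):
 *   byte 0    : message type (1 = request, 2 = response)
 *   bytes 1-2 : payload_length, big-endian
 *   bytes 3.. : payload, followed by at least 16 bytes of padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response for a record of rec_len bytes at rec.
 * check_bounds == 0 trusts payload_length like pre-patch OpenSSL did;
 * check_bounds == 1 applies the fix. Returns bytes written to out,
 * or -1 if the record is rejected. */
int heartbeat_process(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit inside
     * the record that was actually received. */
    if (check_bounds && 1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    if (3 + payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* over-reads the record when unchecked */
    return (int)(3 + payload_len);
}

/* Constructed scenario: a 4-byte payload "ping" claiming to be 40 bytes,
 * with a fake secret placed in memory right after the 23-byte record.
 * Returns 1 if the secret appears in the response, 0 if it does not,
 * -1 if the request was rejected. */
int heartbleed_demo(int check_bounds)
{
    uint8_t arena[64] = {0};
    const char secret[] = "SECRET-KEY";
    size_t rec_len = 3 + 4 + HB_PADDING;          /* 23 bytes really sent */
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 40; /* claims 40 bytes */
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + rec_len, secret, strlen(secret)); /* "next" memory */
    uint8_t out[64];
    int n = heartbeat_process(arena, rec_len, out, sizeof out, check_bounds);
    if (n < 0) return -1;
    for (int i = 3; i + (int)strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0) return 1;
    return 0;
}
```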
There are many well-known, high-profile APT attacks, with dire effects. The GhostNet cyberespionage operation discovered in 2009 was initiated via spear phishing emails containing malicious attachments. The attacks compromised computers in more than 100 countries. The attackers focused on gaining access to the network devices of government ministries and embassies. These attacks enabled the hackers to control these compromised devices, turning them into listening and recording devices by remotely switching on their cameras and audio recording capabilities.
The aforementioned examples of APT attacks highlight both the motivation and the consequences of such an attack. The worst outcome is the disruption or damage of a nation’s critical infrastructure, such as the electric grid, the water supply or the oil industry. Such was the case with the Triton malware, which affected the industrial control systems of the Saudi Arabia based oil company Saudi Aramco. Needless to say, disruption of such systems can directly or indirectly affect the functioning of vital services or, even worse, the state of national security.
Besides APT attacks on critical infrastructure, other targets include healthcare organizations, financial institutions, the retail and consumer goods industry, telecommunications, etc. The victim organizations of APT attacks can suffer business disruption, intellectual property loss, customer information loss, such as personally identifiable information (PII) or protected health information (PHI), reputation loss, and financial loss due to legal constraints and loss of customers.