Attention Network Defenders: These Attackers Read Your Email
What if threat actors targeting your network stay one step ahead of you because they already know your security team’s next move?
This is happening.
And the explanation behind it is part of a recent joint advisory by several U.S. agencies.
“NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected.”
The revelation of this email-spying tactic is part of a broader advisory describing an ongoing, global cyberattack campaign by Chinese nation-state threat actors. Here are the key details and suggested mitigations.
Current Tactics by Chinese Nation-State Threat Actors
Targeting Small Businesses and Work-from-Home Devices
CISA, the FBI, and the NSA say China-backed threat actors are building an attack infrastructure that gives them the capabilities to communicate with compromised networks and steal data. These actors are targeting devices that security teams find difficult to defend or patch, including small office and home office routers, and Network Attached Storage (NAS) devices. Threat actors route command-and-control (C2) traffic through these devices as mid-points in their attacks, according to the reports.
Top Targeted Devices and Vulnerabilities
The U.S. agencies say the threat actors exploit known vulnerabilities that remain unpatched, and are targeting the following network devices the most:
Targeting Telecommunications and Network Service Providers
The ultimate targets for this nation-state backed campaign appear to be telecom and network providers. The threat actors use open-source tools (like RouterSploit and RouterScan) for reconnaissance and vulnerability scanning, to find unpatched routers within these types of organizations.
After discovering where they can gain access, they leverage initial entry to go deeper into a network, according to the advisory:
“Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting.”
They use this access to uncover more credentials, escalate privileges and sometimes automate the exploitation of network traffic within larger organizations. They typically exfiltrate traffic from an organization’s network and then send it to their C2 infrastructure.
Threat Actors Shift Tactics to Avoid Detection
These nation-state actors also stay on top of news cycles and security research. They pivot approaches and tools to make detection and attribution more difficult, by doing the following:
- Modifying infrastructure and toolsets immediately after ongoing campaigns are exposed
- Mixing custom tools with publicly available tools, especially those native to the network environment
- Monitoring network defender emails to stay ahead of detection and response efforts
These techniques are being used against both private and public sector organizations.
Mitigating the Threat of Nosy Nation-State Threat Actors
CISA, the NSA, and the FBI list multiple mitigations that will reduce your risk of being targeted by these nation-state-backed attacks.
Here are three of the techniques:
- Immediately remove or isolate suspected compromised devices from the network
- Segment networks to limit or block lateral movement
- Keep systems and products updated and patched as soon as possible after patches are released. Consider leveraging a centralized patch management system to automate and expedite the process.
Along with these common-sense best practices, be extremely careful about what your team says via email during an active incident response or an investigation into an existing attack, because your attackers might be reading it.
If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.
The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.
We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here.