INITIAL ACCESS
WHAT
Initial Access [TA0001] is the step during which cyber threat actors attempt to obtain unauthorized access to a victim organization’s internal network. These attacks depend on remotely positioned adversaries gaining internal access to an organization’s network. Because the techniques involved typically allow some level of anonymity, access attempts are often conducted from a “safe” distance from the target, such as the attacker’s country of origin. However, there are many instances of adversaries gaining network access through an insider threat or from locally planted media (e.g., CD, DVD, USB) containing malware.
WHY
Gaining initial access to an organization’s network is one of the primary goals of a threat actor in determining the success of their campaign. If initial access is established undetected, threat actors may have ample time to steal sensitive information, pacing themselves to avoid triggering network detections and alarms. Preventing initial access should be one of the primary goals organizations establish to protect their network assets and to keep sensitive information intact.
3 Although APT39’s targeting scope is global, its activities are concentrated in the Middle East. Masked behind its front company, Rana Intelligence Computing Company (Rana), the Government of Iran employed a years-long malware campaign that targeted Iranian dissidents, journalists, and international companies in the travel sector.
HOW
APT39 uses a variety of custom and publicly available malware and tools at all stages of the attack lifecycle. APT39 has sent spearphishing emails with malicious attachments (Phishing: Spearphishing Attachment [T1566.001]) or hyperlinks (Phishing: Spearphishing Link [T1566.002]), typically resulting in POWBAT infections. In addition to using a specific variant of the POWBAT backdoor, APT39 has primarily leveraged the SEAWEED and CACHEMONEY backdoors. APT39 has also used attack techniques such as SQL injection (Exploit Public-Facing Application [T1190]) to gain a foothold on public-facing applications. After compromising web servers, APT39 has proceeded to install web shells, such as ANTAK and ASPXSPY (Server Software Component: Web Shell [T1505.003]), and has used stolen, legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.
RVA Attack Analysis
Phishing: While conducting assessments, the RVA team obtained initial access using phishing links [T1566.002] 49 percent of the time and phishing attachments [T1566.001] 9.8 percent of the time. Phishing is the delivery of targeted emails that often include malicious links or attachments designed to provide the adversary an entryway into the recipient’s computer. An adversary’s phishing success rate depends on multiple factors, such as the perceived authenticity of the email’s content and presentation, host protections (e.g., antivirus and malware detection software), and the network’s boundary protection mechanisms.
Exploit Public-Facing Applications: Attacks on public-facing applications made up 11.8 percent of successful attempts at gaining initial entry during RVAs. This type of attack involves exploiting the vulnerabilities associated with applications that are accessible from the internet. The existence of these vulnerabilities is typically public knowledge and, as a result, there may be several active exploits or proofs of concept (POCs) associated with them. Targets for these attacks include websites, databases, and network services (e.g., Secure Shell [SSH], Telnet, File Transfer Protocol [FTP]).
Valid Accounts: The use of legitimate accounts made up 11.8 percent of successful attempts at gaining initial entry during RVAs. In many cases, gaining initial access through valid accounts is made possible via insecure software development practices. Examples include hard-coded passwords in web application code, default credentials for well-known applications, and unintentional information disclosure of account information on public forums or open-source code repositories.
Impact
Successful entry is often the first win achieved by a malicious actor. With internal access, attackers are privy to private systems and information. The next step for the attack—whether it be lateral movement, mission disruption, or gaining increased privileges—may not be possible without this initial access.
Mitigation/Remediation
- Control execution through allowed application lists.
- Disable macros.
- Monitor the execution of Living Off the Land Binaries (LOLBins).
- Identify and remediate public-facing vulnerabilities to help prevent initial access using a proactive patch management program.
- Train users to be aware of suspicious emails as well as the common indicators of social engineering attempts.
- Utilize a cloud service provider for mail exchange (MX) that implements strong email security, including Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and attachment vulnerability scanning. Used together, these technologies form a strong anti-phishing mechanism for an organization’s mail exchange.
- If a cloud provider is not an option, implement an email technology that will:
  - sandbox or review email attachments for any malicious functionality, and
  - review email messages for malicious external links and domains.
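Added example (not part of the report or the RVA team's tooling): a small Python checker that grades the SPF and DMARC TXT record strings a resolver would return for a domain, flagging the permissive settings that undercut the anti-phishing mechanism described above. The records and the `example.invalid` domain are constructed, so it runs offline; `EmailAuthFindings`, `parse_dmarc` and `assess` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class EmailAuthFindings:
    spf_all: Optional[str] = None       # qualifier on SPF "all": "-", "~", "?", "+"
    dmarc_policy: Optional[str] = None  # DMARC p= tag: none / quarantine / reject
    issues: List[str] = field(default_factory=list)

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase tag -> value map."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> EmailAuthFindings:
    """Grade the SPF and DMARC TXT records published for a domain."""
    f = EmailAuthFindings()
    if spf_txt and spf_txt.lower().startswith("v=spf1"):
        m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf_txt.lower())
        # An "all" mechanism with no qualifier means "+all" (accept every sender).
        f.spf_all = (m.group(1) or "+") if m else None
        if f.spf_all in (None, "+", "?"):
            f.issues.append("SPF never fails unauthorized senders (missing or permissive 'all')")
        elif f.spf_all == "~":
            f.issues.append("SPF softfail (~all): spoofed mail may still be delivered")
    else:
        f.issues.append("No SPF record")
    if dmarc_txt and dmarc_txt.lower().startswith("v=dmarc1"):
        tags = parse_dmarc(dmarc_txt)
        f.dmarc_policy = tags.get("p", "").lower() or None
        if f.dmarc_policy != "reject":
            f.issues.append(f"DMARC policy is {f.dmarc_policy!r}, not 'reject'")
        if "rua" not in tags:
            f.issues.append("DMARC has no rua= address, so spoofing attempts go unreported")
    else:
        f.issues.append("No DMARC record")
    return f

# Constructed records for a hypothetical domain: a weak setup beside a hardened one.
WEAK = assess("v=spf1 include:spf.example.invalid ~all", "v=DMARC1; p=none")
STRONG = assess("v=spf1 include:spf.example.invalid -all",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid")
```

A real check would feed `assess` the TXT records for the domain and for `_dmarc.<domain>`; DKIM is not graded here because its selector names are not discoverable from DNS alone.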