COLLECTION

WHAT

After achieving a presence within an organization's network, collecting sensitive internal data is often one of the primary goals of an attacker. Attempts to pull this data out of the compromised network over C2 channels are often the next step in the attack plan.

WHY

APT39’s significant targeting of the telecommunications and travel industries reflects efforts to collect personal information on targets of interest and customer data for the purposes of surveillance and to facilitate future operations. Telecommunications firms are attractive targets given that they store large amounts of personnel and customer information, provide access to critical infrastructure used for communications, and enable access to a wide range of potential targets across multiple verticals.

HOW

Undetected adversaries with an internal foothold and elevated privileges may have access to file systems and directories containing sensitive information, as well as network shares whose access is typically limited to specific users (e.g. Admin Shares). APT39 has used the tool CrackMapExec to enumerate network shares in search of stores of sensitive data. Once such data is found, APT39 has used tools such as 7-Zip and WinRAR to create data archives.

RVA Attack Analysis

Data from Local System: Sensitive information identified by the assessment teams was found primarily on local systems. This sensitive information accounted for 32.2 percent of successful attempts at locating sensitive data. Local file systems and databases are typical sources of local data.

Data from Network Share Drive: The RVA reports revealed that data on shared drives constituted 30.5 percent of successful data access attempts. Network shares are often used to segment data for role-based access, such as Admin shares. Remotely accessing a network share is not a finding in itself. The weakness exhibited here exists when users who should not be permitted to view specific data are granted access to shares due to misconfigured permissions.

Impact

Allowing adversaries to locate and collect sensitive data negates the intended function of network security, communication security, operation security, and physical security efforts.

Mitigation/Remediation

  • Unfortunately, data collection cannot be directly remediated. Any activity conducted during collection uses existing system features such as operating system directory structure or database queries. For this reason, it is critical that defenses are implemented to limit the effectiveness of the attack phases leading up to and following data collection.
  • Effective network monitoring will aid in the detection of collection efforts. Use of honey tokens or honey files will alert network defenders to malicious collection attempts.
  • Deploy data loss prevention (DLP) tools to detect and alert on unauthorized data access.
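As an added illustration of the honey-file and monitoring recommendations above (example code written for this page, not a CISA tool), the following script runs two detection rules over constructed file-access audit events: a read of any planted honey file, and a single user reading from an unusually broad set of shares, which is the pattern share enumeration followed by collection produces. The event format, host name, share names and honey-file paths are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, not real logs. Fields loosely mirror a Windows
# Security event 4663 (object access) after a SIEM has flattened it.
SAMPLE_EVENTS = r"""
2024-05-01T09:12:01 id=4663 user=jdoe host=FS01 object=\\FS01\Finance\Q1_report.xlsx access=ReadData
2024-05-01T09:12:04 id=4663 user=jdoe host=FS01 object=\\FS01\Finance\payroll_backup_2023.xlsx access=ReadData
2024-05-01T09:15:30 id=4663 user=asmith host=FS01 object=\\FS01\HR\onboarding.docx access=ReadData
2024-05-01T09:20:11 id=4663 user=jdoe host=FS01 object=\\FS01\HR\employee_ssn_export.csv access=ReadData
2024-05-01T09:20:15 id=4663 user=jdoe host=FS01 object=\\FS01\Legal\contracts.zip access=ReadData
2024-05-01T09:20:19 id=4663 user=jdoe host=FS01 object=\\FS01\IT\admin_passwords.txt access=ReadData
""".strip()

# Honey files planted on the shares (assumed list). No legitimate workflow
# reads them, so any ReadData on one of them is an alert on its own.
HONEY_FILES = {
    r"\\FS01\Finance\payroll_backup_2023.xlsx",
    r"\\FS01\HR\employee_ssn_export.csv",
    r"\\FS01\IT\admin_passwords.txt",
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"object=(?P<object>\S+) access=(?P<access>\S+)$"
)

def parse_events(text):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def share_of(path):
    r"""Return the \\host\share prefix of a UNC path."""
    parts = path.lstrip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2]) if len(parts) >= 2 else path

def detect_collection(text, honey_files=HONEY_FILES, share_threshold=3):
    """Return alerts for honey-file reads and for users reading from many shares."""
    alerts, shares_by_user = [], defaultdict(set)
    honey = {h.lower() for h in honey_files}
    for ev in parse_events(text):
        if ev["access"] != "ReadData":
            continue
        if ev["object"].lower() in honey:
            alerts.append({"rule": "honey_file_read", "user": ev["user"],
                           "object": ev["object"], "ts": ev["ts"]})
        shares_by_user[ev["user"]].add(share_of(ev["object"]).lower())
    for user, shares in shares_by_user.items():
        if len(shares) >= share_threshold:
            alerts.append({"rule": "broad_share_read", "user": user, "shares": sorted(shares)})
    return alerts
```

On the sample, jdoe trips the honey-file rule three times and the broad-share rule once, while asmith, who read a single HR document, produces no alert.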
