How APT groups evolved in 2023
Recent years have seen a trend towards the cyber threat landscape becoming increasingly hostile, with 2023 seeing significant levels of activity from Advanced Persistent Threat (APT) groups.
From the most highly organized criminal gangs to state-sponsored actors, APTs represent one of the most challenging and dangerous cyber threats facing organizations today. They have access to the most advanced offensive knowledge and tools, and the means to doggedly pursue their goals until they succeed.
These groups will be just as productive in 2024 and beyond. Thus, organizations must familiarize themselves with the most prominent attack trends and strengthen their security posture against these advanced and evolving threats.
How do APTs achieve their goals?
In the first half of 2023 alone, Rapid7 tracked 79 different attacks orchestrated by state-backed actors. Nearly a quarter (24%) of the attacks we analyzed used exploits against public applications. The attacks spread across infiltrating governments, critical infrastructure and corporate networks, often serving as a gateway to broader, more damaging attacks.
Attachment spear phishing is also a prime attack vector for APT groups. The deceptively simple but effective technique was used in 23% of these attacks, while 22% involved misuse of valid accounts.
There are also numerous motives driving these state-sponsored groups. Cyber warfare has become increasingly common recently, especially in relation to the ongoing conflict in Ukraine, with cyber attacks on critical infrastructure mirroring physical military attacks.
Cyber espionage activities have also increased, with agents seeking to extract valuable intelligence or intellectual property for political or economic power. Linked to this, many attacks have financial objectives, targeting the private sector to circumvent economic sanctions or finance state regimes.
Senior Director of Threat Analytics at Rapid7.
Exploiting old and new vulnerabilities
APT groups are often synonymous with zero-day attacks. Zero-day vulnerabilities are extremely valuable assets within the cybercriminal economy, and we found remote code executions (RCEs) for networking devices like Juniper and Cisco selling for more than $75,000 on the dark web.
The often superior resources and expertise of APT groups make them more likely to discover or acquire new vulnerabilities and integrate them into their attacks first. By mid-2023, roughly a third of all widespread vulnerabilities were used in zero-days.
That said, it is a mistake to think that these elite groups are limited to using elite tools. APTs are as opportunistic as any other criminal gang and will readily exploit old and known vulnerabilities if their target has not closed them.
Among the older vulnerabilities that were widely exploited in 2023 are CVE-2021-20038, a vulnerability discovered by Rapid7 in the SonicWall SMA 100 series devices, and CVE-2017-1000367, a vulnerability in the sudo command that exposes of information and the execution of assignments. . An APT even exploited a vulnerability from 2013 (CVE-2013-3900) – ten years old and successful.
The popularity of these older vulnerabilities underscores critical scrutiny in many cybersecurity strategies. There is a tendency to focus on emerging threats, which often leads to neglecting existing, but still exploitable, weaknesses.
Overall, Rapid7 saw a wide range of tactics from APT groups across common enterprise technologies, with a notable emphasis on network peripherals. Routers, security equipment, print management software and Voice Over IP (VOIP) solutions have emerged as prime targets, highlighting a strategic shift towards exploiting the often overlooked vulnerabilities at the network edge.
Protecting yourself against advanced threats starts with the basics
Defending against a determined APT opponent, armed with a previously invisible zero-day, is a challenging proposition. That said, organizations that have taken steps to harden their perimeters present a difficult target that can often send these groups scrambling in search of easier prey.
As mentioned, there is a tendency to focus too much on advanced security measures, which can inadvertently leave more obvious attack paths open. A continued focus on the fundamental aspects of vulnerability management is particularly important here. Establishing clear, measurable patch cycles and prioritizing actively exploited vulnerabilities will reduce the risk of APTs gaining easy access through old vulnerabilities and narrow the threat window of newly discovered exploits.
Likewise, identity-based security is very important here, especially multi-factor authentication (MFA). Nearly 40% of all security incidents Rapid7 analyzed in the first half of 2023 were related to inadequate MFA implementation, particularly in VPNs, virtual desktop infrastructures and SaaS products. MFA is a crucial line of defense, especially against APTs that exploit public applications. While it can be undermined by sufficiently determined enemies, a solid MFA process will make life much more difficult for attackers.
Evasion was APT’s favorite tactic
Looking at more advanced security measures, anti-data exfiltration should be a priority. This is especially important as espionage is an increasingly common motivation among state-backed APTs.
Key measures here include alerting or limiting unusually large file uploads and monitoring large amounts of traffic to a single IP address or domain. Vigilance in monitoring unusual access to cloud storage platforms such as Google Drive, SharePoint and ShareFile is also essential. Additionally, implementing outbound filtering, limiting local administrator rights on hosts, and monitoring the presence or use of data transfer and archiving tools are critical steps in strengthening an organization’s cybersecurity.
Rapid7 also found widespread misuse of Microsoft OneNote to spread malware, mainly through phishing emails. Blocking .one files at the perimeter or email gateway will help curb this threat.
Prioritizing the security of network peripherals is another important strategy. Devices such as VPNs, routers, and file transfer devices need to undergo a high urgency patch cycle. Often the first line of defense, these technologies are the primary target of attackers and require immediate attention in the event of identified vulnerabilities.
Preparing for what is to come
As APTs and ransomware become increasingly sophisticated, there is an urgent need for organizations to strengthen their security posture, prioritizing foundational practices such as MFA, vigilant patch management, and proactive vulnerability assessments. Companies that strengthen their defenses and follow the latest trends will have the best chance of fending off these threat groups or reducing their impact.
We have recommended the best malware removal.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro