The National Cyber Security Centre (NCSC) has issued an alert on the recent trend of Chinese State-linked hackers targeting SOHO devices or small office and home office computers. These SOHO devices are easier targets for hackers with outdated software and once compromised, can be used to launch further attacks into the network.
But how exactly do these attacks take place and what steps can business owners take to prevent this type of cyber threat from affecting their company?
“China is the Epoch-defining Challenge”
The NSCS is an offshoot of GCHQ—the cybersecurity arm of Mi5. During a speech at a conference in May, the director of the GCHQ said, “Russia and Iran pose immediate threats, but China is the epoch-defining challenge.”
Director of GCHQ Anne Keast-Butler went on to say that, “the next generation of advanced telecoms will make the world a global cloud of interconnectivity.”
However, with increased connectivity comes a greater risk of threat—especially for those businesses connected to networks over multiple environments using a range of home and office-based devices.
These can be easy targets when not running the latest software, with no updates to security systems and infrequent patching and vulnerability scanning.
How did the Authorities Hack the Hackers?
One thing that Chinese state hacking groups are not particularly known for is publicly releasing details of their methods and tactics, so how did the authorities hack the hackers and find out their operational techniques?
The initial report came from the Australian Cyber Security Center, which alerted a company in Australia to a potentially compromised web application.
With the company’s permission, they installed sensors on the business computers and were able to track the activity of the PRC-linked cyber criminals.
When the hacking group came back to hack into the company’s network, the authorities in Australia were able to get quite a detailed account of their activities.
The group of cyber attackers are known as APT40 and are connected to Chinese Security Services.
SoHo Devices have been specifically targeted by malicious groups such as APT40 due to their vulnerability, presenting an easy target for sophisticated state-sponsored actors.
Thanks to the work of the Australian authorities, detailed sensor data was obtained on APT40 activities in the target company's network.
With their activity tracked, it was possible to establish quite a comprehensive timeline of their actions, revealing the hacker group's tactics and techniques.
Timeline of a Data Breach—How State-backed Hacking Groups Such as APT40 Operate
Host Enumeration
The initial entry point for the hackers is usually through a public-facing custom web application developed by the company itself.
Using host enumeration, the malicious actor is then able to gain a detailed map of all the endpoints and hosts on the network.
Through this method, hackers can gather information about the network, including IP addresses, DNS, usernames, and network protocols, enabling them to find vulnerabilities on SOHO devices and breach the network.
Installing Web Shells
Once a vulnerability has been spotted as a key entry point, the hackers will repeatedly attempt to gain access until they breach the endpoint security.
In the case discussed above, APT40 used web shells to gain access, but what exactly is a web shell and how does it work?
A web shell is a malicious script that allows remote access to a web server through a web browser. It works almost like a fake version of the site and allows the hackers to control the server.
Once they have breached the network, the hackers install a web shell that acts like a permanent backdoor into the system, allowing them to come and go as they please, potentially launching additional attacks.
When they have gained access through out-of-date applications, the hacker group can seek to extend its access within the target network.
Escalating Privileges and Achieving Persistence
Once a sustained connection to the company's network has been established, the hackers will seek to elevate their privileges and level of access up to the level of the web server.
In the case discussed, the initial attempts to increase the hackers’ level of access were unsuccessful, so they switched tactics and started looking at a compromised service account they had found the details for. APT40 used an open-source tool called Secure Socket Funnelling (SSF) to tunnel traffic from the hacker’s computers into the internal networks of the company. The sensor data showed multiple IP addresses being used to attempt to access the network, suggesting either a team of hackers working together or a single individual using multiple devices.
Mounting Shares
After further enumeration where the hackers map out all the connections and devices in the network, looking for weaknesses, the hacking group will find another user account that can be compromised.
This account is then used to mount shares on Windows machines, allowing them to successfully extract data from the server.
Mounting an SMB share, or Server Message Block share, allows you to access files on another computer on your network as if they are part of your own directory tree.
Malicious IP Blocked
With the APT40 case, the malicious IP was blocked by the target company, the data breach was seemingly contained, and no further activity from APT40 was recorded, ending the timeline of the data breach.
How To Avoid This Type of Attack—Steps for Mitigation
Firewalls - ensure you have adequate firewall protection in place to avoid lateral movement within your network
Enforce least privilege - limit users to the minimum amount of access they need to carry out their job roles
Use MFA - multi-factor authentication works as an added layer of security and means that the compromised account details or passwords on their own will not be enough to gain access without, for example, the user’s mobile phone or access to their email.
Managed service accounts - having your IT systems and cybersecurity posture under constant supervision from dedicated professionals will help to detect any intruders and strengthen your defences
Replace end-of-life equipment - old hardware such as laptops and desktop PCs that have become out of date can be a prime target for hackers as they work almost like a swinging door that allows them access to the network
Review custom applications - audit all your existing custom web apps in terms of their functionality and remove or disable those that do not meet the requirements
Patch applications (and operating systems) - ensure you have everything patched and up to date, various tools and solutions can be used to do this automatically
Cybersecurity solutions - deploy high-level IT security solutions, including vulnerability scanning, infrastructure monitoring, and penetration testing
What is Vulnerability Management and How Can It Stop Cyber Threats From Actors Such as APT40 and Other State-sponsored Groups?
What do the cyber attacks from the Chinese State-linked APT40 and the recent hacking of Microsoft have in common?
They could all have been avoided with effective vulnerability management.
What exactly is vulnerability management and how can it help to prevent these types of attacks?
Vulnerability scanning is a technological method of searching through all endpoints and components in a network to locate any potential threats that malicious actors could exploit.
Vulnerability management is the effective administration and oversight of all potential threats to the security of your business, aiming to reduce the risk by identifying vulnerabilities such as outdated software, updates needed, and any hardware that may present a risk, then taking steps to resolve these such as deleting legacy applications and downloading patches.
Visibility
One tangential benefit of having an effective vulnerability management solution in place is that the user gains a good overview of every device in their business network.
Your business might not employ the most sophisticated cyber methods but the hackers certainly do, and can quickly locate the main vulnerability in a home office device or custom web application.
In many cases, business owners simply have no knowledge of certain devices and are unaware that they are even connected to the network, especially over complex environments incorporating home, office, and remote working.
With vulnerability management tools, the entire network can be mapped out for the user providing greater visibility and giving the business owner a better understanding of how all the components fit together, whilst helping to identify problem areas or endpoints and take steps to mitigate these issues.
Assigning Risk a Number
Another further advantage of using vulnerability management tools is that they assign a numerical value of risk to all applications and devices in a network. This provides a clear picture of the overall security posture of an organisation whilst also allowing the business owner to hone in on specific issues with particular applications and endpoints.
The vulnerability management software can prioritise threats based on this overall risk score.
Automated Identification and Resolution of Issues
Certain vulnerability management tools will provide the user with automated systems to scan through the network, identify the vulnerabilities and automatically take steps to resolve these such as downloading patches or notifying the user.
With vulnerabilities across the network being automatically detected and fixed by the software, this goes a long way to improving the security posture of the organisation. However, there is another option that provides even more security for businesses from serious hacking groups.
Vulnerability Management and Vulnerability Scanning as a Service
At Lyon Tech we go one step further in providing security for business owners from serious hacking groups.
We provide business owners with fully managed vulnerability management solutions, offering the latest technology in vulnerability detection and resolution, along with a dedicated team of professional security engineers to monitor the data and actively respond to any potential threat.
Vulnerability management software in itself may be ineffective without the trained personnel needed who are specially qualified to operate the technology and quickly respond to any data breach as it happens, where minutes can mean the difference between millions in lost revenue and lasting reputational damage for your company.
With fully managed cybersecurity solutions from Lyon Tech, our clients can rest assured they have the very highest level of security systems, equipped to deal with the most sophisticated malicious actors.
On top of effective vulnerability management, the cybersecurity solutions we provide include
-
Live infrastructure monitoring
-
Security system auditing
-
Vulnerability management/vulnerability scanning
-
Patch management
-
Continual network analysis
-
Intrusion detection and response
-
24/7 IT Help Desk
-
Penetration Testing
-
Staff awareness training on cybersecurity/reacting to data breaches
Contact Lyon Tech
If you are looking to secure your business from the most advanced threats, contact our expert advisors today.
At Lyon Tech we provide a wide range of solutions to provide your business with the best possible defence against data breaches and unauthorised access from malicious actors.
We would be happy to provide more information on vulnerability management, explain how it works in more detail and which systems would be most suitable for your needs.
Contact our friendly team or you can take a look at our free guide on top vulnerability management tools.
If you have any questions relating to vulnerability scanning, vulnerability management, or cybersecurity in general, get in touch today and our expert team will be more than happy to answer any queries you may have.