The neverending story of Advanced Persistent Threats
As the name would suggest, advanced persistent threats are attacks that use a continuous and sophisticated hacking technique to gain access to a system and remain inside for a prolonged period, which may result in potentially destructive consequences.
The Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat activity. And one of the biggest examples of a successful advanced persistent threat attack was the SolarWinds incident. According to its report, the evidence suggested that the threat actor behind the attack, DarkHalo, had spent six months inside OrionIT’s networks to perfect their attack. And the rest of course is history.
Another example of an advanced persistent threat attack is HoneyMyte. HoneyMyte modified a fingerprint scanner software installer package on a distribution server in a country in South Asia. Not only did it modify a configuration file, but the Trojanized installer also worked even when the target machine had no network connectivity. The Trojanized installer appears to have been staged on the distribution server from March to June.
GReAT researchers expect that in 2022 advanced persistent threats will become more advanced and target more areas as well. The biggest changes will come from politicization playing an increasing role in cyberspace, the return of low-level attacks, an inflow of new advanced persistent threat actors, and an explosion of supply chain attacks.
What’s more concerning is how the private sector is seeing an influx of new advanced persistent threat players. This includes the recent Project Pegasus surveillance spyware. The researchers also have seen developers of advanced surveillance tools increasing their detection evasion and anti-analysis capabilities – as in the case of FinSpy – and using them in the wild – as was the case with the Slingshot framework.
Other targeted threat predictions for 2022 include:
- Mobile devices – 2021 saw in-the-wild zero-day attacks on iOS devices, and these are expected to continue in 2022, simply because security products on iOS are either curtailed or non-existent, giving advanced persistent threats the perfect opportunity.
- Supply chain – Weaknesses in the supply chain, especially when it comes to vendor security, can compromise customers. Such attacks are particularly lucrative and valuable to attackers because they give access to a large number of potential targets.
- Work from home – As expected, cybercriminals will continue to use employees’ unprotected or unpatched home computers as a way to penetrate corporate networks. Social engineering to steal credentials and brute-force attacks on corporate services to gain access to weakly protected servers will continue.
- Outsourced services and cloud security – More businesses are incorporating cloud computing and software architectures based on microservices and running on third-party infrastructure, which is more susceptible to hacks.
- States clarify their acceptable cyber offense practices – There is a growing tendency for governments both to denounce cyberattacks against them and at the same time conduct their own. Next year some countries will publish their taxonomy of cyber offenses, distinguishing acceptable types of attack vectors.
- A return of low-level attacks – Owing to the increasing popularity of Secure Boot among desktop users, cybercriminals are forced to look for exploits or new vulnerabilities in this security mechanism in order to bypass it.
- Intrusions in the META region – Geopolitical tensions in the region are increasing, which means cyber espionage is on the rise. Moreover, new defenses in the region are constantly improving and becoming more sophisticated. Taken together, these trends suggest that the main advanced persistent threat attacks in the META region will target Africa.
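The work-from-home item above names brute-force attacks on corporate services as a threat that will continue. The detection side of that prediction, as an added example that is not part of the article or of Kaspersky's report: a small Python script that parses sshd-style authentication log lines, counts failed logins per source address inside a sliding time window, records how many distinct usernames a source tried (a password-spraying indicator), and escalates when a successful login follows the burst. The log lines, the one-minute window and the threshold of five failures are constructed for this example; real deployments tune these against their own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); sshd-style auth events
# using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2022-01-10T08:00:01Z sshd[4012]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2022-01-10T08:00:03Z sshd[4012]: Failed password for root from 203.0.113.5 port 51002 ssh2
2022-01-10T08:00:04Z sshd[4012]: Failed password for oracle from 203.0.113.5 port 51003 ssh2
2022-01-10T08:00:06Z sshd[4012]: Failed password for backup from 203.0.113.5 port 51004 ssh2
2022-01-10T08:00:07Z sshd[4012]: Failed password for admin from 203.0.113.5 port 51005 ssh2
2022-01-10T08:00:09Z sshd[4012]: Failed password for admin from 203.0.113.5 port 51006 ssh2
2022-01-10T08:00:11Z sshd[4012]: Accepted password for admin from 203.0.113.5 port 51007 ssh2
2022-01-10T08:05:00Z sshd[4013]: Failed password for alice from 198.51.100.7 port 40210 ssh2
2022-01-10T08:15:00Z sshd[4013]: Failed password for alice from 198.51.100.7 port 40211 ssh2
2022-01-10T08:15:30Z sshd[4013]: Accepted publickey for alice from 198.51.100.7 port 40212 ssh2
"""

# Matches "Failed password for <user> from <ip> port N" and the "Accepted ..." form;
# "invalid user" is optional because sshd inserts it for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: finding} for sources with >= `threshold` failed logins inside
    a sliding window of length `window` (threshold and window are assumed
    values for this example). A finding records the distinct usernames tried
    so far and whether a success followed the burst, the highest-priority case."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    users = defaultdict(set)      # ip -> usernames attempted
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            # Drop failures that fell out of the window before counting.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {
                    "first_alert": ev["ts"],
                    "failures_in_window": len(q),
                    "users": sorted(users[ip]),
                    "success_after": False,
                }
        elif ip in findings:
            # A success from a source already flagged: likely compromised account.
            findings[ip]["success_after"] = True
            findings[ip]["success_user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The second source (198.51.100.7) produces two failures ten minutes apart and then a key-based login, so it never reaches the threshold; only the first source is reported, with the follow-on success flagged for incident response rather than simple blocking.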
For Ivan Kwiatkowski, a senior security researcher at Kaspersky, there are dozens of events happening every day that are changing the world of cyberspace. He pointed out that these changes are quite difficult to track, and even more difficult to foresee.
“Nevertheless, for several years now, based on the knowledge of our experts, we have been able to predict many future trends in the world of cybersecurity. We believe it is crucial to continue to track advanced persistent threat-related activities, evaluate the impact these targeted campaigns have, and share the insights we learn with the wider community,” said Kwiatkowski.
29 March 2023