WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 25, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
On February 28th, 2017 the US Department of Justice indicted a notorious hacker, Alexsey Belan, and his FSB (Russia’s internal security service) handlers for a massive hacking spree that compromised Yahoo and used that access to attack many additional targets. In response to the indictment, Chris McNab wrote an essential guide to the tactics, techniques and procedures (TTPs) used by Alexsey Belan that he and his colleagues observed in their incident response work.
As with our previous work on the GRU, FIN7, and North Korean indictments, we’ve used the Mitre ATT&CK™ framework to play back the findings from the indictment. In future blogs in this series, we’ll continue to use ATT&CK to map some of the biggest cyber indictments to come out in the last few years. We’ll also end with a review of the most common TTPs used by these attackers and top mitigation tips for defending against them. One key difference is that this blog details more attacker activity in production service environments rather than attacks against user endpoints in corporate environments.
The indictment names Yahoo as the chief target for Alexsey and his FSB handlers (we use “Alexsey” and “attackers” interchangeably throughout this blog post). As one of the world’s most popular email services, Yahoo held the email accounts for several FSB targets, namely, “email accounts of Russian journalists; Russian and U.S. government officials; employees of a prominent Russian cybersecurity company; and numerous employees of U.S., Russian, and other foreign webmail and internet-related service providers whose networks the conspirators sought to further exploit”. As well as this, “the conspirators sought access to accounts of employees of commercial entities, including executives and other managers of a prominent Russian investment banking firm; a French transportation company; U.S. financial services and private equity firms; a Swiss bitcoin wallet and banking firm; and a U.S. airline”. Yahoo was targeted due to the data that they held, rather than being the end goal for the attackers. Organizations should consider how their data or access could be used by attackers against other targets.
Note: the numbered “Stages” below reflect the ATT&CK framework ordering
Alexsey used Google searches to identify web servers associated with target companies. Once he discovered some web servers, he would profile them to look for weaknesses. Additionally, he used LinkedIn to research employees working for target companies and discovered personal websites run by those employees that he then exploited to gain initial access.
While not directly related to the breach of Yahoo, the attackers used their access to Yahoo to develop their targeting options. The indictment states: “The conspirators frequently sought unauthorized access to the email accounts of close associates of their intended victims, including spouses and children, to gain additional information about and belonging to their intended victims”.
DS Mitigation advice: Awareness of an organization’s security posture at the perimeter and beyond is critical for understanding where attackers might begin targeting an organization. Employees need to be informed that their personal assets such as email accounts or Internet-connected devices may well be targets for attackers looking to then pivot up into corporate or other environments.
Chris McNab observed that Alexsey used a known bug in WordPress, specifically CVE-2011-4106, for which there was a publicly available exploit to gain access to a server in the marketing department of a company he targeted. Most likely this server was not considered to be a high value asset but was a crucial foothold for the attack. In the case of the employee’s personal website, Alexsey exploited a custom file upload flaw (likely Local File Inclusion or Remote File Inclusion) to gain access to the environment.
DS Mitigation advice: Publicly available exploits represent a very high risk to an organization running vulnerable software that is Internet-facing. This is because the capability is now available to any interested attackers. It is recommended that patches for publicly available exploits should be prioritized. In the cases where patching is not feasible, additional compensating controls such as access control lists or firewalling should be applied to mitigate the risk. Employee’s personal systems should not contain any corporate credentials.
The indictment states that: “Spear phishing messages typically were designed to resemble emails from trustworthy senders, and to encourage the recipient to open attached files or click on hyperlinks in the messages”. This is a common technique for attackers. By assuming the identity of a trusted source, they can take advantage of pre-existing trust relationships. This adds legitimacy to their malicious emails and significantly increases their chances of successfully phishing their victim. Alongside spearphishing with attachments, the attackers also sent “Other spear phishing emails[that] lured the recipient into providing valid login credentials to his or her account(s), thereby allowing the defendants to bypass normal authentication procedures”.
DS Mitigation advice: Use of an email filtering system or service can help to identify some spearphishing threats, particularly around malicious attachments. Office365 users should consider Microsoft’s Advanced Threat Protection (ATP), a cloud-based email filtering service. Employees need to be made aware that even emails from trusted sources should be treated as untrusted and caution is needed when opening attachments. Additional controls can be used to transform risky attachments to safer file formats. Black lists for web traffic can be used to detect and block known malicious URLs if they happen to be opened.
An innovative TTP used by the attackers was to compromise Internet-facing source control systems using recovered credentials and to use that access to commit a JSP (Java Server Page) web shell, which gives the attackers control of the web server, to the production code base. Due to how the code deployment process was constructed, the attackers were able to self-approve the code commit and therefore the web shell was deployed into production. Chris McNab details this process in the “Lack of 2FA + The Cloud =” section of the Medium article.
DS mitigation advice: An effective code review process is essential for security as well as general code quality. Requiring a “four-eyes” process where multiple code reviewers are mandated can mitigate the risk associated with developers wittingly or unwittingly self-approving code changes. Code reviewers need to look for security issues as well as concerns relating to performance, stability, correctness, etc.
Once Alexsey gained unprivileged access to a Linux environment, he would use a publicly available exploit (CVE-2010-3856) for the Linux kernel to gain privileged access, that is, root user access. This process is described in the “Use of LinkedIn to Target Peripheral Systems” section of the Medium article.
DS Mitigation Advice: As with gaining initial access, publicly available exploits are one of the highest risks for organizations. With privilege escalation exploits in the kernel (affecting any operating system), the affected machine must be rebooted after patching for the patch to be applied. The use of a patch management solution can help to keep an environment patched to an appropriate level.
The indictment states: “BELAN downloaded to Yahoo’s network from the BELAN Computer a program known as a “log cleaner.” This program sought to remove traces of the intrusion from Yahoo’s records (logs) of network activity, to make the conspirators more difficult to track”.
DS Mitigation advice: Attempts to modify system logs, such as the Event ID 1102 on Windows, should be logged wherever possible. Centralized logging where logs, such as syslog, are automatically forwarded to central location can mitigate an attacker attempting to alter the logs on a local system.
Once Alexsey had elevated his privileges to be root on a Linux system, he would grab the password hashes from the /etc/shadow file, which is where Linux stores the hashes for its user accounts. Alexsey would also backdoor the authentication system, most likely to log cleartext credentials for when users logged into the system.
Alexsey also used non-technical means to uncover credentials for a particular environment. Specifically, he accessed internal resources like wikis, ticketing, bug tracking, and version control systems in order to steal credentials for VPNs and cryptographic material that was used for further exploitation. The Medium article section “Technical Details” describes this attack.
An effective technique used by the attackers to gain access to inboxes of targets was to use cookie “minting”, specifically, “the conspirators engaged in the manual creation of account authentication “cookies” known as “minting,” to gain unauthorized access to victim webmail accounts”. Effectively the attackers were creating fraudulent session cookies and using them to gain access to the target inboxes. As session cookies are typically created after the authentication process had succeeded, this approach had the benefit of bypassing any two factor authentication (2FA) used by the targets. This cookie minting approach was a significant component of the attackers’ post-exploitation activities and one of the main ways that they made use of their access to the Yahoo environment.
The attackers also discovered that the same cookies created in the staging environment were also valid in the production environment. This reflects a standard attacker approach of looking for the less well-protected systems that which are easier to compromise instead of starting with the most hardened and protected systems.
DS Mitigation advice: Storing directly reusable credentials in wikis and other information systems is not advised. Usage of a password manager for secure password storage and sharing is recommended. Logging user logins to accounts on customer-facing services is essential for detecting anomalous behavior. Corporate VPNs should use strong 2FA solutions such as TOTP or U2F for the second factor rather than relying on information which can be stolen from inside of the corporate environment. Cryptographic material needs to be separated between production and staging environments.
Once Alexsey gained access to an environment he used the well-known and powerful nmap tool to enumerate the machines on the internal network. This is standard technique to discover internal resources and this was part of the approach that Alexsey used to find the corporate wiki and other systems. The Medium article describes this process in the “Technical Details” section.
DS Mitigation advice: Network segmentation can be used to limit which systems an attacker can interrogate after a successful compromise. This can be achieved with host and network firewalls and/or VLANs (Virtual Local Area Networks). While internal IDS (Intrusion Detection System) systems can detect nmap and other scans, there are standard evasion techniques used by attackers – for example, slowing the scan down to the extent that it becomes difficult to differentiate from legitimate traffic.
According to the indictment, the attackers stole a copy of the Yahoo User Database (UDB): “The UDB was, and contained, proprietary and confidential Yahoo technology and information, including, among other data, subscriber information, such as: account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account”. This UDB was then used to:
DS mitigation advice: Monitoring account activity, including admin accounts, is important for uncovering anomalous and/or malicious behavior.
Alexsey and his FSB handlers represent a class of motivated and capable attackers. They were comfortable using existing attack tools but were also capable of discovering their own flaws where required. They were also skilled enough to identify that cookies minted in the staging environment worked in production and how this could be taken advantage of. The attackers showed tactical flexibility and intent, which was a dangerous combination.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.