ForeNova represents a new way for companies to put an end to relentless, and often undetected, cyber threats coming from every direction. With ForeNova’s unified command center, businesses can detect threats that are already inside their network, and previously unknown.
Data exfiltration is a costly security breach affecting virtually every organization. Hackers use various techniques, including email phishing attacks, to stage adversary tools for their data theft. One of these techniques, lateral tool transfer, moves tooling east-west within the victim's network by abusing known vulnerabilities and protocols such as Server Message Block (SMB). This allows the attacker to move from one host to another and execute rogue file transfers.
The method of attack is well documented as MITRE ATT&CK T1570. Preventing this attack starts with the organization deploying extended detection and response (XDR) and managed detection and response (MDR) services. XDR, embedded with artificial intelligence, collects security telemetry from all devices and hosts.
Organizations unfamiliar with XDR or MDR are strongly advised to partner with a managed security service provider (MSSP) like Forenova.
Lateral movement attacks are difficult to detect because hackers often use standard protocols like SMB and FTP. Software engineers, application developers, and customer support teams use FTP to move files from internal systems to cloud repositories.
Lateral movement attacks often include various forms of malware. Ransomware attacks, for instance, start with an email phishing campaign. Embedded within these emails are malicious links and rogue attachments that deliver malware, lateral movement tools, and keyloggers.
A computer worm is malware that spreads from one computer to another without human activation, usually through a network connection. Worms spread through email phishing attacks, network propagation, security vulnerabilities, and file sharing.
Ransomware malware locks up your data or device until you pay the attacker. Ransomware attacks have developed to include double-extortion and triple-extortion attacks, which raise the stakes by threatening to steal and leak the victim's data online.
Even victims who pay the initial ransom demand or have data backups are still vulnerable. Triple-extortion attacks go a step further by using the stolen data to target the victim's customers or business partners.
Embedded within the malware files are reconnaissance, credential-stealing, and protocol exploit functions. As one host is encrypted, several others become victims.
“Sandworm Team is a cyber threat group linked to Russia's GRU military unit 74455. In October 2020, the US indicted six GRU Unit 74455 officers for cyber attacks, including the 2017 NotPetya attack, the 2018 Winter Olympics, and Ukraine.”
Sandworm (APT44) uses malicious software and technical tools for espionage and information theft distributed through emails. By infiltrating systems and installing backdoors, they gain access to control the system and steal information using malware such as RATs.
“The threat actor Aoqin Dragon has been targeting government, education, and telecommunication organizations in Southeast Asia and Australia since 2013. They use document lures, well-crafted AI email content with pornographic themes, and USB shortcut techniques to spread malware like the Mongall and Heyoka backdoors.”
By disguising executable files as harmless documents, they trick users into clicking and executing a backdoor that connects to a C2 server. This tactic, combined with persuasive email content and catchy file names, is an effective one for APTs.
APT32, a threat group from Vietnam, has been targeting various sectors and countries in Southeast Asia since 2014.
APT32 uses custom malware tools and targets foreign corporations in industries like manufacturing, hotels, and consumer products, as well as network security and technology companies.
APT41 uses over 46 malware families and tools to accomplish their missions. They use a variety of publicly available utilities, malware shared with other Chinese espionage operations, and email phishing. A common tactic is sending spear-phishing emails with attachments to specific individuals within their target organization.
Cl0p ransomware has some unique features that make it dangerous. The ransomware malware can spread through a network and infect multiple computers simultaneously. It uses digital signatures to bypass some security controls. It can also delete Windows System Restore points, making recovery more complex.
“The CL0p ransomware group used a zero-day vulnerability to attack MOVEit Transfer software, starting with an SQL injection through the web application.” They also sent phishing emails to employees for initial access. Cl0p ransomware encrypts files using the AES-256 algorithm and demands a ransom for decryption.
The attack targeted Colonial Pipeline's IT systems but didn't affect the systems that move oil. DarkSide hackers breached Colonial Pipeline, stealing 100GB of data in two hours. Later, they spread ransomware, affecting various systems, including billing and accounting.
In 2017, the WannaCry ransomware infected many computers worldwide by exploiting a Windows vulnerability. A patch had been available before the attack, yet many organizations delayed deploying the update.
“Chimera, a Chinese hacking group, uses lateral tool transfer to move remote access tools like Cobalt Strike between compromised systems.” These tools evade security controls and stay hidden in corporate systems for years.
“In December 2015, hackers using BlackEnergy 3 malware disrupted the electricity supply in Ukraine by remotely compromising the information systems of three energy distribution companies.”
The lateral tool attack followed this kill chain:
Unusual network activity could mean an endpoint has spyware or malware. These malicious executables might connect to a control server, letting attackers steal data and move through the network.
Monitor for unauthorized access attempts and privilege escalation with a robust Privileged Access Management solution. Stick to the Principle of Least Privilege to minimize the risk of credential abuse.
Unexpected traffic from unfamiliar locations could signal unauthorized or malicious activity on your network. Investigate login attempts from regions like Russia or China if your traffic usually comes from the United States or India to prevent potential issues.
An increase in database reads may indicate a security breach. Attackers accessing customer records cause unusually high read levels, and this attack vector leads to data exfiltration or unauthorized changes. Regular monitoring of database activity is crucial to detect unusual read requests.
If there are many requests for a specific file, it should raise suspicion and prompt further investigation.
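The indicators above (east-west SMB file staging, logins from unexpected regions, repeated requests for one file) can be expressed as simple detection rules. The following is an added example, not ForeNova's code or tooling; the event log, VLAN prefix and expected-country set are all constructed assumptions.

```python
"""Flag lateral-movement indicators in a constructed event log."""
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry): one host writes the same
# binary to several peer workstations over SMB, plus logins from expected
# and unexpected regions.
EVENTS = [
    {"src": "10.1.1.20", "dst": "10.1.1.31", "port": 445, "action": "write", "path": "ADMIN$\\svc.exe", "country": "US"},
    {"src": "10.1.1.20", "dst": "10.1.1.32", "port": 445, "action": "write", "path": "ADMIN$\\svc.exe", "country": "US"},
    {"src": "10.1.1.20", "dst": "10.1.1.33", "port": 445, "action": "write", "path": "ADMIN$\\svc.exe", "country": "US"},
    {"src": "10.1.1.50", "dst": "10.1.2.10", "port": 445, "action": "read", "path": "share\\report.xlsx", "country": "US"},
    {"src": "203.0.113.7", "dst": "10.1.2.10", "port": 443, "action": "login", "path": "", "country": "RU"},
    {"src": "10.1.1.51", "dst": "10.1.2.10", "port": 443, "action": "login", "path": "", "country": "IN"},
]

EXPECTED_COUNTRIES = {"US", "IN"}   # assumed: where this organization's traffic normally originates
WORKSTATION_NET = "10.1.1."         # assumed workstation VLAN prefix
SMB_PORT = 445


def is_workstation(host):
    return host.startswith(WORKSTATION_NET)


def flag_east_west_writes(events, min_targets=2):
    """One source pushing the same file to several peer workstations over SMB:
    the staging pattern behind lateral tool transfer (T1570)."""
    targets = defaultdict(set)
    for e in events:
        if (e["port"] == SMB_PORT and e["action"] == "write"
                and is_workstation(e["src"]) and is_workstation(e["dst"])):
            targets[(e["src"], e["path"])].add(e["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def flag_unexpected_geo(events, expected=EXPECTED_COUNTRIES):
    """Logins from regions the organization does not normally see."""
    return [e["src"] for e in events if e["action"] == "login" and e["country"] not in expected]


def flag_hot_files(events, threshold=3):
    """A single file requested many times across the network."""
    counts = Counter(e["path"] for e in events if e["path"])
    return {path: n for path, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("east-west staging:", flag_east_west_writes(EVENTS))
    print("unexpected geo:", flag_unexpected_geo(EVENTS))
    print("hot files:", flag_hot_files(EVENTS))
```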
Security operations teams leveraging network detection and response (NDR) combined with XDR have the means to detect this lateral tool attack. The characteristics of lateral movement defined by MITRE are expected to be encoded in the policy and rules libraries of NDR and XDR tools.
“Network intrusion detection and response systems use network signatures to identify and prevent malicious activity at the network level, such as unusual data transfers or adversary malware.”
Multi-factor authentication (MFA) enhances security by requiring additional verification steps, reducing the risk of unauthorized access even if a password becomes compromised.
Network segmentation blocks traffic from moving laterally. Segmentation policies control North-South and East-West traffic by permitting only specific ports and protocols within a particular segment. If ransomware or lateral tools attempt to propagate over a port that is not standard or approved, the connection request is blocked.
Preventing lateral tool attacks begins with implementing adaptive controls, including NDR, MFA, network segmentation, and patch management, to reduce the vulnerabilities on the various hosts and devices. Reducing vulnerabilities shrinks the attack surface and the risk of a lateral attack.
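The segmentation policy described above can be checked as code before it is pushed to a firewall. This is an added example, not ForeNova's code or any vendor's policy format; the segment ranges and allow-list are constructed assumptions, and anything not explicitly allowed between or within segments is denied.

```python
"""Evaluate an East-West segmentation allow-list against connection attempts."""
from ipaddress import ip_address, ip_network

# Constructed segments (assumed VLAN ranges).
SEGMENTS = {
    "workstations": ip_network("10.1.1.0/24"),
    "file_servers": ip_network("10.1.2.0/24"),
    "databases": ip_network("10.1.3.0/24"),
}

# Allow-list keyed by (source segment, destination segment); the value is the
# set of (protocol, port) pairs permitted. Pairs absent from the map, including
# workstation-to-workstation traffic, are denied by default.
ALLOW = {
    ("workstations", "file_servers"): {("tcp", 445)},   # SMB to the file server only
    ("file_servers", "databases"): {("tcp", 1433)},     # SQL from the app tier only
}


def segment_of(ip):
    """Return the segment name an address belongs to, or None if unassigned."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src, dst, proto, port):
    """Default-deny: a flow passes only if its segment pair lists proto/port."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False
    return (proto, port) in ALLOW.get((s, d), set())


def blocked_attempts(attempts):
    """Return the subset of (src, dst, proto, port) tuples the policy rejects."""
    return [a for a in attempts if not is_allowed(*a)]


if __name__ == "__main__":
    sample = [
        ("10.1.1.20", "10.1.1.31", "tcp", 445),   # SMB between two workstations
        ("10.1.1.20", "10.1.2.10", "tcp", 445),   # SMB to the file server
        ("10.1.1.20", "10.1.3.5", "tcp", 1433),   # workstation straight to the database
    ]
    for attempt in sample:
        print(attempt, "ALLOW" if is_allowed(*attempt) else "BLOCK")
```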
MDR plays a critical role in stopping lateral tool attacks by monitoring the various adaptive controls in an XDR/SIEM solution to help detect and prevent the propagation of East-West lateral movements. Organizations struggling with retaining cybersecurity engineers must investigate MSSPs and their incident response, monitoring, and reporting capabilities.
Forenova Security is a leading provider of cybersecurity services and MDR offerings. For organizations seeking a partner to augment their current security operations (SecOps) team or provide complete 24/7 monitoring and response, threat intelligence, and other cyber defense tools, Forenova Security has access to experienced engineers to meet their business and compliance goals.
Contact us today to discuss your data protection with MDR.