May 20, 2024

Preventing MITRE ATT&CK Lateral Tool Transfer Attacks: Comprehensive Strategies and Real-World Examples

Data exfiltration is a costly security breach affecting virtually every organization. Hackers use various techniques, including email phishing attacks, to stage adversary tools that execute their data theft. Lateral tool transfer moves those tools east-west within the victim's network, abusing standard file-sharing protocols such as Server Message Block (SMB) and known vulnerabilities in them. This lets the attacker hop from one host to another and carry out rogue file transfers.

The method of attack is well-documented within the MITRE ATT&CK T1570. Preventing this attack starts with the organization deploying extended detection and response (XDR) and managed detection and response (MDR) services. XDR embedded with artificial intelligence collects the security telemetry of all devices and hosts.

Organizations unfamiliar with XDR or MDR should consider partnering with a managed security service provider (MSSP) like Forenova.


Overview of Lateral Tool Transfer Attacks

Common Characteristics and Behavior of Threat Actors

Lateral movement attacks are hard to detect because hackers use the same standard protocols, like SMB and FTP, that legitimate users rely on. Software engineers, application developers, and customer support teams use FTP to move files from internal systems to cloud repositories.

Stages of a Lateral Tool Transfer Attack:

  1. Reconnaissance

    The first step in a lateral tool transfer attack is to identify which hosts have exposed vulnerabilities. Hackers do this using reconnaissance tools like Nmap and Masscan. Once hosts are identified, hackers exploit them and run built-in utilities like netstat and ipconfig to learn additional network information.
  2. Stealing Credentials

    “Attackers use techniques like credential dumping, social engineering, typo-squatting, and phishing to steal login credentials and gain access to a network.”

    Email phishing attacks provide the means for hackers to load malicious tools on the hosts like Mimikatz. This tool helps hackers steal cached passwords stored in plaintext and any certificates currently stored in memory.

    Loading keylogger programs through an email phishing attack is also very common. Many endpoint security programs have successfully detected keyloggers loaded on vulnerable hosts.
  3. Logging into Vulnerable Hosts

    After the survey and credential theft are complete, hackers exploit a vulnerable host. The hacker executes the data exfiltration while continuing to reconnoitre adjacent networks, stealing credentials from the next vulnerable hosts, and moving laterally through the network undetected.

    When attackers have admin access to a network, they can move around without being caught. They can change their tactics based on what they learn, making it harder to find them. Using system tools makes it even harder to catch them. It's important to find and remove these intruders fast to avoid big losses.

Role of Malware in Lateral Tool Attacks

Lateral movement attacks often include various forms of malware. Ransomware attacks, for instance, start with an email phishing campaign. Embedded within these emails are malicious links containing malware, lateral tools, keyloggers, and rogue attachments.

Common Types of Malware Used

Computer Worms

A computer worm is malware that spreads from one computer to another without human activation, usually through a network connection. Worms spread through email phishing attacks, network propagation, security vulnerabilities, and file sharing.

Ransomware

Ransomware locks up your data or device until you pay the attacker. Ransomware attacks have evolved to include double-extortion and triple-extortion attacks, which raise the stakes by threatening to steal and leak the victim's data online.

Even victims who pay the initial ransom demand or have data backups are still vulnerable. Triple-extortion attacks go a step further by using the stolen data to target the victim's customers or business partners.

Embedded within the malware files are reconnaissance, credential stealing, and protocol exploit functions. As one host becomes encrypted, several others become victims.

Threat Actors Using Internal Spear-Phishing

Sandworm Team

Sandworm Team is a cyber threat group linked to Russia's GRU military unit 74455. In October 2020, the US indicted six GRU Unit 74455 officers for cyber attacks, including the 2017 NotPetya attack and attacks on the 2018 Winter Olympics and Ukraine.

Sandworm (APT44) uses malicious software and technical tools for espionage and information theft distributed through emails. By infiltrating systems and installing backdoors, they gain access to control the system and steal information using malware such as RATs. 

Aoqin Dragon

“The threat actor Aoqin Dragon has been targeting government, education, and telecommunication organizations in Southeast Asia and Australia since 2013. They use document lures well-crafted AI email content with pornographic themes and USB shortcut techniques to spread malware like the Mongall and Heyoka backdoors.”

By disguising executable files as harmless documents, they trick users into clicking and executing a backdoor that connects to a C2 server. This tactic, combined with persuasive email content and catchy file names, is effective for APTs.

APT32

APT32, a threat group from Vietnam, has been targeting various sectors and countries in Southeast Asia since 2014.

APT32 uses custom malware tools and targets foreign corporations in industries like manufacturing, hotels, and consumer products, as well as network security and technology companies.

APT41

APT41 uses over 46 malware families and tools to accomplish their missions. They use a variety of publicly available utilities, malware shared with other Chinese espionage operations, and email phishing. A common tactic is sending spear-phishing emails with attachments to specific individuals within their target organization.

Cl0p Ransomware Gang

Cl0p ransomware has some unique features that make it dangerous. The ransomware malware can spread through a network and infect multiple computers simultaneously. It uses digital signatures to bypass some security controls. It can also delete Windows System Restore points, making recovery more complex.

“The Cl0p ransomware group used a zero-day vulnerability to attack MOVEit Transfer software, starting with an SQL injection through the web application.” They also sent phishing emails to employees for initial access. Cl0p ransomware encrypts files using the AES-256 algorithm and demands a ransom for decryption.

Examples of Lateral Tool Attacks

Colonial Pipeline

The attack targeted Colonial Pipeline's IT systems but didn't affect the systems that move oil. DarkSide hackers breached Colonial Pipeline, stealing 100GB of data in two hours. Later, they spread ransomware, affecting various systems, including billing and accounting.

WannaCry

In 2017, the WannaCry ransomware infected many computers worldwide by exploiting a Windows vulnerability. A patch had been available before the attack, yet many organizations delayed deploying the update.

Cobalt Strike

Chimera, a Chinese hacking group, uses lateral tool transfer to move remote access tools like Cobalt Strike between compromised systems. These tools evade security controls and stay hidden in corporate systems for years.

Ukraine Power Station Breach 2015-2016

“In December 2015, hackers using BlackEnergy 3 malware disrupted the electricity supply in Ukraine by remotely compromising the information systems of three energy distribution companies.”

The lateral tool attack followed this kill chain:

  • Corporate networks were compromised through spear-phishing emails containing BlackEnergy malware.
  • The Russian hackers took control of SCADA systems and turned off substations remotely.
  • “The Russians disabled and destroyed IT infrastructure components like power supplies, modems, RTUs, and switches.”
  • KillDisk malware destroyed files on servers and workstations.

Identifying Indicators of Compromise Related to Lateral Tool Transfer Attacks

Unusual Outbound Network Traffic Volumes

Unusual network activity could mean an endpoint has spyware or malware. These malicious executables might connect to a control server, letting attackers steal data and move through the network.

Questionable Activity Around Privileged Account Access

Watch out for unauthorized access attempts and privilege escalation with a robust Privileged Access Management solution. Stick to the Principle of Least Privilege to minimize the risk of credential abuse.

Increases in Activity From Unusual Geographic Locations

Unexpected traffic from unfamiliar locations could signal unauthorized or malicious activity on your network. Investigate login attempts from regions like Russia or China if your traffic usually comes from the United States or India to prevent potential issues.

Spikes in Database Reads

An increase in database reads may indicate a security breach. Attackers who access customer records cause high read levels, leading to data exfiltration or unauthorized changes. Regular monitoring of database activity is crucial to detect unusual read requests.

Repeated Access to the Same File

If there are many requests for a specific file, it should raise suspicion and prompt further investigation.
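The indicators above can be turned into detection logic. The following Python example, added here and not part of the original article, runs three of them (outbound volume against the per-host median, logins from outside a baseline set of countries, and repeated reads of one file) over constructed telemetry records and correlates hosts that trip more than one indicator; the host names, share paths, baseline countries and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample telemetry for this example (not from the article). Each record is one
# event: "flow" = outbound bytes per host, "login" = user sign-in with source country,
# "file" = a host reading a file on a share.
EVENTS = [
    {"kind": "flow", "host": "ws-01", "out_bytes": 120_000},
    {"kind": "flow", "host": "ws-02", "out_bytes": 95_000},
    {"kind": "flow", "host": "ws-03", "out_bytes": 110_000},
    {"kind": "flow", "host": "ws-04", "out_bytes": 2_400_000_000},  # 2.4 GB leaving one workstation
    {"kind": "login", "user": "alice", "country": "US"},
    {"kind": "login", "user": "bob", "country": "IN"},
    {"kind": "login", "user": "alice", "country": "RU"},  # outside the usual countries
    {"kind": "file", "host": "ws-02", "path": r"\\fs-01\hr\handbook.pdf"},
] + [{"kind": "file", "host": "ws-04", "path": r"\\fs-01\finance\customers.xlsx"}] * 25

# Countries this (assumed) organisation's logins normally originate from.
BASELINE_COUNTRIES = {"US", "IN"}

def outbound_volume_alerts(events, ratio=10.0):
    """Hosts whose outbound bytes exceed `ratio` times the median host's outbound bytes."""
    totals = Counter()
    for e in events:
        if e["kind"] == "flow":
            totals[e["host"]] += e["out_bytes"]
    if not totals:
        return []
    median = sorted(totals.values())[len(totals) // 2]
    return sorted(h for h, b in totals.items() if b > ratio * median)

def geo_alerts(events, baseline=BASELINE_COUNTRIES):
    """(user, country) pairs for logins from outside the baseline countries."""
    return sorted({(e["user"], e["country"]) for e in events
                   if e["kind"] == "login" and e["country"] not in baseline})

def repeated_file_alerts(events, threshold=10):
    """(host, path, count) for files one host read more than `threshold` times."""
    counts = Counter((e["host"], e["path"]) for e in events if e["kind"] == "file")
    return sorted((h, p, n) for (h, p), n in counts.items() if n > threshold)

def correlate(events):
    """Hosts flagged by two or more independent indicators: the ones to triage first."""
    hits = Counter(outbound_volume_alerts(events))
    hits.update(h for h, _, _ in repeated_file_alerts(events))
    return sorted(h for h, n in hits.items() if n >= 2)

if __name__ == "__main__":
    print(outbound_volume_alerts(EVENTS), geo_alerts(EVENTS), correlate(EVENTS))
```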

How to Prevent A Lateral Tool Transfer Attack?

Security operations teams leveraging network detection and response (NDR) combined with XDR have the means to detect lateral tool attacks. The characteristics of lateral attacks defined by MITRE are built into the policy and rules libraries of NDR and XDR tools.

Network Detection and Response (NDR)

Network intrusion detection and response systems use network signatures to identify and prevent malicious activity at the network level, such as unusual data transfers or adversary malware.

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) enhances security by requiring additional verification steps, reducing the risk of unauthorized access even if a password becomes compromised.

Network Segmentation

Network segmentation allows traffic to be blocked from moving laterally. Segmentation policies control north-south and east-west traffic by permitting only specific ports and protocols within a particular segment. If ransomware or lateral tools attempt to propagate using a non-standard or unapproved port, the connection request is blocked.
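To make the segmentation point concrete, here is an added Python example (not Forenova's code) that evaluates a flat allow-anything policy beside a default-deny policy against the connection attempts an east-west tool transfer produces; the segment names, ports and rules are constructed for illustration.

```python
# Constructed segmentation policies for this example (not from the article). A rule is
# (source segment, destination segment, protocol, destination port); "any" is a wildcard.
# Traffic is allowed only when some rule matches, so each policy is default-deny.
WEAK_POLICY = [("any", "any", "any", "any")]  # flat network: all east-west traffic allowed

HARDENED_POLICY = [
    ("workstations", "file-servers", "tcp", 445),  # SMB only towards the file-server segment
    ("workstations", "web-servers", "tcp", 443),   # HTTPS to internal web applications
    ("jump-hosts", "servers", "tcp", 3389),        # RDP only from the admin jump hosts
]

# Connection attempts that staging tools east-west would generate, beside one legitimate
# flow (assumed segment names).
ATTEMPTS = [
    ("workstations", "workstations", "tcp", 445),   # SMB copy to a peer workstation's share
    ("workstations", "workstations", "tcp", 21),    # FTP to a peer workstation
    ("workstations", "servers", "tcp", 4444),       # non-standard port to a server
    ("workstations", "file-servers", "tcp", 445),   # normal SMB access to the file server
]

def matches(rule, src, dst, proto, port):
    """True when every field of the rule is a wildcard or equals the connection's field."""
    return all(r == "any" or r == v for r, v in zip(rule, (src, dst, proto, port)))

def is_allowed(policy, src, dst, proto, port):
    """Default-deny: the connection passes only if at least one rule matches it."""
    return any(matches(rule, src, dst, proto, port) for rule in policy)

def evaluate(policy, attempts=ATTEMPTS):
    """Verdict ("allow"/"block") the segmentation policy gives each attempted connection."""
    return [("allow" if is_allowed(policy, *a) else "block") for a in attempts]

def blocked_count(policy, attempts=ATTEMPTS):
    """Number of attempts the policy stops."""
    return evaluate(policy, attempts).count("block")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, list(zip(ATTEMPTS, evaluate(policy))))
```

The flat policy passes every attempt, while the hardened policy stops the three peer-to-peer and non-standard-port attempts and still allows the legitimate SMB flow to the file server.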


Preventing lateral tool attacks begins with implementing adaptive controls, including NDR, MFA, network segmentation, and patch management, to reduce the vulnerabilities on the various hosts and devices. Reducing the vulnerability reduces the attack surfaces and risk of a lateral attack.

Why Forenova Security for Preventing Lateral Tool Attacks?

MDR plays a critical role in stopping lateral tool attacks by monitoring the various adaptive controls in an XDR/SIEM solution to help detect and prevent the propagation of East-West lateral movements. Organizations struggling with retaining cybersecurity engineers must investigate MSSPs and their incident response, monitoring, and reporting capabilities.

Forenova Security is a leading provider of cybersecurity services and MDR offerings. For organizations seeking a partner to augment their current security operations (SecOps) team or provide complete 24/7 monitoring and response, threat intelligence, and other cyber defense tools, Forenova Security has access to experienced engineers to meet their business and compliance goals.

Contact us today to discuss your data protection with MDR.
