Demystifying: R00tK1t ATT&CK, Detect and D3FEND Initial Access

Scope of the Article:

I am mapping the group's activity onto the MITRE ATT&CK framework so that readers can immediately implement the detections in their environment. We will also discuss some mitigations and hardening suggestions to safeguard an organization's digital landscape.

  • Who and what R00tK1t is.
  • Its primary targets.
  • Common attack procedures mapped onto the MITRE ATT&CK framework.
  • Potential mitigations.
  • Hardening suggestions.

In this article, we will only cover initial access techniques, which are the most important ones for detecting the initial intrusion.

Introduction:

According to reports, on January 26th the hacking group R00TK1T announced via their Telegram channel their plan to launch a cyber-attack campaign against Malaysian infrastructure. The same threat was also posted on the dark web, warning that "chaos is brewing" and advising Malaysians to prepare for infrastructure collapse. The hackers' message ominously declared that "no system is safe, no data secure."

R00tK1t team's initial warning before the attack.

National Cyber Coordination and Command Centre, Malaysia (NC4) established that the R00TK1T plan was initially announced on the group’s Telegram group on January 26th. The multi-agency cybersecurity team also believed that the hacking group was part of a “retaliation team” that acts upon cyber-attacks ignited by the ongoing conflict in the Middle East. Based on historical data, the agency also established that the campaign would include web defacement, stealing confidential documents, and network intrusion with or without insider help.

Primary Targets of R00tK1t:

As per the reports and an analysis of the victims and their relations, it is safe to assume that the threat group is targeting Muslim-majority countries, driven by the recent geopolitical situation of the region.

Industries Priority-wise:

As the behavior of the group is in line with that of a hacktivist group, the priority of targets for this group is as below:

  • State security departments, i.e. police, army and other sensitive security agencies.
  • Economic institutions (banks and regulatory authorities).
  • Government websites.
  • Corporations carrying anti-Israel narratives.

Tactics, Techniques and Procedures:

As per the latest findings against R00tK1t, they hide rootkits inside sophisticated malware such as Trojans, RATs, droppers, viruses and worms. We will discuss some of the key stages and techniques of MITRE ATT&CK by which we can detect the threat and remediate it in a timely manner.

Image credit: veracode

Initial Access:

This is the earliest and most vulnerable stage of an attack. I will discuss some of the techniques being used by R00tK1t.

MITRE T1199: Trusted Relationship

MITRE Description

Recent Examples of compromise:

Maxis has reportedly been hit by the group's cyberattack. “While we did not identify anything related to our own systems, we identified a suspected incident involving unauthorized access to one of our third-party vendor systems that resides outside of Maxis’ internal network environment,” the telco said.

During the SolarWinds compromise, APT29 also gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.

There have also been instances where threat groups leveraged third-party software and MSPs to gain initial access to the environment.

Detection(s):

  • Monitor and analyze traffic patterns associated with protocols that do not follow the expected protocol standards and traffic flows, i.e. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, or anomalous syntax or structure coming from a trusted entity.
  • Unusual logon sessions from third-party vendors via VPN or any other authorized remote access service (such as Zoom and Webex sessions, as they have the ability to share screen and controls), e.g. logons in off hours or concurrent logons.
  • Correlate other security systems with login information (for example a user who has accessed a service or server that does not pertain to them, or who has an active login session but has not entered the building or does not have VPN access).

Mitigation(s):

  • Require MFA for all delegated administrator accounts.
  • Require MFA for VPN services.
  • Properly manage accounts and permissions used by parties in trusted relationships, to minimize potential abuse by the party and the impact if the party is compromised by an adversary.

MITRE T1190: Exploit Public-Facing Application

As per the reports, R00tK1t's main targets are public-facing servers and hosted websites.

APT groups in the past have used vulnerabilities in VPNs, firewalls, proxies, Exchange servers and applications to gain initial access.

Detection:

  • Monitor for any anomalous traffic observed on the firewall. If you have an NGFW such as Palo Alto or Fortigate in place, monitor the threat vectors being observed and block them before any vulnerability is exploited by the threat actor.
  • Monitor for 403 status codes on the Web Application Firewall: multiple 403s may indicate that someone is intercepting and manipulating payloads to attack the application, and multiple "not found" status codes may indicate that someone is probing the website's directories (directory traversal or enumeration attempts) to gain visibility of your web app's directory structure.
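The status-code check above, as an added example that is not part of the original article: a small detector that parses combined-log style lines from a web server or WAF and flags a source that produces a burst of 403 or 404 responses inside a sliding window. The log lines, the window and the threshold are constructed assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WAF/web-server log lines in combined-log style (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2024:02:14:01 +0000] "GET /admin/ HTTP/1.1" 404 162
10.0.0.5 - - [12/Feb/2024:02:14:02 +0000] "GET /backup/ HTTP/1.1" 404 162
10.0.0.5 - - [12/Feb/2024:02:14:02 +0000] "GET /.git/config HTTP/1.1" 404 162
10.0.0.5 - - [12/Feb/2024:02:14:03 +0000] "GET /old/ HTTP/1.1" 404 162
10.0.0.5 - - [12/Feb/2024:02:14:05 +0000] "POST /login HTTP/1.1" 403 98
10.0.0.5 - - [12/Feb/2024:02:14:06 +0000] "POST /login HTTP/1.1" 403 98
10.0.0.5 - - [12/Feb/2024:02:14:07 +0000] "POST /login HTTP/1.1" 403 98
10.0.0.5 - - [12/Feb/2024:02:14:08 +0000] "POST /login HTTP/1.1" 403 98
198.51.100.7 - - [12/Feb/2024:09:10:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [12/Feb/2024:09:10:01 +0000] "GET /favicon.ico HTTP/1.1" 404 162
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=5)   # sliding window (tuning assumption)
THRESHOLD = 4                   # hits per (source, status) in one window (tuning assumption)

def parse_line(line):
    """Return (source_ip, timestamp, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map (source_ip, status) -> peak count of 403/404 responses inside one window,
    kept only for sources whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in (403, 404):  # 403: blocked/manipulated payloads, 404: probing
            ip, ts, status = parsed
            events[(ip, status)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts
```

On the sample above, 10.0.0.5 is flagged for both its 404 probing and its repeated 403s, while the single 404 from 198.51.100.7 (a missing favicon) stays below the threshold.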

Mitigations:

  • Patch the vulnerabilities of the public-facing servers and also of the servers hosting the web application.
  • Harden the application firewall policies.
  • Harden the applications themselves so that even unlikely scenarios are covered.


MITRE T1133 External Remote Services:

MITRE Description

APT29 has used compromised identities to access networks via VPNs and Citrix.

A group used legitimate credentials to log in to an external VPN, Citrix, SSH, and other remote services.

Adversaries have used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.

Detection(s):

  • Unusual logon sessions from third-party vendors via VPN or any other authorized remote access service (such as Zoom and Webex sessions, as they have the ability to share screen and controls), e.g. logons in off hours or concurrent logons.
  • Correlate other security systems with login information (for example a user who has accessed a service or server that does not pertain to them, or who has an active login session but has not entered the building or does not have VPN access).
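The logon checks listed under both T1199 and T1133 (off-hours logons, concurrent logons from different sources, and correlating sessions against what the account is actually entitled to), as an added example that is not code from the article. The session records, the entitlement table and the business hours are constructed assumptions; in practice they would come from the VPN/remote-access logs and the IAM system.

```python
from datetime import datetime, time

# Constructed remote-access session records (sample data, not real logs):
# (account, session_start, session_end, source_ip, service)
SESSIONS = [
    ("vendor_alice", "2024-02-12 10:05", "2024-02-12 11:30", "203.0.113.10", "vpn"),
    ("vendor_alice", "2024-02-12 10:40", "2024-02-12 12:00", "198.51.100.22", "vpn"),  # overlaps, other IP
    ("vendor_bob",   "2024-02-12 02:15", "2024-02-12 03:00", "203.0.113.44", "vpn"),   # off hours
    ("vendor_carol", "2024-02-12 14:00", "2024-02-12 15:00", "203.0.113.50", "vpn"),   # no VPN entitlement
    ("vendor_dave",  "2024-02-12 09:00", "2024-02-12 09:45", "203.0.113.60", "vpn"),   # normal
]

# Assumed entitlement table: which remote services each vendor account may use.
ENTITLEMENTS = {
    "vendor_alice": {"vpn"}, "vendor_bob": {"vpn"}, "vendor_dave": {"vpn"}, "vendor_carol": {"webex"},
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working hours, local time

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def is_off_hours(start, hours=BUSINESS_HOURS):
    return not (hours[0] <= start.time() < hours[1])

def analyze(sessions=SESSIONS, entitlements=ENTITLEMENTS):
    """Return a list of (finding, account, detail) tuples for the three checks."""
    parsed = [(u, _parse(s), _parse(e), ip, svc) for u, s, e, ip, svc in sessions]
    findings = []
    for user, start, end, ip, svc in parsed:
        if is_off_hours(start):
            findings.append(("off_hours_logon", user, ip))
        if svc not in entitlements.get(user, set()):
            findings.append(("service_not_entitled", user, svc))
    # Concurrent sessions: same account, overlapping time range, different source IPs.
    by_user = {}
    for sess in parsed:
        by_user.setdefault(sess[0], []).append(sess)
    for user, lst in by_user.items():
        for i, a in enumerate(lst):
            for b in lst[i + 1:]:
                if a[1] < b[2] and b[1] < a[2] and a[3] != b[3]:
                    findings.append(("concurrent_logon", user, (a[3], b[3])))
    return findings

if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```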

Mitigation(s):

  • Enforce policy and SOPs for taking remote access into the organization, and tightly monitor it for any anomaly.
  • Block every remote access service except the one defined in the organization's standard procedure.
  • Require MFA for all delegated administrator accounts.
  • Require MFA for VPN services.
  • Properly manage accounts and permissions used by employees.


MITRE T1566: Phishing

Phishing has been the most popular technique used by attackers to deliver their malicious code. There is no need to present any example of its destructive power, as many infections spread through this technique.

Mitigations:

  • Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
  • Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.
  • Cyber Awareness: Users can be trained to identify social engineering techniques and phishing emails.


Conclusion:

While this article focuses on initial access, it serves as a technical resource for bolstering defenses against evolving threats. By implementing suggested mitigations and hardening suggestions, organizations can enhance resilience against adversaries like R00TK1T. Ongoing vigilance and proactive defense remain critical in safeguarding digital integrity.

