How APT groups ramped up in 2023


The last few years have seen a trend of the cyber threat landscape growing steadily more hostile, with 2023 seeing a significant level of activity from Advanced Persistent Threat (APT) groups.

From the most well-organized criminal gangs to state-sponsored actors, APTs represent one of the most challenging and dangerous cyber threats facing organizations today. They have access to the most advanced attack knowledge and tools, and the resources to doggedly pursue their targets until they succeed.

These groups are set to be just as prolific in 2024 and beyond, so organizations must familiarize themselves with the most prominent attack trends and harden their security postures against these sophisticated and evolving threats.

How are APTs striking their targets?

In the first half of 2023 alone, Rapid7 tracked 79 distinct attacks orchestrated by state-backed actors. Close to a quarter (24%) of the attacks we analyzed exploited public-facing applications. These attacks targeted governments, critical infrastructure, and corporate networks, and often served as a gateway to broader, more damaging assaults.

Spear phishing with an attachment is also an attack vector of choice for APT groups. The deceptively simple yet effective technique was employed in 23% of these attacks, while 22% involved the abuse of valid accounts.

There are also numerous motives driving these state-sponsored groups. Cyber warfare has become increasingly prevalent in recent times, particularly in relation to the ongoing conflict in Ukraine, with cyberattacks on critical infrastructure mirroring physical military strikes.

Cyber espionage activity has also ramped up, with operatives aiming to extract valuable intelligence or intellectual property for political or economic leverage. Linked to this, many attacks have financial objectives, targeting the private sector to circumvent economic sanctions or fund state regimes.

Christiaan Beek, Senior Director of Threat Analytics at Rapid7.

Exploiting vulnerabilities old and new

APT groups are often synonymous with zero-day attacks. Zero-day vulnerabilities are extremely valuable assets within the cyber criminal economy, and we have found remote code executions (RCEs) for network devices such as Juniper and Cisco selling for more than $75,000 on the dark web.

The often superior resources and expertise of APT groups mean they are more likely to discover or purchase new vulnerabilities and be the first to integrate them into their attacks. By the midway point of 2023, roughly a third of all widespread vulnerabilities had been exploited as zero-days.

That said, it’s a mistake to think that these elite groups are restricted to using elite tools. APTs are as opportunistic as any other criminal gang and will readily use old and well-known vulnerabilities if their target hasn’t closed them.

Among the older vulnerabilities that saw prevalent exploitation in 2023 are CVE-2021-20038, a Rapid7-discovered vulnerability in SonicWall SMA 100 series devices, and CVE-2017-1000367, a vulnerability in the sudo command that allows for information disclosure and command execution. An APT even used a vulnerability from 2013 (CVE-2013-3900)—ten years old, and successful.

The popularity of these older vulnerabilities underscores a critical oversight in many cybersecurity strategies. There is a tendency to focus on emerging threats, which often leads to the neglect of existing yet still exploitable weaknesses.

Overall, Rapid7 saw a wide range of tactics from APT groups across commonly deployed enterprise technologies, with a notable emphasis on network edge devices. Routers, security appliances, print management software, and Voice over IP (VoIP) solutions have emerged as prime targets, highlighting a strategic shift towards exploiting the often-overlooked vulnerabilities at the network periphery.

Securing against advanced threats starts with the fundamentals

Defending against a determined APT adversary armed with a previously unseen zero-day is a challenging proposition. That said, organizations that have taken steps to harden their perimeter present a difficult target that can often send these groups off in search of easier prey.

As mentioned, there is a tendency to become overly focused on advanced security measures, which can inadvertently leave more obvious attack paths open. A continuous focus on vulnerability management fundamentals is particularly important here. Establishing clear, measurable patching cycles and prioritizing actively exploited vulnerabilities will reduce the risk of APTs gaining easy access through old vulnerabilities and reduce the threat window of newly discovered exploits.

Similarly, identity-based security is very important here, especially multi-factor authentication (MFA). Nearly 40% of all security incidents Rapid7 analyzed in the first half of 2023 were linked to inadequate MFA implementation, particularly in VPNs, virtual desktop infrastructures, and SaaS products. MFA is a critical line of defense, especially against APTs exploiting public-facing applications. While it can be subverted by sufficiently determined foes, a solid MFA process will make life far more difficult for attackers.

Dodging favored APT tactics

Looking at more advanced security measures, anti-data exfiltration should be a priority. This is particularly important with espionage being an increasingly common motivation among state-backed APTs.

Key measures here include alerting on or restricting unusually large file uploads and monitoring large volumes of traffic to a single IP or domain. Vigilance in monitoring unusual access to cloud storage platforms like Google Drive, SharePoint, and ShareFile is also essential. Additionally, implementing egress filtering, restricting local admin privileges on hosts, and monitoring for the presence or usage of data transfer and archiving utilities are crucial steps in fortifying an organization's cybersecurity posture.
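A minimal illustration of the alerting logic described above (large single uploads, high outbound volume to one destination, and use of archiving or transfer utilities), as an added example that is not Rapid7's tooling or code from the article; the log formats, thresholds and utility watchlist are constructed assumptions to be tuned to your own environment:

```python
from collections import defaultdict

# Constructed sample proxy log (not real data): "<ts> <src_host> <method> <destination> <bytes_out>"
PROXY_LOG = """\
2023-06-01T09:00:09 ws-042 POST drive.google.com 620000000
2023-06-01T09:01:15 ws-017 GET www.example.com 900
2023-06-01T09:02:30 ws-017 PUT 203.0.113.10 90000000
2023-06-01T09:03:02 ws-017 PUT 203.0.113.10 80000000
2023-06-01T09:03:40 ws-017 PUT 203.0.113.10 95000000
2023-06-01T09:04:00 ws-009 POST sharepoint.example.com 50000
"""
# Constructed endpoint process-start events (not real data): "<ts> <host> <image_name>"
PROCESS_LOG = """\
2023-06-01T08:58:00 ws-017 7z.exe
2023-06-01T09:00:00 ws-042 outlook.exe
2023-06-01T09:02:00 ws-017 rclone.exe
"""

SINGLE_UPLOAD_LIMIT = 500 * 1024 * 1024   # one request pushing more than 500 MiB out
DEST_VOLUME_LIMIT = 200 * 1024 * 1024     # one host sending more than 200 MiB to one destination
UPLOAD_METHODS = {"POST", "PUT"}
# Assumed watchlist of archiving/transfer utilities; exclude tools your estate uses legitimately
WATCHED_UTILITIES = {"7z.exe", "rar.exe", "rclone.exe", "winscp.exe"}

def find_exfil_indicators(proxy_log, process_log):
    """Return (indicator, host, detail, bytes) tuples for the three checks above."""
    alerts, per_dest = [], defaultdict(int)
    for line in proxy_log.splitlines():
        _ts, host, method, dst, nbytes = line.split()
        if method not in UPLOAD_METHODS:
            continue                       # downloads are not an exfiltration signal here
        nbytes = int(nbytes)
        if nbytes > SINGLE_UPLOAD_LIMIT:
            alerts.append(("large_upload", host, dst, nbytes))
        per_dest[(host, dst)] += nbytes    # accumulate per host/destination pair
    for (host, dst), total in per_dest.items():
        if total > DEST_VOLUME_LIMIT:
            alerts.append(("high_volume_destination", host, dst, total))
    for line in process_log.splitlines():
        _ts, host, image = line.split()
        if image.lower() in WATCHED_UTILITIES:
            alerts.append(("archiving_or_transfer_tool", host, image, 0))
    return alerts

def correlated_hosts(alerts):
    """Hosts showing both a network-volume indicator and a tool indicator: triage these first."""
    by_host = defaultdict(set)
    for indicator, host, _detail, _n in alerts:
        by_host[host].add("tool" if indicator == "archiving_or_transfer_tool" else "network")
    return sorted(h for h, kinds in by_host.items() if kinds == {"tool", "network"})
```

On the sample data the script flags ws-042 for a single oversized upload and ws-017 for both a high-volume destination and archiving/transfer tool usage, so ws-017 is the host to look at first.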

Rapid7 also noted a rampant abuse of Microsoft OneNote for spreading malware, predominantly through phishing emails. Blocking .one files at the perimeter or email gateway will help curb this threat.

Prioritizing network-edge device security is another key strategy. Devices such as VPNs, routers, and file transfer appliances should be on a high-urgency patch cycle. These technologies, often the first line of defense, are primary targets for attackers and require immediate attention in the event of identified vulnerabilities.

Preparing for what’s to come

As APTs and ransomware evolve in sophistication, it is urgent for organizations to reinforce their security postures, prioritizing fundamental practices like MFA, vigilant patch management, and proactive vulnerability assessments. Firms that harden their defenses and keep track of the latest trends will have the best chance of fending off or lessening the impact of these threat groups.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.

Christiaan Beek is Senior Director of Threat Analytics at Rapid7. Christiaan is a security threat expert with more than 20 years’ experience leading and contributing to cybersecurity research, intelligence gathering, and data science.