Per reporter: Zhu Chengxiang
The Russian-Ukrainian conflict has aroused worldwide concern. While the two sides exchanged fire on the battlefield, the network confrontation without gun smoke has already begun, and hacking organizations and APT organizations with different interests have entered the public eye.
On February 25, Xinhua reported that anonymous, an international hacking group, launched a "cyber war" against Russia on February 24 against Russia's military operations in Ukraine and admitted to attacking the website of Russia Today.
According to the Global Times quoted by the British Independent, the Russian Kremlin website malfunctioned at the time of Russia's special military operations in Ukraine.
More rigorous than hackers, what is the APT organization?
In addition to the Russian-Ukrainian conflict, the hottest semiconductor design company at present, NVIDIA, has also been targeted by hacking organizations.
On the morning of February 26, there were reports that the cyberattack had interrupted some of NVIDIA's business for at least two days. Due to the response and containment measures after the malicious intrusion of the Network, Nvidia's internal email system and development tools cannot be used during this period.
Subsequently, on the afternoon of February 26, the emerging network ransomware organization Lapsus $ announced in its social software channel group that it had successfully broken through Nvidia's network firewall and stole nearly 1TB of data. It is a South American hacking group that has attacked Brazil Post, Portugal's largest television station and newspaper outlet Impresa.
Unexpectedly, Nvidia quickly fought back, and on February 27, Lapsus$ suddenly announced that Nvidia had hacked the computer it used to hack NVIDIA.
Speaking of cyber confrontation, the APT organization must be mentioned. Anonymous, a hacking organization that launched a cyber attack on Russia, is not an APT organization in the strict sense, because it is not as deep and long-term as the APT organization.
So-called APT attacks, also known as advanced sustainable threat attacks, are more targeted and complex than ordinary hacking tools, often have a continuous nature, and are more stealthy. The purpose of the APT organization is mainly to obtain political and economic benefits as a starting point, steal the core information of the target, or destroy the key infrastructure of the other party.
In other words, the impact of APT attacks is not limited to the virtual network world, but also to the physical world.
For example, in February 2021, the Florida Water Plant in Florida became the target of a cyber attack by hackers, who attempted to use technical means to poison a water supply system that supplied 15,000 people in the area. The attackers remotely accessed the Systems of the Oldsma Water Plant and tried to raise the sodium hydroxide levels to a level large enough to put the public at risk of poisoning. Fortunately, the staff detected the system abnormality in time and corrected it immediately, thus stopping the occurrence of the disaster.
Compared with ordinary hacking organizations, APT organizations have stronger technical capabilities, some APT organizations can be said to be leading the world, and their organizational rigor is more rigorous than that of ordinary hacker groups, and many APT organizations have national backgrounds. In terms of the purpose of attacks, APT organizations with national backgrounds often launch attacks led by national interests, and there are also APT organizations with economic interests as the mainstay. The ordinary hacker group is often dominated by commercial interests and economic interests.
So, which industries are more affected by APT attacks? According to the "2021 Advanced Threat Posture Research Report" released by Anheng Information, in 2021, the proportion of government, defense, finance, aviation, and medical and health departments affected by APT attacks was 15.52%, 6.16%, 5.91%, 4.43%, and 3.69%, respectively, ranking high.
Step by step: APT attack methods are endless
The reporter learned that the current APT attack methods include watering hole attacks, phishing and spear phishing, zero-day (0day) attacks, social engineering attacks and so on. For example, the 0day attack is to use the vulnerability that has not been patched to launch an attack, while the social engineering attack is to use the weakness of human nature to attack, mainly using deception and disguise, by breaking through the victim's psychological defense line, using the victim's curiosity, trust relationship, psychological weakness and so on to attack.
Among the more common means, such as masquerading as an email from a partner, the content of the email and attachments are carefully designed, if the victim is deceived by the content, and clicks on the elaborate attachment file, then the victim's computer is likely to be lost.
The ukrainian power outage, which is better known in the industry, is a typical example of a social engineering attack. In December 2015, the attackers first delivered a phishing email with the subject line "Ukrainian President partially mobilized order", in which the victim clicked on and launched a malicious macro document of BlackEnergy, a type of malware used to create botnets for DDoS attacks, out of curiosity. After obtaining the relevant credentials, BlackEnergy began to probe network assets, move laterally, and finally gain control of the system.
The attack caused a massive power outage lasting several hours in parts of the Ukrainian capital Kiev and western Ukraine, with at least three power zones attacked.
In addition, the Lazarus organization uses social media such as Twitter to target the continuous infiltration of security researchers engaged in vulnerability research and development of different companies and organizations, and the attackers have set up a series of social media accounts on social media such as Twitter, which post some security-related updates and comment on each other to expand the impact.
After having a certain degree of influence, the attacker will actively seek out security researchers to communicate and ask about the security researchers' research areas and areas of interest. After determining the security researcher's field of study, if there is an overlap, the attacker will use the learning communication as an inducement to send poc, exp, and other engineering files to the researcher. The whole process feels very real, and the disguised content is very suitable for the victim's work content, so it is very likely that he will fall into the trap without noticing.
How to protect against APT attacks?
Lazarus is the APT organization with the highest number of APT attacks in the world in 2021. According to the 2021 Advanced Threat Posture Research Report released by Anheng Information, Lazarus, Kimsuky and APT29 ranked among the top three in terms of attacks, and the attacks of these organizations were highly targeted and sophisticated due to geopolitical factors.
How should we respond to the social engineering attacks that APT organizations like Lazarus are used to on social media?
First of all, as an individual, you should always be vigilant, do not easily open email attachments, do not click on unknown links at will, be vigilant about unfamiliar social objects, always pay attention to personal privacy, do not arbitrarily post some important personal information to social media, and carefully confirm in some places where you need to fill in the content of real information.
Enterprises and institutions should also timely train relevant network security awareness, as well as the understanding of some network security related technologies, so that enterprise employees can better understand and prevent.
For the attack of APT organizations, enterprises and government agencies cannot be 100% discovered and defended, and can only improve the defense system as much as possible. Specific measures include the need to regularly patch and upgrade facilities and security tests to minimize weaknesses; deploy monitoring equipment in all aspects of the attack surface, and establish a three-dimensional defense-in-depth system to grasp threat intelligence in a timely manner and make prevention and decisions in advance.
It is worth mentioning that in 2021, a large number of new mobile device malware targeting ios and Android operating systems has emerged, and it is easy for gray and black cybercriminals to profit from mobile malware such as bank Trojans, and APT organizations can also install spyware, keyloggers, etc. on the mobile devices of the victims to monitor and steal the victim's information. As a result, attacks against mobile devices have increased significantly this year, and the tactics of attacks have become more sophisticated.
So, what harm will APT attacks bring to ordinary people's mobile phones? Will these organizations use mobile phones as an entry point to infiltrate the internal networks of companies and institutions, thereby stealing confidential information, paralyzing the network, etc.?
In this regard, Anheng Information industry insider said: "The general public is generally less likely to become the target of APT attacks, and the targets of APT attacks are often targeted, such as personnel of a certain key organization, personnel of a certain technology company, and personnel of a military unit. ”
In addition, "in general, APT organizations attack mobile phones, using mobile phones as an entrance to invade the internal networks of companies and institutions, etc. have certain operational complexity, although not common, but it is not impossible." The above-mentioned industry insiders added.
According to the "2021 Advanced Threat Situation Research Report" released by Anheng Information, as the new crown epidemic continues, the informatization of the medical industry is developing rapidly, but the digital medical system in some countries is not yet perfect, so it has become the hardest hit area of the attack. As a result, medical research will continue to be a target for threatening attackers.
In addition to this, the threats to the INDUSTRIAL environment of ICS (Industrial Control Systems) will continue to grow. For example, the Colonial Pipelines attack that occurred in the first half of 2021 fully demonstrated the security risks in the ICS environment. It is important to note that ICS is at the heart of critical infrastructure, and once attacked, the normal functioning of the country will be seriously affected. Due to the lack of a sound network protection program in the ICS environment, it is easy to become the target of attacker intrusion, and attacks against industrial control systems will continue to increase.
Industry data overview
Statistics show that in January 2022, the number of malicious computer programs spread in China reached as many as 220 million times, and February rose slightly by about 1.43% compared with January. In February, the number of malicious computer transmissions in China showed an upward trend every week, reaching the highest in week 4, reaching 72.119 million. In terms of the number of hosts infected with computer malicious programs in China, the data in January was 5.585 million, and in February it reached 6.036 million, up 8.08% month-on-month. Malicious programs can damage files, cause system abnormalities, steal data, etc., which is very harmful to computers and must be paid great attention to.
From the total number of backdoor websites implanted in China, 1792 in February, down 18.86% from 2130 in January, of which the number of government websites in February 13, compared with 2 in January, rose significantly, the government is still the first choice for network attacks.
Judging from the number of counterfeit websites and vulnerabilities, February has dropped significantly compared with January. Among them, the number of counterfeit websites increased from 460 in January to 355 in February, and the decline in the number of counterfeit websites was also attributed to the success of the national anti-fraud work. The number of vulnerabilities decreased by 21.36% from 2045 in January to 1685 in February, of which high-risk vulnerabilities were also significantly reduced. For security vulnerabilities, you must download the application in the formal channel and update it immediately, and do not take chances.
Data decoding APT attack: Government departments are the most affected
According to the monitoring situation of Anheng Hunting Laboratory, there were about 201 APT attacks in 2021. In 2021, APT organization activities were mainly concentrated in South Asia and the Middle East, followed by East Asia, and APT attacks in Southeast Asia have slowed down.
The organization distribution of APT attack events in 2021 is as follows:
Judging from the distribution of countries to which the attacks occurred, some new victim countries have emerged, such as Afghanistan, Colombia, Georgia, Latvia, etc. This may indicate that the APT organization is trying to expand the scope of its activities.
The distribution of APT attack victim countries in 2021 is as follows:
In terms of industry distribution, the government sector is still its main target, followed by the defense, finance, aviation, and health care sectors.
The distribution of industries affected by APT attacks in 2021 is as follows:
In addition, according to the statistics of Anheng Hunting Laboratory, as of November 2021, a total of 58 0-day vulnerabilities in the opposition of mainstream manufacturers have been disclosed throughout the year. Among them, CVE-2021-1732 and CVE-2021-33739, two wild 0-day vulnerabilities, were captured and disclosed by Anheng Hunting Laboratory.
What is a 0-day vulnerability? A 0-day vulnerability, also known as a "zero-day vulnerability," is a vulnerability that has already been discovered (and may not have been made public) and has not yet been officially patched. No one but the discoverers knew about the existence of this vulnerability. Once discovered and effectively exploited by attackers, it will cause great damage.
Anheng Hunting Labs combed through the 2021 wild 0-day vulnerabilities and the APT associations specifically using them, as follows:
Judging from the trend of changes in the number of wild 0-day vulnerabilities disclosed from 2018 to 2021, the number of wild 0-day vulnerabilities has increased year by year in recent years. The growth trend is most pronounced in 2021, with more than twice as many disclosures in 2021 as it did in all of 2020.
Judging from the distribution of vendors involved in the wild 0-day vulnerabilities, the most disclosed manufacturers in 2021 are Microsoft, followed by Google and Apple.
From the distribution of the types of wild 0-day vulnerability products, the most "favored" by the wild 0-day vulnerability in 2021 is the browser vulnerability, followed by the operating system vulnerability.
From the perspective of the distribution of vulnerability types belonging to the wild 0-day vulnerabilities, the largest proportion in 2021 is remote code execution vulnerabilities, followed by privilege escalation vulnerabilities.
Scan the QR code or click "Read the original article" to download the 2021 Advanced Threat Posture Research Report:
Reporter | Zhu Chengxiang
Editor| Liang Xiao
Proofreading | Lu Xiangyong
Daily economic news integrated China News Network, CCTV News, Financial Associated Press, Per Economic Network, public information, etc
After Delta, the Aumechjong strain became a global pandemic,
Click on the image below or scan the QR code below to see the latest epidemic data
Daily economic news