Hacked Devices Are Gateways for Chinese Nation-State Hackers


Cyberwarfare / Nation-State Attacks, Endpoint Security, Fraud Management & Cybercrime

Routing Malicious Traffic Through Hacked IoT Devices Is Leading to ‘IoC Extinction’

Image: Martin Dworschak/Shutterstock/ISMG

Covert networks comprised of hacked domestic devices underpin a mounting number of Chinese nation-state hacking operations, warned British, U.S. and a slew of other national cybersecurity agencies.


Mainly Western government agencies on Thursday warned that the majority of Chinese nation-state threat actors now funnel communications through compromised edge devices located inside the same country as their target. These networks comprise hacked small office/home office (SOHO) routers, Internet of Things equipment and smart devices such as web cameras, digital video recorders and firewalls, as well as network-attached storage devices.

“We have seen a deliberate shift in cyber groups based in China utilizing these networks to hide their malicious activity in an attempt to avoid accountability,” said Paul Chichester, director of operations at Britain’s National Cyber Security Center, which is part of intelligence agency GCHQ, during the agency’s annual CyberUK conference, held this year in Glasgow, Scotland.

The advisory builds on previous warnings and “consolidates insights and proactive advice from across the international cybersecurity community to help network defenders combat the use of covert networks,” Chichester said.

Covert network users include the Chinese nation-state threat actor tracked as Flax Typhoon, which primarily targets Taiwan, as well as Volt Typhoon, which specializes in prepositioning designed to execute “disruptive or destructive cyber activity” against Western critical infrastructure, according to the U.S. Cybersecurity and Infrastructure Security Agency.

Bouncing network traffic through a swarm of compromised devices helps attackers obscure their origin and makes tracking, combating and attributing these types of attacks difficult. Covert networks are run by an array of private sector entities in China and provide services to different groups of attackers, including criminal enterprises (see: US Prosecutors Indict iSoon Chinese Hacking Contractors).

Greater adoption of covert networks by Chinese attackers across every stage of an intrusion has led to individual indicators of compromise, oftentimes tied to specific IP addresses used in the last stage of an attack, becoming less effective, officials warned. The same goes for organizations that employ geofencing – for example by rejecting log-in attempts that originate from outside the country.

“Because the covert networks are constantly refreshed and share nodes across multiple threat groups, defenders face ‘IoC extinction’ – indicators of compromise disappear as quickly as they are discovered,” the agencies said.

“Back in the day, you would have adversaries who would either co-opt or covertly buy some infrastructure, and they’d use that piece of infrastructure for a long period of time, and as defenders, you could be confident that that was a strong indicator,” Chichester told reporters.

“It makes it much, much harder to really know whether an indicator is really bad. If they’re only using that for a week or a month or day, if we share those IoCs, it’s much harder for the defenders – the false positive rate goes dramatically up, and they become much weaker indicators of compromise, rather than strong indicators,” Chichester said.

As attackers have become more agile, so too must defenders, in part by not relying on static data such as IP addresses. Experts urged a much more intelligence-driven approach, including the use of real-time threat feeds.

The NCSC said it is now attempting to document the hackers’ tradecraft, including attack methodologies, which it maps to the MITRE ATT&CK knowledge base that categorizes adversary tactics and techniques.

In light of the rising use of covert networks, the NCSC has issued detailed guidance, recommending that organizations of all sizes create baselines of their edge device traffic – including all VPN and remote access connections, as well as “adopt dynamic threat feed filtering that includes known covert network indicators.” It also recommends using, wherever possible, two-factor authentication, together with “zero trust controls, IP allow lists and machine certification verification.”

For large and high-risk organizations, officials said they “should consider active hunting of suspicious SOHO/IoT traffic, geographic profiling and machine learning-based anomaly detection.”
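The two problems described above, indicators that expire as covert-network nodes rotate and geofencing that cannot flag an in-country node, can be handled together with freshness-weighted indicator matching and a per-account baseline of edge-device (VPN) source networks. The following is an added illustration, not code from the advisory or the agencies; the feed entries, log lines, seven-day half-life and 0.5 threshold are constructed assumptions.

```python
"""Constructed example: freshness-weighted IoC matching plus a per-account
baseline of VPN source networks. Illustrates why static IP indicators for
rotating covert-network nodes decay, and why an in-country node passes
geofencing but not a baseline check. Not code from the advisory."""
from datetime import datetime, timedelta
import ipaddress

# Constructed feed: (network, first_seen, last_seen), as a covert-network
# feed with node lifetimes of a few days might look.
FEED = [
    ("203.0.113.0/24", "2025-05-01", "2025-05-03"),   # node rotated out
    ("198.51.100.0/24", "2025-05-14", "2025-05-16"),  # node still active
]
NOW = datetime(2025, 5, 16)
HALF_LIFE = timedelta(days=7)  # assumed decay: weight halves each week

def ioc_score(ip, feed=FEED, now=NOW):
    """Confidence (0..1) that ip is a current covert-network node: 1.0 while
    the indicator is live, halving every HALF_LIFE after its last sighting."""
    addr = ipaddress.ip_address(ip)
    best = 0.0
    for net, _first, last in feed:
        if addr in ipaddress.ip_network(net):
            age = max(now - datetime.fromisoformat(last), timedelta(0))
            best = max(best, 0.5 ** (age / HALF_LIFE))
    return round(best, 3)

# Constructed VPN log lines: "timestamp user src_ip country". All logins are
# in-country, so a geofence alone would accept every one of them.
LOGS = """\
2025-05-16T08:00:00 alice 192.0.2.10 GB
2025-05-16T08:05:00 bob 192.0.2.20 GB
2025-05-16T09:10:00 alice 198.51.100.7 GB
""".splitlines()

def baseline_alerts(lines, history, threshold=0.5):
    """history maps user -> set of /24 source prefixes seen in the baseline
    window. Alert when a login comes from a prefix the account has never used,
    or when the source scores above the assumed threshold against the feed."""
    alerts = []
    for line in lines:
        ts, user, ip, country = line.split()
        prefix = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        novel = prefix not in history.get(user, set())
        score = ioc_score(ip)
        if novel or score >= threshold:
            alerts.append({"ts": ts, "user": user, "ip": ip,
                           "country": country, "novel": novel, "score": score})
    return alerts
```

An indicator last seen 13 days ago scores about 0.28 here, so a match on it alone no longer triggers an alert; the same node would have been a strong hit the week it was active.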

For critical national infrastructure organizations, including ones that must comply with U.K. network and information systems regulations, officials also pointed to the NCSC’s Cyber Assessment Framework, which details best practices for protecting vital services and CNI across the energy, healthcare, transport, government and other sectors.

The advisory has the backing of cybersecurity agencies across the Five Eyes intelligence partnership – comprising Australia, Canada, New Zealand, the United Kingdom and United States – as well as Germany, Japan, the Netherlands, Spain and Sweden.
