Understanding Initial Access Vectors

Overt Operator
January 11, 2023

An offensive cybersecurity engagement's most challenging and crucial piece is achieving initial access to the target system. Whether the target is a corporate network, end-user device, or a specific cloud resource, without access, the operation fails.
TTPs for initial access can vary depending on funding, risk acceptance, and intent. Low-level cyber actors do not have the endless pockets of a nation-state, so they primarily rely on open-source tools and tactics with a lower technical threshold. While nation-states tend to use the same tactics as criminal organizations, they also have the funding to research and potentially produce zero-day exploits and exquisite toolkits to evade detection and swiftly gain access to targets.
Credentials/Masquerades:
Utilizing default or compromised username/password combinations to log in as a user or administrator.
Access through stolen or weak credentials is the leading cause of compromised systems. Legitimate user accounts are under far less scrutiny, which makes being detected far less likely. Throughout my career, I have found that masquerades using legitimate credentials are the most straightforward and fruitful operations. Masquerade operations are widespread among nation-state actors, ransomware groups, hacktivists, and other threat actors. However, not all credentials are created equal. Credentials for a user are less prized and may provide a different amount of access than administrative, SYSTEM, or root credentials would. A threat actor will exploit a target system using credentials for a server, an email, a web login, or even a cloud resource.
Victim credentials can be purchased, found, and harvested via several methods, all of which are illegal under the Computer Fraud and Abuse Act:
Darknet brokers and forums
Human access and social engineering
Intelligence systems (SIGINT; platforms that do not use plain text protocols)
Man in the middle (MITM) attacks
The abuse of legitimate credentials is often an extremely effective tactic that enables threat actors to blend into the target environment while limiting risk to their operations.
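Because a masquerade looks like a normal login, one defensive check is to baseline which sources each account normally logs in from and to flag the first successful login from anywhere else, ranking privileged accounts higher. The sketch below is an added example, not code from the original article; the log format, the events, and the PRIVILEGED list are constructed assumptions.

```python
from collections import defaultdict

# Constructed auth events (timestamp, account, source IP, result); not from a real system.
EVENTS = """\
2023-01-02T08:01:12Z alice 10.0.4.17 success
2023-01-03T08:03:40Z alice 10.0.4.17 success
2023-01-03T09:15:02Z root 10.0.9.5 success
2023-01-04T02:44:51Z alice 203.0.113.50 failure
2023-01-04T02:45:10Z alice 203.0.113.50 success
2023-01-04T02:47:33Z root 203.0.113.50 success
2023-01-05T08:02:09Z alice 10.0.4.17 success
"""

PRIVILEGED = {"root", "administrator", "system"}  # assumption: site-specific list

def find_suspect_logins(log_text, baseline_until):
    """Flag successful logins from a source not seen for that account during the baseline."""
    known = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        if result != "success":
            continue
        if ts < baseline_until:          # ISO-8601 UTC strings sort chronologically
            known[account].add(src)
            continue
        if src not in known[account]:
            # Not all credentials are equal: a new source on a privileged account ranks higher.
            severity = "high" if account.lower() in PRIVILEGED else "medium"
            alerts.append((ts, account, src, severity))
            known[account].add(src)      # alert once per new (account, source) pair
    return alerts

def shared_sources(alerts):
    """Sources that triggered alerts on more than one account (one actor, several identities)."""
    by_src = defaultdict(set)
    for _, account, src, _ in alerts:
        by_src[src].add(account)
    return {s: sorted(a) for s, a in by_src.items() if len(a) > 1}

if __name__ == "__main__":
    found = find_suspect_logins(EVENTS, "2023-01-04T00:00:00Z")
    for alert in found:
        print(alert)
    print(shared_sources(found))
```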
Spear Phishing:
The practice of tricking internet users, typically through deceptive emails, websites, or messages, into revealing personal or confidential information that attackers can use to further their goals.
Another common tactic for access generation is Spear Phishing. During a spear phishing campaign, an attacker will craft an email to dupe the user into clicking a link, executing a file, or opening a document. Most of the resources required are inexpensive, and threat actors can set up and launch a campaign in minutes.
Some of the resources required to conduct a spear phishing attack are:
Target Emails (recipients)
A ‘spear’ to lure the target into clicking a link, downloading a malicious file, or opening a file with embedded macros or scripts
A Simple Mail Transfer Protocol (SMTP) server to send the phishing email(s) from
A command-and-control (C2) server to catch the callback from the victim
A domain name the attacker controls that is made to look benign, innocuous, or legitimate to the target. For example, microsoft1.net or teslacarsusa.com
A payload to upload to the target machine either by Microsoft Office macro, VBScript, or other means.
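Lookalike domains such as the two named above can be caught on the receiving side by comparing sender and link domains against the brands an organisation cares about. The following is an added example, not part of the original article; the PROTECTED allowlist, the distance limits, and the sample domains other than the two from the list are constructed assumptions.

```python
# Added example: triage sender or link domains that imitate a protected brand.
# PROTECTED is a constructed allowlist; replace it with your organisation's domains.
PROTECTED = {"microsoft": {"microsoft.com"}, "tesla": {"tesla.com"}}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str):
    """Return (verdict, brand) for one domain name."""
    domain = domain.lower().rstrip(".")
    for brand, legit in PROTECTED.items():
        if any(domain == d or domain.endswith("." + d) for d in legit):
            return ("legitimate", brand)
    # Naive registrable label: assumes a single-label TLD such as .com or .net.
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    # Drop digits and hyphens so "microsoft1" and "micro-soft" collapse to the brand.
    squashed = "".join(c for c in label if c.isalpha())
    for brand in PROTECTED:
        if brand in squashed:
            return ("brand-embedded", brand)
        # Short brands get a tighter limit to keep false positives down.
        limit = 1 if len(brand) <= 6 else 2
        if edit_distance(squashed, brand) <= limit:
            return ("near-miss", brand)
    return ("unrelated", None)

def triage(domains):
    """Keep only the domains an analyst should review."""
    hits = {}
    for d in domains:
        verdict, brand = classify(d)
        if verdict in ("brand-embedded", "near-miss"):
            hits[d] = (verdict, brand)
    return hits

if __name__ == "__main__":
    # Constructed sample: the page's two lookalikes plus benign and legitimate names.
    sample = ["microsoft1.net", "teslacarsusa.com", "login.microsoft.com",
              "micosoft.com", "example.org"]
    for name, finding in triage(sample).items():
        print(name, finding)
```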
Spear phishing requires testing to ensure the delivered payload can reach the target: specifically, whether the payload will make it through an email service provider and whether it will pass various Windows security products without alerting the victim. Providers like Gmail and O365 scan .pdf, .docx, .xlsx, and other files to look for malicious scripts and embedded macros. A sophisticated actor will have to test the access method and payload to ensure successful deployment to the victim.
Generally, spear phishing is considered an easy and inexpensive tactic. Thus, it is used by low-level cybercriminals and advanced nation-state actors such as "Turla", APT 38, and APT 41. It is also worth mentioning that many APTs and nation-states combine information operations with spear phishing campaigns.
One example is the Russian state-sponsored actor "PRIMITIVEBEAR", also known as "Gamaredon" or "WinterFlounder". In 2021, this threat actor sent phishing emails to Ukrainian officials with .docx files that appeared to cover legitimate current-events topics on the tensions between Russia and Ukraine. However, these .docx files were embedded with VB scripts and macros that, once executed, would allow the actor to access Ukrainian government systems and entities of interest. PRIMITIVEBEAR also purposely crafted the .docx files to appear legitimate and to push narratives that supported a Russian information campaign leading up to the invasion of Ukraine.
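A mail gateway or analyst can check an Office attachment for macro content without opening it, because .docx, .xlsx and .pptx files are ZIP packages and VBA code is stored in a part named vbaProject.bin. The following is an added example, not part of the original article or any vendor's scanner; the function names, verdict strings, and size limit are assumptions, and the sample packages are constructed with placeholder bytes rather than real macros.

```python
import io
import zipfile

MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")   # formats that should never carry VBA
MAX_CT_SIZE = 1_000_000                        # assumption: refuse oversized manifests

def inspect_attachment(name: str, data: bytes) -> dict:
    """Inspect one attachment as a ZIP package; the file is never opened in Office."""
    result = {"name": name, "macro_parts": [], "verdict": "pass"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["verdict"] = "not-ooxml"        # legacy OLE2 .doc/.xls needs a different check
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            result["verdict"] = "not-ooxml"
            return result
        if z.getinfo("[Content_Types].xml").file_size > MAX_CT_SIZE:
            result["verdict"] = "quarantine"   # abnormal manifest, do not decompress it
            return result
        # VBA lives in a vbaProject.bin part (word/, xl/ or ppt/ directory).
        result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        declares_macros = b"macroEnabled" in z.read("[Content_Types].xml")
    if result["macro_parts"] or declares_macros:
        # Macro content behind a macro-free extension is a mismatch worth blocking.
        mismatch = name.lower().endswith(MACRO_FREE_EXT)
        result["verdict"] = "quarantine" if mismatch else "macro-enabled"
    return result

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package; the .bin part holds placeholder bytes, not VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for fname, payload in [("briefing.docx", build_sample(True)),
                           ("minutes.docx", build_sample(False)),
                           ("budget.docm", build_sample(True)),
                           ("notes.txt", b"plain text")]:
        print(inspect_attachment(fname, payload))
```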
Protocol Exploitation:
A cyber-attack in which an attacker uses known software/protocol vulnerabilities to gain access or attempts to misuse a system with criminal intent.
Finally, the third most common initial access vector is using Common Vulnerabilities and Exposures (CVEs) and other exploits to gain access to a target. Like spear phishing and masquerades, nation-states and cyber criminals use CVEs and other exploits to gain access to targets. Since CVEs are typically published as soon as they are found, threat actors use them to access unpatched target systems.
Zero Days:
A significant vulnerability discovered and exploited before it is known to or addressed by the vendor or maker.
Regarding zero days, the target will likely be unaware of an attacker’s presence. The best exploit is a pre-authentication, encrypted, remote code execution (RCE), for three reasons. No credential or token is needed to accomplish the exploit. Encryption provides anonymity: the packets sent to the target are encrypted and cannot be intercepted in plain text, making the tradecraft and exploit ‘unseen’ by admins and security researchers. And, as the name suggests, RCEs are remote, allowing the actor to operate away from the material point of the target.
Conclusion
Access through stolen or weak credentials is the leading cause of compromised systems. Legitimate user accounts are under far less scrutiny, which makes being detected far less likely. Throughout my career, I have found that masquerades using legitimate credentials are the most straightforward and fruitful operations. Masquerade operations are widespread among nation-state actors, ransomware groups, hacktivists, and other threat actors. However, not all credentials are created equal. Credentials for a user are less prized and may provide a different amount of access than administrative, SYSTEM, or root credentials would. A threat actor will exploit a target system using credentials for a server, an email, a web login, or even a cloud resource.