SecurityWeek

Malware & Threats

Advanced Attackers Step up Recon Efforts, Mandiant Reports

Sophisticated attackers are expanding their reconnaissance methods to gain an advantage in their quest to compromise data.

According to a new report from Mandiant entitled ‘Attack the Security Gap’, attackers are starting to target data related to network infrastructure, processing methodologies and system administration guides in order to gather information they can use to exploit networks and systems more efficiently.

“While basic reconnaissance of victim networks is nothing new, over the last year we have seen evidence of attackers expanding the type of reconnaissance activities they perform and utilizing more sophisticated tools and tactics to map victims’ networks,” the report notes. “In addition to network mapping, we saw multiple instances where the first documents the attackers stole were related to network infrastructure, processing methodologies and payment card industry (PCI) audit data. The attackers also took various system administration guides to identify human targets and to further scope the victim networks. We have also seen instances where the attackers opened native Microsoft tools (such as dns.msc) to gather the reconnaissance data they needed.”

This information can be used to identify network and system misconfigurations that can be exploited to gain additional access within the victim’s network, according to the report.
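As an added detection-side illustration (not code from the article or from Mandiant's report), the following Python flags process-creation events in which native Windows consoles such as dns.msc, or built-in enumeration commands, are run by accounts outside an assumed administrator allow-list. The log format, the snap-in and command lists, the admin group and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-style process-creation lines (not real telemetry).
SAMPLE_EVENTS = """\
2012-06-01T09:12:03Z host=WS-0142 user=CORP\\jdoe image=C:\\Windows\\System32\\mmc.exe cmdline="mmc.exe dns.msc"
2012-06-01T09:12:40Z host=WS-0142 user=CORP\\jdoe image=C:\\Windows\\System32\\mmc.exe cmdline="mmc.exe dsa.msc"
2012-06-01T09:15:11Z host=WS-0142 user=CORP\\jdoe image=C:\\Windows\\System32\\net.exe cmdline="net view /domain"
2012-06-01T10:01:55Z host=DC-01 user=CORP\\adm-ops image=C:\\Windows\\System32\\mmc.exe cmdline="mmc.exe dns.msc"
2012-06-01T10:05:00Z host=WS-0200 user=CORP\\asmith image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"
"""

# MMC snap-ins that expose network/directory layout; dns.msc is the one the report names,
# the others are assumed additions a defender might watch alongside it.
RECON_SNAPINS = {"dns.msc", "dsa.msc", "dhcpmgmt.msc", "dssite.msc"}
# Built-in enumeration commands (assumed list).
RECON_COMMANDS = {"net view", "net group", "nltest", "ipconfig /all"}
# Constructed allow-list of accounts expected to open these consoles.
EXPECTED_ADMINS = {"CORP\\adm-ops"}

LINE_RE = re.compile(r'(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
                     r'image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"')

def parse_event(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(event):
    """Return a recon tag for the event, or None if it is not reconnaissance-like."""
    cmd = event["cmd"].lower()
    if event["image"].lower().endswith("\\mmc.exe"):
        for snapin in RECON_SNAPINS:
            if snapin in cmd:
                return "admin-console:" + snapin
    for prefix in RECON_COMMANDS:
        if cmd.startswith(prefix):
            return "enum-command:" + prefix
    return None

def find_recon(log_text):
    """Group recon-tagged events per (host, user); alert on non-admin users,
    or on admins touching two or more distinct consoles/commands."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        tag = classify(ev) if ev else None
        if tag:
            hits[(ev["host"], ev["user"])].append(tag)
    return {k: v for k, v in hits.items()
            if k[1] not in EXPECTED_ADMINS or len(set(v)) >= 2}
```

Running `find_recon(SAMPLE_EVENTS)` reports only the WS-0142/jdoe session, since the single dns.msc launch by the allow-listed admin on DC-01 is treated as expected.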

Once sophisticated attackers are inside an organization, they burrow themselves deep into networks and often go undetected. According to the report, attackers spend an estimated 243 days on a victim’s network before they are discovered. Though this is 173 days fewer than in 2011, many organizations remain compromised for years before a breach is detected, Mandiant noted.

“During our investigations in 2012, we found an increase in the number of outsourced and managed service providers who were compromised and used as a primary access point for attackers to gain entry to their victims’ networks,” according to the report. “We have worked with clients who were both the compromised outsourced service provider and the compromised clients who employ these services.”

“In many instances, the attackers initially gained access to the service provider solely as a means to find a way into their real target – the client of the service provider. In those cases, we have seen the attackers compromise the first victim – the outsourced service provider – gather the intelligence they need to facilitate their compromise of the second victim, and then lay dormant at the first victim for months or even years, only accessing backdoors at those companies if they need to regain access to the second victim.”

Mandiant’s investigations also revealed that many organizations get targeted by more than one attack group, and in some cases the attacks occur in succession. In 2012, 38 percent of the targets in the cases investigated by Mandiant were attacked again after the original incident was addressed. The top three industries being targeted are aerospace; energy, oil and gas; and pharmaceuticals.

“We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination,” said Grady Summers, Mandiant vice president and one of the report’s contributing authors, in a statement. “It’s not enough for companies to ask ‘Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’”
