“You won’t know you have a problem unless you go and look.”

Neil Wyler, who is known as ‘Grifter’ in the hacker community, made that statement as a precursor to an unforgettable story. An organization hired Grifter to perform active threat hunting. In a nutshell, active threat hunting entails looking for an attacker inside an organization’s environment.

Engagement is a critical first step to any security program. After all, if you set up detection and prevention tools while attackers are already lurking inside, they will blend into the behavioral baseline. The tools will be configured with the attackers’ footprint already embedded into the environment, which makes it more difficult to detect them.

Threat Hunting Engagement

On the first day of the threat hunting engagement, the client showed Grifter detailed documentation. It listed every server, database and other asset connected to the network, in addition to protocols being used, how traffic flowed in and out, the egress and ingress points, how the network was segmented and recent changes to the environment. The level of detail was a rarity for most organizations. It also saved Grifter a day’s work.

He began hunting.

Within minutes he spotted something unusual. Data was leaving the environment, and it looked like personally identifiable information (PII). It included names, addresses, social security numbers, tax identification codes and other highly sensitive information. All of it was unencrypted. Grifter looked at the source of exfiltration, or, in other words, how the PII was leaving the environment.

“Should data ever go out that way?” he asked.

“No, it shouldn’t. That data shouldn’t go anywhere,” the client replied nervously.

Grifter discovered the data was being exfiltrated from a web server that was not included in the inventory documentation. When he mentioned it to the client, it sparked a memory. Nearly a year ago, the company had spun up a test server, which was never decommissioned. For months, the server remained publicly accessible on the internet. To the security team, it didn’t exist. They had forgotten about it. Also within that time frame, the Apache Struts exploit was released. The client had patched its known vulnerable systems, but because the test server was unknown it was overlooked.

Grifter tracked down the destination of the PII and discovered the data was going to a nation-state. For four months, 10 records were taken every two to 10 seconds. The attack flew under the radar. The attackers weren’t noisy. They didn’t exfiltrate a chunk of records at one time daily. To the security team, it looked like normal web traffic, although the traffic wasn’t coming from a ‘normal’ location. The server sat in the research and development department, an unusual place to transmit PII. That’s how Grifter knew something was strange. With some quick math, Grifter concluded the attackers must have slowly stolen millions of records.

Grifter and the client switched from threat hunting to incident response mode.

Top Takeaways

Grifter discussed his top takeaways from the experience. First, the best threat hunters are human. No matter how many tools or blinking boxes sit in your environment, they can’t provide the deep dive that a human hunter can provide. With this incident, a tool may have detected the server, and data leaving it, but it would most likely baseline the activity as normal because the web traffic looked normal.

If the security team set up a rule for the tool, it may have raised a red flag, although many organizations don’t set up rules. And if they do, the main question applied to the rule is, ‘Is that normal or not normal activity for us?’ (In this case, the traffic appeared to be normal.) The client didn’t have rules for the overlooked server despite having the best asset inventory Grifter had ever seen. It only takes one forgotten asset to cause a breach. To find active threats, humans must sit down and look through traffic and endpoint telemetry. Humans must create alerts and mitigations to ensure tools are doing what they are designed to do. Tools can help hunters whittle down data, but humans are still needed.

Grifter also pointed out that for nation-states, data is valuable, no matter the type. For example, let’s say a dating website was breached. If you are not on the website, you may not care. Then, let’s say a government agency is breached. If you don’t work for that agency, you may not care. Finally, let’s say a tax filing company was breached. That may impact you, although you might be offered a free credit score check, and the breach fades into history.

None of those breaches may affect you, yet for nation-state attackers, all of them are valuable. Attackers can correlate the stolen data and use it as a weapon. For example, they can identify a person who subscribed to the dating website and then cross-check the information to see if that person worked for the government agency and retrieve their tax information. They can then use that information to target the person for spear-phishing campaigns, spy recruitment or other nefarious purposes.

The bottom line is: even if a data breach didn’t impact you, it may in the future. This is why all organizations should be hunting for threats with humans.

If you are interested in hearing more stories from Grifter, including how he discovered another nation-state attacker exfiltrating data from a global enterprise, join the upcoming webinar, “Storytime with Grifter: How Russia Exfiltrated Data from a Global Company” on February 3, 2022.

Register here

More from X-Force

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…