Initial Access

Case Studies

The MITRE ATT&CK website contains a number of real cases where each technique has been used. The examples listed here are just a bunch of further examples, particularly interesting because they illustrate all the intrusion steps that followed Initial Access.

• Exploit Public-Facing Application:

  • Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

• Valid Accounts:

  • Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
  • The silent heist: cybercriminals use information stealer malware to compromise corporate networks Infostealer malware. Nice publication by the Australian Cybersecurity Centre.

Phishing

Just two resources (I am not even trying to provide a link to relevant incidents; I would not know where to start):

• Internet Crime Complaint Center (IC3) - FBI Have a look at the annual reports: which is the most prevalent crime type by victim count?
• "phishing" search on Computers and Security This is a prestigious scientific journal. The list of papers published in the last year suffices to realize that there is still a lot of ongoing research on this seemingly irrelevant topic. Full text available only from internal UniTS network.

Secure email (SPF, DKIM, DMARC)

These are very interesting topics but not part of this course.

• Tackling Email Spoofing and Phishing High-level description, by Cloudflare.
• Trustworthy Email Technical guide by NIST. In-depth explanation.

Trusted Relationship - Case Studies

Also look at the "Procedure examples" in the MITRE ATT&CK technique.

• Microsoft lost its keys, and the government got hacked
• Microsoft reveals how hackers stole its email signing key… kind of

Supply Chain Compromise

Case Studies

Also look at the References in the MITRE ATT&CK technique (and their sub-techniques).

SolarWinds

A major incident with national security implications.

• CISA Emergency Directive: Mitigate SolarWinds Orion Code Compromise
• Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations Attack description mapped on MITRE ATT&CK.
• Look at the "Solar Winds" section in the Defense - Resources page of this website.

Linux xz compression library

Over a period of over two years, an attacker worked as a diligent, effective contributor to the xz compression library, eventually being granted commit access and maintainership. Using that access, they installed a very subtle, carefully hidden backdoor into liblzma, a part of xz that also happens to be a dependency of OpenSSH sshd on Debian, Ubuntu, Fedora, and other systemd-based Linux systems. That backdoor gives the attacker the ability to run an arbitrary command on the target system without logging in: unauthenticated, targeted remote code execution.

This attack was publicly disclosed on March 29, 2024 and it marks a watershed moment in open source supply chain security.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it's not really affecting anyone...BUT that's only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

• Backdoor found in widely used Linux utility targets encrypted SSH connections
• Timeline of the xz open source attack This post is a detailed timeline of the social engineering aspect of the attack, which appears to date back to late 2021.
• Techies vs spies: the xz backdoor debate An interesting non-technical analysis and perspective.

Interesting examples

• Accounting Ukraine cyber-attack: Software firm MeDoc's servers seized "some of the initial infections were indeed spread via a malicious update to MeDoc. It is Ukraine's most popular accounting software. The cyber-attack - a variant of an earlier virus called Petya - hit businesses around the world including the shipping firm Maersk"
• System utility CCleaner Attack Timeline—Here's How Hackers Infected 2.3 Million PCs Hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one. The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website.
• Digital signature, government certification authority Operation SignSight: Supply-chain attack against a certification authority in Southeast Asia The attackers modified two of the software installers available for download on the website of the Vietnam Government Certification Authority and added a backdoor.
• Browser plugin 500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users
• Browsers infected by government websites, infected by a website plugin Government websites hit by cryptocurrency mining malware Thousands of sites, including NHS services and the ICO, have been infected by malware that forces visitors’ computers to mine cryptocurrency while using the site. The cryptojacking script was inserted into website codes through BrowseAloud, a popular plugin that helps blind and partially-sighted people access the web.

Software development

You develop software and you could unwillingly distribute malicious software to your customers:

• Supply chain attack hits 26 open source projects on GitHub
• Malicious npm packages caught installing remote access trojans JavaScript and Node.js developers who installed the jdb.js and db-json.js packages were infected with the njRAT malware.
• Hacker group inserted malware in NoxPlayer Android emulator A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.

Firmware and routers

• Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company’s server and used it to push the malware to machines.
• How the NSA tampers with US-made internet routers The NSA has been covertly implanting interception tools in US servers heading overseas – even though the US government has warned against using Chinese technology for the same reason.

National Security

• Don’t use Huawei phones, say heads of FBI, CIA, and NSA
• Kaspersky bans and allegations of Russian government ties (Wikipedia).
• Commission strengthens cybersecurity and suspends the use of TikTok on its corporate devices

Defense

• Supply chain security guidance (NCSC, UK) Proposing a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.
• Information and Communications Technology Supply Chain Risk Management (CISA)

Analyses

• Israel’s Pager Attacks and Supply Chain Vulnerabilities Bruce Schneier.