Slingshot: The How, What And Who

By   Matt Walmsley
EMEA Director , Vectra | Mar 14, 2018 04:30 am PST

How these routers have been hacked:

“Domestic connections and users typically offer a low defence and as a result, criminals will target them at home. Dropping an APT onto users at home will give them a beeline into an organisation – having them innocently walk the compromised PC into the work environment, bypassing any perimeter defences. Mobility and BYOD all bring risks which require the rapid detection and response to the subtle indictors of compromise inside the corporate network. Most organisations have perimeter defences, and some kind of AV end-point on their corporately controlled PCs. However, many organisations remain blind to nefarious activity that is happening across their internal network as attackers orchestrate, recon, move, escalate privileges and steal or manipulate data. The fact that ‘Slingshot’ is a 6-year-old campaign just goes to show the threat detection gap is alive and well, particularly for advanced attacks.”

What organisations can do to defend themselves against this sort of attack:

“Whilst traditional signature approaches are useless at spotting previously unseen and unknown threats, there are multiple ways to spot previously unseen APTs, active inside your organisation. To do this, a behavioural-based approach is required in order to spot the very weak signals of compromise that identify post-intrusion attacker activity within the network. The challenge is that task is laborious, slow, and poor efficacy if performed manually.

“Enterprises that recognise this ‘detection gap’ are increasingly moving to automated threat hunting tools that can operate autonomously. Using AI, businesses can detect hidden attacker behaviour, correlate and provide evidence as well as pull context of the attack, and integrate into the security incident response workflow to automate some or all of the response actions. In this regard, AI can then free up security analysts’ time to make quick, informed decisions whilst enabling an agile response to active threats -reducing attacker dwell time, and ultimately business risk.

“Any defence is imperfect; that’s why enterprises need to build up their detection and response capabilities to ensure they have an adaptive security architecture that defends against what it can, and quickly detects and responds to what it cannot. A healthy paranoia is needed, we need to have a ‘I’m compromised, where?’ mind-set.”

Who could be behind the attacks:

“Given the complexity, ‘stealthy-ness’ and feature-rich construction of ‘Slingshot’ we can speculate that the bad actor is well resourced and has high order technical capabilities. If we then look at the deployment footprint of the affected MicroTik routers, and the reported victims including individuals, government organisations – with Africa and the Middle East highlighted as key targets – we can further speculate that this is potentially a nation state driven attack.”

Lessons learned:

  1. Product developers need to manage their digital supply chain risk. We need to be asking questions here including how and where could software library and modules coming into your produce be compromised and how would you spot them? What quality assurance is there on the selection and use of third party code, and what is the provenance of the code? Are there steps should as digital signature and certificates to validate the code is ‘as advertised’ and hasn’t been manipulated?
  2. Patch, patch, patch – It’s a well sung song but ensuring that the latest versions of code are always used will reduce the risk of known-vulnerabilities.
  3. IoT and infrastructure devices are often easier to compromise and use to orchestrate attacks. Sub-OS root kits completely evade OS level security controls, and many IoT devices have poor security architectures. Aside from keeping OS and Firmware up-to-date, it’s important to be able to spot rogue behaviour from IoT and infrastructure devices. For example, Vectra’s security researchers demonstrated how to turn an IP camera into a network backdoor, without affecting its operations.

[su_box title=”About Matt Walmsley” style=”noise” box_color=”#336588″][short_info id=’104668′ desc=”true” all=”false”][/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x