An incident response perspective
In the last two years, DarkLab has helped clients respond to, and recover from, numerous network intrusions. Our clients span a variety of sectors in Hong Kong and Macau, including financial services, real estate, telecommunications, and aviation, among others. The organisations we helped also varied greatly in size and cyber security maturity. Some employed just a handful of personnel with no dedicated security function, while others were large international organisations with an established CISO and security teams.
This range of incident response experience means that DarkLab is in a unique position to identify cyber threats to Hong Kong companies across multiple sectors. In this article, we share some of the threat trends we have observed first hand, and highlight effective mitigation methods companies can implement to thwart them.
Common attacks against companies in Hong Kong
In 2018, we were called in to help investigate a significant number of business email compromise (BEC) frauds against financial services companies. BEC frauds see threat actors sending emails to employees, often in the finance department, to instruct them to direct funds to a bank account that scammers control. For the fraud to work, the email needs to appear to originate from an internal, trusted email account.
While email spoofing is the simplest option for threat actors, in most of the incidents we observed threat actors instead directly compromised an email account. This allowed them to monitor their victim’s incoming emails and hijack an email thread to grant their fraudulent request greater credibility. While BEC scammers usually spent no more than a couple of days in their victim’s accounts, we saw one incident where their presence remained undetected for almost a week.
In 2019, the most common type of attacks were ransomware and cryptomining. Cryptomining incidents were mostly caused by automated botnets. Intrusions were often detected promptly by victims due to the unusually high CPU usage required to generate cryptocurrency.
Ransomware attacks instead showed a higher degree of stealth and manual lateral movement. For instance, in a ransomware intrusion attackers operated in the infected network only outside standard office hours. By also exploiting living-off-the-land techniques intruders managed to remain unnoticed until the encryption routine was activated some 20 days later.
Threat intelligence suggests that last year ransomware and cryptomining threats were on the rise globally, showing how threats to Hong Kong closely follow global threat trends.
Main initial attack vectors exploited
The initial attack vectors for most incidents we investigated were abuse of internet-facing infrastructure, often exploiting brute-force attacks or stolen credentials to access servers with enabled remote desktop protocol (RDP) and secure shell (SSH).
For instance, a client in the shipping industry had ten servers infected by the Anacron cryptomining malware. Upon investigation, we discovered attempted bruteforce attacks against the same SSH server for almost a month, suggesting automated botnet activity. Once logged in, the malware spread to 10 additional servers that shared the same password as the infected web server.
Ransomware infections that initiated on a public-facing RDP server were also relatively common. For instance, we responded to one such incident involving the Dharma/Crysis ransomware that was affecting a real estate development company.
In at least one case, however, a publicly available exploit enabled a ransomware attack against a company in the professional services sector. Attackers exploited a known vulnerability in Windows IIS (CVE-2017-7269) to gain initial access to a server used for testing, which was left exposed to the internet. After stealing multiple IT user accounts with the highest privileges, the attacker compromised and encrypted 62 Windows servers causing significant business disruption.
Espionage intrusions against organisations in Hong Kong
Although less numerous, we also witnessed prolonged and organised network intrusions against companies in Hong Kong carried out by skilled threat actors.
In an incident in late 2019, we responded to a supply-chain compromise carried out by a likely espionage group against a Hong Kong client in the aviation sector. The attacker targeted a subsidiary of the client by exploiting an unpatched firewall vulnerability to obtain valid VPN credentials. Once inside the victim’s network, the threat actor conducted extensive reconnaissance and staged various tools on internal servers. Tools included the credential dumping Mimikatz, NBTScan for network scanning, and PSExec for lateral movement.
After more than a month in the subsidiary’s network, the threat actor exploited the trusted connection with the main organisation’s network to move across. Fortunately, the intrusion in the main organisation’s network was detected in time and it did not result in exfiltration of data. Nonetheless, we saw similar tactics, techniques and procedures used against another Hong Kong critical national infrastructure company in 2018. This suggests that espionage threat actors continue to pose a threat to Hong Kong organisations in strategic sectors.
Despite the range of potential threats to companies in Hong Kong, cyber security best practices and common hygiene methods can help deter a significant portion of the cyber attacks we observed.
To improve your organisation’s resilience to cyber attacks we suggest to:
- Enforce the use of multi-factor authentication for remote access
- Restrict domain admin rights
- Limit exposure of public-facing systems
- Ensure that best practices for network segmentation are observed
- Conduct regular security awareness training for IT and non-IT staff
- Perform regular cyber attack simulations to ensure resiliency
- Consider establish or outsource a Security Operation Centre (SOC) for security log monitoring and threat hunting
- Ingest timely Cyber Threat Intelligence feeds and reporting for proactive defense against upcoming threats
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.