Targeted Attacks Leveraging Domain Credentials

Number: AL14-031
Date: 29 July 2014

Purpose

The purpose of this Alert is to bring attention to targeted attacks using compromised domain credentials.

Assessment

CCIRC has received a report of advanced persistent threat (APT) activity in ongoing targeted attacks using compromised domain credentials.

The apparent objective of this activity is the theft of intellectual property, trade secrets, and other sensitive business information. Although this activity appears to be limited at the time of writing, it is important to note that this type of attack is highly adaptable and can be used to target various critical infrastructure industries.

Suggested action

References:

  1. CCIRC's TR11-001 Malware Infection Recovery Guide
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-eng.aspx

  2. CCIRC's TR11-002 Mitigation Guidelines for Advanced Persistent Threats
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx

  3. Top 4 Strategies to Mitigate Targeted Cyber Intrusions
    http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-strtgs-eng.aspx

  4. CSEC Top 35 Mitigation Measures - Guidance for the Government of Canada
    https://www.cse-cst.gc.ca/en/publication/itsb-89a

  5. FireEye Blog, New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
    http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html

  6. FireEye Blog, Clandestine Fox, Part Deux
    http://www.fireeye.com/blog/technical/targeted-attack/2014/06/clandestine-fox-part-deux.html

  7. CCIRC Advisory AV14-024 - Microsoft Security Bulletin Release (Out of Band) – Security Update for Internet Explorer (2965111)
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/av14-024-eng.aspx

  8. CCIRC Alert AL14-029 - Vulnerability in Internet Explorer Could Allow Remote Code Execution
    http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/al14-029-eng.aspx

  9. Microsoft - Security Advisory 2953095: recommendation to stay protected and for detections
    http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx

  10. Microsoft Security Bulletin MS14-021 - Critical
    https://technet.microsoft.com/library/security/ms14-021

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated:
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
