Targeted Attacks Leveraging Domain Credentials
Number: AL14-031
Date: 29 July 2014
Purpose
The purpose of this Alert is to bring attention to targeted attacks using compromised domain credentials.
Assessment
CCIRC has received a report of advanced persistent threat (APT) activity in ongoing targeted attacks using compromised domain credentials.
The apparent objective of this activity is the theft of intellectual property, trade secrets, and other sensitive business information. Although this activity appears to be limited at the time of writing, it is important to note that this type of attack is highly adaptable and can be used to target various critical infrastructure industries.Suggested action
- CCIRC recommends that organizations review Microsoft Security Advisory 2963983 and consider implementing the suggested workarounds to help mitigate the risks.
- Consider installing Microsoft's Experience Mitigation Toolkit 4.1 (EMET). The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of vulnerabilities by adding additional protection layers that make them harder to exploit. NOTE: EMET 3.0 does not mitigate this issue.
- Review CCIRCs Mitigation Guidelines for Advanced Persistent Threats (TR11-002) that helps define APT, describes typical APT attack methodologies and to introduces mitigation and monitoring techniques that may reduce the risk to organizations.
- Implement the first 4 of the Top 35 mitigations, as noted in CCIRC's TR11-002 Mitigation Guidelines for Advanced Persistent Threats.
References:
- CCIRC's TR11-001 Malware Infection Recovery Guide
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-001-eng.aspx
- CCIRC's TR11-002 Mitigation Guidelines for Advanced Persistent Threats
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx
- Top 4 Strategies to Mitigate Targeted Cyber Intrusions
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/tp-strtgs-eng.aspx
- CSEC Top 35 Mitigation Measures - Guidance for the Government of Canada
https://www.cse-cst.gc.ca/en/publication/itsb-89a
- FireEye Blog, New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
- FireEye Blog, Clandestine Fox, Part Deux
http://www.fireeye.com/blog/technical/targeted-attack/2014/06/clandestine-fox-part-deux.html
- CCIRC Advisory AV14-024 - Microsoft Security Bulletin Release (Out of Band) – Security Update for Internet Explorer (2965111)
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/av14-024-eng.aspx
- CCIRC Alert AL14-029 - Vulnerability in Internet Explorer Could Allow Remote Code Execution
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/al14-029-eng.aspx
- Microsoft - Security Advisory 2953095: recommendation to stay protected and for detections
http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx
- Microsoft Security Bulletin MS14-021 - Critical
https://technet.microsoft.com/library/security/ms14-021
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
- Date modified: