The SafeBreach Hacker's Playbook™ includes simulations for attacks described in US-CERT Alert (TA18-106A), attributed to Russian actors.
This alert covers tactics used by cyber actors which leverage a number of legacy or weak protocols and service ports associated with network administration activities. According to the research, the attackers use these techniques to identify vulnerable devices, map internal network architectures, harvest login credentials, masquerade as privileged users, and modify firmware and OS configuration to hijack, modify, or block traffic traversing routing infrastructure.
Thanks to the depth of the Hacker's Playbook™, many of the attacks -- spanning each phase of this campaign -- are already available, so customers are immediately able to validate security against the techniques indicated by the US-CERT.
SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they are protecting against this campaign. To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform contains many simulations, as highlighted below, to test endpoint and network security controls:
Existing playbook methods already validating security related to TA18-106A
Note: Many methods below are re-used across various phases of this campaign, but only listed once here for clarity.
Stage 1: Reconnaissance
Playbook #174, and 1308 - Telnet Bruteforce
Playbook #1324 and #1325 - SNMP community brute force
Stage 2: Weaponization and Stage 3: Delivery
Playbook #130 Exfiltration via TFTP
Stage 4: Exploitation
Playbook #174 and #1308 - Telnet Bruteforce
Playbook #173 SSH and #1307 - SSH Bruteforce
Stage 6: Command and Control
Playbook #103 and #104 - Exfiltration via FTP STOR
As always, SafeBreach Labs will continue to monitor this alert, and develop new simulations as necessary.
Additional breach methods added recently include:
The Safebreach Hacker's Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.
March 22, 2019
March 18, 2019