This is an excerpt from a piece we authored for our membership. CloudHopper, first discussed about a month ago by PwC UK and BAE, is targeting Managed Service Providers for VPN and RDP credentials. Brilliant. When I first read the piece I assumed this to mean Managed Security Service Providers had been targeted, which would be bad, but colocation facilities? Not a new TTP, but still brilliant.
"CloudHopper, a new name for APT 10, has been identified stealing VPN/Remote Desktop credentials from Managed Service Providers in an effort to obtain administrative-level direct access to network infrastructure mechanisms. In our opinion, this is significant. In almost every presentation, at least one financial presenter talks about “systemic threat”. This, we believe, is the epitome of systemic: get the administrative credentials to the network perimeter, change the authentication, and obtain unfettered, unchallenged access to any of the MSP’s customer base. (View the full report: https://community.redskyalliance.org/docs/DOC-5046)"
This actually scares the hell out of me.
Four years ago we rented colo space for a malware analysis sandbox. The colo provider had all of the right words in their list of certifications: ISO 27001, PCI, HIPAA, etc. After a walk-around of the facility, we signed the contract for a two-year stint.
Within a month we started noticing fun things happening on the box. Fortunately for us we hadn't opened it up for our Red Sky membership; we were still very much in our testing phase. It was clear to us, however, that the machine had been compromised, so we drove to Boston, removed the server from the rack and brought it back to Manchester, where we mounted it locally. We found that the colo had the necessary tools to monitor the systems, but not to monitor the security. In fact, they had all of the right tools and skills, but never monitored for the things that would have allowed them to see unauthorized access, something we'd paid for.
The idea that VPN/RDP credentials are stolen and the resulting pathways used is not at all new. In fact, these were the first cases that I can remember after building my APT team when I worked at 'that really big defense contractor', over ten years ago. These accounts are the most prized. In many large companies, administrative credentials (domain credentials, the ones that most often have VPN and RDP access to many, many servers across the horizontal) become one of the single most effective vectors for systemic breach. And when it's done in a colocation facility, where small and medium sized companies are most likely to host? Not new, but still brilliant.
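The monitoring gap described above (the tools were there, nobody watched for the thing that mattered) and the pattern just described (one administrative account reaching many servers over RDP in a short period) can both be served by a single, simple detection. The following is an added example written for this post, not code from the original piece or from Red Sky/Wapack Labs. The pipe-delimited log format, the `adm-` naming convention for privileged accounts, the one-hour window and the four-host threshold are all assumptions, and the logon events are constructed for illustration.

```python
"""Flag administrative accounts fanning out over RDP to many hosts.

Added example, not from the original post. The log format, the account
naming convention and the thresholds are assumptions; the events below
are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: successful logons (Windows event 4624 style) flattened
# to one line each as "timestamp|user|logon_type|source_ip|target_host".
# Logon type 10 = RemoteInteractive (RDP); type 3 = network logon.
SAMPLE_LOG = """\
2016-12-05T01:02:11|CORP\\svc-backup|3|10.0.5.20|FS01
2016-12-05T02:14:03|CORP\\adm-jsmith|10|203.0.113.9|DC01
2016-12-05T02:16:40|CORP\\adm-jsmith|10|203.0.113.9|FS01
2016-12-05T02:19:55|CORP\\adm-jsmith|10|203.0.113.9|SQL02
2016-12-05T02:23:12|CORP\\adm-jsmith|10|203.0.113.9|WEB03
2016-12-05T02:27:48|CORP\\adm-jsmith|10|203.0.113.9|APP07
2016-12-05T09:05:01|CORP\\adm-kwong|10|10.0.1.15|DC01
2016-12-05T15:30:22|CORP\\adm-kwong|10|10.0.1.15|FS01
2016-12-05T11:45:00|CORP\\jdoe|10|10.0.2.44|WKS-0412
"""

RDP_LOGON_TYPE = "10"
WINDOW = timedelta(hours=1)   # assumption: sliding window size
HOST_THRESHOLD = 4            # assumption: distinct hosts per window before alerting
ADMIN_PREFIX = "adm-"         # assumption: naming convention for privileged accounts


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, logon_type, src, target = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "logon_type": logon_type,
            "src": src,
            "target": target,
        })
    return events


def is_admin(user):
    """Treat DOMAIN\\adm-* accounts as administrative (assumed convention)."""
    return user.split("\\")[-1].startswith(ADMIN_PREFIX)


def rdp_fanout(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {user: details} for admin accounts whose RDP logons reach at
    least `threshold` distinct hosts inside any sliding window of `window`.

    Normal admins touch a handful of boxes over a day; an account walking
    the horizontal from one source address in minutes is what we want to see.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE and is_admin(ev["user"]):
            per_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts, sources = set(), set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                hosts.add(ev["target"])
                sources.add(ev["src"])
            if len(hosts) >= threshold:
                alerts[user] = {
                    "hosts": sorted(hosts),
                    "sources": sorted(sources),
                    "window_start": start["ts"].isoformat(),
                }
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for user, info in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {len(info['hosts'])} hosts via RDP from "
              f"{', '.join(info['sources'])} starting {info['window_start']}")
```

In the constructed data only `adm-jsmith` trips the rule: five servers over RDP from one external address in under fifteen minutes. `adm-kwong` touches two hosts six hours apart and `jdoe` is not a privileged account, so neither is reported. The source address is carried into the alert on purpose, since an administrative account arriving over the VPN or from an address the MSP's staff never use is exactly the signal a colo provider with "all the right tools" should have been watching for.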
When asked why he robbed banks, Willie Sutton replied, “I rob banks because that’s where the money is.” Why target colo facilities? Because that's the pathway to small-company innovation and, potentially, larger accesses.
BT
This may or may not be a surprise to many of you, but I've been running Red Sky and Wapack Labs since February 2012 when I joined my old friend Jim McKee in building Red Sky.
This week I told him that I felt like I was getting dumber with every day that passed, and that every minute that I dealt with prospecting, taxes, managing the team, and all of the other things that go along with being CEO, I miss out on time spent staying sharp on the things that I really love doing.
So on Monday I anointed him President, and started doing analysis again. I'd forgotten how much fun it is, but it's also like going back to working out after being off for a while: your muscles hurt afterward! Yes, my brain hurts tonight, but it's a good hurt.
My first task? We write tailored weekly products as an intelligence provider to some big companies. Yesterday I wrote my first one in nearly six months. There are several more to come.
So, CEO? Not me. Chief, Intelligence Operations? Oh yeah…
Tanqueray Martini. Shaken, not stirred.