Any company uses contractors to save resources, time and delegate work. This is convenient, but along with the benefits, it creates information security risks - there is a possibility of attacks through trust relationships.
Attackers first attack one of the company's trusted partners or contractors, and then exploit this vulnerability to penetrate the network. The company's internal infrastructure is usually less secure, which makes it easier to further develop the attack.
Denis Pashchenko.
Deputy Director of the Information Security Department STEP LOGIC.
Attacks through trust relationships are a special case of attacks on the supply chain, when it is initially carried out on a third party (service provider), and then, using its compromised infrastructure and/or data, on the final target - the organization to which the services are provided. The classic scheme of such an attack is hacking contractors using any method: exploitation of software vulnerabilities, social engineering, malware, selection of authorization data, and then - obtaining authorization data used by the contractor for access within the framework of the services provided. This can be done using the same malware, traffic analysis within the contractor's LAN, etc. Then the attacker uses the obtained data to access the target infrastructure.
In this article, we will look at the main characteristics of attacks through trust relationships, their methods and consequences. We will also offer technical solutions and measures that will help companies protect themselves from such attacks and minimize their consequences.
What is a Trust Attack?
A trusted relationship attack is a type of cyberattack where attackers first attack the infrastructure of one company that has legitimate access to the target company's resources and then exploit this vulnerability to penetrate the victim's infrastructure. The first link in this chain may be subsidiaries or contractors.
Kamil Sadykov.
Leading Information Security Analyst Innostage SOC CyberART.
Supply Chain Attacks are primarily developed through trust relationships. We are seeing more and more examples of attackers attacking less secure suppliers or partners with an eye on their more secure customers. The goals of such attackers can be different; recently, we have seen an increase in attacks related to hacktivism.
The second type of attacks, Spear Phishing, or phishing through trusted contacts, uses compromised or fake accounts of employees or partners to send emails with malicious content or links to users of the organization.
Also worth noting are Third-Party Account Compromise - compromise of partner accounts (usually purchased on shadow forums) and API-based Attacks - attacks through APIs and integrations, when hackers exploit vulnerabilities or security flaws in the intermediary system using the organization's API to attack it.
Trust-based attacks are usually carried out by APT groups. Their targets are large commercial companies and government organizations, whose confidential data they are trying to obtain. For example, Positive Technologies reported that the new APT group ChamelGang attacked the fuel and energy complex and aviation industry of the Russian Federation for information.
According to Denis Kuvshinov, Head of the Information Security Threat Research Department at Positive Technologies, industrial enterprises are not always able to detect an APT attack themselves and may consider themselves safe for several years while, in practice, cybercriminals have already penetrated the infrastructure and gained control over it. At the same time, such attacks often develop quite quickly. To gain access to the infrastructure of a target fuel and energy complex enterprise, the group compromised a subsidiary using a vulnerable version of a web application on the open source platform JBoss Application Server. After just two weeks, the cybercriminals penetrated the parent company's network and remained undetected for three months.
Sergey Polunin.
Head of the IT infrastructure solutions protection group at Gazinformservice.
In general, the “Trust attack” class of attacks itself was among the top three most popular in 2023. The fact is that in the modern world, companies rarely do anything on their own from start to finish. Usually, contractors are involved, in the case of IT — all kinds of system integrators. And this is where the problems begin, when no one controls how well the contractor is solving information security issues. If attackers gain access to the contractor, then there is every chance of getting to the end customer. This could be anything from a virus attack to direct access to the infrastructure.
Another example of highly professional cybercriminals who use attacks through trust relationships is the Shedding Zmiy group, which was reported by experts from the Solar 4RAYS cyber threat research center. It turned out that Shedding Zmiy had been spying on Russian organizations since at least 2022. Its victims were the public sector, industry, telecom and other sectors of the Russian economy. Solar Group reported that Shedding Zmiy uses publicly available malware and unique software, and sometimes uses compromised legitimate servers to download viruses.
In addition to the theft of confidential data, a cybercriminal attack can result in irreparable damage to an organization and disruption of its operations. For example, the Danish railway network experienced a major failure in 2022. Trains across the country were stopped due to a hacker attack on the software testing environment of an IT subcontractor of the Danish railway operator DSB.
Types of attacks through trust relationships
In an analytical report on cyber attacks investigated by Kaspersky Lab, attacks through trust relationships are named one of the trends of 2023. The popularity of this vector is explained by the fact that cybercriminals can use it to carry out a large-scale attack, while it requires significantly less effort than attacking each victim individually.
Detecting an attack through trust relationships requires a fairly high level of maturity of companies. Even highly qualified information security employees do not guarantee quick detection of cybercriminals in the infrastructure, since the hacker's actions are disguised as the actions of employees of a contractor or subsidiary organization and look legitimate. According to the Kaspersky Lab report, half of such attacks were detected only after a data leak was discovered, and a quarter of victims contacted Kaspersky only after their data had been encrypted.
Oleg Skulkin.
Head of BI.ZONE Threat Intelligence.
Most often, attackers seek to compromise the IT infrastructure of small contractors in order to gain access to the infrastructure of their customers. Often, as part of the attack life cycle, attackers obtain legitimate authentication material, which allows them, for example, to make VPN connections to external IT infrastructures. At the same time, for the victim, such actions will look completely legitimate, as if they were actually carried out by the contractor.
During a trust attack, cybercriminals use a variety of widely used methods. These include:
- Phishing
- Exploitation of vulnerabilities
- Trusted Domain Attacks and Cache Poisoning
- Brute force attacks
- Chain attacks or Kill Chain
- Quid pro quo (service for a service)
- and others.
Semyon Rogachev.
Head of Incident Response at Bastion.
In our experience, the most common attacks that occur through trust relationships are those involving espionage and ransomware. In some cases, attackers first engage in espionage and then pass the target on to other attackers who launch the ransomware, etc.
Often, contractors or subsidiaries are less secure than a large parent organization and become a “door” into the target infrastructure for cybercriminals.
Methods of protection against attacks through trust relationships
Any connection to an organization’s infrastructure carries potential risks. A company can provide access to its systems in different ways: from issuing logins and passwords to allocating a number of systems for work. Even if the customer organization uses information security tools, they cannot guarantee the security of the contractor. For example, the service provider’s employees may not follow digital hygiene rules and store logins and passwords for accessing the target network in an unsafe place.
Vyacheslav Novoselov.
CEO of SkyDNS.
- DNS protection and filtering of illegal/infected resources as the first level of protection against the human factor.
- Access rights delineation: clear delineation of roles and employee access rights to critical information minimizes the risk of data leaks.
- Implementation of multi-factor authentication (MFA).
- Use of threat detection solutions such as EDR (Endpoint Detection and Response) and SIEM (Security Information and Event Management).
And, of course, it is always important to train employees in digital literacy, promptly update antivirus programs and conduct regular security audits of the corporate network as preventive measures.
One of the important elements of building protection in an organization against attacks through trust relationships is technical solutions.
Here are some of them:
- Multi-factor authentication.
- Intrusion Detection and Prevention Systems (IDS/IPS).
- UBA (User Behavior Analysis) systems.
- VPN with strong authentication.
- Access management systems (Identity and Access Management).
- Threat Detection and Response Systems.
- Regular Penetration Testing.
- Secure Communication Channels.
These technical solutions will help to significantly increase the level of network and data security, protecting against attacks through trust relationships and other cyber threats.
Alexander Gavrilov.
Head of the Department for Implementation of Infrastructure Information Security Tools, Cloud Networks.
When it comes to detecting attacks through trust relationships, the most effective solutions here are PAM, EDR, NTA and SIEM. PAM allows you to organize access to the target resource, take into account and control actions and distribution of working time, while the password for the target resource remains unknown to the service provider (contractor). EDR is needed for proactive protection at the host level through continuous monitoring, detection and prevention of suspicious activity on target resources. NTA is used to detect attacks at the network level, to distinguish legitimate and illegitimate tools, and to investigate incidents. All events received from solutions of this class should be aggregated and analyzed in SIEM systems, and if illegitimate activity is found, an incident should be created and the security officer notified. It is also worth saying that all this is relevant provided that there are no obvious gaps in protection using NGFW and antivirus solutions.
In addition to using technical means, experts give the following recommendations to protect against attacks through trust relationships:
- Segment the network.
- Limit user privileges by issuing new accounts.
- Grant access to contractors for a fixed period of time.
- Deny direct access to infrastructure.
- Provide file exchange within the infrastructure and with contractors through a secure file sharing service.
- Conduct testing using the Assumed Breach method.
- Monitor activity on your infrastructure outside of business hours.
These measures will help companies better prepare for potential attacks through trust relationships and minimize their impact.
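Two of the recommendations above, time-limited contractor access and monitoring activity outside business hours, can be checked automatically against authentication logs. The following script is an added example, not code from the article or from any of the vendors quoted; the policy table, the VPN gateway log format and the log lines themselves are constructed for illustration.

```python
"""Flag contractor logins that fall outside their granted access period
or outside business hours. Added example; policy and log formats are assumptions."""
from datetime import datetime, timedelta
import re

# Assumed policy: each contractor account is granted access for a fixed period
# (inclusive dates) and is expected to work within the customer's business hours.
CONTRACTOR_POLICY = {
    "svc-integrator01": {"granted_from": "2024-03-01", "granted_until": "2024-03-15"},
    "svc-auditor02":    {"granted_from": "2024-03-10", "granted_until": "2024-04-10"},
}
BUSINESS_HOURS = (8, 19)  # 08:00 <= hour < 19:00, customer's local time

# Constructed VPN gateway log lines (the format is an assumption, not a real product's).
SAMPLE_LOG = """\
2024-03-05T10:12:44 vpn-gw user=svc-integrator01 src=198.51.100.7 result=success
2024-03-05T23:41:02 vpn-gw user=svc-integrator01 src=198.51.100.7 result=success
2024-03-20T09:30:15 vpn-gw user=svc-integrator01 src=203.0.113.9 result=success
2024-03-12T14:05:00 vpn-gw user=svc-auditor02 src=198.51.100.22 result=success
2024-03-12T14:06:31 vpn-gw user=alice.internal src=10.0.0.5 result=success
"""
LINE_RE = re.compile(r"^(\S+) \S+ user=(\S+) src=(\S+) result=(\S+)$")

def check_login(ts, user):
    """Return the list of policy findings for one successful login of `user` at `ts`."""
    findings = []
    policy = CONTRACTOR_POLICY.get(user)
    if policy is None:
        return findings  # not a contractor account; out of scope for this check
    start = datetime.fromisoformat(policy["granted_from"])
    end = datetime.fromisoformat(policy["granted_until"]) + timedelta(days=1)
    if not (start <= ts < end):
        findings.append("outside granted access period")
    if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
        findings.append("outside business hours")
    return findings

def scan(log_text):
    """Parse the log and return (timestamp, user, src, findings) for every alert."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "success":
            continue  # malformed line or failed attempt; only successes matter here
        findings = check_login(datetime.fromisoformat(m.group(1)), m.group(2))
        if findings:
            alerts.append((m.group(1), m.group(2), m.group(3), findings))
    return alerts

if __name__ == "__main__":
    for ts, user, src, findings in scan(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {', '.join(findings)}")
```

On the sample data the script flags the 23:41 login (valid period, but out of hours) and the 20 March login (after the granted period expired) for svc-integrator01, while the internal account and the in-policy auditor login produce no alert.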
Alexander Bleznekov.
Head of Information Security Strategy Development at Telecom Birzha.
There is no magic pill or specific means of protection that will protect you. The process is important here. Study what the provider needs to provide the service and build security around this process and introduce the appropriate controls.
It is important to remember that a large percentage of attacks are made possible by the human factor, so it is necessary to conduct regular training for employees. Talk about attack methods, remind about threats, the need to follow digital hygiene rules, and conduct knowledge tests.
Nikita Leokumovich.
Head of Digital Forensics and Cyber Intelligence Department, Angara Security.
The main class of solutions is a person. Competent planning of infrastructure protection, as well as the organization of close monitoring of events, lies primarily with a person.
There is no single technical solution for minimizing this type of attack, and in principle, it cannot exist. It is necessary to combine various solutions, such as NGFW, IAM, CASB, EDR on end hosts, and even DLP will make a great contribution to identifying this type of attack. All these protection tools generate information security events, which for convenience can be accumulated, processed and analyzed in one place using SIEM systems.
Conclusion
Outsourcing interactions are becoming more and more common, and control over contractor security is not regulated by law and is hardly possible in practice. In order to gain access to company data, intruders can attack one of the contractors or partners. In this environment, understanding and preventing attacks through trust relationships is critical to ensuring the security of data and infrastructure in the face of growing cyber threats.