
Advanced hackers are infecting IT providers in hopes of hitting their customers - close04
https://arstechnica.com/information-technology/2019/09/advanced-hackers-are-infecting-it-providers-in-hopes-of-hitting-their-customers/
======
dragonsh
In current times, given the proliferation of technology in every business and
our daily life, it will be hard for any company to say they are not an IT
company. But it will require a fundamental change in thinking for many
companies to move the mindset from IT being a support function to one of the core
competencies in the company.

Indeed they need to treat it like their core business and, if necessary, hire
the services of an ethical hacker to make sure they are prepared for the disaster
and can survive.

But it's easier said than done; most Fortune 500 companies will still prefer to pay 5 or
6 digit sums to consultants to design security instead of hiring ethical
hacking services to make sure that, in case of attack, their processes and systems
work.

Indeed they hire the services of the same IT outsourcing service providers to
design the security, who themselves are a target. Most of these IT outsourcing
companies, including IBM and Accenture, are cost arbitrage firms providing
manpower at a cost which is higher than the cost of that consultant. So except
for security by obscurity, I doubt they will be able to build a robust system or
process to survive an attack.

Except for big tech companies like Google, Apple, Microsoft or Facebook, most do
not have programs for bounty hunting or security audits. Hopefully other
companies will also have such programs in place with openness and transparency.

~~~
close04
> consultant to design a security instead of hiring ethical hacking services

One does not exclude the other. And also consider that even the best security
practices do not guarantee anything. Hackers can afford to fail 1000
times. The company only has to fail once.

~~~
dragonsh
An ethical hacker will bring down the systems. Indeed I believe that whatever
security is in place there is a possibility of a hack. So by using an ethical
hacker you let the whole system die and see if the company can recover or continue
either with disaster recovery or a paper-based process or a combination of
multiple strategies. This is what I meant by ethical hacking service. Based on
practical experience with the top consulting firms, I can say confidently that besides
security by obscurity and security practice which is a copy-paste of some
predefined strategy by their so-called experts, almost none employ or pay ethical
hackers to bring down their own security or process to show that their
strategy works.

~~~
close04
> you let the whole system die and see if company can recover or continue
> either with disaster recovery or paper based process or combination of
> multiple strategy.

You're not describing a security breach scenario here but basically a disaster
scenario. It's security vs. resiliency. I mean there are plenty of threat
models to protect from, hackers trying to steal secrets, hackers trying to
take down your systems, etc. But in the end security is about making sure you
detect and/or stop the attacker, other processes take care of rebuilding after
they took you down.

So you wouldn't hire an ethical hacker to take down your systems but rather to
identify weak points, exploit them, infiltrate the system and then possibly
exfiltrate data. The aftermath of what the hacker did is something else
entirely and will be dealt with by your disaster recovery, business continuity
processes, PR, etc.

------
ga-vu
Source: [https://www.symantec.com/blogs/threat-intelligence/tortoises...](https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain)

The Symantec blog is actually more on point, while the Ars piece just picks
and chooses what to cite.

I also don't see why Ars calls these hackers "advanced." They use mundane
Windows backdoors, like most hacker groups. Probably a FUD title on Ars' part.

~~~
phaus
Historically the term Advanced Persistent Threat has been used to refer to
groups that appear to be a part of some kind of well funded/organized entity.
It doesn't have much to do with the actual sophistication of the attack.
However, an unusual level of sophistication could potentially be a piece of
evidence that indicates a significant amount of resources one would only
expect to see in a large company or government operation.

Also, in this particular claim Symantec said the attacker used proprietary
malware. Doesn't guarantee that it's advanced, but that is something most small
groups or individuals don't bother with.

There are, of course, exceptions to everything. That's why it should ideally
take a good amount of evidence gathered over a significant period of time to
determine whether any given group is likely to be an APT.

Another thing to consider is that even an advanced attacker gains nothing by
using their most sophisticated techniques when drive-by downloads and
malicious email links/attachments still work so well in 2019 that they account
for the overwhelming majority of major data breaches.

------
ciucanu
That's another reason for putting another router after your ISP's box. As long
as I'm not an admin on that one, they can do a lot of shady things. Also using
a DNS server with external forwarders (PiHole is great for that).

~~~
programd
Not only that, but the quality of commercial router security is appalling. See
for example

[https://www.securityevaluators.com/whitepaper/sohopelessly-b...](https://www.securityevaluators.com/whitepaper/sohopelessly-broken-2/)

That paper needs wider exposure, though sadly it didn’t get much traction here
when I submitted it.

------
Neil44
Ransoming of IT MSPs is 100% a thing now. They know that if they can
compromise an account that has access to the company's RMM then they can hit
hundreds of businesses with a few clicks. As an IT provider who uses these
tools, it certainly keeps me awake at night.

~~~
close04
Many MSPs have far laxer policies than the customers they are servicing.
Sometimes they will even go out of their way to undermine the customer's
policies in order to cut costs or make the work easier. It makes them a far
softer target while almost guaranteeing the same payoff - if you breached the
MSP, getting to the customer becomes a much more trivial affair.

------
thrower123
This is probably a great strategy. There are a lot of IT providers out there
that are... less than totally competent. From the little places that handle
the "my Outlook isn't working" questions for local small businesses, to the
global services divisions of Fortune 100 tech companies, these places have
enormous access. They also tend to not treat their people particularly well...

------
dvfjsdhgfv
Something smells fishy here. On the one hand they seem to be very advanced, on
the other they do a very bad job covering their tracks and everything points
to Iran, with the discovery just a few days after the drone attack. Call me
paranoid but this just doesn't add up.

~~~
dboreham
False flag ops are not unknown in history.

