By Barry “Baz” Shaw, Senior Engineering Manager, Technology Partner Programs, Endace
On Aug 29th, government cybersecurity agencies from around the world released a joint advisory detailing how nation-state threat actors are compromising networks across the world, particularly in the US, Australia, Canada, New Zealand and the UK:
www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
www.darkreading.com/cybersecurity-operations/cisa-fbi-nsa-warn-chinese-global-espionage-system
These attacks are primarily focussed on telecommunications, government, lodging and military networks, and the tactics, techniques, and procedures (TTPs) overlap with those of APT (Advanced Persistent Threat) actors linked to multiple China-based entities. These threat actors are exploiting well-known vulnerabilities in VPN servers and web user interfaces on switches and routers. Even devices not owned by targets of interest are being compromised in order to provide additional attack pathways to the intended targets. Upon gaining a foothold in a network, persistence is achieved by modifying ACLs, opening services on non-standard ports to avoid detection, and tunnelling C2 and exfiltrated data to obfuscate malicious activity.
Of note in this particular instance is the threat actors' use of PCAP collection on the target network. Once they have gained a foothold on the network infrastructure, the native capability of some routers to record PCAPs is used to capture TACACS+ (authentication) traffic. When transmitted in clear text (or weakly encrypted), this authentication traffic exposes users' credentials, which can then be used to elevate the attacker's access and enable them to move laterally across the network.
The use of network sniffing to extract credentials from authentication traffic is a common technique of threat actors (attack.mitre.org/versions/v17/techniques/T1040/). As we continue to see the stubborn use of unencrypted and weakly-encrypted protocols on networks, these insecure communications remain prime targets for credential gathering. Additionally, the use of maliciously collected PCAP is evolving, with the ArcaneDoor campaign taking this a step further and exfiltrating captured PCAPs for remote analysis (attack.mitre.org/campaigns/C0046/). Exfiltrated PCAPs may contain anything from authentication data to file objects.
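As an added example (not from the original post or from Endace), the following Python audit shows how a defender can check their own captures for the weakness described above: it parses TACACS+ headers from TCP/49 payloads and reports every session whose TAC_PLUS_UNENCRYPTED_FLAG bit is set, meaning the authentication body travels in cleartext. The header layout follows RFC 8907; the sample flows are constructed for the example.

```python
"""Audit TACACS+ (TCP/49) payloads from a capture for TAC_PLUS_UNENCRYPTED_FLAG.
Header layout per RFC 8907: version, type, seq_no, flags, session_id, length.
The sample packets at the bottom are constructed for this example, not real captures."""
import struct

TACACS_HEADER = struct.Struct("!BBBBII")   # 12-byte fixed header, network byte order
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # body is cleartext when this bit is set
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

def parse_tacacs_header(payload: bytes) -> dict:
    """Return the parsed header fields, or raise ValueError if this is not TACACS+."""
    if len(payload) < TACACS_HEADER.size:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = TACACS_HEADER.unpack_from(payload)
    if version >> 4 != 0xC or ptype not in PACKET_TYPES:   # major version must be 0xC
        raise ValueError("not a TACACS+ header")
    return {"type": PACKET_TYPES[ptype], "seq_no": seq_no, "session_id": session_id,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG), "body_len": length}

def audit_capture(tcp_payloads) -> list:
    """Return one finding per TACACS+ session whose body is sent in cleartext.
    tcp_payloads is an iterable of (src, dst, payload_bytes) tuples."""
    findings, seen = [], set()
    for src, dst, payload in tcp_payloads:
        try:
            hdr = parse_tacacs_header(payload)
        except ValueError:
            continue                       # not TACACS+ (or truncated): skip it
        if hdr["unencrypted"] and hdr["session_id"] not in seen:
            seen.add(hdr["session_id"])    # report each cleartext session once
            findings.append(f"{src} -> {dst}: TACACS+ {hdr['type']} session "
                            f"0x{hdr['session_id']:08x} has TAC_PLUS_UNENCRYPTED_FLAG set")
    return findings

def make_packet(ptype: int, seq_no: int, flags: int, session_id: int, body: bytes) -> bytes:
    """Build a TACACS+ packet (header + body) for the constructed samples below."""
    return TACACS_HEADER.pack(0xC0, ptype, seq_no, flags, session_id, len(body)) + body

# Constructed flows: session 0x11111111 is obfuscated (flags=0), 0x22222222 is cleartext.
SAMPLE_FLOWS = [
    ("10.0.0.1", "10.0.0.49", make_packet(1, 1, 0x00, 0x11111111, b"\x8a\x3f\x02")),
    ("10.0.0.1", "10.0.0.49", make_packet(1, 1, 0x01, 0x22222222, b"\x01\x01\x01\x01")),
    ("10.0.0.49", "10.0.0.1", make_packet(1, 2, 0x01, 0x22222222, b"\x01\x00")),
    ("10.0.0.1", "10.0.0.49", b"GET / HTTP/1.1\r\n"),   # non-TACACS+ traffic is skipped
]

if __name__ == "__main__":
    for line in audit_capture(SAMPLE_FLOWS):
        print(line)
```

In practice the payloads would come from a capture parsed with a pcap library or exported from Wireshark with a `tcp.port == 49` filter; any finding means device logins are readable to anyone who can capture that segment.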
PCAP data is the ground-truth for what is happening on the network, and it is the source that all other network and security telemetry is derived from. Threat actors know this and value the raw unfiltered and unsampled intel that it provides about the target. This begs the question: if your adversaries see value in collecting PCAPs off your network, shouldn’t you be capturing full PCAP too!?
If you are not recording your network traffic, your security team has less visibility into network activity than your attackers – which makes the job of protecting your network impossibly difficult. With PCAP at their fingertips, SOC analysts can see exactly what’s happening on the network, making for faster, more accurate investigation and resolution of security incidents – as this excellent blog post from Cisco’s Steve Nowell describes.
That full PCAP data is so valuable to attackers also highlights a stark warning that wise defenders should heed. PCAP data must be protected and secured to the highest standards. Can you trust packet capture solutions that aren’t FIPS and Common Criteria certified? Or packet capture sources that can’t be properly locked down and protected from access by attackers?
For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/