Our last release looked at APT40's targeting of the maritime industry and the persistence techniques associated with it.
For this week’s TTP Tuesday we are releasing a new APT40-themed chain based on how APT40 gains a foothold into organizations. This chain utilizes techniques found in watering-hole and password reuse attacks. The chain contains 5 TTPs with the end goal of identifying valid credentials for SMB or RDP connections.
A watering hole attack has quite a few definitions, but in essence you set up a resource that the target you are interested in will eventually visit. Typically, you inject your code into a website that many parties access, with the goal of compromising the specific target you have your sights on.
In the chain, we set up a single-page website that prompts the user to log in. When the user submits the form, the website sends the entered credentials, along with the operating system reported in the User-Agent header, back to Operator.
Using credentials captured from a visitor whose User-Agent reports a Windows OS, the next TTPs check those credentials against SMB and RDP on the remote host. The initial agent running these TTPs is notified if the credentials were valid.
Watch a demonstration: APT40 Government Organizations
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg