APT The Mask (aka Careto) Targets Secure Shell Keys
Kaspersky Lab recently published the details of a sophisticated APT named “The Mask”, or by its Spanish name “Careto”. The Mask is known to have infected at least 380 unique victims in more than 31 countries. In operation since 2007, its primary targets are government institutions, diplomatic offices, energy companies, research institutions, private equity firms and political activist organizations. The sophistication of the toolset and the choice of targets suggest the work of a nation-state actor rather than a criminal organization.
The Mask focuses on stealing two types of information. First, all forms of documents and end user communications. Second, credentials and encryption keys, and notably Secure Shell (SSH) private keys, which let the operators hop from one system to another inside the victim network without tripping password-based controls. It exfiltrates stolen data over encrypted connections.
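Stolen SSH private keys leave a trace that defenders can use: a key fingerprint that suddenly authenticates from a machine it has never been seen on before, or that starts landing on hosts it never used to reach. The following script is an added example, not code from the original post or from Kaspersky's report. It assumes OpenSSH's syslog line format (OpenSSH 6.8 and later record the key fingerprint on public-key logins) and uses constructed log lines, not data from any real incident.

```python
"""Detect SSH key reuse from unexpected hosts in sshd auth logs.

Builds a baseline of which key fingerprint logs in where, from where, and
as whom, then flags logins in a later window that break that pattern.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Assumed syslog layout: "<Mon> <day> <time> <host> sshd[<pid>]: <message>".
# OpenSSH >= 6.8 message format for key logins:
#   "Accepted publickey for <user> from <ip> port <n> ssh2: <keytype> SHA256:<fp>"
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_accepts(lines):
    """Yield (dest_host, user, source_ip, fingerprint) for each key login."""
    events = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue  # password logins, failures, other daemons: ignored here
        fields = line.split()
        dest_host = fields[3] if len(fields) > 3 else "?"
        events.append((dest_host, m["user"], m["src"], m["fp"]))
    return events


def build_baseline(lines):
    """Map each fingerprint to the (dest_host, user, source_ip) tuples it was seen with."""
    baseline = defaultdict(set)
    for dest_host, user, src, fp in parse_accepts(lines):
        baseline[fp].add((dest_host, user, src))
    return baseline


def find_anomalies(baseline, lines):
    """Return logins whose key is unknown, used from a new source, or used on a new target."""
    alerts = []
    for dest_host, user, src, fp in parse_accepts(lines):
        seen = baseline.get(fp, set())
        if (dest_host, user, src) in seen:
            continue  # exactly matches an established pattern
        if not seen:
            reason = "unknown key"
        elif src not in {s for _, _, s in seen}:
            # The classic stolen-key signature: the key is valid, but the
            # machine presenting it is not one it has ever been used from.
            reason = "new source host"
        else:
            reason = "new destination/user"
        alerts.append({"host": dest_host, "user": user, "src": src, "fp": fp, "reason": reason})
    return alerts


# Constructed sample data. Fingerprints are placeholders, not real key hashes.
BASELINE_LOG = [
    "Feb 10 09:12:01 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:AAAA1",
    "Feb 10 09:15:44 web02 sshd[1240]: Accepted publickey for deploy from 10.0.0.5 port 51240 ssh2: RSA SHA256:AAAA1",
    "Feb 10 10:02:10 web01 sshd[1301]: Accepted password for alice from 10.0.0.9 port 40000 ssh2",
]
NEW_LOG = [
    "Feb 11 02:41:07 web02 sshd[2001]: Accepted publickey for deploy from 10.0.0.5 port 51300 ssh2: RSA SHA256:AAAA1",
    "Feb 11 02:43:19 db01 sshd[777]: Accepted publickey for deploy from 10.0.0.77 port 33000 ssh2: RSA SHA256:AAAA1",
    "Feb 11 02:44:00 web03 sshd[800]: Accepted publickey for root from 10.0.0.5 port 51400 ssh2: ED25519 SHA256:ZZZZ9",
    "Feb 11 02:45:00 db02 sshd[801]: Accepted publickey for deploy from 10.0.0.5 port 51401 ssh2: RSA SHA256:AAAA1",
]


def run_example():
    """Apply the baseline from BASELINE_LOG to NEW_LOG and return the alerts."""
    return find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG)


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['reason']:>20}: {alert['user']}@{alert['host']} "
              f"from {alert['src']} using {alert['fp']}")
```

On the sample data the first login is normal, the second is the deploy key presented from 10.0.0.77 (a host it has never been used from, the pattern a copied private key produces), the third is a never-seen key logging in as root, and the fourth is the known key reaching a host outside its baseline. In practice the baseline window needs to be long enough to cover legitimate automation, and a central log collector is required, since a stolen key is used against hosts other than the one it was taken from.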
What are some lessons the Mask teaches us about APTs in general?
- No amount of end user training and education will fully safeguard an institution from APTs. A good training program can significantly reduce the success rate of a phishing campaign, but in a large enough organization someone always clicks.
- Once inside the network, an APT can remain virtually undetected for years. The Mask operated for about seven years before it was unveiled.
- Perimeter defenses alone are largely incapable of preventing an APT from entering the network or from communicating with its command-and-control infrastructure.
You cannot fully trust the integrity of your endpoints or of the communications in and out of your network, but you should at least have visibility into those communications. Most current defenses, including next generation firewalls and data loss prevention systems, either cannot look inside encrypted channels or have the capability but are not deployed with it enabled. APTs like The Mask rely on encryption both for removing data and for hopping across the network, and this is one reason they have been so successful in avoiding detection.

Note that SSH deserves particular attention here: a passive sensor cannot decrypt SSH sessions, so visibility into them requires either terminating sessions at a monitored gateway or controlling the keys themselves, knowing which keys exist and where each one is authorized to log in.

Full traffic visibility, combined with intelligence applied to that visibility, can enable the activities of an APT to be detected and stopped before too much damage is done. A layered defense strategy must include network level visibility that is capable of monitoring encrypted channels. The era of blind trust is ending.