Sekuro Critical Security Advisory


    Introduction

    As the threat of European conflict grows along the Ukrainian-Russian border, Sekuro is tracking an escalating cybersecurity threat originating from a combination of state-sponsored adversaries and opportunistic cybercrime gangs.

    We noted a similar rise in cybercrime as the COVID-19 pandemic [1] took hold in early 2020, when ransomware distribution and business email compromise soared.

    Our Threat Response and Intelligence Operations (TRIO) Centre team [2] has processed and distilled data from hundreds of threat intelligence sources and notes a significant uptick in incident reports related to Advanced Persistent Threats (APTs) [3].

    As widely reported in the news over the past week, Ukrainian critical infrastructure has come under direct cyberattack, causing outages across government and financial services websites, while communication services have been put under pressure by Distributed Denial of Service (DDoS) [4] attacks.

    This fast-evolving situation means unpredictable outcomes for Australian organisations. As Australia moves alongside its NATO allies to enforce sanctions on Russia [5], we may come under heightened pressure from our adversaries.

    By correlating the attacker’s intent and capability against target organisations and sectors, it is possible to predict the sorts of tactics, techniques and procedures (TTPs) attackers may use against our clients. Our TRIO Centre Threat Intelligence team has cross-referenced likely APT group TTPs against previously attacked Australian organisations, which we use to determine the attack signatures we expect to see should our clients come under direct or indirect attack.

    By determining the commonality of tactics, techniques, and procedures, Sekuro has mapped APT behavioural patterns to security control objectives and suggests several hardening practices to protect ICT infrastructure and environments, no matter the target organisations’ size, scale, and sector.

    While some of these recommendations are simply good security hygiene, and Australian organisations should already be doing them, it is worth highlighting their importance under the increasing pressure and breadth of attacks.

    Mitigation Strategies

    Sekuro partners with various threat intelligence companies and is working with their global teams of analysts to ensure we have the most up to date and actionable advice for our clients. If you want more information on any of our sources, contact the TRIO Centre team.

    Sekuro’s investigation into APT groups reveals a long list of TTPs that we monitor from the TRIO Centre and that map to security controls already in use within our clients’ infrastructure. From that perspective, readiness is mostly a matter of checking that those controls are functioning as expected and reminding people about the threat posed by phishing, spear-phishing and general online fraud. What follows is a collection of recommendations that every organisation should treat as a checklist.

    Prioritising patch management

    An APT’s initial foothold into the victim’s environment is the product of the information it gathers during the reconnaissance phase. Throughout this period, APTs actively scan target networks to identify which systems are live and, more importantly, which services are running on them.

    Using the tooling bundled with offensive-security Linux distributions, an APT can easily correlate its findings with free, publicly accessible exploit databases that index exploits by the version of a particular service, software package or system. This lets the APT map out its attack plan and carry out a precise, and often catastrophic, exploitation.

    Because APTs identify target systems and map their services in this way, organisations must know which of their own systems are vulnerable and how to patch them. Against fully patched software, APTs struggle to run widely used exploits and are forced to pivot to another attack vector or point of entry.

    Patching of public-facing infrastructure, systems and services deserves particular emphasis: critical patches and updates for security vulnerabilities should be applied immediately. A notable example is the recent Log4j vulnerability (Log4Shell) [6], which caused massive operational disruption to organisations worldwide.

    For some of our clients, the Sekuro SOC keeps technical teams aware and prepared to address gaps through continual vulnerability scanning and context-based risk assessments to aid operational decision-making.

    Recommendations

    • Run a complete vulnerability assessment of externally facing infrastructure if tools and time permit.
    • Check and update operating systems and applications if possible.
    • Check critical application vendor websites for the latest patches and vulnerability announcements.
    • Mask running services from scans where applicable and disable unused ports and protocols.
    • If you don’t already do this, consider implementing a centralised patch management system.
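    The following is an added example (not Sekuro’s tooling or part of the original advisory) of the second and third recommendations on a Windows host: it asks the Windows Update Agent which software updates it considers missing and ranks them by Microsoft’s MSRC severity, so Critical and Important security updates surface first. It assumes an elevated session and that the host can reach its update source (Microsoft Update or WSUS); the severity ranking order is an illustrative choice.

```powershell
# Added example (not Sekuro's tooling): list updates the Windows Update Agent
# considers missing on this host, ranked by MSRC severity.
# Assumptions: run elevated; the host can reach Microsoft Update or its WSUS server.

function Get-MissingUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Criteria string uses the Windows Update Agent's own search syntax:
    # not yet installed, not hidden by an admin, software (not driver) updates.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        # MsrcSeverity is empty for updates without a security rating (feature packs etc.)
        $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'Unrated' }
        $kbs      = @($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        [pscustomobject]@{
            Severity  = $severity
            KB        = $kbs
            CveCount  = @($update.CveIDs).Count
            Published = $update.LastDeploymentChangeTime
            Title     = $update.Title
        }
    }
}

# Illustrative ranking: security-rated updates first, in MSRC order, unrated last.
$rank = @{ Critical = 0; Important = 1; Moderate = 2; Low = 3; Unrated = 4 }

Get-MissingUpdate |
    Sort-Object { $rank[$_.Severity] }, Published |
    Format-Table -AutoSize
```

    Run this across a sample of externally facing hosts after Patch Tuesday; any host that still reports Critical entries is the one to chase before a scan from the outside finds it first.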

    Dealing with legacy and end-of-life software

    Suppose an APT gains a foothold in your environment and discovers a legacy system or application. That discovery may be the beachhead the attacker needs to escalate privileges and take over your network. Not only can the APT exploit the unpatched legacy system itself, but without segregation and/or hardening it can leverage that system’s weaknesses against other, more robust systems in your environment.

    The best solution is to eliminate the threat by removing the software, service or system. In practice, however, most organisations rely on these legacy systems for crucial operational activities, so removal is not usually a short-term option.

    In these cases, security practitioners talk about defence-in-depth: a layered approach in which security controls fortify and segregate systems or services, with stricter measures enforced the closer you get to your critical assets.

    Defence-in-depth assists in cyber risk mitigation, slowing attackers down and giving defensive teams the time to detect and respond to the attack. In a breach situation, defence-in-depth can reduce the overall impact of a compromise and potentially save reputations and associated critical assets, even if a subset of assets were compromised.

    Recommendations

    • Where possible, move sensitive data and credentials off legacy systems onto a secure, up-to-date system.
    • Ensure that a known-good image of the base legacy system is stored in a secure location, allowing quick restoration in the event of a breach.
    • Implement elevated monitoring of legacy systems to identify indicators of attack. Sekuro can assist your organisation through our Security Operations Centre (SOC).

    Promoting employee IT hygiene and awareness

    As we operate in an age of increasing ease and volume of mass disinformation [7], which we have observed being leveraged by state-sponsored APTs, employee awareness of the current threat landscape is paramount to your organisation’s security.

    The pandemic has also distributed workforces [8] worldwide, and a distributed workforce that is improperly managed drastically increases your organisation’s attack surface.

    Security awareness programs and keeping employees informed of new attack patterns are critical, as people are often your organisation’s first line of defence. Advisories from Sekuro can be used to produce internal awareness material for all staff.

    Recommendations

    • Train employees to identify social engineering techniques and phishing emails.
    • Determine whether websites or attachment types commonly used to distribute malware via phishing (e.g. .scr, .exe, .pif, .cpl) are actually necessary for business operations, and block those that are not.

    Applying the Principle of Least Privilege

    Following initial access, APTs are known to move laterally to maintain persistence in your network and, more importantly, to compromise other privileged accounts [9]. Although security professionals regard it as common knowledge, the Principle of Least Privilege is fundamental.

    Giving end-users, and internal IT teams alike, only the access they need to perform their role is crucial in slowing, and in most cases stopping, an APT from pivoting throughout an organisation’s infrastructure or environment.

    Recommendations

    • All internal privileged accounts should be monitored and audited, and those no longer in use disabled.
    • Turn off or restrict unnecessary tooling (e.g. PowerShell for users who do not administer systems) and administrative functionality within devices.
    • Configure scheduled tasks to run under the context of the authenticated, least-privileged account instead of allowing them to run as SYSTEM.
    • Responsibly manage accounts and permissions used by parties in trusted relationships within your business supply chain.
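    The following is an added example (not Sekuro’s tooling or part of the original advisory) covering the first and third recommendations above on a domain-joined Windows host: it lists members of privileged groups that are enabled but have not logged on within a threshold, and enabled scheduled tasks that run as the local system account from a binary outside the Windows directory, which are the candidates to re-home onto a dedicated low-privilege account. It assumes an elevated session with the RSAT ActiveDirectory module installed; the group list and the 90-day threshold are illustrative choices, not Sekuro’s.

```powershell
# Added example (not Sekuro's tooling): audit stale privileged accounts and
# scheduled tasks running as SYSTEM from outside the Windows directory.
# Assumptions: elevated session, RSAT ActiveDirectory module present, and the
# group list / 90-day threshold below are illustrative settings.

Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$StaleAfterDays   = 90

function Get-StalePrivilegedAccount {
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups so indirectly privileged users are not missed
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet |
            ForEach-Object {
                # LastLogonDate derives from lastLogonTimestamp, which replicates with up
                # to ~14 days of lag: good enough for "stale", not for "logged on today".
                $stale = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
                if ($_.Enabled -and $stale) {
                    [pscustomobject]@{
                        Group           = $group
                        SamAccountName  = $_.SamAccountName
                        LastLogonDate   = $_.LastLogonDate
                        PasswordLastSet = $_.PasswordLastSet
                    }
                }
            }
    }
}

function Get-SystemScheduledTask {
    # Identities under which Task Scheduler reports the local system account
    $systemIds = 'SYSTEM', 'S-1-5-18', 'LocalSystem', 'NT AUTHORITY\SYSTEM'
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -in $systemIds } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }   # COM-handler actions have no Execute path
                [pscustomobject]@{
                    TaskPath      = $task.TaskPath
                    TaskName      = $task.TaskName
                    RunLevel      = $task.Principal.RunLevel
                    Execute       = $action.Execute
                    Arguments     = $action.Arguments
                    # Binaries outside %SystemRoot% are the ones most often user-writable
                    OutsideWinDir = $action.Execute -notmatch '^"?(%SystemRoot%|%windir%|[A-Za-z]:\\Windows)\\'
                }
            }
        }
}

Get-StalePrivilegedAccount | Format-Table -AutoSize
Get-SystemScheduledTask | Where-Object OutsideWinDir | Format-Table -AutoSize
```

    A task that runs as SYSTEM from a path its users can write to is a privilege-escalation path in its own right, independent of any exploit, so check the ACL on each flagged Execute path before deciding the task is acceptable.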

    Identity & Access Management

    As shown in the recent Microsoft Cyber Signals report [10], the adoption rate of multi-factor authentication (MFA) is a staggeringly low 22%.

    State-sponsored APTs and ransomware gangs alike depend on opportunity as much as on motive and capability. Multi-factor authentication should be enforced for all employees without exception, alongside strong password policies.

    Recommendations

    • Employ a password manager so that credentials are securely stored and not reused across services.
    • Disable the storage of clear-text passwords in LSASS memory (the WDigest UseLogonCredential setting).
    • Move away from SMS as a second factor: SMS codes can be intercepted or obtained through social engineering such as SIM swapping. Prefer authenticator apps or hardware security keys.
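    The following is an added example (not Sekuro’s tooling or part of the original advisory) of the second recommendation: it reads the WDigest UseLogonCredential value that controls whether LSASS keeps clear-text credentials in memory and sets it explicitly to 0. It assumes an elevated session on the host being hardened. On Windows 8.1 / Server 2012 R2 and later an absent value already means clear-text caching is off, but setting it explicitly makes the state auditable and overrides a value of 1 that credential-theft tooling may have planted; Windows 7 / Server 2008 R2 need KB2871997 installed before the value is honoured at all.

```powershell
# Added example (not Sekuro's tooling): check and enforce WDigest UseLogonCredential=0
# so LSASS stops keeping clear-text passwords in memory.
# Assumptions: elevated session; on pre-8.1/2012 R2 systems KB2871997 is installed.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestState {
    $item  = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    [pscustomobject]@{
        Key      = $WDigestKey
        Value    = $value            # $null = not set, 0 = caching off, 1 = clear-text caching on
        Hardened = ($value -eq 0)    # "not set" is reported as unhardened so it gets set explicitly
    }
}

function Set-WDigestOff {
    if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
    # -Force overwrites an existing value, including a 1 planted to enable credential dumping
    New-ItemProperty -Path $WDigestKey -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-WDigestState
if (-not $before.Hardened) {
    Set-WDigestOff
    # Credentials LSASS cached before the change stay resident until those logon
    # sessions end; a reboot is the only certain way to flush them.
    Write-Warning "Set $ValueName=0 (was '$($before.Value)'); reboot to flush previously cached credentials."
}
Get-WDigestState
```

    Because a single host set back to 1 is enough to harvest every password typed on it, this value belongs in Group Policy or configuration management, with the check above run periodically to detect drift.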

    Aggressively reduce the attack surface

    Ultimately, all the mitigation strategies above serve to disrupt the capability of APTs in chaining vulnerabilities to breach your organisation. [11]

    By actioning the points above and maintaining an accurate inventory of IT solutions and assets, your organisation can identify solutions that are no longer needed and decommission them. By addressing the people, process and technology aspects of cyber security, your organisation’s attack surface is materially reduced, hindering possible breaches in an uncertain future.

    Technical Details

    APT Groups

    Below is a table of APTs (Advanced Persistent Threats) correlated through the latest threat actor databases from MITRE and CrowdStrike.
    High-risk threat actors are highlighted based on several key criteria, namely:

    • Are they currently active?
    • Have they targeted Australian institutions?
    • If so, what sectors have they targeted?
    • Have they been successful?
    APT Country Targets Australia Academic Financial Manufacturing Technology Government
    Labyrinth Chollima North Korea Yes Yes Yes Yes
    Pinchy Spider Russia Yes Yes Yes Yes Yes Yes
    Twisted Spider Russia Yes Yes Yes Yes Yes Yes
    Viceroy Tiger India Yes Yes Yes Yes Yes
    Wizard Spider Russia Yes Yes Yes Yes Yes Yes
    Carbon Spider Russia Yes Yes Yes Yes
    Cozy Bear Russia Yes Yes Yes Yes Yes
    Deadeye Jackal Arab Republic Yes Yes Yes
    Doppel Spider Russia Yes Yes Yes Yes
    Fancy Bear Russia Yes
    Hammer Panda China Yes Yes Yes
    Mythic Leopard Pakistan Yes
    Ocean Buffalo Vietnam Yes Yes Yes
    Remix Kitten Iran Yes
    Ricochet Chollima North Korea Yes Yes
    Silent Chollima North Korea Yes Yes Yes
    Stardust Chollima North Korea Yes Yes
    Venomous Bear Russia Yes Yes
    Wicked Panda China Yes Yes Yes

    APT Activity

    Pinchy Spider is a Russia-based criminal group focused primarily on ransomware, and is behind the development and operation of the GandCrab and REvil ransomware.

    Pinchy Spider sells access to its ransomware through an affiliate program with a limited number of accounts, a model referred to as Ransomware-as-a-Service (RaaS). It is also known to incentivise ransom payment by threatening to leak exfiltrated data while holding the encrypted data hostage.

    • In January 2018, Pinchy Spider first appeared with the GandCrab [12] ransomware, distributed via malware-laden email attachments using botnets.
    • Pinchy Spider pivoted to REvil ransomware in April 2019, pursuing similar tactics with the rebranded ransomware. REvil was first advertised on the Russian-language XSS hacking forum by the user ”UNKN”.
    • On 14 January 2022, REvil operators were reported arrested in Russia by the FSB, acting on a request from US authorities. [13]

    Twisted Spider is the criminal group behind the development and operation of the Maze and Egregor ransomware. Although it has not been active recently, the techniques Twisted Spider used to gain access to organisations remain relevant today and are shared by other APTs.

    Initial access for Maze and Egregor was achieved through spam and phishing campaigns that delivered the Qakbot banking trojan, and through acquired credentials.

    • Twisted Spider first appeared with Maze [14] ransomware, active from May 2019 until November 2020, gaining initial access through exploit kits (EKs), spam campaigns and acquired RDP credentials.

    • From September 2020, Twisted Spider used Egregor [15] ransomware, a modification of both the Sekhmet and Maze ransomware. Initial access was gained using Mallard Spider’s QakBot [16] banking trojan and by targeting external Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) remote access services.

    Wizard Spider is a criminal group with ties to the Russian government. Incredibly capable and well-funded, Wizard Spider is attributed with the development and distribution of several malicious tools, allowing it to target a wide range of industry sectors.

    Active since 2016, Wizard Spider is recognised as the core development and distribution adversary behind TrickBot, Ryuk, Conti and BazarLoader.

    Labyrinth Chollima is attributed to the DPRK’s (Democratic People’s Republic of Korea) state-sponsored cyber unit and is active in collecting political, military, and economic intelligence on North Korea’s adversaries.

    Viceroy Tiger is attributed to private threat actors originating from India, operating across multiple industries mainly for financial gain and intelligence gathering. Whilst not directly attributed to Russia, APTs such as these may take advantage of the emerging threat landscape.

    Tactics, Techniques & Procedures

    This advisory uses the MITRE ATT&CK for Enterprise framework. The MITRE ATT&CK tactics and techniques observed are listed below.

    By overlaying the methods these APTs employ to compromise their targets, commonalities in tactics, techniques and procedures begin to emerge.

    In this report, we focus on the following tactics:

    Initial Access [TA0001]

    Drive-by Compromise [T1189] 

    • Labyrinth Chollima has delivered RATANKBA via compromised legitimate websites.
    • Pinchy Spider have used multiple CVEs to compromise web resources and deliver malware kits.

    Exploit Public Facing Application [T1190] 

    • Pinchy Spider has been observed exploiting Oracle WebLogic vulnerabilities.

    External Remote Services [T1133] 

    • Wizard Spider has accessed victim networks using stolen credentials via vulnerable VPN infrastructure. [17]
    • Pinchy Spider has used publicly accessible RDP and remote management and monitoring (RMM) servers to gain a foothold into the victim’s environments.

    Phishing [T1566]

    • Pinchy Spider has conducted multiple malicious spam (malspam) campaigns to gain access to victim environments. [18]

    Trusted Relationship [T1199]

    • Pinchy Spider has breached Managed Service Providers (MSPs) [19] to deliver malware to MSP customers.

    Valid Accounts [T1078]

    • Wizard Spider has used valid credentials for privileged accounts to access domain controllers. [20]

    Execution [TA0002]

    Exploitation for Client Execution [T1203] 

    • Labyrinth Chollima has exploited Adobe Flash vulnerability CVE-2018-4878 for execution. [21]

    Scheduled Task/Job [T1053]

    • Wizard Spider has used scheduled tasks to establish TrickBot and other malware persistence.

    Windows Management Instrumentation [T1047] 

    • Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally. [22]
    • Lazarus Group malware SierraAlfa uses the Windows Management Instrumentation Command-line application (wmic) to start itself on a target system during lateral movement.

    Persistence [TA0003]

    Boot or Logon Autostart Execution [T1547]

    • Wizard Spider has established persistence using Userinit by modifying the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
    • Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the Startup folder.
    • A Labyrinth Chollima malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder. [23]

    Create or Modify System Process [T1543] 

    • Wizard Spider has established persistence by installing TrickBot under a service named ControlServiceA.
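    The following is an added example (not Sekuro’s tooling or part of the original advisory) that checks a single Windows host for the persistence locations named in this section: the Winlogon Userinit value, the HKLM/HKCU Run and RunOnce keys, shortcuts in the per-user and all-users Startup folders, and services whose name matches the TrickBot artefact ControlServiceA or whose binary sits outside the Windows directory. The expected Userinit value and the "outside the Windows directory" heuristic are assumptions for a default install; third-party software legitimately appears in all of these locations, so compare the output against your own gold image rather than treating every hit as a compromise.

```powershell
# Added example (not Sekuro's tooling): enumerate the persistence locations listed
# in the TTPs above on one host. Baseline values are assumptions for a default
# install; diff the output against a known-good image of your own build.

$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-WinlogonUserinit {
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    # Default is one entry with a trailing comma; anything appended runs at every interactive logon.
    $expected = "$env:SystemRoot\system32\userinit.exe,"
    [pscustomobject]@{
        Location   = "$key\Userinit"
        Value      = $userinit
        Suspicious = ($userinit -ne $expected)   # -ne is case-insensitive in PowerShell
    }
}

function Get-RunKeyEntry {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $providerProps) { continue }   # skip registry-provider metadata
                [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

function Get-StartupShortcut {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # resolves the .lnk to its target
            [pscustomobject]@{ Location = $_.FullName; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    }
}

function Get-SuspiciousService {
    # Matches the TrickBot service name from the TTP list, plus any service whose
    # binary lives outside the Windows directory (heuristic; expect third-party hits).
    Get-CimInstance Win32_Service | Where-Object {
        $_.Name -eq 'ControlServiceA' -or
        ($_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\')
    } | Select-Object Name, State, StartMode, StartName, PathName
}

Get-WinlogonUserinit
Get-RunKeyEntry      | Format-Table -AutoSize
Get-StartupShortcut  | Format-Table -AutoSize
Get-SuspiciousService | Format-Table -AutoSize
```

    Run it once on a clean build to capture the baseline, then schedule it and alert on new rows; a Userinit value with more than one entry, or a Run-key value pointing into a user-writable directory, is worth an immediate look regardless of baseline.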