by Mike Behrmann, Director of DFIR
Advanced Persistent Threat Reflective of Changing Threat Landscape
News of the Russian Foreign Intelligence Service’s (SVR) use of Brute Ratel, a new commercial post-exploitation framework, has been making headlines throughout the cybersecurity industry. The first company to break the news, Palo Alto’s Unit42, warned readers about how effective the BRc4 tool was at “defeating modern EDR and AV detections capabilities.” [1] Confirmation of losing yet another powerful commercial post-exploitation framework (see Cobalt Strike) to the “bad guys” is indeed noteworthy as a defender, but it got me thinking about APTs in the larger strategic picture.
There’s been a subtle change in the threat landscape over the past few years that hasn’t gotten enough attention but should impact US businesses at a decision-making level. Advanced persistent threats (APTs), and here I’m referring to nation-state sponsored computer network exploitation, now impact US businesses of all sizes and verticals. The impact is not necessarily due to deliberate targeting by state-sponsored APTs based on the victim’s perceived data or assets; rather, US businesses have increasingly become part of the collateral damage from deliberate APT targeting efforts and/or larger geopolitical conflicts.
Traditional APT Targeting Efforts
Military or state intelligence agencies directed state-sponsored APTs to conduct computer-based espionage against targets in possession of national defense information, science and technology, politics, economics, or the like. Their goal was typically to collect information for intelligence purposes. Those information requirements were similar to, if not the same as, the ones the human intelligence (HUMINT) elements pursued. As a result, targets were more predictable than not. Relatively few US businesses matched this profile; therefore, the risk posed by state-sponsored APTs to said businesses was slim unless they were a defense contractor, think tank, or major corporation rife with strategic intellectual property.
Examples of Recent APT Attacks
NOBELIUM
Enter NOBELIUM and their SUNBURST malware. This December 2020 attack, attributed to the SVR, was a prolific supply chain attack targeting SolarWinds’ Orion Platform, which was operated by as many as 18,000 [2] victim organizations of all shapes, sizes, and verticals. Over a period of months, the SVR thoroughly penetrated the software vendor’s corporate network and ultimately compromised its software distribution pipeline using advanced tradecraft. US companies and government agencies, including titans of industry like FireEye [3], were completely unaware that their own trusted network monitoring tool had become the conduit for APT initial network access. Microsoft’s security team noted how this campaign deviated from earlier SVR targeting attempts but still employed advanced tradecraft reserved for targets of strategic interest:
“NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.”
However, the impact of this attack was not limited to the couple hundred target organizations who experienced follow-on network intrusions. Effectively, each of the approximately 18,000 organizations using the Orion Platform software was forced into a panicked incident response motion to assess and mitigate its own risk. These included small and medium-sized businesses of no foreign intelligence value, based on my direct experience with clients at the time.
HAFNIUM
In March 2021, Microsoft made waves when they noted that a China-based state-sponsored APT called HAFNIUM was actively targeting vulnerable public-facing Microsoft Exchange servers. [4] The threat actor used a zero-day exploit referred to as ProxyLogon to exploit under-patched servers. The zero-day exploit code proliferated. Numerous non-HAFNIUM threat actors, including ransomware operators, began leveraging the exploit to compromise and implant instances of the popular on-premises mail appliance. Victim organizations were slow to recognize the threat and adopt the patch, leaving thousands [5] of organizations compromised by numerous actors simultaneously. New derivative exploits like ProxyShell [6], ProxyToken [7] and ProxyOracle [8] emerged that continued to grow the attack vector. By late August, security vendor Huntress reported they were still observing attacks using the family of exploits. [9] ProxyShell in particular was leveraged by ransomware actors to create initial access into victim organizations and facilitate domain-wide encryption events. Miscellaneous threat actors attempt to use these exploits against Exchange servers to this day, based on evidence seen in our 2022 casework.
Sandworm
The FBI credited Russian APT Sandworm with exploiting small office and home office (SOHO) routers, popular with numerous small and medium-sized businesses, going back as far as 2018. The campaign was widely attributed to the Main Military Intelligence Directorate of the Russian General Staff (GRU) and managed to infect over 500,000 devices across 50 countries with malware referred to as VPNFilter. [10] Compromised routers were then used to facilitate follow-on system compromise, manipulate network traffic, and conduct data theft.
In late February 2022, just as the Russian invasion of Ukraine began, the same APT was charged with exploiting and implanting WatchGuard firewalls, a popular choice among SMB and midmarket organizations, with malware referred to as Cyclops Blink. The Cybersecurity & Infrastructure Security Agency (CISA) described the targeting in both campaigns as “indiscriminate and widespread”. [11]
Antigen Security responded to an attack on a SonicWall VPN appliance owned by a Midwest law firm that was formally attributed to the GRU by the FBI during the same time period. Needless to say, the small firm, which specialized in medical malpractice law, possessed nothing of military or intelligence value. They were simply a target of opportunity, an easy outlet for the GRU to inflict pain against US interests, likely based on US support for the besieged Ukrainian government.
Recommendations to Strengthen Your Cyber Defenses
Antigen Security has seen evidence of victim businesses preventing or disrupting ransomware attacks by adopting a series of best practices:
Threat Vulnerability Scanning
It starts with good IT hygiene practices such as continuously patching public-facing appliances and servers. This fundamental step dramatically shrinks a business’s attack surface for APT and eCrime threat actors alike. Threat vulnerability scanning software focused on an organization’s internal and public-facing assets can help make this routine but critical job easier to accomplish.
Antigen Titan Defense
Sophisticated threats are most readily observed on the endpoint via behavior-based detections rooted in endpoint detection and response (EDR) telemetry. Antigen Security’s Security Operations Center is powered by Red Canary managed detection and response tooling, which is based on world-class threat detection engineering and threat intelligence. Best-of-breed technologies like Red Canary are now a necessity for companies of all sizes given the risk posed by APTs.
Yearly Tabletop Exercises
The options don’t end there. I am now of the opinion that most organizations stand to gain more from an Incident Response Planning workshop, including tabletop exercises, than from yet another repetitive penetration test whose findings will wind up mired in inter-office bureaucracy, if not altogether ignored. Smart people, even very technical IT people, freak out following major security incidents. It’s understandable. But much of the chaos is avoidable. When people plan and practice for a major incident, their ability to orient and correctly action the real thing increases dramatically.
Hire an IR Firm for Year-Round Coverage
Last, but not least, obtain an IR retainer or year-round coverage from a firm you know. Decision-making criteria should include responsiveness and availability. Cyber insurance is practical, but the classic insurance board of providers model is often slow and of unpredictable quality. Antigen is offering a brand new, membership-based incident response solution (Antigen Rapid Response) that can take the place of a traditional IR firm retainer and offers more advantages, as well as significant discounts.
References
1. https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/#Conclusion
2. https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html
3. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
4. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
5. https://www.bleepingcomputer.com/news/security/conti-ransomware-now-hacking-exchange-servers-with-proxyshell-exploits/
6. https://www.huntress.com/blog/proxyshell-vs.-proxylogon-whats-the-difference
7. https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/proxytoken-another-nailbiter-from-microsoft-exchange/
8. https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-2-ProxyOracle/
9. https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit
10. https://us.norton.com/internetsecurity-emerging-threats-vpnfilter-malware-targets-over-500000-routers.html
11. https://www.cisa.gov/uscert/ncas/alerts/aa22-054a
About the Author
Mike Behrmann, Director of Digital Forensics and Incident Response
Mike Behrmann served at the National Security Agency for seven years where he focused on leading computer network exploitation operations and was later deployed to the FBI Detroit Division’s Cyber Task Force as a Threat Analyst.
He has also held leadership roles at NetWorks Group, Domino’s, and Blumira.
Mike has earned numerous Global Information Assurance (GIAC) certifications over his career and holds advanced degrees in both International Affairs and Information Assurance.