Summary of Findings
- The compromise of SolarWinds supply chain software is the most significant cyberattack of 2020.
- APT operations combine multiple, victim-specific TTPs to increase intelligence-gathering capability.
- Malware purchased by government organizations presents a danger to journalists working in hostile foreign environments.
- Law enforcement operations against the Joker’s Stash carding marketplace have a low impact.
- Analysis of Egregor ransomware tactics, techniques, and procedures (TTPs) reveals patterns similar to those of other big game hunting variants.
- New Emotet activity likely predicates and precedes new high-impact attacks.
- Increased anti-analysis measures observed in malware evade automated and manual analysis to extend dwell time.
SolarWinds cyberattacks create global impact
The compromise of SolarWinds Orion supply chain software is the most significant cyberattack of 2020. It was exposed by FireEye, which also fell victim to the attack. There are potentially more than 18,000 victims, including government entities and information security companies. Attribution will be difficult until more malware samples are released publicly for analysis. In addition, security researchers have discovered a second threat actor has exploited the SolarWinds software to plant CosmicGale and Supernova malware on corporate and government networks. As of late December 2020, CosmicGale had not been released publicly. Current speculation into attribution does not provide enough evidence to substantiate any links.
APT groups develop further capability by combining multiple victim-specific infrastructures under unified operations
APT groups are adapting while conducting victim-specific micro-attacks that comprise a larger coordinated effort. Attacks attributed to the SideWinder group use a malicious server for distributing malicious LNK files and phishing attacks. The attacks use well-mimicked login pages tailored to each victim with political-leaning lure content that is also victim specific. They target desktop and mobile systems with the goal of exfiltrating information. The geographic area affected is South Asia and surrounding countries, with a concentration on Afghanistan and Nepal. Attacks such as this can provide APT groups aiding state-backed operations with greater intelligence.
Journalists face high risk of espionage attacks from state-supported operations
Citizen Lab reports “zero-click” iOS malware developed by the NSO Group has been used by multiple organizations with links to state support to target journalists. It is suspected that the malware played a role in targeting of some journalists that eventually resulted in death. During 2020, journalists in the Middle East were at the highest risk, followed by those in Central America, according to data from the Committee to Protect Journalists.
Law enforcement operations against carding marketplaces have limited impact
A joint operation between Interpol and the FBI resulted in a takedown of proxy servers related to the Joker’s Stash carding marketplace. The top-level domains supporting Joker’s Stash were unaffected due to their purposely decentralized architecture. The operation on 17.12.2020 will have only a temporary limiting impact on Joker’s Stash, and no effect on the larger carding marketplace on the dark web.
Tracking ransomware TTPs through analysis mitigates risk from leading variants
Egregor ransomware is currently one of the most prominent ransomware families that is meeting the demand created by the retirement of the Maze family, which EclecticIQ Fusion Center reported on in the previous intelligence update. Like other successful big game hunting variants, Egregor pairs with loader bots known to include QakBot and Trickbot to establish access to the network. Historically, paired bots gain access by brute-forcing exposed remote connections, stealing access credentials, and phishing. Egregor exfiltrates data for public extortion prior to encryption.
Emotet activity increases dramatically, indicating new prevalent attacks are imminent
Detected attacks using the modular banking trojan Emotet have surged since the fall. Emotet has been popularized and paired alongside ransomware variants and other banking trojans that present the greatest risk to end users and systems. It has exhibited consistent development by its operators, who seek to continually obfuscate their command and control (C2) and hide from analysis. This strategy allows the malware to stay ahead of security defenses that use C2 infrastructure blacklists to block attacks. A TTP analysis of Emotet provides more details and patterns to better coordinate defenses and mitigate risk from new variants, which have been identified as circulating from at least December 22, 2020.
Malware exhibiting increased obfuscation extends target exploitation timelines
A new GootKit loader version is among many malware families that are exhibiting further obfuscation techniques aimed at preventing analysis and removal. More-complex routines to hide the running code make manual analysis much more time-consuming. As a result, malware operators can use the same piece of malware for longer periods, with greater impact, before they are forced to stop attacks and spend time retooling.
Our final blog of 2020 is part of an ongoing series of biweekly intelligence updates from EclecticIQ. Each blog covers the latest cybersecurity news, industry trends, and current and emerging threats based on our experts’ interpretation of data and other source materials. We may provide updates on the COVID-19 pandemic situation as well.