EclecticIQ Threat Research Team
July 28, 2021

Recent Articles Highlight Threat Actors’ Propensity for Focused Targeting of Different Victim Groups

Key Highlights

  • Spyware vendors such as NSO Group and Candiru enable government clients to threaten the privacy of a wide array of individuals.

  • As ransomware syndicates become more sophisticated, they are taking a business-focused approach, including targeting high-profile victims.

  • The global vaccine drive will remain a popular theme for directing high volumes of commodity malware to broad segments of the population, especially in countries lagging in vaccine distribution.

China-based APT Groups Expected to Continue Large-scale Attacks Using Zero-Day Exploits

The United States and the United Kingdom attribute a campaign of Microsoft Exchange attacks earlier this year to the China-based APT group Hafnium. This campaign marks at least the third time in 2021 that China-based threat actors have exploited a zero-day vulnerability, in this case CVE-2021-26855 (1). Another group very likely hacked the National Finance Center using zero-day 2021-10148 (2), and yet another is accused of exploiting Pulse Secure VPN using CVE-2021-22893 (3). The same report notes that the 33 zero-day vulnerabilities disclosed so far in 2021 already surpass the total from 2020. It is very likely that the uptick in zero-day vulnerabilities is the result of increased detection and disclosure by security teams, and increased utilization by threat actors who can purchase technical capabilities (4). A mature threat hunting program provides the best mitigation for potential zero-day exploits.

Two Further Exploitation Phase Attack Vectors Related to SolarWinds Highlight a Complex Campaign

Russia-based APT groups with links to the same threat actor that trojanized SolarWinds Orion builds prior to 2021 in the Sunburst campaign very likely used an iOS zero-day for exploitation and reconnaissance of victims’ iPhones (5). Another Russian APT with likely links to the Sunburst actors exploited yet another severe flaw in SolarWinds products unknown when Sunburst was disclosed (6). APT attacks often involve multiple exploitation paths to compromise targets. Security monitoring teams must be supported by sufficient network telemetry to link attacks within complex APT kill-chains.

Iran Railroad Attack Illustrates Challenges in Detection and Response for Critical Infrastructure

A cyberattack that affected much of Iran’s national railroad network on July 9 began at least a month prior to the outage, during which period the attackers changed system protocols and passwords and locked out administrators (7). The timing of the attack, just prior to a new Iranian president’s taking office, raises the possibility that the attacks were geopolitically motivated.

Spyware Wielded by Governments Under Pretext of Targeted Surveillance Threatens Individuals’ Privacy

The potential misuse of advanced surveillance software sold by vendors to governments presents yet another threat to personal liberties, privacy, and physical safety. One new report detailing the NSO Group’s Pegasus software as well as another describing private sector surveillance vendor Candiru came to light over the past two weeks (8). NSO Group’s activities, previously reported in 2019 (9), have demonstrated strong demand based on the number of new clients and further exploitation vectors. Pegasus’ target list comprised over 50,000 phone numbers, including those of murdered journalists. NSO Group stated it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets.” (10)

Ransomware Syndicates Aggressively Seek Big Name Targets

A report from Palo Alto Networks outlines the advanced TTPs common in many of today’s ransomware attacks (11). Operators now co-opt a wide variety of tooling along with ransomware payloads to more fully compromise a target. Operations more closely align with APT attacks, rather than high-volume, less-sophisticated cybercriminal attacks.

Several recent ransomware incidents illustrate this heightened skill level. A law firm whose clients include many Fortune 500 companies was recently breached by ransomware (12). Railway ticketing systems across parts of the UK were unusable due to ransomware only two months post deployment (13). Kaseya, a global MSP, was also hit with ransomware, affecting dozens of their customers around the world (14).

The escalation in attacks is likely hitting a critical moment as ransomware syndicates target high-profile organizations. REvil infrastructure was recently taken offline under unknown circumstances, likely in connection with the succession of high-profile attacks on JBS and Kaseya (15).

Hackers Could Exploit Poorly Tested Biometric Technology

In late June, Windows incorporated a form of facial recognition into its endpoint authentication on Windows Hello for Windows 10.1703 and later (16), enabling users to log in without text-based passwords. Soon after, security researchers at CyberArk Labs discovered a bypass exploit for the facial recognition technology (17). The bypass, which has not yet been used in the wild, stems from a poorly configured implementation. The biometric authentication is unable to distinguish real environments, which allowed CyberArk to create a fake and simplified infrared image against a plain black background to spoof authentication. Microsoft claims 85% of Windows 10 users use the new Windows Hello system.

Upgraded Tooling for Commodity Malware Gives Average Attackers Advanced Capabilities

Intelligence analysts note an increasing pattern of Cobalt Strike adoption in the command and control phase of commodity malware operations (18). Cobalt Strike was developed as a red team tool and was primarily used post-exploitation. More-prominent malware families evolve custom modules over time to bypass security controls, becoming more difficult to disrupt. For example, a new variant of Trickbot, observed since last fall’s takedown by U.S. Cyber Command (19), now exploits virtual systems for installation on target machines (20). Trickbot remains a popular and effective malware utilizing custom development. EclecticIQ analysts have not yet observed Trickbot openly listed in popular Darknet forums, which attests to its continued high value and effectiveness among malware offerings.

Global Vaccine Distribution Remains a Popular Theme for Serving Commodity Malware

Data from Trend Micro shows attacks focused on developments in vaccine awareness, production and distribution initially spiked in September 2020, then declined significantly over the winter in the Northern hemisphere. They surged again after vaccine rollouts in major countries began (21) and are now increasing yet again (22). Trend Micro expects countries that have yet to inoculate their citizens may be the next targets for vaccine-themed malicious activities. EclecticIQ analysts expect these attacks to continue through the rest of 2021.

Appendix.

  1. https://www.theguardian.com/technology/2021/jul/19/microsoft-exchange-hack-us-biden-administration-china, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  2. https://www.reuters.com/article/us-cyber-solarwinds-china/exclusive-suspected-chinese-hackers-used-solarwinds-bug-to-spy-on-u-s-payroll-agency-sources-idUSKBN2A22K8
  3. https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
  4. https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks
  5. https://www.wired.com/story/solarwinds-hackers-used-ios-zeroday-compromise-iphones
  6. https://www.darkreading.com/attacks-breaches/targeted-attack-activity-heightens-need-for-orgs-to-patch-new-solarwinds-flaw/d/d-id/1341530
  7. https://www.securityweek.com/details-emerge-iranian-railroad-cyberattack
  8. https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/,
    https://www.schneier.com/blog/archives/2021/07/nso-group-hacked.html,
    https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/
  9. https://citizenlab.ca/2019/10/nso-q-cyber-technologies-100-new-abuse-cases/
  10. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus
  11. https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/
  12. https://threatpost.com/law-firm-fortune-500-breach-ransomware/167951/
  13. https://www.zdnet.com/article/hundreds-of-touchscreen-ticket-machines-are-offline-after-a-ransomware-attack/
  14. https://www.trendmicro.com/en_us/research/21/g/it-management-platform-kaseya-hit-with-sodinokibi-revil-ransomwa.html
  15. https://www.schneier.com/blog/archives/2021/07/revil-is-off-line.html
  16. https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide
  17. https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery
  18. https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html,
    https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
  19. https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html
  20. https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/
  21. https://www.nytimes.com/live/2020/12/14/world/covid-19-coronavirus,
    https://www.bbc.com/news/uk-england-55560604
  22. https://www.trendmicro.com/en_us/research/21/g/threats-ride-on-the-covid-19-vaccination-wave.html
