The news of this month includes some fascinating threat intel discoveries as well as talking about some of our favorite tools, like MITRE Engage. Read on to find out what our team is talking about this month.

Time to “Engage”: How the Department of Defense Can Maneuver Against the Adversary in Cyber

The primary driver for cybersecurity in the defense sector is the risk of a cyber strike from adversaries. A strong, capable defense for all warfighting systems and support infrastructure is essential and requires the defensive elements within cyber to step up their game. In the past, there has been no framework to truly govern and create a means of direct interaction with adversary forces by defensive cyber professionals. That has changed with the new MITRE Engage framework, which gives cyber defenders a methodology to ‘Engage’ the adversary and take the fight from a reactive model to a proactive campaign.

In this article, the author outlines how Engage changes the way defense is conducted. The reactive model of old is transformed into a proactive construct that gives cyber defenders the ability to conduct adversary engagement. This is essential in the Department of Defense, where 60% of the cyber capability within the DoD is dedicated to the defense of its architecture, and the adversary is pervasive in its desire to infect our networks and systems and limit our ability to conduct warfare.

“This article talks about one of our favorite topics, MITRE Engage! We totally agree that Engage changes the way defense is conducted, as well as the author’s sentiment that the reactive model of old is being transformed into a proactive construct that enables cyber defenders the ability to conduct adversary engagement.” — The Leadership Team

Source: Medium, May 26

Hackers Are Now Hiding Malware In Windows Event Logs

This article describes how a highly skilled threat actor used a technique not previously seen in the wild to plant fileless malware on a Windows host without raising alerts. The investigation revealed that the malware was part of a “very targeted” campaign and, according to Denis Legezo, lead security researcher at Kaspersky, the entire campaign “looks impressive”. One of the most interesting parts of the attack is the injection of shellcode payloads into the Windows event log for Key Management Services (KMS), performed by a custom malware dropper. Kaspersky says that the dropper’s purpose is to place the loader on disk for the side-loading process and to look for particular records in the event logs (category 0x4142, ‘AB’ in ASCII). If no such record is found, it writes 8KB chunks of encrypted shellcode, which are later combined to form the code for the next stager. The new technique is sure to rise in popularity.
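As an added example (not from the article or from Kaspersky’s research), the following PowerShell hunts the local event log for records with the shape the dropper relies on: task category 0x4142 carrying an unusually large, high-entropy binary payload. The log name and the size threshold are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article): look for event records whose task category
# is 0x4142 ('AB') and whose data is large and high-entropy, the pattern the dropper uses to
# stash 8KB encrypted shellcode chunks. Log name and threshold are assumptions.
param(
    [string]$LogName  = 'Key Management Service',   # assumed name of the KMS event channel
    [int]$Category    = 0x4142,                      # category the dropper searches for
    [int]$MinBytes    = 4096                         # flag payloads at or above this size
)

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($b in $Bytes) { $counts[$b] = 1 + [int]$counts[$b] }
    $h = 0.0
    foreach ($c in $counts.Values) {
        $p = $c / $Bytes.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return [Math]::Round($h, 2)   # 8.0 is the maximum for byte data
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName } -ErrorAction SilentlyContinue |
    Where-Object { $_.Task -eq $Category }

foreach ($e in $events) {
    # Binary event data arrives as byte[]; string payloads are measured as UTF-8 bytes.
    foreach ($p in $e.Properties) {
        $bytes = if ($p.Value -is [byte[]]) { $p.Value }
                 elseif ($p.Value -is [string]) { [Text.Encoding]::UTF8.GetBytes($p.Value) }
                 else { $null }
        if ($bytes -and $bytes.Length -ge $MinBytes) {
            [pscustomobject]@{
                RecordId = $e.RecordId
                Time     = $e.TimeCreated
                Provider = $e.ProviderName
                EventId  = $e.Id
                Bytes    = $bytes.Length
                Entropy  = Get-ShannonEntropy $bytes   # values near 8 suggest encrypted data
            }
        }
    }
}
```

Legitimate KMS records are short text, so any hit with thousands of bytes of near-random data deserves a closer look; run it elevated so the channel is readable.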

“At CounterCraft, we are always looking for new techniques being used in the wild to make sure that our DeepSense agents are able to detect the most advanced attacks. Highly sophisticated and targeted attacks such as these are especially dangerous for companies and organizations, and cyber deception can make the difference between detecting them early or when it is too late.” — Fernando, Founder

Source: Bleeping Computer, May 10

Yours Truly, Signed AV Driver: Weaponizing An Antivirus Driver

Ransomware groups continue to plague the digital environment and use new and interesting techniques to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) solutions and ensure the successful execution of their ransomware payloads. The attack described here comes in three variants: a self-contained PowerShell script, dropped alongside the Avast driver, that installs and loads the driver and executes a small number of functions to control it; an executable that unpacks and loads in memory a small executable to control the driver; and a batch script that installs a service to load the Avast kernel driver, then launches a PowerShell script to decode, load and execute the controller in memory. This article delves into the implementation of the third variant, in which the attacker uses the batch script.
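Every variant above ends with a kernel driver being registered as a service, which Windows records in the System log as Service Control Manager event 7045. The following PowerShell, an added example that is not from the Aon article, reviews recent kernel-driver installs and flags those loaded from outside the standard drivers directory; because the abused driver is validly signed, the signer is shown for context rather than used as a pass/fail test.

```powershell
# Added example (not from the original article): list recent kernel-driver service installs
# (System log, Service Control Manager event 7045) and flag images outside System32\drivers.
# A valid Authenticode signature is not a clean bill of health here: the technique above
# loads a legitimately signed AV driver, so install path and context matter.
param([int]$Days = 30)

function Resolve-ImagePath {
    param([string]$Raw)
    # 7045 records image paths as \??\C:\..., \SystemRoot\System32\drivers\x.sys or System32\...
    $p = $Raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
             StartTime = (Get-Date).AddDays(-$Days) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $props = $_.Properties
    # Property order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $svcType = [string]$props[2].Value
    if ($svcType -notmatch 'kernel') { return }     # user-mode services are out of scope

    $image     = Resolve-ImagePath ([string]$props[1].Value)
    $inDrivers = $image -like "$env:SystemRoot\System32\drivers\*"
    $sig = if (Test-Path -LiteralPath $image) { Get-AuthenticodeSignature -FilePath $image } else { $null }

    [pscustomobject]@{
        Time       = $_.TimeCreated
        Service    = [string]$props[0].Value
        ImagePath  = $image
        StartType  = [string]$props[3].Value
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SigStatus  = if ($sig) { [string]$sig.Status } else { 'file missing' }
        Suspicious = -not $inDrivers   # signed or not, a driver outside the drivers dir needs review
    }
} | Sort-Object Time -Descending
```

A driver signed by an AV vendor whose product is not installed on the host, or one whose image has already been deleted, is the kind of result this surfaces for an analyst to chase.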

“While the use of kernel drivers to target and kill AV and EDR solutions prior to encryption has been known and discussed for some time, the abuse of a signed and valid driver from an Antivirus vendor was surprisingly effective.” — David Barroso, Founder and CEO

Source: Aon, May 20

New ransomware strains linked to North Korean govt hackers

Several ransomware strains have recently been linked to APT38, a North Korean state-sponsored hacking group. APT38 targets and steals funds from financial institutions worldwide, and typically deploys destructive malware on its victims’ networks during the last stage of an attack in order to destroy any traces of its activity. The attribution was made by analyzing code and artifact similarities with VHD ransomware. The two strains were deployed on victims’ networks via the cross-platform MATA malware framework, a malicious tool used exclusively by Lazarus operators, according to Kaspersky. Visualizing the code with Hilbert curve mapping made it clear that PXJ, Beaf, and ZZZZ share a notable amount of source code and functionality with VHD and TFlower ransomware, with Beaf and ZZZZ being almost exact clones of each other.

“Once again, we’re shown how sophisticated and organized adversaries are. In this case, North Korea has a multitude of ransomware, malware, and other malicious software at its disposal to extort money (cryptocurrency) from its victims. The need to have tailored CTI and take a proactive cybersecurity stance to defend against nation state attacks and other bad actors is now. Without applicable CTI you can’t defend against a threat you know nothing about.” — Shunta Sanders, Lead Senior Architect

Source: Bleeping Computer, May 4

A Stealthy New Espionage Group is Targeting Corporate Mergers and Acquisitions

A new espionage actor is breaching corporate networks to steal emails from employees involved in big financial transactions like mergers and acquisitions. The group UNC3524, classified and tracked by Mandiant, hits corporate targets that hint at financial motivation but also spends a longer-than-average dwell time in a victim’s environment, suggesting an intelligence gathering mandate. In some cases, UNC3524 remained undetected in victims’ environments for as long as 18 months, versus an average dwell time of 21 days in 2021.

Mandiant credits the group’s success to the use of a novel backdoor — tracked as “QuietExit” — on network appliances that do not support antivirus or endpoint detection. Its tradecraft is very advanced, including strong operational security, adept evasion skills, and a large IoT botnet.

“The motivation of UNC3524 is not just to make money but also (or perhaps, mainly) to gather intelligence about big companies. And the fact that they attack network appliances that don’t support the use of antivirus makes them very dangerous for any company. Cyber deception is definitely one of the best defenses against such advanced APTs.” — Fernando, Founder

Source: Tech Crunch, May 3

Don’t miss next month’s roundup. Follow us on LinkedIn or Twitter, or sign up for our newsletter to stay in touch.