Even the most sophisticated advanced persistent threat (APT) groups tend to stick with old tactics, techniques, and procedures as long as they work. Whenever needed, however, these groups can innovate in extremely dangerous ways.
A threat campaign last quarter — in which a so-far-unknown attacker modified platform-level firmware to plant exceptionally persistent and hard-to-remove malware on an organization's system — is a case in point.
It was one of several new and sophisticated attack tactics that security vendor Kaspersky observed in the third quarter of this year as APT groups diversified their tool sets in larger numbers than usual. In a report this week, Kaspersky described the activity as "curious" and an example of how APT threat actors reinvent themselves and their tool sets even as they rely on old tools and tactics when possible.
Mark Lechtik, senior security researcher at Kaspersky, says at least two organizations were infected with the malicious firmware implant. Both were diplomatic entities based in Asia.
He describes the attack as involving the introduction of rogue logic into existing Unified Extensible Firmware Interface (UEFI) firmware. UEFI is a specification for the interface between a computer's operating system and platform firmware. UEFI has mostly replaced the traditional BIOS in modern PCs.
The UEFI modification allowed the attacker to install malware that was so persistent it could survive operating system reinstallation and even replacement of the hard drive. "Such campaigns are not very common for several reasons," Lechtik says. "Most notably, introduction of rogue logic into an existing UEFI firmware is a complicated process that typically requires finding security soft spots in the targeted platform."
To install malware on a device via the UEFI firmware, an attacker would need to find a way to write to the SPI flash chip, determine if the firmware in question enforces digital signatures, and then find a way to bypass those mechanisms, he says.
To pull off such an attack, an attacker would likely need some form of physical access to the target device, booting it from a USB drive with a utility that overwrites the UEFI firmware with malicious code. At least one other entity, surveillance software vendor Hacking Team, used the same tactic to deploy a backdoor on systems. "It is plausible that in spite of the complexity of compromising UEFI firmware, there are more cases of infection in the wild that we are yet to discover," Lechtik says.
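What the "security soft spots" Lechtik mentions look like in practice: on Intel-based platforms the SPI flash holding the UEFI firmware is guarded by the BIOS_CNTL register (BIOSWE, BLE, SMM_BWP bits) and by the SPI Protected Range registers PR0-PR4, which are frozen by the FLOCKDN bit in HSFS. If a vendor ships with these open, an attacker with kernel privileges can rewrite the firmware directly, and no signature check on firmware updates ever comes into play. The script below is an added example for this article, not Kaspersky's code or analysis. The register snapshots are constructed, and the bit layouts follow Intel PCH documentation (AMD platforms differ). On real hardware the same values are read with a tool such as chipsec (`chipsec_main -m common.bios_wp`).

```python
"""Decode Intel PCH SPI write-protection state for the BIOS region.

Constructed example: the register values at the bottom are made up for
illustration and were not read from hardware. Bit layouts follow Intel PCH
datasheets (BIOS_CNTL, HSFS, PR0-PR4); AMD platforms use different registers.
"""

# BIOS_CNTL bits
BIOSWE = 1 << 0      # BIOS Write Enable: set => flash writable
BLE = 1 << 1         # BIOS Lock Enable: setting BIOSWE raises an SMI that can clear it again
SMM_BWP = 1 << 5     # SMM BIOS Write Protect: writes allowed only while the CPU is in SMM
# HSFS bit
FLOCKDN = 1 << 15    # Flash Configuration Lock-Down: PRx cannot change until reset


def decode_pr(value: int) -> dict:
    """Decode one Protected Range register (PR0-PR4).

    bits 14:0  base  (4 KiB units), bit 15 read-protect enable,
    bits 30:16 limit (4 KiB units), bit 31 write-protect enable.
    """
    base = (value & 0x7FFF) << 12
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    return {
        "base": base,
        "limit": limit,
        "write_protect": bool(value & (1 << 31)),
        "read_protect": bool(value & (1 << 15)),
    }


def ranges_cover(ranges, start: int, end: int) -> bool:
    """True if the union of inclusive [base, limit] ranges covers [start, end]."""
    pos = start                       # first byte not yet known to be covered
    for base, limit in sorted(ranges):
        if base > pos:
            return False              # gap before this range
        pos = max(pos, limit + 1)
        if pos > end:
            return True
    return pos > end


def assess_bios_write_protection(bios_cntl: int, hsfs: int, prs, bios_base: int, bios_limit: int) -> dict:
    """Report whether the BIOS region of SPI flash can be rewritten from the OS."""
    findings = []

    # Path 1: BIOS_CNTL. Safe only if writes are disabled, the lock is set, and
    # SMM_BWP confines writes to SMM (BLE alone can be raced on multi-core CPUs).
    cntl_ok = not (bios_cntl & BIOSWE) and bool(bios_cntl & BLE) and bool(bios_cntl & SMM_BWP)
    if bios_cntl & BIOSWE:
        findings.append("BIOS_CNTL.BIOSWE set: flash writes enabled")
    if not bios_cntl & BLE:
        findings.append("BIOS_CNTL.BLE clear: kernel code can set BIOSWE freely")
    if not bios_cntl & SMM_BWP:
        findings.append("BIOS_CNTL.SMM_BWP clear: writes not confined to SMM")

    # Path 2: PR registers write-protecting the whole BIOS region, plus FLOCKDN
    # so the attacker cannot simply clear them.
    wp_ranges = [(p["base"], p["limit"]) for p in map(decode_pr, prs) if p["write_protect"]]
    pr_cover = ranges_cover(wp_ranges, bios_base, bios_limit)
    flockdn = bool(hsfs & FLOCKDN)
    if not pr_cover:
        findings.append("PR0-PR4 do not write-protect the whole BIOS region")
    if not flockdn:
        findings.append("HSFS.FLOCKDN clear: PR registers can be rewritten")

    return {
        "bios_cntl_protected": cntl_ok,
        "pr_protected": pr_cover and flockdn,
        "protected": cntl_ok or (pr_cover and flockdn),
        "findings": findings,
    }


# Constructed snapshots for a 16 MiB flash whose BIOS region is the top 12 MiB.
BIOS_REGION = (0x400000, 0xFFFFFF)
WEAK_PLATFORM = dict(bios_cntl=0x08, hsfs=0x0000, prs=[0, 0, 0, 0, 0])
HARDENED_PLATFORM = dict(bios_cntl=0x2A, hsfs=0x8000, prs=[0x8FFF0400, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, regs in (("weak", WEAK_PLATFORM), ("hardened", HARDENED_PLATFORM)):
        result = assess_bios_write_protection(**regs, bios_base=BIOS_REGION[0], bios_limit=BIOS_REGION[1])
        print(name, "protected" if result["protected"] else "WRITABLE", result["findings"])
```

The weak snapshot is what a platform with no firmware lockdown looks like: every finding fires and the region is writable from ring 0. The hardened one passes both paths. Either path alone is considered sufficient here, which mirrors how chipsec's bios_wp module judges the same registers; treat a platform that relies on BIOS_CNTL alone, with FLOCKDN clear, as weaker than one where the PRs also cover the region.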
Another example of a threat actor that diversified its tool set in a unique manner last quarter was Ke3chang, an APT group believed to be based in China. Kaspersky researchers observed the threat actor using steganography to hide malware in a Windows Defender binary digitally signed with Microsoft's Authenticode code-signing technology.
Cracking the Code
"We see various sorts of steganography in use in different attacks by different APT actors," says Ariel Jungheit, senior security researcher at Kaspersky. What made this attack different was the manner in which an Authenticode-signed executable was abused, he says. "Ke3chang found a way to embed the payload without invalidating the Authenticode signature — something we haven't seen being used by a threat actor before."
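Why a signed file can carry extra bytes at all: Authenticode hashes the whole PE image except the checksum field, the security data-directory entry, and the Attribute Certificate Table itself. Anything placed after the PKCS#7 blob inside that table therefore leaves the signature valid. The script below is an added example for this article, not Kaspersky's analysis, and not necessarily the exact embedding Ke3chang used (the report, as quoted here, does not describe it). It parses a PE far enough to find the certificate table, measures the real DER length of the signature, and reports any non-padding bytes riding behind it. The sample PE is constructed in code.

```python
"""Find data hidden in a PE file's Attribute Certificate Table.

Added example; the minimal PE built by build_sample_pe() is constructed test
data, not a real Windows binary.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def der_total_length(blob: bytes) -> int:
    """Header + content length of the DER SEQUENCE at blob[0] (the PKCS#7 SignedData)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                     # short form: length in one byte
        return 2 + first
    n = first & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table; (0, 0) if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                                # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)           # PE32+ vs PE32 data directories
    # Unlike every other directory, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def certificate_table_slack(pe: bytes) -> list:
    """One record per WIN_CERTIFICATE: DER length and any non-padding trailing bytes."""
    off, size = security_directory(pe)
    table = pe[off:off + size]
    records, pos = [], 0
    while pos + 8 <= len(table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("truncated WIN_CERTIFICATE")
        cert = table[pos + 8:pos + dw_length]
        der_len = der_total_length(cert)
        trailing = cert[der_len:]
        # Fewer than 8 zero bytes is ordinary 8-byte alignment padding; anything
        # else sits inside the signed file yet outside the Authenticode hash.
        is_padding = len(trailing) < 8 and trailing == b"\0" * len(trailing)
        records.append({"type": cert_type, "der_len": der_len, "slack": b"" if is_padding else trailing})
        pos += (dw_length + 7) & ~7                        # entries are 8-byte aligned
    return records


def build_sample_pe(hidden: bytes) -> bytes:
    """Constructed minimal PE32+ (no sections, fake 7-byte 'signature') for testing."""
    fake_der = b"\x30\x05\x02\x03\x01\x02\x03"             # SEQUENCE { INTEGER 0x010203 }
    body = fake_der + hidden
    pad = (-(8 + len(body))) % 8
    win_cert = struct.pack("<IHH", 8 + len(body) + pad, 0x0200, 0x0002) + body + b"\0" * pad
    cert_off = 0x150
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (cert_off - len(image)) + win_cert


if __name__ == "__main__":
    for rec in certificate_table_slack(build_sample_pe(b"PAYLOAD!!")):
        print(rec)
```

Windows itself accepts such slack unless the optional hardening shipped with MS13-098 (the EnableCertPaddingCheck registry setting) is turned on, so a valid signature is not evidence that the table is clean; hash the table or compare it with a pristine copy of the same Microsoft binary. Some legitimate installers also store tagging data in this area, so treat a hit as something to triage, not an automatic block.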
More generally, APT groups targeted more platforms, developed new infection chains, and leveraged legitimate services as part of their attack infrastructure, Kaspersky said in its report. As an example of the expanded use of legitimate services in attacks, Jungheit points to threat actors using Google Drive, OneDrive, Dropbox, and web application development platforms such as Firebase to geofence attacks.
Kaspersky also observed threat actors increasingly writing malware in programming languages less commonly seen in their tool sets. "We've seen APT actors make use of tools and malware written in Go as well as Python scripts in their attacks," he says.
For organizations, the main takeaway from last quarter's APT activity is that they need to look for malicious activity in new, and often legitimate, environments. "While in the past it was easier to allow access and perhaps not monitor communications with popular cloud services, it's now less advised to do so."
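One concrete form that monitoring can take: the services named above are reached by browsers and official sync clients all day, so the useful signal is not the destination alone but the destination combined with an unexpected client, such as a PowerShell or python-requests user agent fetching from Firebase or uploading to the Dropbox API. The script below is an added example for this article, not Kaspersky's. The proxy log format, the log lines, and the domain list are constructed; the user-agent heuristics are deliberately simple and should be replaced by a baseline from your own environment.

```python
"""Flag non-browser clients talking to cloud storage and app-hosting services.

Added example; SAMPLE_LOG and WATCHED_DOMAINS are constructed and the log field
order (ts src method host path status bytes "ua") is assumed, not a real format.
"""
import re
from collections import defaultdict

# Services the article names as abused APT infrastructure (constructed list).
WATCHED_DOMAINS = {
    "drive.google.com": "Google Drive",
    "www.googleapis.com": "Google Drive API",
    "onedrive.live.com": "OneDrive",
    "graph.microsoft.com": "OneDrive/Graph",
    "content.dropboxapi.com": "Dropbox API",
    "dl.dropboxusercontent.com": "Dropbox",
    "firebaseio.com": "Firebase",
    "firebaseapp.com": "Firebase hosting",
}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
# Real browsers carry a product token; PowerShell also starts with "Mozilla/5.0",
# which is why the scripted-client check runs first.
BROWSER_RE = re.compile(r"Mozilla/5\.0 .*(Chrome|Firefox|Safari|Edg)/\d")
SCRIPTED_RE = re.compile(r"WindowsPowerShell|python-requests|curl/|Go-http-client|Wget|^\s*$", re.I)


def watched_service(host: str):
    """Return the service name if host is (a subdomain of) a watched domain."""
    host = host.lower()
    for domain, name in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def classify_agent(ua: str) -> str:
    if SCRIPTED_RE.search(ua):
        return "scripted"
    if BROWSER_RE.search(ua):
        return "browser"
    return "other"


def detect(lines):
    """Return (findings, per-source request counts) for watched services."""
    findings = []
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # unparseable line: skip, do not guess
        service = watched_service(m["host"])
        if service is None:
            continue
        counts[m["src"]][service] += 1
        kind = classify_agent(m["ua"])
        if kind != "browser":
            findings.append({
                "ts": m["ts"], "src": m["src"], "service": service,
                "host": m["host"], "method": m["method"], "client": kind, "ua": m["ua"],
            })
    return findings, counts


# Constructed log lines: two ordinary browser sessions, one host using
# PowerShell and python-requests against Firebase and Dropbox, one unrelated curl.
SAMPLE_LOG = """\
2024-10-02T09:14:03Z 10.20.4.17 GET drive.google.com /drive/my-drive 200 48213 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
2024-10-02T09:14:09Z 10.20.4.55 GET proj-a1b2.firebaseio.com /stage2.json 200 917 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4894"
2024-10-02T09:14:12Z 10.20.4.55 POST content.dropboxapi.com /2/files/upload 200 1032 "python-requests/2.32.3"
2024-10-02T09:15:40Z 10.20.4.17 GET onedrive.live.com /?id=root 200 38111 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"
2024-10-02T09:16:01Z 10.20.4.90 GET intranet.example.internal /status 200 120 "curl/8.6.0"
"""

if __name__ == "__main__":
    found, per_src = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['src']} {f['client']} client -> {f['service']} ({f['method']} {f['host']})")
    print(dict((src, dict(c)) for src, c in per_src.items()))
```

The per-source counts are there so the same pass can feed a second rule (many small requests from one host to a single service is a beaconing pattern), while the findings list is what an analyst would triage first. Official sync clients will also land in the "other" bucket until you add their user agents, which is the baseline work the quoted advice implies.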