APT Groups Get Innovative -- and More Dangerous -- in Q3

In "curious" trend, more threat actors diversified their tool sets in the third quarter than usual.

Even the most sophisticated advanced persistent threat (APT) groups tend to stick with old tactics, techniques, and procedures for as long as they work. When they need to, however, the same groups can innovate in extremely dangerous ways.

A threat campaign last quarter, in which a so-far-unknown attacker modified platform-level firmware to plant exceptionally persistent and hard-to-remove malware on victims' systems, is a case in point.


It was one of several new and sophisticated attack tactics that security vendor Kaspersky observed in the third quarter of this year as APT groups diversified their tool sets in larger numbers than usual. In a report this week, Kaspersky described the activity as "curious" and an example of how APT threat actors reinvent themselves and their tool sets even as they rely on old tools and tactics when possible.

Mark Lechtik, senior security researcher at Kaspersky, says at least two organizations were infected with the malicious firmware implant. Both were diplomatic entities based in Asia.

He describes the attack as involving the introduction of rogue logic into existing Unified Extensible Firmware Interface (UEFI) firmware. UEFI is a specification for the interface between a computer's operating system and platform firmware. UEFI has mostly replaced the traditional BIOS in modern PCs.

The UEFI modification allowed the attacker to install malware that was so persistent it could survive operating system reinstallation and even replacement of the hard drive. "Such campaigns are not very common for several reasons," Lechtik says. "Most notably, introduction of rogue logic into an existing UEFI firmware is a complicated process that typically requires finding security soft spots in the targeted platform."

To install malware on a device via the UEFI firmware, an attacker would need to find a way to write to the SPI flash chip, determine if the firmware in question enforces digital signatures, and then find a way to bypass those mechanisms, he says.

In order to execute such an attack successfully, an attacker would likely need some kind of physical access to the target device and boot it from a USB drive carrying a utility that overwrites the UEFI firmware with the malicious image. At least one other entity, the surveillance vendor Hacking Team, used the same tactic to deploy a backdoor on systems. "It is plausible that in spite of the complexity of compromising UEFI firmware, there are more cases of infection in the wild that we are yet to discover," Lechtik says.
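Whether a platform is exposed to the first of those steps, writing the SPI flash from the running OS, comes down to a handful of chipset lock bits. The following is an added example, not code from Kaspersky or from the report, that evaluates those bits the way CHIPSEC's common.bios_wp module does: the BIOS region counts as protected when BLE and SMM_BWP are both set in BIOS_CNTL, or when FLOCKDN is set and write-protected PRx ranges cover the whole region. It assumes the classic Intel PCH layout of BIOS_CNTL, HSFS and PR0-PR4, and the register values in its self-test are constructed. Reading the live values needs a tool with PCI and MMIO access (CHIPSEC or a kernel driver), which this code does not do.

```python
"""Decide whether the BIOS region of SPI flash is writable from the OS, from
the values of the Intel PCH registers the firmware is supposed to lock.

Added example. Bit positions below assume the classic Intel PCH layout
(LPC BIOS_CNTL, SPI HSFS and PR0-PR4); register values in the self-test
are constructed, not read from any real machine.
"""
from dataclasses import dataclass
from typing import List, Tuple

# BIOS_CNTL (LPC PCI config offset 0xDC)
BIOSWE = 1 << 0        # BIOS Write Enable
BLE = 1 << 1           # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5       # SMM BIOS Write Protect: writes allowed only from SMM
# HSFS (SPIBAR + 0x04)
FLOCKDN = 1 << 15      # Flash Configuration Lock-Down: PRx become read-only
# PRx: bits 12:0 base, bits 28:16 limit (both in 4 KiB units), bit 31 WPE
PR_WPE = 1 << 31


@dataclass
class SpiFlashState:
    bios_cntl: int
    hsfs: int
    protected_ranges: List[int]          # raw PR0..PR4 values
    bios_region: Tuple[int, int]         # (base, limit) of the BIOS region in flash


def decode_pr(pr: int) -> Tuple[int, int, bool]:
    """Return (base, limit, write_protect_enabled) for a raw PRx value."""
    base = (pr & 0x1FFF) << 12
    limit = (((pr >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit, bool(pr & PR_WPE)


def _fully_covered(region: Tuple[int, int], ranges: List[Tuple[int, int]]) -> bool:
    """True if the union of ranges covers [base, limit] with no gap."""
    base, limit = region
    cursor = base
    for lo, hi in sorted(ranges):
        if lo > cursor:
            break                        # gap starting at cursor
        cursor = max(cursor, hi + 1)
        if cursor > limit:
            return True
    return cursor > limit


def assess_bios_write_protection(s: SpiFlashState) -> Tuple[bool, List[str]]:
    """Return (protected, findings) in the spirit of CHIPSEC's common.bios_wp."""
    findings = []
    ble, smm_bwp, bioswe = bool(s.bios_cntl & BLE), bool(s.bios_cntl & SMM_BWP), bool(s.bios_cntl & BIOSWE)
    locked_by_bios_cntl = False
    if bioswe:
        findings.append("BIOSWE=1: BIOS region currently writable outside SMM unless SMM_BWP blocks it")
    if ble and smm_bwp:
        locked_by_bios_cntl = True
        findings.append("BLE=1 and SMM_BWP=1: flash writes restricted to SMM")
    elif ble:
        findings.append("BLE=1 but SMM_BWP=0: the BIOSWE lock can be raced from another core")
    else:
        findings.append("BLE=0: BIOSWE can be set by any kernel-mode code")

    wp_ranges = [(b, l) for b, l, wpe in map(decode_pr, s.protected_ranges) if wpe]
    locked_by_pr = False
    if wp_ranges and not (s.hsfs & FLOCKDN):
        findings.append("FLOCKDN=0: protected ranges can be cleared by software")
    elif wp_ranges and _fully_covered(s.bios_region, wp_ranges):
        locked_by_pr = True
        findings.append("FLOCKDN=1 and PRx cover the whole BIOS region")
    elif wp_ranges:
        findings.append("FLOCKDN=1 but PRx leave part of the BIOS region unprotected")
    else:
        findings.append("no PRx with WPE set")
    return locked_by_bios_cntl or locked_by_pr, findings


if __name__ == "__main__":
    # Constructed values: BIOS region in the top 3 MiB of an 8 MiB flash.
    region = (0x500000, 0x7FFFFF)
    pr_full = PR_WPE | (0x7FF << 16) | 0x500           # one PR covering the region
    for name, state in [
        ("unlocked", SpiFlashState(0, 0, [0] * 5, region)),
        ("smm locked", SpiFlashState(BLE | SMM_BWP, 0, [0] * 5, region)),
        ("pr locked", SpiFlashState(0, FLOCKDN, [pr_full, 0, 0, 0, 0], region)),
        ("pr not locked down", SpiFlashState(0, 0, [pr_full, 0, 0, 0, 0], region)),
    ]:
        print(name, assess_bios_write_protection(state))
```

A platform that reports "unlocked" here is one where the attack path Lechtik describes needs no exploit at all; a kernel driver can reflash the BIOS region directly.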

Another example of a threat actor that diversified its tool set in a unique manner last quarter was Ke3chang, an APT group believed to be based in China. Kaspersky researchers observed the threat actor using steganography to hide malware in a Windows Defender binary digitally signed with Microsoft's Authenticode code-signing technology.

Cracking the Code
"We see various sorts of steganography in use in different attacks by different APT actors," says Ariel Jungheit, senior security researcher at Kaspersky. What made this attack different was the manner in which an Authenticode-signed executable was abused, he says. "Ke3chang found a way to embed the payload without invalidating the Authenticode signature — something we haven't seen being used by a threat actor before."
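The report does not say where in the file Ke3chang's payload sits. The best-known place to hide data in a signed PE without breaking its signature is the Attribute Certificate Table itself: Authenticode's image hash deliberately skips that table (along with the checksum field and the Security data-directory entry) so the signature can be written into the file after hashing, which means bytes appended inside a WIN_CERTIFICATE entry after the PKCS#7 blob are not covered by the hash. The following added example, not from the page or from Kaspersky, measures that slack. It parses the headers with struct only, does not validate the signature, and does not look inside the PKCS#7 structure (unauthenticated attributes there can also carry data); the PE images its self-test builds are constructed, not real Microsoft binaries.

```python
"""Flag unhashed slack space inside a PE file's Authenticode certificate table.

Added example. The Authenticode image hash excludes the Attribute Certificate
Table, so data placed in a WIN_CERTIFICATE entry after the DER-encoded PKCS#7
SignedData does not invalidate the signature. This code measures how much of
each entry is not accounted for by that PKCS#7 SEQUENCE. It does not verify
signatures. build_test_pe() produces constructed, non-executable test images.
"""
import struct
from typing import Dict, List, Tuple

SECURITY_DIR_INDEX = 4
WIN_CERT_HDR = struct.Struct("<IHH")      # dwLength, wRevision, wCertificateType


def _align8(n: int) -> int:
    return (n + 7) & ~7


def security_directory(pe: bytes) -> Tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0) if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                        # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                             # PE32
        dirs = opt + 96
    elif magic == 0x20B:                           # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return 0, 0
    # Unlike the other directories, the security entry holds a file offset, not an RVA.
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)


def der_sequence_length(buf: bytes) -> int:
    """Total encoded size (tag + length + content) of the DER SEQUENCE at buf[0]."""
    if not buf or buf[0] != 0x30:
        raise ValueError("PKCS#7 SignedData must begin with a SEQUENCE")
    first = buf[1]
    if first < 0x80:                               # short form
        return 2 + first
    n = first & 0x7F                               # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def certificate_slack(pe: bytes) -> List[Dict[str, int]]:
    """One record per WIN_CERTIFICATE entry; 'excess' bytes are outside the hashed image."""
    off, size = security_directory(pe)
    records = []
    pos, end = off, off + size
    while off and pos + WIN_CERT_HDR.size <= end:
        dw_length, revision, cert_type = WIN_CERT_HDR.unpack_from(pe, pos)
        if dw_length < WIN_CERT_HDR.size:
            break
        body = pe[pos + WIN_CERT_HDR.size: pos + dw_length]
        der_len = der_sequence_length(body)
        # Entries are padded to 8 bytes, so up to 7 trailing bytes are legitimate.
        allowed = _align8(WIN_CERT_HDR.size + der_len) - WIN_CERT_HDR.size - der_len
        records.append({
            "offset": pos, "type": cert_type, "revision": revision,
            "declared": len(body), "pkcs7": der_len,
            "excess": max(0, len(body) - der_len - allowed),
        })
        pos += _align8(dw_length)
    return records


def has_hidden_payload_space(pe: bytes, threshold: int = 0) -> bool:
    return any(r["excess"] > threshold for r in certificate_slack(pe))


def build_test_pe(pkcs7: bytes, appended: bytes = b"") -> bytes:
    """Constructed, non-executable PE32 image with a single WIN_CERTIFICATE entry."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    headers_end = 64 + 4 + 20 + 0xE0               # 312, already 8-aligned
    entry_len = _align8(WIN_CERT_HDR.size + len(pkcs7) + len(appended))
    dirs = [(0, 0)] * 16
    dirs[SECURITY_DIR_INDEX] = (headers_end, entry_len)
    opt = struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    cert = WIN_CERT_HDR.pack(entry_len, 0x0200, 0x0002) + pkcs7 + appended
    cert += bytes(entry_len - len(cert))           # zero padding to 8 bytes
    return bytes(dos) + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    fake_pkcs7 = b"\x30\x82\x01\x00" + b"\xAA" * 256   # constructed SEQUENCE, 256-byte body
    print(certificate_slack(build_test_pe(fake_pkcs7)))
    print(certificate_slack(build_test_pe(fake_pkcs7, appended=b"\x90" * 4096)))
```

Run against a real signed binary, a non-zero "excess" on a Microsoft-signed file is worth pulling out with a hex dump; a few kilobytes or more of non-zero data there is not something a legitimate signing pipeline produces. The check is structural only: a file that passes it can still carry data inside the PKCS#7 blob, and a file that fails it still has a valid signature as far as signtool is concerned.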

More generally, APT groups targeted more platforms, developed new infection chains and leveraged legitimate services as part of their attack infrastructure, Kaspersky said in its report. As an example of the expanded use of legitimate services in attacks, Jungheit points to threat actors using Google Drive, OneDrive, Dropbox, and web application development platforms such as Firebase to geofence attacks.

Kaspersky also observed threat actors increasingly using lesser-known programming languages to develop their malware. "We've seen APT actors make use of tools and malware written in Go as well as Python scripts in their attacks," he says.

For organizations, the main takeaway from last quarter's APT activity is that they need to look for malicious activity in new and seemingly legitimate environments. "While in the past it was easier to allow access and perhaps not monitor communications with popular cloud services, it's now less advised to do so," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Francisco Donoso, 11/5/2020 | 4:17:44 PM
Curious to understand the ROI of UEFI exploits
Reading the Kaspersky report was interesting to me because I'm always curious what the return on investment would be for finding, understanding, and weaponizing vulnerabilities in things like UEFI. The value is obviously high (having some sort of persistent access to a system, even after a hard drive replacement or OS wipe) but how many organizations have security teams with the capabilities to even detect truly motivated and sophisticated attackers that can spend this amount of time, money, and effort?

Perhaps making sure their existing implant tooling is less detectable is a better use of time. Something like what the Equation Group's DanderSpritz platform did as an example.
