
Attacks/Breaches

11/3/2020 06:25 PM

APT Groups Get Innovative -- and More Dangerous -- in Q3

In "curious" trend, more threat actors diversified their tool sets in the third quarter than usual.

Even the most sophisticated advanced persistent threat (APT) groups tend to stick with old tactics, techniques, and procedures as long as they work. However, whenever needed, these groups can innovate in extremely dangerous ways.

A threat campaign last quarter — in which a so-far-unknown attacker modified platform-level firmware to plant exceptionally persistent and hard-to-remove malware on an organization's system — is a case in point.


It was one of several new and sophisticated attack tactics that security vendor Kaspersky observed in the third quarter of this year as APT groups diversified their tool sets in larger numbers than usual. In a report this week, Kaspersky described the activity as "curious" and an example of how APT threat actors reinvent themselves and their tool sets even as they rely on old tools and tactics when possible.

Mark Lechtik, senior security researcher at Kaspersky, says at least two organizations were infected with the malicious firmware implant. Both were diplomatic entities based in Asia.

He describes the attack as involving the introduction of rogue logic into existing Unified Extensible Firmware Interface (UEFI) firmware. UEFI is a specification for the interface between a computer's operating system and platform firmware. UEFI has mostly replaced the traditional BIOS in modern PCs.

The UEFI modification allowed the attacker to install malware that was so persistent it could survive operating system reinstallation and even replacement of the hard drive. "Such campaigns are not very common for several reasons," Lechtik says. "Most notably, introduction of rogue logic into an existing UEFI firmware is a complicated process that typically requires finding security soft spots in the targeted platform."

To install malware on a device via the UEFI firmware, an attacker would need to find a way to write to the SPI flash chip, determine if the firmware in question enforces digital signatures, and then find a way to bypass those mechanisms, he says.

In order to execute such an attack successfully, an attacker would likely need some kind of physical access to the target device and would have to get it to boot from a USB drive carrying a utility that can overwrite the UEFI firmware with malicious code. At least one other entity, the surveillance company Hacking Team, used the same tactic to deploy a backdoor on systems. "It is plausible that in spite of the complexity of compromising UEFI firmware, there are more cases of infection in the wild that we are yet to discover," Lechtik says.

Another example of a threat actor that diversified its tool set in a unique manner last quarter was Ke3chang, an APT group believed to be based in China. Kaspersky researchers observed the threat actor using steganography to hide malware in a Windows Defender binary digitally signed with Microsoft's Authenticode code-signing technology.

Cracking the Code
"We see various sorts of steganography in use in different attacks by different APT actors," says Ariel Jungheit, senior security researcher at Kaspersky. What made this attack different was the manner in which an Authenticode-signed executable was abused, he says. "Ke3chang found a way to embed the payload without invalidating the Authenticode signature — something we haven't seen being used by a threat actor before."
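As an added example (not code from the article or from Kaspersky), the check below assumes one well-known route to this outcome, which the article does not itself spell out: the Authenticode hash covers the PE image but excludes the Attribute Certificate Table, so bytes appended inside that table after the PKCS#7 SignedData leave the signature intact. The parser (function names are mine) reports how many such slack bytes a PE carries; anything beyond the 8-byte alignment padding is worth a closer look, and the sample PE it runs on is constructed inline.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Attribute Certificate Table)


def der_total_length(buf, off):
    """Total encoded size (tag + length + content) of the DER SEQUENCE at buf[off]."""
    if buf[off] != 0x30:  # PKCS#7 SignedData is always a SEQUENCE
        raise ValueError("certificate blob is not a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")


def cert_table_slack(pe):
    """Return (cert_table_size, pkcs7_size, slack) for a PE's Authenticode entry.
    The hash skips the whole table, so slack after SignedData never breaks the signature."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (0x70 if magic == 0x20B else 0x60)  # data directories: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dd_off + 8 * SECURITY_DIR_INDEX)
    if sec_size == 0:
        return (0, 0, 0)  # unsigned image: nothing to inspect
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)
    if cert_type != 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % cert_type)
    pkcs7 = der_total_length(pe, sec_off + 8)  # blob starts after the 8-byte WIN_CERTIFICATE header
    return (dw_length, pkcs7, dw_length - 8 - pkcs7)


def build_sample_pe(extra=b""):
    """Constructed test input: a minimal PE32+ skeleton whose certificate table holds a
    fake 304-byte SignedData followed by `extra` bytes (stand-in for a hidden payload)."""
    signed_data = b"\x30\x82\x01\x2C" + b"\x00" * 300  # SEQUENCE, long-form length 300
    blob = signed_data + extra
    blob += b"\x00" * (-len(blob) % 8)  # WIN_CERTIFICATE entries are 8-byte aligned
    cert_table = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = struct.pack("<H", 0x20B) + b"\x00" * 110  # PE32+ header up to the data directories
    dirs = bytearray(16 * 8)
    cert_off = len(dos) + len(coff) + len(opt) + len(dirs)  # table sits right after the headers
    struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, cert_off, len(cert_table))
    return dos + coff + opt + bytes(dirs) + cert_table
```

On a real binary, pass the file's bytes to `cert_table_slack`; a slack value of 8 or more means the certificate table holds data that the signature verifier never hashed.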

More generally, APT groups targeted more platforms, developed new infection chains and leveraged legitimate services as part of their attack infrastructure, Kaspersky said in its report. As an example of the expanded use of legitimate services in attacks, Jungheit points to threat actors using Google Drive, OneDrive, Dropbox, and web application development platforms such as Firebase to geofence attacks.

Kaspersky also observed threat actors increasingly using lesser-known programming languages to develop their malware. "We've seen APT actors make use of tools and malware written in Go as well as Python scripts in their attacks," he says.

For organizations, the main takeaway from the APT activity last quarter is that they need to pay attention to finding malicious activity in new, and often legitimate, environments. "While in the past it was easier to allow access and perhaps not monitor communications with popular cloud services, it's now less advised to do so."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
Francisco Donoso, User Rank: Author, 11/5/2020 | 4:17:44 PM
Curious to understand the ROI of UEFI exploits
Reading the Kaspersky report was interesting to me because I'm always curious what the return on investment would be for finding, understanding, and weaponizing vulnerabilities in things like UEFI. The value is obviously high (having some sort of persistent access to a system, even after a hard drive replacement or OS wipe), but how many organizations have security teams with the capabilities to even detect truly motivated and sophisticated attackers that can spend this amount of time, money, and effort?

Perhaps making sure their existing implant tooling is less detectable is a better use of time. Something like what the Equation Group's DanderSpritz platform did as an example.
