Dark Reading is part of the Informa Tech Division of Informa PLC


APT Groups Get Innovative -- and More Dangerous -- in Q3

In "curious" trend, more threat actors diversified their tool sets in the third quarter than usual.

Even the most sophisticated advanced persistent threat (APT) groups tend to stick with old tactics, techniques, and procedures as long as they work. However, whenever needed, the groups can innovate in extremely dangerous ways.

A threat campaign last quarter — in which a so-far-unknown attacker modified platform-level firmware to plant exceptionally persistent and hard-to-remove malware on an organization's system — is a case in point.


It was one of several new and sophisticated attack tactics that security vendor Kaspersky observed in the third quarter of this year as APT groups diversified their tool sets in larger numbers than usual. In a report this week, Kaspersky described the activity as "curious" and an example of how APT threat actors reinvent themselves and their tool sets even as they rely on old tools and tactics when possible.

Mark Lechtik, senior security researcher at Kaspersky, says at least two organizations were infected with the malicious firmware implant. Both were diplomatic entities based in Asia.

He describes the attack as involving the introduction of rogue logic into existing Unified Extensible Firmware Interface (UEFI) firmware. UEFI is a specification for the interface between a computer's operating system and platform firmware. UEFI has mostly replaced the traditional BIOS in modern PCs.

The UEFI modification allowed the attacker to install malware that was so persistent it could survive operating system reinstallation and even replacement of the hard drive. "Such campaigns are not very common for several reasons," Lechtik says. "Most notably, introduction of rogue logic into an existing UEFI firmware is a complicated process that typically requires finding security soft spots in the targeted platform."

To install malware on a device via the UEFI firmware, an attacker would need to find a way to write to the SPI flash chip, determine if the firmware in question enforces digital signatures, and then find a way to bypass those mechanisms, he says.

In order to execute such an attack successfully, an attacker would likely need some kind of physical access to the target device and get it to boot from a USB drive carrying a utility that can overwrite the UEFI firmware with malicious code. At least one other entity, the surveillance company Hacking Team, used the same tactic to deploy a backdoor on systems. "It is plausible that in spite of the complexity of compromising UEFI firmware, there are more cases of infection in the wild that we are yet to discover," Lechtik says.

Another example of a threat actor that diversified its tool set in a unique manner last quarter was Ke3chang, an APT group believed to be based in China. Kaspersky researchers observed the threat actor using steganography to hide malware in a Windows Defender binary digitally signed with Microsoft's Authenticode code-signing technology.

Cracking the Code
"We see various sorts of steganography in use in different attacks by different APT actors," says Ariel Jungheit, senior security researcher at Kaspersky. What made this attack different was the manner in which an Authenticode-signed executable was abused, he says. "Ke3chang found a way to embed the payload without invalidating the Authenticode signature — something we haven't seen being used by a threat actor before."
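The article does not say how the payload was embedded. One property of Authenticode that a defender can check for is that the signature hash excludes the certificate table, so a signed PE can carry bytes there that belong to no PKCS#7 structure without breaking signature verification. The Python below is an added example, not Kaspersky's or the article's code: it walks the WIN_CERTIFICATE entries of a PE and measures such unhashed slack, using a constructed minimal PE32+ fixture (not a real binary) as input.

```python
import struct

def der_length(blob: bytes) -> int:
    """Encoded size (tag + length + content) of the outer DER SEQUENCE at the start of blob, or 0."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def unhashed_slack(pe: bytes) -> dict:
    """Count bytes inside the Authenticode certificate table that belong to no PKCS#7 blob.
    The Authenticode hash skips this table, so a non-zero result on a signed binary deserves a look."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)          # data directories start: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    end = min(sec_off + sec_size, len(pe))
    pos, entries, cert_slack = sec_off, 0, 0
    while pos + 8 <= end:                                 # walk WIN_CERTIFICATE entries
        length, _rev, _ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            break
        cert_slack += (length - 8) - der_length(pe[pos + 8:pos + length])
        entries += 1
        pos += (length + 7) & ~7                          # entries are 8-byte aligned
    return {"entries": entries, "certificate_slack": cert_slack, "directory_slack": end - pos}

def build_fixture(extra: bytes) -> bytes:
    """Constructed minimal PE32+ image holding only a security directory; `extra` is appended beside the blob."""
    der = b"\x30\x10" + b"\xAA" * 16                      # stand-in for the PKCS#7 SignedData blob
    length = 8 + len(der) + len(extra)
    table = struct.pack("<IHH", length, 0x0200, 0x0002) + der + extra
    table += b"\0" * (-len(table) % 8)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, e_lfanew + 24 + 240, len(table))
    return dos + coff + bytes(opt) + table
```

Run `unhashed_slack(build_fixture(b"X" * 16))` to see 16 bytes of slack reported, against 0 for `build_fixture(b"")`; on real files the same check can be run over a directory of signed binaries and triaged by slack size.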

More generally, APT groups targeted more platforms, developed new infection chains and leveraged legitimate services as part of their attack infrastructure, Kaspersky said in its report. As an example of the expanded use of legitimate services in attacks, Jungheit points to threat actors using Google Drive, OneDrive, Dropbox, and web application development platforms such as Firebase to geofence attacks.

Kaspersky also observed threat actors increasingly using lesser-known programming languages to develop their malware. "We've seen APT actors make use of tools and malware written in Go as well as Python scripts in their attacks," he says.

For organizations, the main takeaway from the APT activity last quarter is that they need to pay attention to finding malicious activity in new and likely legitimate environments. "While in the past it was easier to allow access and perhaps not monitor communications with popular cloud services, it's now less advised to do so."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Francisco Donoso,
User Rank: Author
11/5/2020 | 4:17:44 PM
Curious to understand the ROI of UEFI exploits
Reading the Kaspersky report was interesting to me because I'm always curious what the return on investment would be for finding, understanding, and weaponizing vulnerabilities in things like UEFI. The value is obviously high (having some sort of persistent access to a system, even after a hard drive replacement or OS wipe) but how many organizations have security teams with the capabilities to even detect truly motivated and sophisticated attackers that can spend this amount of time, money, and effort?

Perhaps making sure their existing implant tooling is less detectable is a better use of time. Something like what the Equation Group's DanderSpritz platform did as an example.
