Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/27/2019
04:45 PM
Robert Lemos
Robert Lemos
News
50%
50%

Persistent Attackers Rarely Use Bespoke Malware

Study of the Bronze Union group-also known as APT27 or Emissary Panda-underscores how most advanced persistent threat (APT) groups now use administrative tools or slight variants of well-known tools.

State-sponsored attackers continued to be extremely active in 2018 with major groups from at least a dozen countries involved in operations targeting government, business, and civilian targets throughout the year, according to analyses by two security firms.

While advanced persistent threat (APT) groups have, in the past, often used custom frameworks to help compromise systems and exfiltrate data, current groups are just as likely to use open-source malware and legitimate administration tools as a way to avoid detection and attribution. In a report released this week, managed security service provider Secureworks highlighted one group—Bronze Union (aka APT27 and Emissary Panda)—as a good example of these tactics becoming more common among APT groups. 

The group typically uses two open-source malware frameworks: ZxShell, a remote access trojan (RAT) released to the public in 2007, and Gh0st RAT, another popular framework used by criminal groups as well as espionage groups. The quality of readily-available malware is high enough that nation-state groups have no problem incorporating it into their toolset, says Matt Webster, senior security researcher with Secureworks.

"There are other circumstances where the group may pull out the more advanced tools, but there are other situations where they are making decisions based on the environment they are in, so they often use tools that are less sophisticated," he says. 

Bronze Union, which is likely based in China, has focused on attacking defense-technology firms and their suppliers, as well as civilian groups that have a role in politics, Secureworks stated in its analysis. 

"The past couple of years have really solidified that they have two broad camps of intent," Webster says. "One side seems to be more technology-focused, aiming toward defense technologies and their supply chains, and the secondary camp is more toward targeting organizations that would hold data that are relevant to civilians and civilian groups."

The analysis of the Bronze Union APT group comes as other security firms companies continue to see widespread activity by state-sponsored intelligence groups. Cybersecurity services firm CrowdStrike tracks 81 named state-sponsored actors, with at least 28 conducting active operations in 2018, according to the company's 2019 Global Threat Report.

China accounted for more than a quarter of all sophisticated attacks attributed by CrowdStrike to nation-states, while North Korea (DPRK), Iran, and Russia rounded out the top four actors, accounting for a total of 75% of attributed attacks.

"The activities … have been assessed as likely state-sponsored operations supporting intelligence collection, military requirements and—in the case of certain DPRK operations—currency generation," the firm stated in the report.

Secureworks tracks more than 100 different groups, many likely connected to nation-state actors. 

Commodity malware is not just used by nation-state attackers, of course. Opportunistic attackers often use commodity remote access trojans (RATs) and other software to gain access to vulnerable networks and then sell that access to other groups, such as state-sponsored attackers, according to CrowdStrike.

"You can't let your guard down — access gained with commodity malware is increasingly sold to other bad actors, who then use it to deploy ransomware, steal intellectual property, or engage in cryptomining, fraud and extortion,"  CrowdStrike said in its 2018 Cyber Intrusion Services Casebook. "An organization’s susceptibility to commodity malware is also an indicator of the effectiveness of their entire security strategy."

P for Persistent

Secureworks found that Bronze Union occasionally did use a custom solution, usually to help the group maintain a presence inside a compromised network. While such tools are less likely to be detected by security products that focus on known malicious tools, the attackers appear to only use them when such a capability is truly needed, the company said.

For example, Secureworks found that for specific targets, the Bronze Union group would come back every few months to reestablish contact, Webster says.

"They will take time, effort, and resources, and expose themselves to some level of risk on a certain cadence, usually about three months," he says. "The challenge with many organizations with this group is how do you detect the group when they have access to accounts? How do you spot that needle in the haystack?"

Often such tactics make the attackers and their tools much harder to detect. Groups that use compromised account credentials and then "live off the land" by using administration tools already present on the network to compromise other systems are extremely hard to detect. 

For that reason, companies need to make sure that they have a baseline of activity and can see anomalous activity, says Webster.

"It doesn't really matter what tool they are going to use," he says. "From our point of view, it is about getting visibility of your endpoints and your systems."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/28/2019 | 7:39:01 AM
Interesting article
No surprise that actors would use generally available tools and software for attacks instead of self-creation.  Saves enormous time and guarantees a better infiltration point.  Nation-state have resources far beyond the stand-alone in the garage hacker too.  Hey, anything is possible with an endless human work chain.  And the more file-less it can be, the better.  Use a existing windows process and you are guaranteed a mask of some proportion.  So warnings here for all to read and listen.  They are are not coming - they ARE here and getting better at hiding all of the time
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.