Q2 APT Trends: Zero Days Come to Life

Monday, August 14, 2017 @ 02:08 PM gHale


Advanced persistent threat (APT) attackers leveraged Zero Days and adopted new exploits during the second quarter this year, researchers said in a new report.

Sofacy and Turla attackers used Zero Day exploits targeting Microsoft’s Office and Windows products, according to Kaspersky Lab’s APT Trends report Q2 2017.


The BlackOasis group, too, was associated with a Zero Day that was adopted by OilRig, while the Lazarus sub-group BlueNoroff adopted the National Security Agency-associated EternalBlue exploit, according to the report.

In March and April, researchers discovered three Zero Days the Sofacy and Turla Russian-speaking attackers had been using in live attacks.

Sofacy leveraged two vulnerabilities targeting Microsoft Office’s Encapsulated PostScript and a Microsoft Windows Local Privilege Escalation, while Turla targeted a different Office Encapsulated PostScript bug.

Sofacy was also experimenting with two new macro techniques, one leveraging the built-in ‘certutil’ utility in Microsoft Windows to extract a hardcoded payload within a macro, while the other was based on embedding Base64-encoded payloads within the EXIF metadata of malicious documents.
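Both macro tricks leave artifacts a defender can look for: a certutil process started with a decode switch, and an image metadata field holding a long Base64 string that decodes to an executable. The following script is an added example, not code from the report or from any of the groups it describes; the log format, the certutil switch watch-list and the EXIF values are all constructed for illustration.

```python
import base64
import re

# Constructed process-creation records in an assumed "pid|image|command line" format
# (not real telemetry); the first mirrors the certutil -decode trick described above.
PROCESS_LOG = [
    "4120|C:\\Windows\\System32\\certutil.exe|certutil -decode C:\\Temp\\p.txt C:\\Temp\\p.exe",
    "4131|C:\\Windows\\System32\\certutil.exe|certutil -store My",
    "4140|C:\\Windows\\System32\\notepad.exe|notepad report.docx",
]

# certutil switches that turn the tool into a decoder or downloader (assumed watch-list).
CERTUTIL_WATCH = {"-decode", "-decodehex", "-urlcache"}

def suspicious_certutil(lines):
    """Return (pid, command line) for certutil runs that use a decode/download switch."""
    hits = []
    for line in lines:
        pid, image, cmd = line.split("|", 2)
        if not image.lower().endswith("certutil.exe"):
            continue
        flags = {tok.lower() for tok in cmd.split() if tok.startswith("-")}
        if flags & CERTUTIL_WATCH:
            hits.append((int(pid), cmd))
    return hits

# Constructed EXIF fields: a normal camera tag, a harmless long blob, and a Base64 PE image.
SAMPLE_EXIF = {
    "Make": "Canon",
    "ImageDescription": base64.b64encode(b"\xff\xd8" + b"\x00" * 80).decode(),
    "UserComment": base64.b64encode(b"MZ" + b"\x90" * 100).decode(),
}

B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")

def embedded_payloads(exif_fields):
    """Return EXIF tags whose value is a long Base64 blob decoding to a PE (MZ) header."""
    flagged = []
    for tag, value in exif_fields.items():
        text = value.strip()
        if not B64_RE.match(text):
            continue
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"MZ"):
            flagged.append(tag)
    return flagged
```

In practice the EXIF dictionary would come from a metadata reader run over attachments, and the process records from endpoint telemetry; the two checks are independent and can be wired into whichever pipeline sees that data.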

Turla used fake Adobe Flash installers for malware delivery, researchers said.

In June, the BlackEnergy Russian-speaking attacker launched NotPetya, which targeted organizations relying on the MEDoc software. Other than its main focus, which was Ukraine, the attack travelled through 65 countries worldwide, including Belgium, Brazil, France, Germany, India, Russia, and the United States.

The second quarter of the year also brought to the spotlight the activity of a cyber-espionage group called Longhorn, the researchers said. The group had been tracked by Kaspersky since 2014. The firm discovered at least three families of tools associated with the actor, and calls them Gray Lambert, Red Lambert, and Brown Lambert.

The malware can “orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert’s victimology is primarily focused on strategic verticals in Asia and Middle East,” Kaspersky said.

The global malware attack that caught the industry’s eye in May was WannaCry, and security researchers eventually linked the attack to the North Korea-tied Lazarus group.

WannaCry leveraged the EternalBlue exploit that ShadowBrokers made public in April (after Microsoft patched it in March) and which was supposedly stolen from the NSA-linked Equation group. WannaCry was accidentally stopped by a British researcher currently under arrest in the U.S. for his alleged involvement in the development and distribution of the Kronos banking Trojan.

Kaspersky listed six trends it sees coming in the third quarter:
1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European-based actors.
2. ‘Lawful Surveillance’ tools will continue to be utilized by governments that don’t have well-established cyber operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new Zero Day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.
3. Destructive malware disguised as ransomware will continue to be a problem. In the last quarter, we’ve seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.
4. In China, the past months have been marked by the dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean/Japanese/American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and according to multiple public predictions, it is likely that some major changes will happen in the leadership. It’s possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.
5. Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward given their control on oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting as they have in years past.
6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.


