
The most prominent cyber threats of 2021 according to Kaspersky


International. Kaspersky's Global Research and Analysis Team has shared its annual review of the most interesting trends and developments of the past 12 months.

Private sector providers play an important role in the threat landscape
Arguably the most important story of 2021, an investigation by The Guardian and 16 other media organisations, published in July, suggested that more than 30,000 human rights activists, journalists and lawyers around the world may have been targeted with Pegasus.

The report, called the Pegasus Project, alleged that the software uses a variety of exploits, including several zero-click iOS zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly abused for surveillance. The target list includes 14 world leaders. Later that month, representatives of the Israeli government visited NSO Group's offices as part of an investigation into the allegations. In October, India's Supreme Court tasked a technical committee with investigating whether the government had used Pegasus to spy on its citizens. And in November, Apple announced it would take legal action against NSO Group for developing software that targets its users with "malicious malware and spyware."

Detecting traces of Pegasus infection and other advanced mobile malware is greatly complicated by the security features of modern operating systems such as iOS and Android. According to our observations, this is further complicated by non-persistent malware, which leaves almost no traces after a reboot. Many forensic frameworks require a jailbroken device, and jailbreaking involves a reboot, so the malware is removed from memory before it can be examined. Currently, various methods can be used to detect Pegasus and other mobile malware. Amnesty International's MVT (Mobile Verification Toolkit) is free and open source and allows technologists and researchers to inspect mobile phones for signs of infection. MVT is backed by a list of IoCs (indicators of compromise) collected from high-profile cases and made available by Amnesty International.
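The IoC-based check described above, as an added example that is not part of the article and not MVT's own code: it parses the single-comparison STIX 2 pattern form that Amnesty's published indicator files use (for example `[domain-name:value = '...']` and `[process:name = '...']`) and matches it against host records such as DNS lookups and running process names. The indicator values and host records below are constructed samples, not real Pegasus IoCs; the "subdomain of an indicator domain" rule and the rejection of compound patterns are design choices of this example.

```python
"""Match host records against simple STIX 2 indicator patterns.

Added illustration, not code from the article or from MVT. It assumes
the single-comparison pattern form "[type:property = 'value']" and
constructed sample indicators and host records.
"""
import re
from dataclasses import dataclass

# Accepts exactly one comparison, e.g. "[domain-name:value = 'x']".
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]$")


@dataclass(frozen=True)
class Indicator:
    stix_type: str   # e.g. "domain-name", "process"
    prop: str        # e.g. "value", "name"
    value: str       # normalised to lower case


def parse_pattern(pattern: str) -> Indicator:
    """Parse a single-comparison STIX pattern; reject anything more complex."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern!r}")
    stix_type, prop, value = m.groups()
    return Indicator(stix_type, prop, value.lower())


def domain_matches(observed: str, ioc: str) -> bool:
    """True if observed equals the IoC domain or is a subdomain of it.

    The leading dot prevents "notioc-example.invalid" from matching the
    indicator "ioc-example.invalid" on a bare suffix comparison.
    """
    observed = observed.lower().rstrip(".")
    return observed == ioc or observed.endswith("." + ioc)


def match_records(indicators, records):
    """Return (record, indicator) pairs for every hit.

    Each record is a dict with "kind" ("domain" or "process") and "value".
    """
    hits = []
    for rec in records:
        for ioc in indicators:
            if rec["kind"] == "domain" and ioc.stix_type == "domain-name":
                if domain_matches(rec["value"], ioc.value):
                    hits.append((rec, ioc))
            elif rec["kind"] == "process" and ioc.stix_type == "process":
                if rec["value"].lower() == ioc.value:
                    hits.append((rec, ioc))
    return hits


# Constructed sample indicators (hypothetical values, not real IoCs).
SAMPLE_INDICATORS = [parse_pattern(p) for p in [
    "[domain-name:value = 'ioc-example.invalid']",
    "[process:name = 'suspicious-daemon']",
]]

# Constructed host records, as a DNS log and a process list might yield.
SAMPLE_RECORDS = [
    {"kind": "domain", "value": "cdn.ioc-example.invalid", "source": "dns"},
    {"kind": "domain", "value": "notioc-example.invalid", "source": "dns"},
    {"kind": "process", "value": "Suspicious-Daemon", "source": "ps"},
    {"kind": "process", "value": "launchd", "source": "ps"},
]


def scan_sample():
    """Run the matcher over the constructed records; returns the hit list."""
    return match_records(SAMPLE_INDICATORS, SAMPLE_RECORDS)


if __name__ == "__main__":
    for rec, ioc in scan_sample():
        print(f"HIT {rec['source']}: {rec['value']} matched "
              f"{ioc.stix_type}:{ioc.prop}={ioc.value}")
```

Only the subdomain of the indicator domain and the case-insensitive process name are reported; the look-alike domain that merely ends in the indicator string is not, which is the false positive a naive suffix check would produce.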


Supply chain attacks
There have been a number of high-profile supply chain attacks over the past 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply chain attack. The company's Orion IT product, a solution for monitoring and managing customers' IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor called Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government agencies, in North America, Europe, the Middle East and Asia.

Not all supply chain attacks have been so sophisticated. Earlier this year, an APT group we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in many other incidents: these included server-side attacks on WebSphere and WebLogic services in Hong Kong, and trojanized Flash Player installers on the client side.

While investigating the artifacts of a supply chain attack on the website of an Asian government certification authority, we discovered a trojanized package dating back to June 2020. Pulling on that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using the PhantomNet malware, which in turn was delivered using the aforementioned trojanized packages. Our analysis of these plugins revealed similarities to the previously analyzed CoughingDown malware.

In April 2021, Codecov, a provider of code coverage solutions, publicly revealed that its Bash Uploader script had been compromised and that the altered version was distributed to users between January 31 and April 1. The Bash Uploader script, which Codecov distributes publicly, gathers information about the user's execution environment, collects code coverage reports and sends the results to Codecov's infrastructure. Compromising this script effectively constitutes a supply chain attack.
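The integrity check a CI pipeline would want in front of a publicly distributed script such as the one described above, as an added example that is neither Codecov's tooling nor the article's: the script is hashed with SHA-256 and compared against a pinned digest before the interpreter is ever invoked, and a tampered copy is refused. The script body, its tampered variant and the pinned digest are all constructed here so the block runs offline; in practice the digest comes from a trusted out-of-band source (for example a published checksum file whose signature has been verified), and the same pattern applies to any fetched installer or uploader script, not only the one in the text.

```python
"""Verify a downloaded script against a pinned SHA-256 before running it.

Added illustration, not Codecov's own tooling or code from the article.
The sample script, the tampered copy and the pinned digest are constructed
inside demo(); the digest would normally be obtained out-of-band.
"""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Raised when a script's digest does not match the pinned value."""


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_script(path: Path, pinned_sha256: str) -> bool:
    """Constant-time comparison of the actual digest against the pinned one."""
    return hmac.compare_digest(sha256_of(path), pinned_sha256.lower())


def run_verified(path: Path, pinned_sha256: str, interpreter=("sh",)) -> str:
    """Execute the script only if its digest matches; raise otherwise."""
    if not verify_script(path, pinned_sha256):
        raise IntegrityError(f"{path}: SHA-256 mismatch; refusing to execute")
    proc = subprocess.run([*interpreter, str(path)],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample: a harmless stand-in "uploader" and a tampered copy
# with one injected line, mimicking an altered distribution.
GOOD_SCRIPT = "#!/bin/sh\necho 'uploading coverage report'\n"
TAMPERED_SCRIPT = GOOD_SCRIPT + "echo 'would exfiltrate env here'  # injected\n"


def demo() -> dict:
    """Write both scripts to a temp dir and exercise the check on each."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "uploader.sh"
        bad = Path(d) / "uploader_tampered.sh"
        good.write_text(GOOD_SCRIPT)
        bad.write_text(TAMPERED_SCRIPT)
        # In a real pipeline this value is pinned from a trusted source, not
        # computed from the file being checked; here it stands in for that.
        pinned = sha256_of(good)
        results = {
            "good_ok": verify_script(good, pinned),
            "tampered_ok": verify_script(bad, pinned),
        }
        try:
            run_verified(bad, pinned)
            results["tampered_ran"] = True
        except IntegrityError:
            results["tampered_ran"] = False
        results["good_output"] = run_verified(good, pinned).strip()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `hmac.compare_digest` is to avoid timing differences in the comparison; the point of hashing before invoking the interpreter is that the decision to run is made on the bytes that will actually execute, not on a URL or a version string.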

Earlier this year, we discovered Lazarus group campaigns using an updated DeathNote cluster. Our investigation revealed indications that Lazarus is building supply chain attack capabilities. In one case, the infection chain originated from legitimate South Korean security software that executed a malicious payload; in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader called Racket, signed with a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully compromised victim machines.

Exploitation of vulnerabilities
On March 2, Microsoft reported on a new APT actor called HAFNIUM, which exploits four zero-day vulnerabilities in Exchange Server in what it called "limited, targeted attacks." At the time, Microsoft stated that in addition to HAFNIUM, several other actors were also exploiting them. In parallel, Volexity also reported that the same Exchange zero-days were in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared between various actors beyond the one Microsoft designates as HAFNIUM. Kaspersky's telemetry revealed an increase in attempts to exploit these vulnerabilities following public disclosure and Microsoft's patch. During the first week of March, we identified approximately 1,400 unique servers that had been attacked, on which one or more of these vulnerabilities were used to gain initial access. According to our telemetry, most exploitation attempts were observed against servers in Europe and the United States.

We also discovered a campaign active since mid-March targeting government entities in Europe and Asia using the same Exchange zero-day exploits. This campaign used a previously unknown malware family that we call FourteenHi. Further investigation revealed traces of activity related to variants of this malware dating back a year. We also found some overlaps between these activity sets and HAFNIUM in terms of infrastructure and TTPs, as well as the use of ShadowPad malware during the same period.


On January 25, Google's Threat Analysis Group (TAG) announced that a state-sponsored threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers via social media, and either delivered a compromised Visual Studio project file or lured them to its blog, where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor created in mid-March.

From April 14 to 15, Kaspersky technologies detected a wave of highly targeted attacks against several companies. Further analysis revealed that all of these attacks exploited a chain of zero-day exploits for Google Chrome and Microsoft Windows. While we were unable to recover the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and gain system privileges. The EoP exploit was adjusted to work against the latest and most widely deployed Windows 10 builds (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and exploited two distinct vulnerabilities in the kernel of the Microsoft Windows operating system.

We reported these vulnerabilities to Microsoft, which assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as part of June's Patch Tuesday. The exploit chain attempts to install malware on the system via a dropper.

Finally, later this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. On further analysis, it turned out to be a use-after-free vulnerability in Win32k.sys, which we reported to Microsoft and which was consequently fixed as CVE-2021-40449. We analyzed the associated malware, named the associated cluster MysterySnail, and found infrastructure overlaps linking it to the IronHusky APT.

Firmware vulnerabilities
In September, we provided an overview of the FinSpy PC implant, covering not only the Windows version but also the Linux and macOS versions. FinSpy is an infamous set of commercial surveillance tools that is used for "legal surveillance" purposes. Historically, several NGOs have repeatedly reported that it is used against journalists, political dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer, and this version was detected and investigated several times until 2018. Since then, we have seen a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began to spot some suspicious backdoored installer packages containing Metasploit stagers. We could not attribute these packages to any threat actor until mid-2019, when we found a host that served these installers alongside FinSpy Mobile implants for Android.

Over the course of our research, we found that the backdoored installers are nothing more than first-stage implants that are used to download and deploy additional payloads before the actual FinSpy Trojan. In addition to trojanized installers, we also observed infections involving a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details about the UEFI bootkit were first publicly revealed in our report.


Towards the end of the third quarter, we identified a previously unknown payload with advanced capabilities, delivered via two infection chains to various government organizations and telecommunications companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being deployed persistently via an MBR or UEFI bootkit. Interestingly, some of the components observed in this attack have previously been staged in memory by the Slingshot agent on multiple occasions. Slingshot is a post-exploitation framework that we have covered in several cases in the past (not to be confused with the Slingshot APT).

It is primarily known as a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, this is not the first time attackers appear to have taken advantage of it. One of our 2019 reports covering FruityArmor's activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly taking advantage of an unknown exploit in a messaging app as the infection vector.

In a recent private intelligence report, we provided a detailed analysis of the newly discovered set of malicious tools we observed alongside Slingshot and how it was used in activity clusters in the wild. In particular, we describe some of the advanced features evident in the malware, as well as its use in a particular long-standing campaign against a high-profile diplomatic target in the Middle East.

Author: Duván Chaverra Agudelo
Editor-in-chief at Latin Press, Inc.
Social communicator and journalist with more than 16 years of experience in the media. Passionate about technology and about this industry.
