2021 - II Quarterly Bulletin

NC3 TOP – Threat Observatory Platform

Threat Agent activities

Behind every cyber-attack there is an actor with a specific intent. However, for many events, the identity and general motivation are unknown. On the other hand, some groups have been well known for years and their criminal activities and techniques are documented and monitored. Typically, they conduct targeted attacks against specific organisations, using relatively sophisticated tools and attack procedures.

Some of them are considered as State-sponsored, but the actual link with various countries stays often subject of controversies and should be considered with prudence.

During the second quarter of 2021 has been observed a decrease of identifiable threat groups’ activity. Comparing the 1st quarter of 2021 with second, the decrease can be estimate around - 59 %.

As during previous quarters, the attribution rate of events is very low. This means that most of the ongoing attacks are not attributable.

According to the attribution found in the MISP records, the following groups were particularly active during this quarter:

• APT29 is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia; it primarily targets Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors;

• Lazarus group is a North Korean state-sponsored cyber threat group; it uses a wide range of methods depending on the characteristics of the campaigns carried out and the objectives pursued. It mainly aimed at manipulating employees of strategically important companies such as those involved in the military or aerospace industry;

• BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names, BlackTech’s campaigns are likely designed to steal their target’s technology;

• Gamaredon Group has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government;

• Hotarus Corp is primarily a ransomware operator that has hacked Ecuador's largest private bank, Banco Pichincha, and the country's Ministry of Finance;

• Indrik Spider is a Russia-based cybercriminal group, financially motivated, which has been active since at least 2014. It initially started with the banking Trojan, and then by 2017 they began running ransomware operations;

• OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical and telecommunications;

• SharpPanda is a chinese APT group targeting the Southeast Asian government. The attackers use spear-phishing to gain initial access and exploit old Microsoft Office vulnerabilities along with the in-memory loader chain to attempt to install a backdoor on victims' machines.

• Threat Group-3390 is a Chinese threat group that has been active since at least 2010. It has extensively used strategic web compromises to target victims. It has targeted organisations in the aerospace, government, defence, technology, energy and manufacturing sectors;

• Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defence, and research organizations in India and Afghanistan.

External transfer pathway and infrastructures

The transfer of the malicious artefacts or payloads is done through a number of different types of technical procedures and infrastructures.

Also, during the second quarter of 2021, it is confirmed that the most frequently used strategy is associated with scams that use email or similar approaches to reach potential victims.

Phishing is the most common strategy, but there has also been a significant increase in DNS Hijacking, i.e., the manipulation of the process of managing domain name and IP addresses.

The attribution rates are significantly better than for threat actors, even if still fairly low. Attribution means that it was possible to identify the external transfer pathway for a given event.

Infrastructures represent the type of systems being used for supporting attacks. Some are meant to compromise or help compromise, the targeted system, others are more focused on helping to maintain the foothold in it. Indeed, once access to a system device has been gained, a communication channel is maintained through the use of command and control (C2) infrastructures. The specific mechanisms vary greatly between attacks, but C2 generally consists of one or more covert communication channels between devices in a victim organization and a platform that the attacker controls. These communication channels are supporting the malicious activities. They are used to issue instructions to the compromised devices, download additional malicious payloads, and pipe stolen data back to the cyber-actor.

During this period there was a significant increase in events using C2 infrastructures.

Tool

The monitoring system showed a substantial prevalence of the use of Malware especially associated with IoT systems.

During this period, events were observed that used DGA (Domain Generation Algorithm), i.e., a technique used to generate new domain names and IP addresses for malware command and control servers.

Monitoring systems have also recorded an increase in the use of Trojans.

Points of access

The most common access point reported by MISPPRIV users is e-mail, which isn’t too surprising as it’s an effective ingress vector for several types of attacks. It’s often exploiting users’ weaknesses, be they voluntary (negligence) or involuntary (lack of knowledge about a specific threat.

With regard to component and system vulnerabilities, the monitoring system identified the following:

• Pulse Connect Secure has vulnerable to an authentication process and to execute arbitrary code;

• Number of vulnerabilities associated to Microsoft Exchange;

• Router Tenda AC11 vulnerability allows to execute arbitrary code;

• A vulnerability of Micro Focus Operation Bridge Reporter (OBR) product, allows Remote Code Execution;

• A vulnerability in the Firewall SonicWall Email Security vulnerability allows to create an administrative account and to upload an arbitrary file;

• Several Windows vulnerabilities (Win32k Elevation of Privilege Vulnerability);

IT Target

Information on the attacked IT target is not sufficiently described by the analysed events.

It should be noted that there is still some residual evidence of the attack campaign conducted in the previous quarter by HAFNIUM, which led to the exploitation of a number of vulnerabilities in the Microsoft Exchange Server system.

These vulnerabilities allow a malicious user to effectively inject code into resources used in the Exchange Offline Address Book (OAB) service. After gaining initial access, actors implemented web shells on the compromised server. After successfully deploying a web shell, the actors would maintain access to take further actions, including downloading additional malware, stealing data, and moving into the victim's network.

Type of Impact

The information detected by the monitoring system regarding the type of consequences for the victim is mainly related to ransom demands.

Type of Victim

There has been a continuation of attacks on airlines, although a decrease compared to previous quarters.

Attacks on banking systems are still in evidence and there has been an increase in attacks on public and private institutions.