CyberWire Daily - Creating PANDA-monium. [Research Saturday]
Episode Date: July 8, 2023
Thomas Etheridge from CrowdStrike sits down to discuss their work on "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft". In May of 2023, industry and government sources detailed China-nexus activity where they found the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike's Intelligence team tracked this actor as VANGUARD PANDA. With CISA's advisory on VANGUARD PANDA and its link to Chinese adversaries who are increasingly targeting US businesses and critical infrastructure, CrowdStrike's blog dives deeper into the risks of VANGUARD PANDA. The research says "One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus." The research can be found here: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
It all started with deployment of our technology at a net new customer opportunity.
So in the process of deploying the technology, our threat hunters uncovered some hands-on keyboard activity that we soon attributed to Vanguard Panda.
That's Thomas Etheridge.
He's Chief Global Professional Services Officer at CrowdStrike.
The research we're discussing today is titled Business as Usual,
Falcon Complete MDR Thwarts Novel Vanguard Panda Tradecraft.
And who is Vanguard Panda, we suppose?
Vanguard Panda is a threat actor that we have been tracking since the mid-2020s.
We believe them to be of China nexus, and they are focused primarily on targeting multiple sectors,
including aviation technology and the defense sectors. CISA recently reported on this threat
actor in May of 2023 as targeting critical infrastructure organizations across multiple
industry verticals throughout the U.S. and its territories.
Well, let's walk through this together. It's an interesting one. Can we go through it step
by step here? I mean, what was the first indication to your team that something was amiss?
As I mentioned earlier, our threat hunting team uncovered some hands-on keyboard activity that we knew to be malicious activity. We notified
the managed detection and response team who took some quick remediation steps by quarantining,
network quarantining the machine that the threat actor was leveraging to carry out some of its tradecraft.
One of the things that we noticed in doing some of our investigation is that the threat
actor was moving very, very quickly in the environment and had what appeared to be a
very good understanding of the customer's infrastructure in order to carry out the commands
and the tradecraft of being able to traverse through the customer's environment.
So it was clear to us that they had been in the environment for a while,
had established some persistence mechanisms,
and had good familiarity with the overall infrastructure of the customer's environment.
Now, when you say hands-on keyboard activity, what exactly does that entail?
It's typically picked up, Dave, when we see a threat actor using commands or running tools
on an environment that we either know those commands or tools to be malicious in nature
or the combination of commands and actions that a threat actor performs in an environment.
The combination of those tools at the same time or in near proximity to one another
typically is an indicator that the user that's performing those actions is not a legitimate user. And that's when
we would typically send a notification or if we're providing a managed service like our MDR,
take corrective action to try to quarantine or stop that threat actor from being able to easily
traverse through the environment.
So Tom, without getting too much in the weeds with some of the technical things here, can you kind of take us through an overview of the kinds of tools that you all are seeing them use here, the tradecraft that you all witnessed?
Sure, Dave. We reported in our blog that the malicious activity involved listing processes, doing network connectivity testing, gathering some user and group information, mounting network shares, and then enumerating domain trust over WMI and listing DNS zones over WMI. So the threat actor was doing this pretty quickly, which was also an indication of the familiarity that they had with the environment.
Now in the blog, you draw particular attention to JSP compilation. You highlight that as being a bit of a giveaway here. Are there any specific elements that are worth highlighting with that?
I think the importance of that in the blog
is that this threat actor was doing a lot of
cleanup after their actions. They were moving
evidence of their activity. They were deleting
logs and evidence of their activity. One of their slip-ups
was missing that particular
log source, and that is what the investigators uncovered to tip them off to the threat actor
also operating extensively in the environment.
Can we talk a little bit at a high level here?
I mean, as you describe this, you engage with a client and they deploy your specific technology, and this is discovered.
I assume that this client wasn't running completely unguarded before. Is it a
typical thing? I guess, how often does this happen where a company will try a different technology or
switch vendors and discover that someone's been camping out in their system for quite a while?
This happens quite frequently, Dave, with the deployment of some of the advanced EDR technologies that exist in the market today. Picking up novel and previously undetected threats is something that's quite commonplace. But CrowdStrike has a common theme. We communicate to victims that the threat actors aren't breaking into your environment. They're logging into your environment.
So one of the pieces of tradecraft related to Vanguard Panda is that they heavily leverage
stolen credentials to gain initial access to their targets.
And that was the case here as well.
The threat actor was able to gain access to the infrastructure using credentials
that were probably procured through the access broker markets
and was using those credentials to carry out their tradecraft
and had gone undetected,
if not for the advanced EDR technology and the threat hunting capabilities of our Falcon Overwatch team.
And when we talk about advanced capabilities here, are we looking at behavioral things in addition to signatures?
I mean, my understanding is that it's quite a cocktail of capabilities that come into play here.
Absolutely.
I think first and foremost, it's understanding through rich intelligence gathering and integration capabilities,
the tradecraft that threat actors are carrying out. So what are the things that threat hunters and
investigators and security professionals need to understand about how the threat actor could be
using specific tools or tradecraft to operate within their environment? The second piece of
this is on the identity side of the house, understanding credentialing, privileged access, systems
that are critical to protect, and honestly, having capabilities like multi-factor authentication and
implementing zero-trust capabilities to help thwart threat actors from simply being able to
steal credentials or procure credentials, and then be able to use those credentials to go navigate through the environment without being challenged.
Those are some big things that we talk to victims and organizations about from a security posture perspective.
And what about the incident response in a case like this,
where you know that you have someone who's had some persistence for a while?
What are the sorts of things that an organization goes through to make sure that they truly have cleaned out these bad guys?
First is just getting that rich visibility across the environment.
So deploying advanced EDR tools to gain that
visibility and being able to threat hunt using those rich intelligence indicators, understand
whether or not some activity being performed in the environment is legitimate or illegitimate.
So being able to do that around the clock, I think, is very important. Threat
actors don't just operate Monday morning at nine o'clock to Friday at five o'clock. They're
typically operating off hours. So being able to hunt continuously against the infrastructure,
I think, is really important. The second piece is, I mentioned earlier, understanding identities,
credentialing in the environment, and critical assets that may require additional levels of protection, where we may want to challenge a user with a second factor of authentication in order to validate that they are who they claim to be. I think that's really important. And then the last thing, which I think is a key focus for managed detection and response type capabilities, is being able to take that
corrective action very, very quickly. We reported in our annual threat report this past year that
breakout time had dropped to about 84 minutes, so just under two hours from the time a threat
actor gains access to the environment until the time they can move laterally towards a target.
Being able to take that corrective action within that 84-minute window is something that
will help deter threat actors from being able to carry out their tradecraft.
You know, Tom, you mentioned your global threat report, and I know one of the things you highlighted in there was activity that you all are seeing from China. And with the supposition that Vanguard
Panda is indeed a Chinese threat actor, it sort of keys right into the recommendations you had in that report.
Absolutely.
We introduced over 33 new adversaries last year, tracking from an intel perspective,
raising our total to over 200. So it just demonstrates the pervasiveness and opportunity for threat actors to carry
out their missions.
China in particular was one of the most aggressive in 2022.
We observed them targeting nearly all 39 global industry sectors
and 20 geographic regions across the globe.
So pretty prolific in 2020.
Our thanks to Thomas Etheridge from CrowdStrike for joining us.
The research is titled Business as Usual,
Falcon Complete MDR Thwarts Novel Vanguard Panda Tradecraft.
We'll have a link in the show notes.
production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is
Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.