CyberWire Daily - Enter the RAT. [Research Saturday]
Episode Date: June 27, 2020

A new report examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade. The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ's China Initiative. Joining us in this week's Research Saturday to discuss the report is Eric Cornelius of BlackBerry. The research can be found here: Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
As a cybersecurity firm, we have a continuously ongoing research effort into various campaigns that we see. We track threat actors across the board, and we're always just watching for trends that may be emerging within cybersecurity tactics, tools, and procedures.
That's Eric Cornelius. He's chief product architect at BlackBerry.
The research we're discussing today is titled Decade of the RATs:
Novel APT Attacks Targeting Linux, Windows, and Android.
Can you give us some of the background here? I mean, when it comes to RATs,
what's the underlying history? Well, remote access tools have a very long history.
Ever since computers started getting networked together, there has been this kind of underlying desire to maintain access to other people's networks that has existed within humanity.
And one of the key things is you don't want to be redoing work over and over again. So once you go to the effort to compromise a system, one of your first-line priority items is going to be to maintain persistence.
So enter the RAT, a tool that is able to be installed on a system to give you long-term persistent access to that machine.
Well, let's take a look at some of the research that you all presented here.
What are some of the specific areas you're exploring?
Yes, I think there's a few novel points to this.
So first, let me point out that the threat group we're looking at here is nowhere near new.
The Winnti umbrella group, if you will, has been studied by numerous research organizations over the years.
But what's novel about our discovery is that we have identified a couple
areas that we as an industry just haven't been looking at seriously enough. This is specifically
focusing on compromise of Linux machines, servers, and also the mobile devices. BlackBerry published
a report back in September that was focused extensively on mobile malware. Again, just kind
of as a call to action to the security
industry where there seems to be this belief, if you will, that mobile malware, Linux malware,
it's not really a thing. It's not something we need to focus our time on. And we're suggesting
here that that's not true, right? And that as an industry, you're correct, we don't see a lot of
mobile malware, but our hypothesis is that's because we're not looking for it. So now that
we've started to look into some of these areas and shine the light, we're realizing that
there's a bit more activity there than any of us had realized. Yeah, and you spend quite a bit of
time in the report discussing the things that you've discovered when it comes to Linux machines.
Take me through, what are you researching here? Sure. I think, again, the key takeaway here is that the threat actor in question,
and this Winnti group, we call them an umbrella group
because they're more of an organization than an individual actor or team
that has different individuals coming and going over time,
but they maintain a shared set of tools.
There are several groups.
We identify a new group who specializes in targeting Linux systems.
And again, this is germane for a number of reasons. One, why does it matter? Why is it interesting?
We call out in the report that something like 75% of the Internet's infrastructural backbone is running Linux, which is an interesting statistic.
But two, in most enterprises as we know them today, Linux tends to be running on the most critical
servers, those that demand the highest uptime, the most reliability.
So if you're an adversary and you're looking to maintain persistent access to a target
environment, targeting a machine that you have a relatively high assurance is going
to be online nearly all the time.
That just makes logical sense, right?
A lot of the more common TTPs for targeting individuals, you know, send a spear phishing email, somebody clicks it.
And now you're on John Q. Random's laptop who may or may not have it on or connected to the network when you want to execute some portion of your mission.
So targeting these Linux servers, it just makes sense.
Secondly, what we're trying to call out is that within enterprises, we tend to see less emphasis put on securing these Linux devices from enterprises writ large.
And this shows itself in a number of different ways.
One, because of just the overall market share of Linux, it's substantially smaller. There are naturally a smaller number of expert practitioners who have a real world practical skill set that can be applied to the
Linux devices. But there's, you know, also a representatively small amount of vendor available
tools for securing Linux. That's not to say there's none, there definitely are some. But the lion's
share of security resources, both provided by the vendor community and dollars spent by enterprises
tend to be focused on the Windows core of the network,
which makes sense proportionally given their numbers.
However, in terms of impact to the organization,
what we're suggesting here is that there are other avenues of attack
that have the same, if not higher, level of impact to the organization
that we're not putting enough resources on from a security perspective.
And what specifically are we talking about here? What are some of the things that you're seeing?
So from a little bit more technical perspective, again, we focused on this one particular threat group here.
And some of the novel approaches we saw, obviously, we're seeing kernel-side rootkit activity.
And that's notable for a number of reasons.
One, it's relatively sophisticated to create a kernel-side rootkit.
But two, it's also pretty unlikely for a security practitioner
to take remediation action against that if a particular module is suspected.
The reasons for that are, let's say, for example, you are a junior administrator, right?
In a lot of cases, the active day-to-day administrator of a particular Linux
machine is not the individual who built and deployed that system originally.
You've inherited these machines as perhaps, you know, career changes occur, et cetera,
et cetera.
And so therefore, you're not maybe as intimately familiar with it.
And when you see a kernel module that may or may not be suspect, you are going to be
hesitant to unload that module because who wants to be the person who brought down a banking web server, for example, or a critical file share server within an organization for something you're not certain about?
Secondly, just given the lack of security tools, it's very difficult to identify these modules in the first place.
On the Windows side of things, some novel approaches we've seen that I think are really cool. And again, they show the sophistication of the threat actor
where this particular group originally gained notoriety because they were breaking into gaming
companies and stealing their private code signing certificates, signing their rootkits with that.
They've gone one step further into a really interesting area, which is to do the same thing,
only now they're compromising adware companies and stealing their signing certificates to subsequently sign the
malicious RATs. That's really interesting because in a time where you have things like next
generation antivirus that's going to scan these things and flag them as being blatantly malicious,
a lot of the technology out there, our technology, for example, doesn't matter who you signed your
code with. If it's bad, we're going to find it.
So the administrator now sees a flag on this RAT.
The administrator goes and looks at it, and they go, oh, it's adware.
It's signed by an adware company.
Yes, it's bad, but in the grand scheme of things, your typical security administrator now sees how many gazillion alerts per day, right?
Something they see as adware, that's going to the bottom of the queue.
Not to say that they're never going to get to it,
just they're not going to get to it right now.
And that observation by this threat actor just shows their wit, right?
How adaptable they really are to understanding how we as an industry operate.
Therefore, when the assumption is,
ah, this is just adware, I'll get to it eventually,
we're extending the time that they have persistent access to our environments.
Yeah, that really is a fascinating insight, that way to buy time, to take advantage of, I guess, as you say, a security professional's perception of adware, how it's sort of ubiquitous and so doesn't really, you know, set off fireworks in
their mind. Precisely. Let's dig into some of the things you found when it came to some Android
malware. What can you share with us there? Yeah, the Android component is equally interesting.
And again, we drew some corollaries, right? We're not,
we didn't outright say, Hey, this is a duck, but we said, we've identified something that's got
webbed feet that are orange and a bill and makes these quacking noises. Right. And what I'm
alluding to there is there's a toolkit available. That's widely considered to be one of the most
effective exploitation frameworks out there. That is, I mean, dare I say, masquerading as a company that offers these wares for sale on the open market.
But as we started to look at the actual APK structure, what we saw was that the Android rootkit and this tool set that seems to be openly available are so structurally similar
that the likelihood of that accidentally happening, I mean, I didn't calculate it out
statistically, but I think I might get hit by lightning twice before I see APKs with this level
of similarity. The interesting bit being that the actual state-sponsored malware was stood up years before this company became
available. So what we're suggesting in the report is that there's obviously some relationship here,
right? Did the state-sponsored group start this company as a shell organization? Did they
otherwise license the code? We didn't go pulling that thread as deeply as we probably will over
time,
but it was enough that we decided that we wanted to call it out and make it publicly known.
Yeah. I mean, that timeline is fascinating. I mean, is it fair to say that that makes it so
that it's worth shining a brighter light or digging a little more closely into that commercially
available tool? Yeah. I mean, I think so. Again, the body of knowledge
that we as an industry have is being continually added to by various research organizations,
right? No individual company or research group has the amount of resources necessary to pull
all of the threads that are interesting in the cybercrime underworld, if you will, right?
And there's just so much activity going on across
the entire continuum of the hacker spectrum from low-level attackers all the way up to
nation-state sponsored activity that there's just no way we could be fully comprehensive.
And so naturally, the industry builds on work done by one another. And we're putting this out
there to the community to say, hey, we think this is interesting and hoping that someone else will kind of pick up that ball and run with it.
One of the things you point out is the likelihood that the groups who are doing this work could
very well likely be contractors who are working for the Chinese government.
Sure. So again, we're putting our caveats out there, but I'll tell you the
sort of observations we made that lead us to believe that these are not highly trained
government operatives. And what we see is a high level of skill, right? We do see a high level of
skill, a high level of adaptability, creativity, all of the things you expect to see in sophisticated
threat actor groups. However, what we also see is a more
substantial lack of operational security that we would not expect to see from a trained government
operative, right? And so you're talking about, just, there's too many fingerprints, is effectively what
I'm saying, right? There's too much, too many names in the paths, too many easily traceable facts in the infrastructure that
they're using. There's just not enough credence given to secrecy for us to believe that this is
an actual government organization. However, they are clearly acting in the interests of the
government. Ergo, we conclude that this is probably a civilian contracting network that is paid to do this work, which provides plausible deniability on behalf of the actual government and say, no, this is just a rogue criminal group doing whatever it is they do.
of data we see being taken, or at least facilitated, the types of data across these tool infrastructures that we've identified and torn apart, it's not immediately monetizable. And so you have to beg
the question then, if this really is some random threat actor group, why are they targeting this
specific type of data, right? And how are they going to monetize it? And if you look at whose interest
that's most likely to be, these are breadcrumbs in a larger campaign.
And we call it the most likely benefactor is the government in this case.
Yeah.
One of the other interesting things you point out here in the research is the shift in command and control infrastructure, the type of stuff that they're using there.
Can you give us some of the details when it comes to that? Yeah, in this particular case, there is nothing really novel,
just that what we're seeing is sort of an extensible framework, if you will. So think
about it this way. These adversaries who are doing this work, this is their actual day job,
right? And every company that they compromise, they have to keep track of that. They have to
keep track of their status on each project that they're working on. And in this particular case, the Linux
infrastructure, they actually had to recompile the toolkit for each specific version of the target,
right? Because, I mean, the Linux kernel is a fairly sophisticated thing. You don't know what
modules are going to be there. You don't know exactly what kernel version is going to be running
there. So when you approach the target, you can dynamically assert the or identify the infrastructure,
recompile appropriately, and then deploy. And so they just built this pretty nice automation
framework to help them keep track of all that stuff, do the compilation, deploy the package
to the target, and just kind of make that management easier to scale.
So what are your recommendations here? What are the take-homes from the report in terms of organizations better protecting themselves? Sure. So I think my main takeaway, and I spent a lot of
time in the field as a practitioner and spent a lot of time with organizations. And one of the
things I've always preached over time is that 95% of cybersecurity
is hygiene, right? It's just really staying on top of understanding your network baseline,
who's talking to who, monitoring data flows, right? A real obvious sign of compromise
is looking at the ratio of bytes out to bytes in, right? And this may not be true in particular,
obviously on like file servers, it's not going to be true, but for general civilian machines, a huge amount of data leaving typically doesn't occur,
right? You send a get request to the internet that says, give me a cat video. The internet
gives you a cat video. The data transfer is very asymmetric, and focusing on these fundamental
tenets of how networks are organized will help organizations to identify new types of attacks.
The second key takeaway here is that every asset has importance. And while we focus on our
traditional user base, because, I mean, imagine your sales force, you've got all these people
getting on airplanes, going to face-to-face meetings, doing a lot of work at, like, the Marriott bar
in places that are generally not renowned for their security.
So we focus a lot on them and maybe we don't look so much at the infrastructure that we believe to
be isolated, maybe within a DMZ or some other type of subnet infrastructure. We get this feeling that
there's more security there. And in this particular case, the threat actors have shown a high aptitude
for compromising these machines, even within buried network segments, and they're able to route the data out.
And so we really do need to give effort to every machine.
you say, that it's these critical infrastructure, if you will, these Linux machines that have,
I suppose, an outsized amount of vulnerability. Can you help me understand that? I guess it's surprising to me that that would be the case, that there wouldn't be more attention paid to
these particular machines when they're doing the important work they're doing.
Yeah, I wouldn't say that there's an outsized amount of vulnerability on the machines,
right? All code was written by people, ergo all code is fallible. So I think if you look at just
a number of vulnerabilities per lines of code, all things are basically equal, right? There's
tons of studies about open source, closed source, vendor produced, it doesn't matter. There's
vulnerabilities everywhere. What we are suggesting is that due to the criticality of these machines, a successful compromise of one has a substantially
higher impact to an organization than a successful compromise of John Q. Random's laptop. And that's
not to say that they don't get the correct John Q. Random and there's some crown jewel data on it.
I'm not suggesting that at all. Everybody gets lucky. But these machines,
we know, they tend to be clearing houses for data. They tend to have high uptime. They tend to have
vast amounts of access. They're high value targets, right? And we do, as an industry,
need to pay a little bit more attention. And I'm not trying to say that the industry is not
paying attention to Linux. That's not at all true. We definitely are.
But proportionally, and when you go, just go talk to your average security practitioner who's been out of college for, say, five to seven years, kind of the two standard deviations
of the workforce, the younger people, you're not going to find a lot of highly skilled
Linux practitioners out there.
So we just need to do a better job of training and building up these skill sets, particularly
as things like cloud take off.
You know, we're going to see a lot more influence from the Linux operating system over the next few years.
Yeah, that's fascinating. I mean, is it fair to say that the reliability, that the fact that these Linux machines run, you know, 24-7 without complaining kind of puts them a little bit out of sight, out of mind?
Oh, definitely.
And I know many Linux sysadmins who pride themselves on their uptime.
So they tend to run for a long time, which, again, when you've got a resident compromise,
that's a very good thing for a bad guy.
Our thanks to Eric Cornelius from BlackBerry for joining us.
The research is titled Decade of the RATs:
Novel APT Attacks Targeting Linux, Windows, and Android.
We'll have a link in the show notes.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe.
And I'm Dave Bittner.
Thanks for listening.