CyberWire Daily - Hunting the Sowbug. [Research Saturday]
Episode Date: December 30, 2017

Alan Neville is a senior threat intelligence analyst at Symantec located in Dublin. He is responsible for leading and documenting investigations into high priority attacks. He recently published research on the Sowbug cyber espionage group targeting South American and Southeast Asian governments. https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I'm actually part of a group called the Attack Investigations Team. One of the main kind of objectives of our team is trying to identify and track APT-type groups.

That's Alan Neville. He's a senior threat intelligence analyst at Symantec located in Dublin. He's responsible for leading and documenting investigations into high-priority attacks. The research he's talking about covers the Sowbug cyber espionage group.

So what we actually do is try and leverage a lot of the telemetry that we receive in Symantec to be able to do that.
So we look, basically hunt for new attacks, so unknown attacks.
And as part of that kind of initiative to look for new attacks, this is where we first came across Sowbug.
Initially, we actually had a piece of malware submitted to us by a customer, and they had detected some kind of unusual activity on our network, and they had submitted it for kind of deeper analysis.
And when we had the sample submitted to us, we had realized that it hadn't been known before, so it was something new.
And this was around kind of early March.
So we started taking a look, and we realized kind of quickly that
one, this is something we haven't seen before.
Two, when we kind of cross-referenced this against Telemetry
to see where else we've seen this tool in our customer base,
we've seen that it had a relatively kind of low profile.
So it only had popped up in kind of a small number of victims.
But we've seen that those number of victims
have stretched back a large period of time.
And that kind of piqued our interest,
particularly for our group.
So we knew this is something that
this seems like super targeted.
It's only hitting a subset of our customers.
It's not something that's hitting consumers.
It seems to be only targeting a specific industry.
And these are all kind of indicators for us
that this is something that we need to look into further.
So that's what we did.

So who are we targeting here? Is this an espionage situation?

So initially, when we started, when we opened up this investigation,
we had this piece of this backdoor, this malware. We knew that it was only hitting a very small
number of our customers. When we start looking at more data surrounding that activity, we realised very
quickly it seemed to be only targeting Ministry of Foreign Affairs in various countries.
And this was a big kind of thing for us. So we know that it's kind of exclusively hitting
government and that's a big red flag. So that's something that we want to make sure that we know
as much about as possible. We want to be able to kind of get protection in place
for our customers and kind of figure out
the big picture as such.
So what additional tools that may be related
to this backdoor, what activities the attackers are doing,
and kind of building up a timeline of kind of,
or a sequence of events of what the attackers do
once they manage to install this backdoor.
And this is the first port of call for us.
And this is where we were able to identify some of the motives behind the attackers.
So, for example, there was one particular case in South America
where we've seen a particular government get impacted.
And this kind of gave us the most insight into the attackers
and what they were actually after.
And we've seen that they had installed the backdoor
and they spent a little bit of time kind of poking around the network and kind of figuring out if,
I suppose, the victim that they managed to get the backdoor on was of value. If they were able to
identify some of those machines and kind of the high value target machines. So either servers
that were hosting valuable information or confidential documents
and they kind of moved through the network. So they began by, like, dumping credentials,
installing key loggers, and kind of using that information to pivot through the network until
they basically found themselves on file servers, and they then began to collect documents. So we
could see them specifically executing commands
through their back door, which was searching file servers of two departments that they
seemed to be particularly interested in.
And what they were doing was looking for any type of office document that was created or
modified within specific time ranges.
And we could even see at a second stage, they had retrieved those documents,
they had added them to an archive, they had moved them off to attacker-controlled infrastructure.
They obviously took a little bit of time sifting through that information, and either they came across something that they wanted to find more about, or they didn't find really what they were
looking for, and they returned again, and they start issuing similar commands to then collect
documents from a little bit further back again. The departments that they were actually kind of looking for information from,
the first one was basically a department which is responsible
for handling relationships between that specific country
and international organizations.
They were also super interested in collecting documents
from a department which is responsible for handling relationships with other countries, specifically in Asia and Oceania regions.
So does that point in a particular direction when it comes to attribution?
Were you able to make any conclusions there?
So it doesn't really.
So far, all we really know is that we have this group.
They're specifically targeting government. So basically
organizations that are responsible for foreign policy. We know that the targets or these victims
are in these regions. So we see a lot of victims in Latin America or South America and we see them
in Southeast Asia as well. From our analysis, we were able to kind of like pull apart the malware. We had looked for any kind of technical indicators or even operational indicators that would kind of
suggest origin, but we weren't able to identify kind of any substantial or kind of evidence that
would suggest where this is actually coming from.

Let's dig into some of the technical details here. How does it work?

So what we actually found was in a lot of
victims, we basically see this backdoor being installed. We were unable to identify the vector,
so we don't really know how they're getting onto these machines in the first place.
When we start digging through the data a little bit further, we found in some cases,
they were using this additional tool, which we dubbed Starloader. This tool is essentially used to open up a file on the infected machine.
It decrypts that file and it loads and tries to execute the code that's stored in that file.
And we could see that tool, Starloader, being used to install some additional tools.
So we had key loggers, for example, being installed. We had credential dumping tools.
But we've also seen them deploy this backdoor,
the Felismus tool as well.
We think that Starloader is likely the first stage that they use.
So they may try to get onto these machines to install Starloader
and then they use Starloader to kind of identify high value targets.
So basically trying to determine, is this victim of interest to us?
Do we have the ability to move or find the machines that contain the information that we're interested in?
And once they do that, they deploy Backdoor.Felismus, which gives them kind of a lot more flexibility in being able to, like, execute commands, upload or download files and things like that.
And while they're doing this, they managed to keep a pretty low profile.
Yeah, so we were able to, for example, kind of have a look at when they were active within their victims.
So any activity, so any commands that were being issued through these backdoors.
What we actually saw was they specifically were only active on these networks
outside of standard working hours for these victim countries.
So we could see like after about like 6 or 7 p.m. in the evening, usually when people are kind of finished up, gone home, you see them becoming a little bit active.
So issuing a couple of commands, kind of figuring out where they are.
And then you'll see activity ramp up until like around midnight or one, two, three in the morning.
And that's kind of the peak of their activity.
From then on, it kind of drops.
And then we see that they leave the network alone, basically not to tip off anyone that
they've been active on the machines.
And the fact that they've been active and around for so long.
So like these guys have been targeting these type of institutions since I think the earliest
activity we found was around mid to early 2015. And it's
likely they've been even active before this.

And they're also being clever with the way that they're naming some of their files to try to keep them below the radar.

Yes. Correct. Yeah. So in a lot of cases when they're installing Felismus, this backdoor tool, onto victim machines, they're
essentially masquerading or impersonating
legitimate software to do so. So for example, they might pretend to be Adobe Reader, in which case
they'll install their backdoor into a file path, which looks like legitimate Adobe Reader, but it's
actually just like one directory or one level, kind of above where you'd find the real file.
So for all intents and purposes, when people are going through their machines
or looking at active processes,
they'll just see what looks to be
a legitimate piece of software running,
which essentially is kind of to help them
kind of remain or keep that low profile.
So in terms of people detecting this
and protecting themselves against it,
what are your recommendations?
For protection or kind of mitigation even,
my advice would be, first of all, is update any AV clients that you have. AV clients and network
clients are going to be the ones that are going to have all the protection in place.
We as a team, we share all this information, not only with other security researchers
and internal teams within Symantec, but we also share it with the likes of other certs and impacted victims.
And we kind of give them the information and the kind of ability
and detection guidance that they need to be able to write signatures.
So it's not just for our own customers, it's for everyone out there.
And that's one of the reasons why we publish this type of information.
We provide these indicators of compromise freely as part of our blog publications
so that it's not just
Symantec customers that can protect themselves. Others can take this information and implement
it within their products to protect their own customer base as well.
It's interesting just how targeted this attack is. This is not widespread. This is not hitting
consumers. These folks seem to know exactly who they're after.
Yeah, and it's likely that they're using this two-stage approach, so like installing Starloader
and then later installing Felismus,
basically to not deploy kind of their good tools.
So they're targeting these institutions
or these organizations,
and they're only using kind of a first-stage
kind of throwaway tool as such,
some simplistic tool that's just used
to load some shell code
or kind of malicious code
to be able to install some tools.
And then it seems like they'll
take their time in profiling these
networks or profiling these machines they can get onto
to ensure that they're actually
on the correct networks or have access
to these victims that they're targeting.
It's only at that point you'll see them kind of
deploy this backdoor
tool. So they're very careful in making sure they're in the correct places or have the correct victims.
From your point of view, can you take us through the process, I guess sort of the strategy of allowing someone like this to make their way through a system so that you can then see what they're up to, you know, rather than immediately booting them out of the network?
So for the likes of our specific investigation, a lot of this information we were actually able to pull was from historic activities.
So we have the ability to kind of go back in time to our telemetry and we're able to piece together a timeline of activity.
And this is kind of after the fact.
So this is how we were able to see that we had victims back from kind of early 2015,
where we saw that first activity.
And we were able to build kind of an idea or that timeline and kind of add pieces to it
as we see what type of activities they've performed
across those different victims.
And from the point when we actually identify the backdoor,
we add protection in at that point in time.
And then we inform customers who have been either compromised
or still have active infections of what we know at that point in time.
It's only after we build up this big picture that we can share more information.
And once we have all the pieces or as much pieces that we can gather,
we publish that information.
So even though we were able to publish a lot of information about the group,
there is some elements that we still don't know.
So like I mentioned before,
we still don't really know the vector,
so how they're actually getting onto these machines.
And that's something that we opened up
to the wider community.
So other research,
so if they see kind of other elements
or other parts of that,
that they can help us fill those gaps,
we totally invite them to do that.
So looking at the research,
what are some of the key takeaways for you?
Yeah, so some of the key takeaways for us is that Sowbug was essentially an unknown
group that was conducting highly targeted cyber attacks against organizations in South
America and Southeast Asia.
We know that the group themselves have been heavily focusing on foreign policy institutions and diplomatic targets.
So a lot of Ministry of Foreign Affairs in this case.
And we know from some of the activities we were responsible for handling relationships with other countries,
specifically in Asia and Oceania regions.
We know that they've been very good at keeping a low profile.
So the group have been around for a long time.
We were able to find that they indicated that they were active since at least 2015.
And it's likely they've been active before this as well.
But unfortunately, we're still not really sure of who the group are,
so where they're originating from.
And it's something that we're still looking at
in terms of keeping that investigation open
and trying to identify any additional kind of indicators
that can help us do that.
We've also published this blog,
kind of sharing some of the indicators about it.
So some of the hashes that we've seen
for the tools that they use
and kind of details of the attacker's activities.
In the blog, we kind of discuss as much as we can,
the bits and pieces that we're able to put together
to kind of fill in that big picture.
But there obviously are some gaps there.
So we have like no idea, for example,
how they're initially getting onto these machines, even though we know some of the initial tools that they do use.
And we would hope that other security researchers would be able to assist us in that and filling those gaps.
If they were able to use those IOCs or any of the information we're able to share
to be able to cross-reference against their own systems,
and they can provide additional information, we completely invite that in.
It's something that we greatly appreciate and love working with other people
to be able to fill those kind of gaps and kind of get that additional perspective or insight.
Our thanks to Alan Neville from Symantec for joining us.
You can find the complete report on the Sowbug cyber espionage group on the Symantec website.
The CyberWire Research Saturday
is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.