CyberWire Daily - Intentionally not drawing attention. [Research Saturday]

Episode Date: October 17, 2020

Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by an APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts. While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity. Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender. The research can be found here: APT Hackers for Hire Used for Industrial Espionage

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:36 I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Basically, the investigation pretty much started like any other investigation. We were called in to figure out what happened in a company, to figure out what caused the potential breach. That's Liviu Arsene. He's a senior cybersecurity analyst at Bitdefender.
Starting point is 00:02:05 The research we're discussing today is titled APT Hackers for Hire Used for Industrial Espionage. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools.
Starting point is 00:02:49 It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Starting point is 00:03:21 Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. We started doing the forensic analysis on some of the infected endpoints. We created a technical report based on our findings, and we presented it to the client, if you will, the customer. However, when we took a step back after completing the report, we took it literally, we took a step back and took another look at some of the fine print of what we found. And it was really interesting because we found three very interesting aspects to the investigation, which pretty much led us in the direction of an APT-style attack.
Starting point is 00:04:18 And these three things basically were, the entire attack occurred because of a zero-day vulnerability that was being used by attackers. There were some custom tools that were apparently specifically created for this attack. I mean, most of the time you see tools that are off the shelf when you see some sort of traditional attack going after this type of company. And then there was the motivation angle. If traditionally most of these companies that work in verticals that don't really or haven't really been touched by APT-style attacks, the motivation is usually financial. It's either ransomware demand or it's an extortion that the attacker is trying to achieve. But in this case, it was simply information collection, information exfiltration. So they had a very clear purpose in mind.
Starting point is 00:05:03 And that's pretty much what tipped us off that something was going on that's beyond the obvious. And when we basically corroborated that with some of our previous research, I remember us talking about last time, about a month ago, about another APT group like StrongPity. And going back even further than that, earlier this year, we found some remote desktop components that attacks where they could just offer their services to pretty much anybody interested in compromising a potential victim, a potential target or a potential competitor in this case. Yeah, it's interesting stuff for sure. There are many elements about this one that sort of caught my eye, beginning with the type of organization, as you say, that was being targeted here. Who were they going after? Exactly. So this seems to be an organization
Starting point is 00:06:18 that does architectural design. So their background is actually design, architecture, but they also do 3D production. When you have a blueprint for a building or some sort of project, you usually try to give your customer a 3D rendering of that project. So this is what they do. They work closely with real estate, for example, and they have been actively been involved in billion-dollar projects. And this is kind of weird because you don't see, or traditionally we haven't seen attacks on this type of vertical or this type of company profile, especially such sophisticated attacks. And interesting to me is how they made their way in there. I mean, they were, the payload came in as a plug-in for some popular graphics software.
Starting point is 00:07:08 What was going on there? So, yeah, that was an interesting one because when we did the investigation, we didn't know that that was actually a zero-day vulnerability. So when we presented the report, we gave them all our findings. We told them that this is a malicious plugin that was pretty much tampering with the 3ds Max functionality. And only a couple of days before us publishing the report, we found 3ds Max publishing the
Starting point is 00:07:41 vulnerability and the patch for it. So apparently these guys, whoever they were, these APT hackers for hire, they literally exploited a zero-day vulnerability before the software actually figured out that they have such a vulnerability. So whoever has the skills to find a zero-day vulnerability in 3ds Max definitely knew what they were doing. Now, did you have any sense or were you able to determine
Starting point is 00:08:07 how this infected plugin got installed on the system? How they got, I guess, tricked into using it? Unfortunately, no, because the company didn't have any sort of SIEM or tools meant for monitoring network traffic or monitoring everything from a security perspective for a very long time. So we could only see pretty much what we were allowed to see, if you will. But as it is with most of these attacks, I think it probably was some sort of spear phishing attack, or maybe, as it was with the StrongPity APT group, maybe some sort of a watering hole attack, you know, where the attackers know what the company profile is. They
Starting point is 00:08:52 know what type of software they use, and maybe they use that against them, either compromise the popular plugin downloading website, or maybe trick them with some sort of a phony campaign of a new and interesting plugin. But unfortunately, that plugin was tainted. Well, let's walk through it together. I mean, the way that this goes at the business that it does, the functionality, its capabilities. Can you take us through what you learned? Absolutely. So basically, you have this first payload, if you will, which ends up on the victim's computer by exploiting a vulnerability in this 3DS Max software, mostly used for architectural design, 3D rendering. Afterwards, it brings with it a lot of other components, mostly used for crawling for specific files or specific file extensions,
Starting point is 00:09:49 and then an additional component that involves stealing information like passwords or credentials, authentication credentials for various services. What was interesting about the crawler, for example, is that it seems to be custom built for this specific victim. I mean, it specifically skips some extensions, you know, like media files, you know, both, for example, JPEG or MPEG files, and it doesn't archive them. It has the ability to just directly upload them to the attacker control server,
Starting point is 00:10:24 the command and control server belonging to the attacker. It also has the ability to allow the attacker to simply browse through any other directory or drive from the victim's computers, including network-attached drives, for example. Yeah, so these were basically tools that we haven't seen actually in any of tech. We have looked in our telemetry, and they were very scarce. I mean, maybe they deployed them on other victims just to test them, but it seems that they were really put to good use in this particular case.
Starting point is 00:11:01 And it was capable of taking screenshots as well? Exactly. So it had the ability to take screenshots. It had the ability to collect usernames, computer names, IP addresses. It had the ability to, or it was specifically tied, if you will, to a user on a computer. So you wouldn't find the same payload on two different usernames, two different computers. So I guess that was mostly because whoever was behind it wanted to know exactly what victim they infected. I mean, from whom inside the organization they were collecting that sort of telemetry. It was interesting to me too in your research that you noted that this software seemed to be intentional and not drawing too much attention to itself. Exactly. So another interesting aspect was that whenever it would find that task manager or some sort of performance monitoring app was running, it would automatically stop doing whatever it was doing to consume CPU power. We believe that maybe it's the type of behavior employed in order not to raise any alarm
Starting point is 00:12:14 bells to the victim. For example, if you're running 3ds Max and you're doing a lot of processing and you notice that all of a sudden your CPU starts consuming more CPU cycles than normally, then you would naturally open Task Manager to see what processes and what services are running to see what's clogging up performance. And maybe they just hid their processes, the malicious processes, in order not to attract any attention whenever these high-performance activities were going on on the victim's computer, just to fly below the radar. Yeah, that's interesting.
Starting point is 00:12:48 It's been my experience that the folks who are doing these sorts of 3D rendering jobs, they're looking to squeeze every bit of performance out of the machines as possible. So it's just interesting that the bad guys were aware of that and tried not to raise any flags there. Exactly, so it's actually interesting because it's a first to see that bad guys don't want to interfere with your daily activities. They just want to leave you do your stuff,
Starting point is 00:13:15 and while you're not using the computer, they'll use it for you. Now, what sort of information were you able to glean in terms of the command and control server? So, as it is with most APTs, it's difficult to say just who is behind them or where the cybercriminals are based. But in this case, we know that the command and control infrastructure seems to be based in South Korea. That doesn't necessarily mean that these hackers, these APT hackers for hire, are also based in South Korea. As we've seen with previous APT groups, they can be scattered across the world. So this just might be maybe the first tier in their infrastructure or something that they've commissioned specifically
Starting point is 00:13:56 for a job. So in this case, this makes attribution a lot more difficult. And I think this is going to be the trend from now on. If this whole thing turns into an APT as a service, if you will, it's going to make attribution for security researchers a lot more difficult. Because if until now you've had political motivations, like state-sponsored APT groups, or if you've had financial motivations, take Carbanak, for example. We know that they targeted financial institutions. Now, if you have APTs as a service, you may find yourself in a pickle because attribution is going to be a lot more difficult,
Starting point is 00:14:37 and finding out the purpose, the reason, or the motivation behind an attack is going to be a lot more difficult. Is it, I suppose, plausible that this could be some folks working for an APT group that are taking side jobs? We were just asking ourselves that around the office because there's not a lot of people that have the skills to do this. I mean, to find a zero-day vulnerability and, you know, actually use it on, let's say, a relatively low-profile victim. Plus, it's not uncommon or it's not unlikely, if you
Starting point is 00:15:13 will, that part of these APT groups, there could be members that either operated, used to operate, or still operate for state-sponsored APT groups and that have simply banded with other skilled individuals to make some money on the side. If we're talking about as a service, it's pretty much like software outsourcing. You find a good developer, you try to co-opt him for a project, and he's giving you his best, basically. So it wouldn't surprise me if these guys were basically trained
Starting point is 00:15:44 and skilled by nation states or they've honed their skills in various other APT-style attacks and APT groups like Carbanak. So this could also be a possibility, yeah. And what was it that tipped the victim off that they had an issue here and made them bring you all in? Basically, there were a couple of alarms and bells from their network traffic analysis solution, and they pretty much wanted to call us in and investigate to see if there's something going on with their endpoints. Have you had any indication that there are other organizations
Starting point is 00:16:25 that have fallen victim to a similar type of attack? As far as we know, no, because whenever we looked at this infrastructure, this specific infrastructure used in this attack, there were no signs that it was communicating to other victims or that it was receiving some sort of telemetry from other victims. Even the payloads or the tools that we found in this particular example seem to be unique for this client. So we haven't seen them, at least from our telemetry perspective, we haven't seen them anywhere. And so what are your recommendations for organizations to protect themselves against this sort of thing? Well, I think this kind of changes the whole threat landscape, if you will, or the whole threat paradigm for small, medium-sized, or even large businesses.
Starting point is 00:17:13 Well, maybe not so much for large businesses, but maybe for small and medium-sized businesses. I say that because if, until now, APTs were mostly something that large corporations, large organizations had to worry about, it was part of their threat model, if you will. Now, with APTs as a service and pretty much being available to anyone who's willing to open up their pockets, could be a problem for small and medium-sized businesses. Let's just take a scenario, for example. Imagine you're a small, mid-sized business. Let's take this particular example.
Starting point is 00:17:49 You're a small, mid-sized business that works in architecture and design, for example. And you know you want to bid for a contract in a multi-billion dollar real estate project. But you're not alone bidding for that project. There are other larger companies with bigger budgets that want the inside scoop. What if those larger companies could turn to these APT hackers for hire to compromise you to see what kind of deals you're trying to strike with the contract? Or they're trying to find out how you're planning your negotiations to get the contract. And that means they could be turning against you. They could be turning these APT hackers for hire against small or medium-sized businesses
Starting point is 00:18:32 just to gain the upper hand, to gain leverage. If we're talking about large contracts, large projects, it would make sense for these kinds of APT hackers for hire to be used on SMBs. Yeah, I have to say this was a bit of an eye-opener to me, having throughout my career made use of various programs like this, graphics programs, audio editing programs, and so many of these software packages make use of plugins. And they have third-party plugins.
Starting point is 00:19:04 They come from a variety of sources. And I think in my mind, a plugin for a package like this has always been something sort of benign in my mind in terms of a security issue. I never really imagined that a plugin for a package like this could bring with it security issues. And this sort of changes that game. Exactly. So you can look at plugins as any other application that you install. It's code. It's new code that's running on your machine,
Starting point is 00:19:34 either in an application or your operating system, that could be doing wrong stuff, illegitimate stuff. So this is something that you have to worry about, both as a large or mid-sized organization. But the interesting thing is that this, again, this type of, if you will, service, APT Hackers as a Service, is something that we kind of, if you look back, we were kind of expecting this to happen. I mean, just look at malware, for example. For the past decade, it has evolved from traditional malware, you know, some malware developer trying out code and then
Starting point is 00:20:10 infecting victims, to malware as a service, where malware developers no longer focused on the infection part of the attack chain. They simply focused on developing the malware and selling it. Look at ransomware. You had ransomware that was going after the average user. So there was the ransomware developer and then going after the average user with ransomware demands anywhere between $200 to $700. And then you had ransomware as a service when they, again, focused more on the development part and the service part, offering ransomware to those who were interested and then making a cut off each ransom demand. So I guess APTs, this evolution towards APTs as a service, it shouldn't come as a shocker for everybody. So it's kind of like a natural
Starting point is 00:20:56 evolution. It also strikes me that this sort of highlights the importance of having that defense in depth, of not only looking for things like signatures, but as this case points out, looking for behaviors, unusual activity on your network. Exactly. So this, again, if large companies usually have the budgets, the manpower, or even the SOC teams that are capable of uncovering, if you will, these types of attack tactics and techniques
Starting point is 00:21:26 that revolve around stealth or persistency. It's the small and mid-sized businesses that will have an issue when dealing with these APT-style attacks. I mean, it's already bad enough that skill shortage is an issue, is a thing. There's also the issue of neurodiversity. For example, when you want to build your own IT or security teams, you need to make sure that they all have a diverse background, especially security background. And there's also the matter of budget.
Starting point is 00:21:57 Not any company can afford to have their in-house security teams. I think the security industry is going to adapt to these as well. So you can do so much from a security stack perspective, you know, endpoint security, network security, EDR security. I think you can also manage the skill shortage by, you know, turning to, for example, MDR solutions, managed detection and response solutions, which basically means you have your own SWAT team. You can hire your own IT or security SWAT team to come in and investigate whenever there's a problem. So I think the threat landscape shouldn't scare us so much because I think there's always going to be the security counter perspective that addresses that problem. Our thanks to Liviu Arsene from Bitdefender for joining us.
Starting point is 00:22:55 The research is titled APT Hackers for Hire Used for Industrial Espionage. We'll have a link in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:23:49 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.