CyberWire Daily - Leafminer espionage digs the Middle East. [Research Saturday]
Episode Date: September 8, 2018
Researchers at Symantec recently published their findings on an active attack group named Leafminer that's targeting government organizations and businesses in the Middle East region. Vikram Thakur is a technical director at Symantec, and he joins us to share what they've found. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So the team that conducts a lot of research at Symantec was looking at some malware.
That's Vikram Thakur. He's a technical director at Symantec.
The research we're discussing today is titled Leafminer, New Espionage Campaigns Targeting Middle Eastern Regions.
And we spotted the malware, we found the distribution site,
and we started just following the rabbit trail, which led us to the group of the attackers
targeting a finite number of organizations in the Middle East. And when we started working
with some of those organizations, the discovery just kept growing. And we eventually landed up
in a position where we could understand the mandate of the group.
We could understand where they were most probably located.
And then we just decided to put out a blog after we had already shared some of this information with some of the targeted organizations.
Yeah, it's quite a story here.
So let's walk through it together.
Why don't you take us through step by step?
What was the first thing that caught your eye?
So there was a piece of malware or a file, which was not doing things that it actually claimed that it was, that was found on a Middle Eastern organization's network. So when we looked at the file and we deemed it malicious, we wanted to follow up and see whether we could find the origination of the file itself.
So when we did that, we stumbled across a website which had housed the file at some point and our crawlers had sort of picked it up.
So we had the web location of where that file was hosted at one point in time.
When we went over there, we could find a whole bunch of other malicious files, which were all housed or they were all sitting on this web server. And the server itself actually belonged to
the president of Azerbaijan. At least that's the organization that it represented.
So we, at that point, determined that somebody
somewhere had hacked into the server and
decided to use it as a little staging server to place all
their tools and whichever one they acquired
or the attackers required, they would just take the tool and then go
and start targeting other entities.
So that's sort of how it started.
So we had a good understanding of the tools that were being used by the group that we now call Leafminer.
And when we used those tools and searched for those tools
on different organizational networks,
we started getting a bigger picture of who the targets were
and how Leafminer was going about targeting these
organizations. To date, we don't know what exactly their success rate may have been or what
they were truly after. From a technical standpoint, we know that their tools were primarily geared towards stealing email copies.
So think about a situation where the attacker gets onto an organizational network
and then he tries to dump a particular user's complete mailbox or inbox into a file
and then take that file away and go through the contents of that email inbox at their own leisure.
So we see a lot of their tools were focused on doing that.
We do not know what it is that they were searching for within those emails themselves.
Take us through who were they specifically targeting?
As part of the research, we stumbled across a file which was written in Farsi. And the file itself included a list of organizations that were being targeted. The list was approximately 700 organizations long, spread across multiple countries in the Middle East. And the targets were in aerospace, public sector, manufacturing, finance, pretty much every single organization that you can think of in any geography.
But we think that the focus was on the public sector side of the house.
So ministries, agencies, departments of government, that sort.
And targeting geographically the Middle East?
Yes. I mean, the list actually showed us that the targeting was primarily in the Middle East. In fact, the list only focused on entities which were based in one of seven or eight different
countries, I forget right now. But through the grapevine, we have heard of organizations outside of these seven or eight
countries attempting to follow up on Leafminer, which makes us think that the targeting may have
been beyond just the Middle East too, but we don't have firsthand evidence of that part.
Now, there were three main techniques that you all observed and documented in this blog post, the ways that they intruded into other people's systems. Can you take us through those?
Yeah, yeah, sure. So
one of the methods which was quite novel back when these attacks were happening, I mean,
they were not very widely used, was combining what we call watering holes with a technique for SMB.
But essentially what really happens is the attacker tries to
understand what kind of websites their intended targets normally visit. So if the attackers
wanted to compromise intelligence officials of a certain country, they realize that those
intelligence officials are more likely to visit the government's intelligence website within that country.
So they isolated these websites that they thought provided the traffic or the visitors that they intended to compromise.
And then they hacked into these websites and planted a piece of code in addition to what the website was offering as information anyway.
So these websites now became compromised.
They had some attacker code on them.
So every time somebody visited these websites,
that malicious code which is on the website,
that sent a beacon or sent a little piece of information over to the attackers.
The attackers tried to use that information
to guess the passwords which were used
by these individuals who were attempting
to visit the website.
It's a bit of a technical jumble out here,
but at the end of the day,
the attackers really used watering holes
in order to gain credentials
or gain access to the accounts
of those who are visiting websites.
Once they did, then they use those credentials or they use those usernames and passwords
to go and legitimately access the targeted person's corporate network.
And in some cases, they found themselves lucky and they were able to get in.
And once they did, they kind of
steered their way towards email mailboxes and trying to gather information from there.
Now they also use some vulnerability scanning tools.
Yeah. So those are the other techniques that they used. They used a lot of off the shelf
public information trying to break into their target networks. So they picked up things
like some old framework tools, which have been publicly documented over the past couple of years.
They just took them and tried to use them as tools against target networks. So in those networks,
if those servers or those machines were not updated with
the latest security patches and security solutions, they would have found themselves
vulnerable to these attacks by Leafminer. But in a lot of cases, we know for a fact that
the success rate by Leafminer using these methods was very low. It just translates to
most organizations have already patched or updated their computers
against these known vulnerabilities.
We see Leafminer doing this more and more,
which is they're relying upon publicly documented tools
or publicly available tools
to conduct a lot of their attacks.
And this is usually reflective of one of two things in every attack group which does this.
On one side, attackers are less dependent on their own technical skills to be able to conduct attacks
when they're just picking up somebody else's work and launching it against their own target. But on the other side, it allows the attackers to stay under the radar for a longer period of time. So since these tools are publicly
available, a lot of organizations always think that they are unlikely to be used against them.
So when an attacker actually does use it, it turns out to their own advantage and organizations realize a little bit too late.
And does it make it harder to tag a specific organization if they're using something that may be being used by other organizations as well?
Yes, it actually becomes a little bit difficult for organizations to track publicly available tools, because in some cases, organizations and
their legitimate IT team uses these tools for things like internal testing of their own security
defenses, or maybe in some cases using these tools to actually manage computers which might not be in
the same physical location as themselves. So when the attacker uses these exact
same IT used tools, it becomes very difficult for that information security professional sitting in
the middle to be able to distinguish between the legitimate intended use of these tools versus
the unauthorized use of these tools by attackers.
Now, they also used some pretty straightforward things like dictionary attacks, but then additionally, they had some custom malware that they spun up as well.
Yeah, I mean, we see this usage of custom malware going down or
really decreasing in the past few years. And we actually think that that trend is going to continue for a long period of time.
In this case, they did use a couple of custom malwares
which have been seen by us in the past as well.
So that kind of gave it away
in terms of who these people might be
and where they might be sitting
because we've seen previous attacks
use these same custom tools.
We're actually pretty certain
that these tools will no longer be used just because usage of these tools will allow attribution a lot easier to a
certain group or certain entity. But in those cases, unfortunately, we're not able to find
the original emails or the original method by which these tools were delivered to the intended victims.
Now, take us through what they were doing in terms of spreading out throughout a network,
the lateral movement, and then getting the data out, the exfiltration.
So in the case over here, once the Leafminer group was able to get into a particular network, their first and foremost job was to
steal an email from the server that they were on. So they would use some publicly available tools
to dump someone's email inbox into a local file and then send that file away to their own servers,
which were external to the organization. But at the same time, they were using these dictionary attacks
or brute force attacks, which essentially just means
I'm going to try to log on as different users on the network
using a predetermined set of passwords, which I save in a text file.
So these are commonly used passwords.
Think of like password, password
123 or QWERTY. These are just very simple passwords, but there's a long, long, long
list of these, which the attacker was trying to use to break into somebody else's account.
And every time they were able to, they would use that same account, dump the email, and then continue in a very iterative manner.
At the same time, the Leafminer attack group was using publicly available any network assets that they could, including searching for wireless networks, looking for SQL backup tools or SQL backup servers.
And in one case, at least, they were able to find the backup server, and they targeted stealing the backup from one of those backup servers.
So think about the backup of the backup itself, which was trying to be stolen.
So one of the things that you point out in your research is that you have some indications that perhaps these folks aren't very experienced.
Yeah, we don't think this group falls under even the average sophistication category. We think that they're on both sides,
whether the technical as well as operational security side, they fall way short, showing us
that they're relatively inexperienced attackers themselves. And I'll break that down. On the
technical side, the fact that they were relying so much upon publicly available tools in a very haphazard manner,
where they were trying one tool and with that fail, they just went online and picked up another tool.
And their lack of sophistication or technical knowledge to be able to tweak certain publicly available tools in order to gain what they intended to do with the tools shows that they
were not very technically capable. Even the malware itself that they were using is sort of
middle of the road in terms of coding techniques and sophistication for that matter. And on the
other side, when I talk about operational security, I'm really referencing the security that they employed
themselves in these operations. So normally we would associate high profile attacks, the ones
where the attacker was able to victimize someone and the victim was not able to know that they were
actually compromised for a longer period of time. In this case, the fact that the Leafminer gang was
very noisy in environments, they were actually probing so many machines. Once they got onto a
network, they were downloading publicly available tools onto these machines, onto these compromised
computers, and then using them in a very ad hoc manner made them very visible to networks where
their presence was, and it allowed us the opportunity also to go and find their staging server. In literally no time we found their server and kept track of it for months until we even published the blog, and on the exact same, their server was still being used.
It just kind of goes to show that these people are not very careful
in hiding their own footsteps.
So overall, we placed them in an inexperienced bucket of attackers.
Now, to that point, were defensive tools detecting what they were up to?
Yes. You know, for most part, the public tools were all already detected by multiple vendors,
including ourselves. In some cases where they did use some of these custom tools,
they did have a degree of success where in some cases they were able to get onto a network,
but just as they got onto the network,
they got detected out there. So we don't think that their success rate was very high overall.
So what are the take-homes for you? What do you walk away with this one from?
How does it inform what you all do in the future?
Well, a couple of things. I mean, one, we tell other organizations not to minimize the potential of publicly available tools against their organizations. We tell defenders that, listen, here's case in point of attack groups who are determined to get onto your network and they're just using what is already available out there.
So please, please, please make sure that you apply the security updates which are available from vendors.
You update your security solutions and you only expose the network assets.
So you only expose servers which are actually meant to be exposed by a business.
There's no point in making an internal server of yours accessible to the Internet if you don't have a business reason for it.
So we're kind of taking this to defenders as a learning opportunity where they can realize the worth of just simply applying these security updates and reducing the risk that their own surface area provides.
From an attacker standpoint, what this tells us about attackers in different places, including Iran out here, is there's a new breed, or there are a whole bunch of people with very little experience who are now getting into the offensive game. These attackers that we believe are operating out of Iran are exactly a poster representation of that message, where the bar is very, very, very low.
And people with just enough motivation, whether it's financial or geopolitical or whatever that
might be, are getting into this action. And the number of attacks that we're seeing are just
going to keep increasing using these living off the land tools.
Do you have any sense for where a group like this would fit into the marketplace in a place like Iran? I guess what I'm trying to get at is, do these folks represent the level of talent that Iran possesses right now? Or are they an unskilled group who's just trying to get their way into the group?
And Iran has an A-team and these folks are not that A-team.
Do you get where I'm going with that?
Yeah, I see where you're going.
I mean, whether it's Iran or any other country for that matter,
the odds of us finding offensive attackers are right across the whole spectrum.
Yes, we will find people who are taking a class in cybersecurity
and they decide that they want to go out and attack other entities. But on the other end
of the spectrum, we'll also find highly skilled individuals who are working under governments,
well-funded, with clear mandates in order to create the tools and sustain attack campaigns
for a very long time. Now, we don't know whether Leafminer was working at the behest of any
government or these were just some enthusiasts who decided to go off on their own with the aim
of getting data and proving themselves to somebody else. But we definitely think that they represent the lower end of that
spectrum. And we see these kind of attacks from other places as well in other countries as well.
And it's kind of hard to say whether the country as a whole only possesses attackers with low
skill but high volume. I think that would be a naive thing for us to think about.
Our thanks to Vikram Thakur for joining us. The research is titled Leafminer, New Espionage Campaigns Targeting Middle Eastern Regions. You can find it on the Symantec website. Thanks for listening.