CyberWire Daily - New targets, new tools, same threat. [Research Saturday]

Episode Date: October 19, 2024

This week we are joined by Chester Wisniewski, Global Field CTO from the Sophos X-Ops team, to discuss their work on "Crimson Palace returns: New Tools, Tactics, and Targets." Sophos X-Ops has observed a resurgence in cyberespionage activity, tracked as Operation Crimson Palace, targeting Southeast Asian government organizations. After a brief lull, Cluster Charlie resumed operations in September 2023, using new tactics such as web shells and open-source tools to bypass detection, re-establish access, and map target network infrastructure, demonstrating ongoing efforts to exfiltrate data and expand their foothold. The research can be found here: Crimson Palace returns: New Tools, Tactics, and Targets

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. We originally published some research back around the May 2024 timeframe called Operation Crimson
Starting point is 00:02:00 Palace about some China threat actor activity targeting a Southeast Asian government. But it turns out right after we published the research, the threat actor came back and resumed their activity with some new tools and tactics and even some new targets that were involved. And so this year, we just published a kind of a second part of that research continuing on with what these China-based threat actors were up to and some of their tooling and approaches to compromising victims. That's Chester Wisniewski, Global Field CTO from Sophos' X-Ops team. We're discussing their work
Starting point is 00:02:39 Crimson Palace Returns, New Tools, Tactics, and Targets. Well, before we dig into this current round of research that you published, what background should our listeners have on Crimson Palace? Well, in essence, we originally uncovered three different groups that appeared to be working in a coordinated fashion that we refer to as group Alpha, Bravo, and Charlie. And there was a high degree of coordination in their activities where we literally would see certain days of the week Alpha would be in there and then another day of the week Charlie would be in there. Sometimes even within hours, one would leave and then the other would come in. So it was quite clear that they had distinct tactics and tools they were using,
Starting point is 00:03:31 but there was a high degree of coordination. So that kind of was where we had left off. And at the end of that research, it was obvious that the group Charlie was seeking information relating to conflicts in the South China Sea. And that was kind of where we left at the end of the original research was with one victim, but clearly a coordinated activity that appeared to originate in China. And so you saw this resurgence of Cluster Charlie. This took place in August? Yeah, that's right.
Starting point is 00:04:08 We started seeing activity after a couple weeks return in August of 2023. And then we were able to observe their further activities all the way through the late spring and early summer of 2024. And so what are you seeing currently in terms of who they're going after and how they're doing it? Well, we've observed that there's at least 11 other organizations within the region that they've managed to gain access to. Now, not all of those are Sophos customers. So that means that we don't necessarily have an immediate ability to know how they were compromised or what they might be doing in those networks. But we can observe activity from those networks to known command and control or known malware payloads and things like that, that we are able to observe that they're likely breached by these same threat actors.
Starting point is 00:05:02 We've also got a lot more experience observing their tooling and their ability to evolve and evade detection within the networks that we do have access to. And a lot of that, originally, Cluster Bravo, we did not have a lot of information about what they were up to.
Starting point is 00:05:24 And a lot of the new activity we observed appears that Cluster Bravo is compromising these other organizations in the region. One of the things that caught my eye in your research was this idea that they were sort of testing your capabilities, seeing to what degree could you and your Sophos colleagues track what they were doing? Yeah, there's a couple levels of that that were going on that I found interesting. I mean, one of them is, of course, we noticed them downloading trial versions of our software, but instead of testing it on the computers where we believe the perpetrators are located, they were actually intentionally using VPNs to obfuscate the location to appear to be in the United States or in Europe instead of in Southeast Asia.
Starting point is 00:06:12 Fortunately, we were still able to quickly identify that it was the same threat actors trying to test their malware out against our code. And when we traced it back, noticed they were VPN endpoints in the US and Europe. So they were likely just using that for some obfuscation. More concerningly to me, though, is just the real, you know, we talk about advanced persistent threats ever since Mandiant coined that term back with APT1. And just the level of persistence and the level of coordination, we got a really front-row seat to observe it. As you say, they were kind of obviously trying to evade our threat hunters in our software. But more than that, we could see how quickly they were able to, you know, they had some bespoke tooling for backdoors and command and control.
Starting point is 00:07:03 We were actively defeating it. So of course, they stopped temporarily, but they don't stop the attack, right? They just shifted immediately into using some open source tooling, some commonly available things that you can get on GitHub and other places to continue to attempt to maintain access within these environments. And while we were battling them and doing that, within 48 hours, they were back with brand new bespoke tooling that we had never seen before. So it almost looks to be like, you know, there's probably a software development team backing this group. And when their tool is burned, they don't stop attacking. They start using some open source things to try to continue
Starting point is 00:07:41 their mission, if you will. But in the background, another team is on the fast track, developing brand new bespoke tooling for them to use in hopes of evading us once again. And that all happened typically in a 24 or 48-hour window, right? So we're talking very fast, rapid action on behalf of the attackers. Wow. Can we talk about some of the tools that they use in the research? You specifically mentioned something that you all named TattleTale.
Starting point is 00:08:08 What does that do, and what are some of the other things that they have in their toolbox here? Yeah, the Tattletail was the bespoke keylogger and information stealer that was used within these environments we had not observed previously. At least to date, we had not observed previously. And at least to date, we had not been able to find any other research on. So we did name it Tattletail. And I want to call out because I know the kind of people that listen to your podcast.
Starting point is 00:08:34 And this is one of the reasons we're happy to be a part of it, which is we really want this information to get out there and find out other networks that may have TattleTale on them, right? This is a good bespoke indicator of these threat actors. And so we're hoping other research teams can use some of the information that we've published in this research to help us paint a more complete picture.
Starting point is 00:08:55 Because we know we've only got access to a certain percentage of victims that we were able to gather this intelligence from. And it's very unlikely that they're not compromising non-Sophos customers in the region as well, right? So we really see this as a key part of the community coming together and hopefully sharing some more indicators where people can observe what we've shared. What did you see in terms of command and control operations? I think the most important piece, I mean, there's nothing particularly novel about it other than, again, the tooling moving from bespoke to open source and back to bespoke. But what made it difficult to track in many cases is that they were using other similar victim organizations in the region to relay the traffic through for both hosting some of the malware and for command and control. And that made it somewhat hard to spot, right?
Starting point is 00:09:49 Because you didn't have something unusual sticking out in that those networks were communicating together legitimately in addition to the compromised C2 traffic and malware traffic, right? So it wasn't enough simply to look for IPs you weren't used to seeing communication with. You actually had to analyze what was in those packets because those organizations were already regularly communicating, for example, over HTTPS. And so it was very obfuscated within expected traffic, which made it more difficult than usual.
Starting point is 00:10:28 You also mentioned that back in January of this year, you all observed them using what you describe as modified samples of RealBlindingEDR, which is a tool that is designed to circumvent EDR solutions. Is that right? Yeah, this is a trend everywhere right now. Lots of EDR killing or EDR evading tooling out there. There's a mixture of things that either are abusing drivers that are signed by Microsoft by accident, where the criminals are, in this case, I guess, if they're nation states, I don't know if we refer to them as criminals or threat actors, I guess is the correct term. But let's say the adversary, sometimes they're tricking Microsoft into signing drivers that then allow them to evade and unload EDR products.
Starting point is 00:11:22 And I was just actually speaking with our researchers yesterday, and we're currently observing a shift away from that tactic and back to abusing legitimate drivers that have been signed by Microsoft that have a vulnerability that allows those to be utilized by these types of tools to, again, unload the existing EDR software, whether that's from us or our competitors or Microsoft or whomever. Unfortunately, all kernel drivers are equal when it comes to Windows, meaning
Starting point is 00:11:52 any of them can be abused to unload the others. So everyone is vulnerable to these tactics. We'll be right back. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:12:20 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:57 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
Starting point is 00:13:43 one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. You know, as I ran through the research, I mean, one of the things that really struck me was how, and you've pointed this out, that it seems like this threat actor has practically an unlimited bag of tricks, that they will just keep going to the well and trying different things, and some of it's bespoke and some of it's open source. Is it safe to say that for folks in your situation, it really does kind of keep you on your toes?
Starting point is 00:14:33 Absolutely. I mean, this is one of the more advanced cases that we've dealt with within our MDR service. And obviously, our best people get fascinated by these kinds of threat hunts because you've got such a capable adversary that it really is mano a mano. It's a battle of wits sometimes to see who's going to be able to get the upper hand. And as you point out, they're very well resourced. And I don't think this is different than any other government, let's be fair. U.S. Cyber Command has some of the smartest and brightest, hardest working people. And they get up in the morning
Starting point is 00:15:08 and they've got a mission to accomplish. And we shouldn't think any different of these adversaries. They've been given a mission. They're not going to give up on their mission. They're trained to continue doing it until they achieve whatever their target may be. They work in highly talented teams of people who are working closely together to accomplish that mission.
Starting point is 00:15:29 And I think that means on the defender side, well, one, I mean, the defense is never done because if you're successful and hopefully continually defending your target, there's an unending wave of them coming back at you again. But more than that, I think it really demonstrates how much our community has to pull together and work together, both through information sharing across the private sector
Starting point is 00:15:50 and the public sector, if we really want to have a chance at this. I mean, if these guys have Team Alpha out there gaining access and Team Charlie knowing what data needs to be stolen, and potentially, whether it's Team Bravo or perhaps even Delta or Echo out there developing this bespoke software for them, if we want to have a chance at defending ourselves, we need to be sharing information and these tactics and working together as a team with equal cooperation and efficiency if we want to succeed. You mentioned threat hunting, and it seems to me like this is a good example back on 24 by 7 active monitoring and threat hunting. And our team actually presented some of this research at Black Hat back in August. And that was one of the things that we talked about in the presentation was sort of the, you know, we think they're going to come back tonight and we've set the trap with some new telemetry gathering tools so we can observe them.
Starting point is 00:17:07 And then you're sitting there and you're sitting there and you're looking at the clock and it's 2 a.m. local time. And you're like, damn it, I thought they were going to be here an hour ago. Every night they've been here, right after midnight my time, and they're still not here. And just as you're about to give up at 3 o'clock in the morning, boop, your alarm goes off, they're back. And the adversary gets to know you and you get to know the adversary. There's a real human element to this that it's not just bits and bytes and exploits
Starting point is 00:17:31 and memory corruption vulnerabilities. There's human beings and there's psychology involved and the highs are very high when you're winning and the lows are very low when you're defeated. We have to remember how important that human element is. We started off this conversation talking about how this adversary went quiet for a little while. And I'm curious, as a researcher, when that happens, to what degree in your mind are you thinking, okay, these folks have gone quiet, but is there still a corner of your brain that's saying maybe they haven't gone quiet? We just can't see them right now.
Starting point is 00:18:11 That's exactly where my brain goes. I'm like, I mean, in this case, I think they actually had gone quiet. We're not quite sure perhaps to regroup and decide on some new approaches and tactics, but my mind is always, look, if we're in security, we're naturally pessimists that anything can be safe or secured. And if I'm not seeing it, maybe I'm just not looking in the right place. And in particular, when you're assuming that this, we don't know for sure that these Alpha Bravo and Charlie, we don't know if they're directly people working for the Ministry of State Security in China
Starting point is 00:18:44 or if they're contractors or if they're freelancers. We don't identify them ourselves. We were unable to definitively attribute them to their individual roles, but we do know that they're working in coordination and appear to be achieving goals on behalf of China one way or another. And once you know that that's the kind of adversary you're against, of China one way or another. And once you know that that's the kind of adversary you're against, and you talked about resources earlier, the U.S. Cyber Command estimates that the MSS alone probably has access to 100,000 people or more
Starting point is 00:19:14 working on these types of things. So it's a vast amount of resource that you're facing, which means you're expecting that they're never going to go away unless you've truly failed and they've gotten whatever they're after. And when we're talking about intelligence information and espionage, arguably that even if it's stolen, there's always more and newer information that they're going to want to maintain access to continue to gather intelligence. So really, it's no different than any other spying game. It's just electronic, right?
Starting point is 00:19:47 Spying's always going to happen, and we're always going to have to be vigilant. So what are some of the lessons that organizations can learn from this particular campaign? If they're looking to strengthen their own defenses against cyber espionage, what are the take-homes here? Well, I think I look at this at two levels. I look at this at the vendor level, and I look at this at the individual organization that may be compromised.
Starting point is 00:20:12 At the vendor level, I think we need to continue increasing our information sharing and cooperation with one another because all of us only have a sliver of the whole picture, and we need to make sure, in this case, we worked with a lot of other vendors. I know we had done some information sharing with Elastic. We had done some information sharing with Bitdefender on some of the malware. There were quite a few different security companies that we had found evidence that had published research that clearly some of it aligned with ours, right? And we made sure that those communication channels were open for us to communicate.
Starting point is 00:20:48 That's one level I think the cooperation needs to be happening at. And then for the individual organizations, unless you have a very large, well-resourced SOC, if you detect this type of activity, you do need a third party to come in and help you. And obviously, we like it when people choose our service, but it doesn't matter whether it's us or our competitors. You really have to have a crack team of people that are used to dealing with this type of threat actor to be able to follow up on these 24-hour cycles of brand new bespoke tooling coming in and this type of thing. It's top-level, grade-A game, and you really need to have help with that. And more than that, also your government agencies in the region. So, you know, most countries have some sort of a CERT, and that acronym has changed over the years in
Starting point is 00:21:33 different countries to mean different things. But whatever country you're in, you know, in the United States, of course, most of us work with CISA. But, you know, in Australia, there's ACERT, and, you know, in different countries, they all have some sort of a cert. I think you need to make sure you're engaging at that level immediately because the states themselves are sharing these IOCs about their adversaries and they're going to have more information on what to watch for and what types of behaviors. Because after a while, you kind of get into, everybody builds habits, right?
Starting point is 00:22:06 And these attackers have habits too. And if that information gets shared with you early, you can kind of guess their next move on the chessboard and perhaps be there waiting for them when they take their next move. But to get that information is an international effort of governments, the private security sector, and the victims themselves all coming together for this. Well, and as you rightly point out, you never know what piece of the puzzle you might be.
Starting point is 00:22:32 Oh, precisely. And even the biggest companies in our space, no one has a complete picture of the data. And our governments don't either, right? Like, perhaps through signals intelligence, our intelligence agencies may know some information about say command and control that the private sector may not know. But ultimately only Sophos or Sentinel-1 or Microsoft is on the desktop gathering intelligence directly about the malware
Starting point is 00:22:58 and the commands being run and typed into the PowerShell on the machine that's been compromised. And to paint the complete picture, we all have to work together as one team. Our thanks to Chester Wisniewski from Sophos XOps for joining us. The research is titled Crimson Palace Returns, New Tools, Tactics,
Starting point is 00:23:32 and Targets. We'll have a link in the show notes. And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies
Starting point is 00:24:09 to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Our executive editor
Starting point is 00:24:27 is Brandon Karf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:25:17 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
