CyberWire Daily - No rest for the wicked HiatusRAT. [Research Saturday]

Episode Date: October 28, 2023

Danny Adamitis from Lumen's Black Lotus Labs sits down to discuss their work on "No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action." Last March Lumen's Black Lotus Labs researchers discovered a novel malware called HiatusRAT that targeted business-grade routers. The research states "In the latest campaign, we observed a shift in reconnaissance and targeting activity; in June we observed reconnaissance against a U.S. military procurement system, and targeting of Taiwan-based organizations." This shift in information gathering and targeting preference exhibited in the latest campaign is consistent with the strategic interests of the People's Republic of China according to the 2023 ODNI threat assessment. The research can be found here: No Rest For The Wicked: HiatusRAT Takes Little Time Off In A Return To Action

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems,
Starting point is 00:01:43 and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So over the last several months, we've continued to pursue a number of different router-based intrusions, as that's kind of that weird nebulous area that doesn't really get covered very well by firewalls or EDRs, but still poses a very significant threat to networks of our customers. That's Danny Adamitis. He's a principal information security engineer with Lumen's Black Lotus Labs. The research we're discussing today is titled No Rest for the Wicked: HiatusRAT Takes Little Time Off in a Return to Action. So as part of that, we kind of deployed these proactive hunting rules and we were able to actually come across a sample. I want to say it was actually in late 2022, early 2023, about the first HiatusRAT malware sample.
Starting point is 00:02:46 So before we dig into some of the details here, can we touch on your interest in routers here and what makes them particularly noteworthy? So I love router malware because I feel like it's one of those very kind of niche subjects that is, in my mind, one of the most critical aspects of security, but doesn't typically get the coverage that I feel it deserves. This was something that was actually even noted in the latest Mandiant report where they talked about Chinese cyber espionage tactics. And they noted that a lot of these advanced threat actors, such as those posed from China, they tend to live in these networking devices just because there really is no good EDR solution. There is not really a lot of logging. There's not really a lot of monitoring. I would argue if you go into most small or medium-sized businesses and
Starting point is 00:03:34 ask them to point to the router, they wouldn't even know where exactly it is. But as we're going to kind of talk about in this campaign, all of the traffic that comes outside of that network traverses through that one device. So I kind of see that as this very critical choke point where if you're able to actually get access to that router, it could give you access to everything that is occurring behind that device and it can kind of provide that foothold that they need in order to kind of perform the operations that they want to perform and get the information they need to get. Well, let's dig into the research here. Start us off. Who do we suppose this is and what are they targeting?
Starting point is 00:04:12 So we assess that this kind of aligns with the strategic interests of the People's Republic of China. We kind of talk about this, and this is going to kind of be a little bit of a longer talk because our research actually started back in 2022. And then we saw from that timeframe that they were targeting a lot of, I want to say, operational networks that we believe possess rich follow-on access. So if I could quote from my favorite Office of the Director of National Intelligence Cyber Threat Assessment that came out in 2023, they saw that China poses this really broad threat and the most active and persistent threat to U.S.-based government and private sector networks, and that they're going to target, quote, targets of rich follow-on opportunity.
Starting point is 00:05:02 We were seeing things like IT service providers. We were seeing things like MSSPs. These are the sorts of networks that if they were able to target one of those, it could, in theory, actually give them access to a number of their downstream customer networks. We also saw targeting of things that just kind of align more traditionally with Chinese espionage. We saw some municipal-level government organizations. We saw things like the pharmaceutical companies. And we saw a little bit of oil and gas.
Starting point is 00:05:31 And these are just kind of things that typically align with their economic goals. So this starts with a particular model of router, which you point out in the research here is end-of-life. These are DrayTek routers. Tell us about them. Yes. So our initial campaign seemed to focus exclusively on these DrayTek Vigor routers. These are the, I want to say, 2960s and the 3900s. So these were something that have been end of life for a very long time, but they're still kind of existing on the internet. In fact, when we did our first report back in March, we saw that there was about 3,100 of these still existing on the internet based off of things like Shodan and Censys. But based off our telemetry, we only observed targeting of around 100 of them, which means that whoever was behind this campaign was really only targeting about 3% of the eligible population. So again, that kind of led us to believe that whoever is behind
Starting point is 00:06:25 this campaign, they were kind of taking a more targeted approach and they weren't just going after every single device that existed on the internet. Now, one kind of other note I'd like to make is that while we originally only saw telemetry stemming from these DrayTek Vigor routers, we did actually find binaries that were compiled for things like MIPS, for ARM, for some of these other, I want to say, router-based architectures. And then in the summer of 2023, we actually saw them starting to shift
Starting point is 00:06:51 and targeted different types of devices, such as Ruckus Wireless. And again, with some of these other architectures, we believe that, again, this is just kind of where they chose to be. I don't really think the limiting factor was you had to have a DrayTek. It was just you had to be of interest to this particular activity cluster. Well, let's talk about the malware itself. I mean, you point out in the research here,
Starting point is 00:07:14 there are two primary things that they seem to be up to. Correct. So we kind of broke down the targets. So there were two binaries, and we believe they each kind of serve a distinct purpose. One of the binaries should be kind of common to most of your listeners. It was just a variant of tcpdump. tcpdump is just basically a packet capture binary that was compiled
Starting point is 00:07:35 for the ELF format. So this would allow them to actually collect packets as they were traversing outside of that network to somewhere else on the internet. We believe that in the initial stages, we saw a bash script that would actually highlight a couple of different ports. There were things like port 21 for FTP, port 25 for SMTP. They were also targeting things like POP3, IMAP, and they were really trying to get what we believe is more email-based traffic. This would be what we think is deployed
Starting point is 00:08:05 on networks of interest. These are targets that we believe have some sort of strategic intelligence to the threat actor, whereas the second binary that we are actually calling HiatusRAT was the custom actual Trojan. This was a little bit different and affording some of the same functionalities that everyone knows and has come to love over time. You can upload files, you can download files, you can execute commands. But the thing that really stuck out to me is that there were two embedded functions, one of which was called TCP forward, and the other was just called SOCKS5. This is what we assessed was going to be deployed on targets of opportunity. So what we think is that they could be actually targeting networks,
Starting point is 00:08:45 I want to say, within a certain geographical region, and they might be looking for a vulnerable router in that same geographical area. They can then, I want to say, deploy this HiatusRAT Trojan and potentially have a piece of malware beacon out to the router,
Starting point is 00:08:59 employ something like the TCP forward function, and then actually have that beacon go back to a further upstream command and control node that would allow them to add another layer of obfuscation to their work to kind of evade some of that geolocation-based blocking that may exist.
Starting point is 00:11:18 Do you have a sense for how someone would find themselves infected with this? So unfortunately, we were not able to recover the initial exploit. But as we kind of mentioned before, because these were end of life, there are vulnerabilities that exist on places like Exploit-DB and GitHub. It's just really hard to kind of know because I must say they're just so darn old. Our kind of advice is that if you find yourself in an enterprise environment and your router is end of life, it might be time to consider upgrading that to something that actually has that support. And once you actually have a router that supports, you know, patching, we highly encourage people to do things like make sure they know what their router is, have a routine patch schedule, institute some form of logging, and kind of check on it periodically
Starting point is 00:11:57 for abnormal files. You know, it's a really good insight there. I mean, it is that old saying, if it ain't broke, don't fix it. But that really doesn't apply when it comes to cybersecurity and some of these old hardware devices that can be sitting there doing their job for decades. But over time, the vulnerabilities are revealed. If anything, I want to say this is actually, you know, almost a nod to the DrayTek folks that they've made these routers that seem to seamlessly work for years and years on end without any sort of, you know, updating or monitoring. So again, this is not intended to be, you know, anything derogatory towards DrayTek. That was just kind of what the target, you know, took an interest in. But these things just kind of keep on running.
Starting point is 00:12:45 So if it's, again, not broke, why would we try to fix it? Yeah. What about command and control here? What did you all see when it comes to that? So we observed initially two command and control nodes. And they actually kind of did this interesting thing where they kind of siloed operations. We had one command and control server that we called a heartbeat server,
Starting point is 00:13:10 and the malware itself would actually beacon to this heartbeat server every eight hours. Again, in my mind, this is also kind of notable because when you look at most of these campaigns, these like Cobalt Strike beacons or other malware beacons, they tend to be over the course of maybe a few hours or even a couple of minutes. To have something only beacon every eight hours, it kind of really limits that detection opportunity if you're doing this from a host-based network. The second command and control server that we saw in the original campaign was called the upload server. So as we kind of mentioned previously, they were doing things like collecting packet captures
Starting point is 00:13:41 of things like email-based traffic. Well, once they actually had that traffic collected and all those packets captured, they still need to send it somewhere. So this is kind of where we believe that they would kind of just run a script. They would collect X number of packets, and we'll say 10,000 just for the sake of a number.
Starting point is 00:13:57 And then once it kind of hits that limit, it would then upload all those packets to the actual server, and then they would kind of delete themselves because they do have limited storage capability on these routers. Because all this is happening at the router level, what are the opportunities for defenders to detect this? So that's a great question,
Starting point is 00:14:19 and it poses a bit of a problem, I think. You would actually kind of have to start checking your router for this sort of attack. So this is one of the other things I kind of want to highlight. As I'm sure you and listeners know, there's kind of been, I want to say, a bit of an onslaught against email appliances over the past year or two, where people have been targeting things like on-prem Zimbra,
Starting point is 00:14:41 even something that exists in Azure. This would kind of allow them to collect that same sort of data from the router layer without any sort of agent on that email server where you might actually be able to have some sort of EDR-based presence or logging there. Unfortunately, really the only way you can actually tell if you were infected by this is to have your local sysadmin or network engineer log in and check for some of these abnormal files. We kind of highlight this in our report. We noticed that they created their own kind of temp directory
Starting point is 00:15:12 called database. So again, kind of looking at things like your temp files for just directories that don't really belong there. If you see something like database, that could kind of be the tip-off that, hey, maybe this isn't supposed to happen because no one really runs a database on a router. But unfortunately, that's really it for the time being.
Starting point is 00:15:30 Yeah. What is your sense of the sophistication of the folks who are operating this campaign? We assessed that they were highly sophisticated. As we kind of mentioned before, they were very intentional in their targeting. Again, they were only really targeting like 3% of the vulnerable applications. Another thing is we think that they kind of almost
Starting point is 00:15:49 intentionally chose these end-of-life products. Because if you're running a product that's been end-of-life 10 years ago, the odds of people performing that, I want to say, cyber hygiene or due diligence is probably very low. Right. They've already demonstrated their lack of attention, right? Yes. So they've been kind of just able to continue to operate there. But one of the other things that we kind of thought was a little bit unique with this threat actor is that even after we did our initial publication in March, they just kind of continued on with operations as if nothing happened.
Starting point is 00:16:21 This was something that was a little bit brazen almost in my mind, where traditionally there's this fun cat-and-mouse game, where threat hunters look for threats, they publish a report, the threat actor then responds, they kind of configure C2 to be a little differently, they might remodify some of their agents. They actually kept the exact same command and control servers that they were using in March
Starting point is 00:16:41 all throughout the summertime. And then if I can, this is, I think, a good segue. In the summertime, we actually started to see that kind of strategic shift in targeting, where I want to say when we were talking about the early 2023-2022 campaign, they were kind of going after these traditional, I want to say, espionage targets. But starting in the summer of 2023, they really doubled down and focused almost exclusively on Taiwan and U.S. military procurement servers. So again, when we kind of start talking about things like, oh, we're seeing an interest in economic espionage, sometimes it's easy to say, well, that's not really a national
Starting point is 00:17:16 security problem or that's not really something I need to be concerned about because I fit into this other vertical. We then kind of saw them employ those exact same TTPs to start going after these other organizations, which I would argue are more high value. Can you give us some insights on the type of visibility that you and your colleagues there at Black Lotus Labs have into this sort of thing? I mean, the place that you all sit in the ecosystem
Starting point is 00:17:42 that provides you with this sort of visibility? So we kind of have two different types of visibility. We have obviously host and network-based. So working at a US-based ISP, I obviously take a strong interest in routers because we operate a large number of routers from different manufacturers. They're located, I want to say, quite literally all around the world. So we are able to get some of that host-based access that we sometimes use to try to look for these abnormalities. The second thing that we have,
Starting point is 00:18:09 I want to say a little bit unique to Lumen Technologies, is we have that global internet backbone where we collect, and I think it's something like 200 billion NetFlow sessions a day, that allows us to kind of start parsing through this data and looking for who exactly is being infected. And the other nice thing is because we have some of these other assets, like the former Level 3 ASN, 3356, we can actually see some transit information. So our visibility isn't inherently limited to our
Starting point is 00:18:36 customers. It allows us to kind of get that global view that allows us to build those global heat maps that actually show us that there might be targeting in Latin America or in Europe or wherever. And we can kind of correlate all of those logs together to kind of get a better understanding of what the threat actor is. Lastly, we do have some DNS visibility as well.
Starting point is 00:18:56 This is based off our resolvers. I believe that they're posted online. I encourage everyone to use them. We can kind of do things with our DNS-based visibility to try to look for other indicators of compromise and kind of do things with our DNS-based visibility to try to look for other indicators of compromise and kind of help piece all this stuff together by taking some of those network-based indicators, enriching them a little bit with DNS, enriching them with
Starting point is 00:19:14 NetFlow. We feel that we're able to kind of give a more complete story than some other firms. So, Danny, what are your recommendations here? I mean, based on the information you all have gathered, what should people be doing out there? So, there should be a couple things. For this particular type of attack, we believe that the threat actor was essentially exploiting the fact that some network-based data is still being transmitted unencrypted. So, again, they were really taking advantage of things like SMTP.
Starting point is 00:19:42 We would encourage everyone to use secure SMTP. And again, this is just like a small configuration change that can be done by system admin and can really have a bigger effect. We encourage group policies that would use things like secure POP3 or secure IMAP. This is, again, a way to still be able to remotely access your email, but would allow you to do it in a way that provides
Starting point is 00:20:03 an added layer of encryption. And if you are working at a small, medium, or even larger business, we would really encourage people to just kind of know, just think about the fact of what is our routers?
Starting point is 00:20:15 Where are they located? What is our patch cycle? When have they ever been checked? And just kind of be aware of the fact that a lot of people seem to think of the perimeter as ending at the firewall. And I would argue it actually goes one hop further. You need to know what is your actual
Starting point is 00:20:29 router that you're using. And I would encourage you to actually talk to your ISP as well to kind of see what routers they are using. Because again, it's all interconnected. And then the last thing is when you are looking for things like this, I would almost argue that you need to have some sort of analytics in place to look for weird data transfers, regardless of where they are. I know a lot of firms in the past have done things like geo-blocking based off of country code or ASNs. But by using things like HiatusRAT, it would allow a threat actor to actually kind of tunnel all this traffic through an IP address, potentially in the same city as where your organization or where your people are actually living.
Starting point is 00:21:07 And this just kind of breaks that traditional threat model. So again, we just kind of need to have some form of logging in there and data loss protection that could potentially even try to alert us before this turns into a monumental problem. Our thanks to Danny Adamitis from Lumen's Black Lotus Labs for joining us. The research is titled No Rest for the Wicked: HiatusRAT Takes Little Time Off in a Return to Action. We'll have a link in the show notes.
Starting point is 00:22:44 This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening.
