CyberWire Daily - Running away from operation Tainted Love. [Research Saturday]
Episode Date: May 13, 2023
Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 2023. The research states "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41. The research can be found here: Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly
evolving cyberspace.
Thanks for joining us.
It all started when we at Sentinel Labs and Q-Group, that is a partner incident response
company in Germany, observed some malicious activities at Microsoft Exchange server sites.
Our guests this week are Aleksandar Milenkoski and Juan Andres Guerrero-Saade
from SentinelOne's SentinelLabs. We're discussing Operation Tainted Love,
Chinese APTs target telcos in new attacks.
What this really turned out to be was the initial attack phases
that the threat actor was conducting.
So this involved mostly
reconnaissance and credential theft
activities. That's Aleksandar
Milenkoski. Some of the initial
TTPs that we observed were
mostly the use of the net Windows utility for reconnaissance, the PsExec Windows Sysinternals tool for lateral movement, and of course, Mimikatz modifications for credential theft.
Before we dig into some of the technical elements here, what is your sense in terms of who they're targeting and who may be behind this?
Okay, so I will start and JAG, you can just add on it.
So regarding attributions, I think there are multiple components to this answer.
So first, targeting telcos in the Middle East aligns closely with the targeting strategy
of the Operation Soft Cell actors, which Microsoft tracks as Gallium.
So further, the TTPs that we observed closely match those documented
in previous reports on Operation Soft Cell and also related activity clusters.
And finally, the PDB path of the MIM221 tool,
which we focus on in our article,
overlaps with the PDB paths of tools used in Operation Soft Cell and also related activity
clusters. So basically, pivoting on this PDB path,
we observed or identified a previous version of MIM221,
which is signed using a code signing certificate,
which is known to be shared between APT41
and Gallium.
So basically, this led us to our assessment that we're dealing here with a threat actor somewhere in the nexus of APT41 and Gallium
with a possibility of a shared tooling vendor.
I think at that point, some of what you have to look at with these Chinese threat actors is
they really just get incredibly complicated to parse.
That's Juan Andres Guerrero-Saade. He goes by JAG.
If you notice, there's quite a bit of ambiguity or back and forth between different threat intel
providers when it comes to APT41, Barium, Lead, Gallium. And then obviously when you get into folks that are talking more about campaign names
like Operation Soft Cell and now how we try to cluster Tainted Love
as a sort of evolved campaign,
it's actually fairly complicated to sit down and then say this is particular to this cluster.
When you look at a set of tools like this,
as has happened with things like ShadowPad
or PlugX in the past, there's definitely the notion of a, you know, is it a contractor? Is it a
quartermaster? Is there just some sharing arrangement between certain state functions that might have
access to the same tools? And who are we looking at? In this case, you know, things pointed more
towards Gallium,
but you're always left with this slight sense of uncertainty
that you know the general sort of region
that this is coming from,
and you have some groups that are connected to it,
but it's not as clear-cut as dealing with
monolithic threat actors that have
closed-source tooling all on their own.
And in terms of the targeting here,
it seems they're going after the telecommunications sector?
Yeah, definitely.
As I said, as we identified initial attack phases,
we observed multiple Exchange sites
affected at different telecommunication providers.
And just for background, I mean, why the telecommunications sector? What information
does that provide for folks like this? How does it suit their interests? The telecommunications
sector is particularly interesting to cyber espionage actors, as you can imagine. Obviously,
different threat actors have gone after different things, but it's such an enabler for future operations,
for tracking individuals, figuring out who's in touch with whom, who has service where.
And depending on the level of access that you get to a telco, you can even talk about how it'll
enable further downstream operations. So we actually see a lot of threat actors targeting telcos. And I think an increasing interest
from Chinese threat groups,
probably since 2017, 2016,
when I think there were some discussions
about early tooling for spying on SMS messages
in particular parts of Asia
during the riots in Hong Kong, for example, where you can
tell that it's a sort of obvious enabler of intelligence requirements, but how different
threat actors go about that, you get all kinds of flavors. Well, let's walk through the specifics
here. I mean, how does someone find themselves a target of here? How do they get their initial foothold?
And then what do they do once they're in? This particular activity cluster that
we analyzed, we basically observed
web shells at certain Exchange sites, which were basically
modifications of China Chopper, that is a web shell that is commonly used
by Chinese threat actors. Forensic investigations are still ongoing for certain Exchange sites where
we basically suspect that the threat actors may have exploited a vulnerability or vulnerabilities
in Exchange deployments for ultimate command execution on those sites.
Yeah, I mean, since the Hafnium catastrophe or however you want to refer to it,
there really has been a massive increase
in the love of web shells as initial infection vectors.
And in some case, we might be able to talk about
novel exploits being used,
but there's still so many folks
with vulnerable Exchange servers
that you're basically just asking for it at that point.
So what does this group do specifically here?
Where are they parking the files that they generate?
What sorts of tools are they using?
We observe the exfiltration to attacker-owned hosts,
but we don't have further intel on that one.
So we observe them using different utilities to exfiltrate, tools which are mostly tools that are available in the public domain,
which are mostly tools that are available in the public domain,
but we don't have further visibility in that direction.
Yeah, I think in many ways, a lot of what you end up seeing in these ops,
it's not the entirety of the actor's intent.
And that can make it a little bit difficult to understand what the full impetus of the operation is, right?
When you get initial access to a web shell, lateral movement, then deploying something like a modified version of Mimikatz,
you're trying to steal credentials, you're trying to understand the network that you're in. In some cases, it looks
like they already had an understanding of the network they were going after, which is why we
look at things like Gallium and having had previous access to that network or attempted to be in that
network before, and you start to kind of add two and two. But when you're going for credential theft and you're going for this sort of understanding,
in many ways, the fact that our product ends up killing some of the execution thread
leaves us in this very, I think this sort of like researcher's dilemma, right?
You're happy that your customer isn't popped, but we would have really liked to know what
exactly they would have done
if they'd had free rein.
But you could tell that they're at least
trying to grab enough to be able to continue
to not necessarily have a foothold,
but if you get kicked off,
if the DFIR comes through and cleans you out,
to hopefully be able to come right back in.
I think it's important to add here
that also what we mentioned in our report
that we observed only the initial attack phases, which involves mostly exfiltrating reconnaissance
information like network topography and additional host information, as well as credentials.
So as we documented in our report, we were able, basically the incident response team stopped
the attackers' activities in this phase.
I'm curious how you would rate the sophistication of this organization.
And I guess part of my question is,
is sophistication required for this sort of thing?
If we had talked about this five to seven years ago, the discussion of really leveraging
access to a telco would have usually come coupled with discussions about extreme sophistication,
we would talk about things like Regin or Plexiglas or some of these
really particular threat actors where you go in and you know these are like master of the universe,
sophisticated actors who are going to leverage that access as efficiently and innovatively as
possible. That's not what we see now. Telcos have become not just increasingly popular, but also
being leveraged by a variety of threat actors.
So something that Alex and I worked on, along with Amitai Ben-Shishan Erlich,
last year was our research into a threat actor we called Metador.
And what was very interesting about that research process
was not just seeing this novel threat actor in a telco, but that we found it, or particularly Amitai, had to disambiguate what was Metador's toolkit from among more than
10 threat actors that were attempting to reside within the same telco.
So it just goes to show that we're no longer talking about these rare targets and only specific threat actors might go after them. They're very popular, they're very valuable.
And you actually have, in this particular case, we had a dozen different APTs in there, and that's without even talking about getting your script kiddies in there, people who want to do phone activations, Lapsus$, etc.
So it's just a very populated threat landscape when it comes to that vertical.
Yeah, it's a really interesting insight. So based on the information you all have gathered here, what are your recommendations for folks to best protect themselves?
So it's actually, it's quite interesting to kind of discuss that in particular when it comes to a telco, you have such a varied set of systems and requirements.
In particular, I think having a good understanding that what a telco does by its very nature is something so desirable to multiple types of threat actors that this kind of access should not be an afterthought.
And I think it isn't to most ISPs and telcos in the US
and in parts of Western Europe,
but it's actually kind of a hard message to drive
to the variety of telcos out there.
Obviously, recommendations for us,
we don't get into sort of the sales side of the house,
but I can tell you from an investigations perspective,
we've actually had quite a few
setbacks and bumps in the road when it comes to disparate deployments. So for example,
we'll go into a telco, they have XDR rolled out in all their Windows machines, we can see everything
that's happening in those Windows machines, we find all these tools, then it's really quite evident that the
threat actor is subsequently moving into or communicating with the core infrastructure,
Linux servers, things that are actually managing a lot of the operational infrastructure inside of
a telco. And there's a tendency to not have any coverage on that side. So both on the DFIR perspective and for us as an endpoint vendor, it's actually a really frustrating situation because you can see whole portions of a narrative of what's going on.
And where a lot of the more interesting, more valuable stuff is happening, it's this complete darkness that comes with not having any telemetry, any logging, anything sort of producing
a kind of black box record of what happened. So in many ways, it's not just to know that you're
a target, but also to have a sort of evenness of coverage that's going to let you get on top of an
op and say, obviously, we're not going to reroll the entire core infrastructure of a telco.
We need to keep working.
But it would sure be nice to be able to say, well, we know exactly what they were after
and what they were doing and that we've gotten ahead of that threat once we became aware of it.
Why do you suppose we're seeing that gap with the telcos?
Is it awareness? Is it resources?
A mixture of all those things?
I'm sure it's a mixture of all those things.
I think there's also just different mentalities
when it comes to the administration of Linux systems,
when it comes to even endpoint agents
for Linux, Mac, just general Unix systems.
I think there's an outdated perspective among Linux sysadmins
that because they have so much, quote-unquote, control over what they've deployed,
that they have a greater sense of certainty and awareness of what's happening,
and they think that they know what's happening inside of those systems
to a degree that we tend to assume we don't know when it comes to consumer systems, when it comes
to Windows systems. And nothing could be further from the truth. I mean, we've been seeing threat
actors taking advantage of Linux malware that has lived for 10 years unchanged and continues to
compile for those newer Linux distributions. And at the end of the
day, the only defense is a password. A password that is even more vulnerable now because you're
in a network and there's all kinds of very weak practices that go into how passwords and hashes
are managed across a network. So there's a very kind of outdated mentality that goes into managing
those systems. And it tends to mean that folks who might really know to rely on a lot of security
telemetry generation on Windows and maybe Mac tend to just skip it when it comes to their Linux
servers. I can't tell you how disappointing it is, at least on our end, to not be able to see what's happening there.
How does this campaign track with what we expect to see from Chinese threat actors?
Is this a part of a continuum or where do we stand there? I think in a way it's part of a continuum
of espionage activity that we've all grown very familiar with, but it's also representative of how threat actors and threat clusters related to China have changed in ways that maybe we
haven't updated our concepts for. We're starting to discuss this internally as a sort of notion
between first generation of threat intel, second generation
of threat intel, the difficulty that we have now is we kind of have to wrestle with the old concepts
that we proliferated and popularized over the past 10 years or so, where a lot of these threat
actors have changed. Those organizations have reorged. Some APT front companies have gotten sanctioned. They've changed.
Some practices have just plain changed. They've been updated. Those organizations decided to
restructure how they work. You have different contractors in the middle. You have different
providers of tooling and so on. So I think a lot of the time we expect to see what we were used to
with the threat actors of 2015, 2016. And instead, what you see now is a variety of more nimble
threat clusters that are a little harder to categorize. You see tool sharing that, again,
makes it a lot harder to categorize who you may be dealing with. And there are certain segmentations
by functions and almost
ephemeral operations that take place when it comes to initial access on the Chinese side in particular
that a lot of us seem to be having a hard time tracking. And when we do get a sense of it,
having a hard time explaining properly to folks who are still latching on to the discussions of your old APT3, APT10,
just an older generation of exposed threat intel
that is no longer quite the case.
Our thanks to Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs.
The research is titled Operation Tainted Love, Chinese APTs target telcos in new attacks.
We'll have a link in the show notes.
The Cyber Wire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer
Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave
Bittner. Thanks for listening.