CyberWire Daily - Seedworm digs Middle East intelligence. [Research Saturday]
Episode Date: February 16, 2019. Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
Seedworm is an organization or a group that we have been following since 2017.
That's Al Cooley. He's director of product management at Symantec.
The research we're discussing today is titled "Seedworm: Group compromises government agencies, oil and gas, NGOs, telecoms, and IT firms."
We have a regular list of cyber adversaries that, as an intelligence organization, we track and monitor,
and Seedworm is amongst them. And I suspect, I don't recall back in early 2007, how we first started
on the tracking of Seedworm. But typically, we have proactive threat hunting activities that we undertake as
an intelligence organization, where we go out and both look to update the profiles of cyber actors
we follow, as well as discover new ones. And I suspect that's how they came on our radar through
one of our regular hunting activities. Yeah, well, let's dig into some of the specifics here about
Seedworm and the specific things that you all outline in this publication here. In this particular
case, how did they catch your attention? This is kind of interesting. They actually caught our
attention as part of one of the activities I just talked about, which is regularly updating our
profile of APT28, which is a group that is of high interest to many of
our customers. So we routinely seek out changes in their activity. And so that's what we were
doing. We're actually looking for APT28 activity, which we did indeed find. We were looking at a
system in the embassy of a Middle Eastern entity, and there was indeed APT28 activity there.
But as we investigated, we uncovered evidence of Seedworm activity based upon our previous knowledge of that group.
So this obviously is of interest to us as an intelligence organization. So we did some digging and
investigation and we uncovered evidence of activity that was not previously known. We were not only
able to see the initial entry point, but we're able to track subsequent activities after the entry
and see their lateral movement activity. Is the conclusion then that Seedworm has some sort of relationship with
APT28? No, we don't think that's the case. You know, certainly that's something you go and
investigate because as you know, there have been cases in the past where what was thought as two
independent activities have turned out to be somewhat related. That wasn't the case here.
We continue to track these as two separate activities. It just happens to be that they were on the same system,
obviously a system which was thought to have interesting data since they were both there.
I see. So let's dig into some of the details about Seedworm itself. Can you take us through
how does it work? How does it get in, and what does it do once it's there?
Sure, sure. Always interesting and kind of the heart of what we're trying to communicate to
your audience so that they can better prepare themselves. So in a typical Seedworm compromise,
the compromise is initiated via an email, which would contain a malicious macro-enabled Microsoft Word document.
And that, of course, delivers the custom malware that they're known for using.
Once the victim opens the lure document (PowerMUD is the name of the custom malware that they use)
and enables macros, then the malicious code executes. Now, obviously,
they do some social engineering and do some preparation of the email and the document to
make it look attractive. So once the malicious code executes, it gathers system configuration
information, and that might be IP information, OS, username, and so forth, and registers that
with the CNC infrastructure. And then it goes on to retrieve additional commands.
One of the interesting things we saw is that Seedworm attempts to hide their own CNC
infrastructure behind a proxy network of compromised web servers.
So they are trying to be somewhat discreet in that respect.
The folks who spin up Seedworm, what sort of tools are they using?
Is it off-the-shelf stuff?
Are they customizing their own tools?
What's the breakdown there?
Yeah, it's actually a combination.
So they do have their own malware. There was, or is, the PowerMUD backdoor,
which is a custom tool created by or on the behest of that group.
And a new tool we discovered in this publication, which we call PowerMUDdy. So two backdoors that
are custom to them, and those perform relatively similar functions.
The new variant, PowerMUDdy, is a code rewrite of the older PowerMUD backdoor,
which had been enhanced and evolved over a period of time,
likely for the purpose of ensuring it remains able to avoid detection, or trying to avoid detection. So the backdoors are a custom
tool that they've developed. And then they also use either off the shelf or customized versions
of some open source tools. So these would be things like LaZagne for finding passwords and
harvesting passwords, and CrackMapExec, which would help
them with lateral movement. So those types of tools are either used as is or with customization.
And then interestingly, we found that they were using a GitHub repository too. That's kind of
interesting. When we looked in there, we found custom PowerShell scripts that mapped to activities we had seen in compromised sites, as well as customization around some of those off-the-shelf tools that we had seen in victims. So a combination of custom and off-the-shelf tools.
Now, you also discovered a Twitter account that you think might be associated
with the group? Yes, yes. And so, you know, this is the case where once you discover something like
the GitHub account, we look for similarities in other media to the profile of the account we
discovered at GitHub. And we found a profile at Twitter that aligned pretty closely to the
account in GitHub. And then when we went and looked at the activities of that Twitter account,
we could see that the individual who set up that account was following researchers that
wrote on Seedworm. We also discovered that they were following people who did enhancements to the tools they use.
So that confirmed our thought that these two accounts are associated with the Seedworm group.
Yeah, interesting as you pull that thread. Let's walk through some of who they're targeting and
how they're going about doing it in terms of the victims that they're going after here.
What were you seeing there? Yeah, it's interesting. From a victimology perspective,
we did an in-depth dive into roughly a two-month period. So from late September to mid-November of
last year, we found 131 unique victims compromised over that rough two-month period. And we're pretty lucky because
we have a large repository of sensor information that we as a large cybersecurity company have
available to us. So we're able to see a lot of activities that were difficult for many people
to find. So yeah, so we found 131 unique victims that are compromised
over that two-month period. Most of them were located in the Mideast. So that would be places
like Pakistan, Turkey, Saudi Arabia, and places like that. But there were some that were in both
the European Union and North America. But when we did a little bit of poking into those victims, we found many links from those victims back to the Mideast.
So the Mideast seems to be the common thread that we see amongst a lot of the victims.
You can also look at the victims from an industry perspective because that gives you some different insights into what they might be after. And they included government agencies, oil and gas production
companies, and some non-governmental agencies, which tends to point you in the direction of
cyber espionage. We also saw a reasonable number of victims in the service industries,
IT and telecom services. So those aren't typically thought to be victims themselves, but more as a vehicle towards
getting further information on the end victims, because they're likely to be providing services
to those victims. Now, in terms of what they're after, do you have any visibility there? What do
you suppose their goal is here? Yeah, typically a cyber espionage
group is tasked by their sponsors to getting information, actionable information on issues
that are important to the sponsor at that point in time. So that can be information on organizations
involved in discussions that are going on that are important to them,
individuals who may be driving actions in either geographies or topics of interest to them.
So that's typically what they're tasked with getting.
I see. Now, in terms of folks protecting themselves against these specific attacks,
what are your recommendations?
There's a variety of things that people can do. Certainly, you want to make sure you have
in place both network and endpoint protections because there are detections available for
the malware that they're using. And in fact, when we looked at the victims that we studied, we did feel that those protections were firing. So certainly put those in place. Other things you can do is the monitoring of administrative tools. Those should be monitored and you should not see anybody using administrative tools that's not an administrator in your organization. So if an end user is using an administrative tool, that is something you should definitely take a look at.
Other things you can do are the basic things around end user education. Don't download
documents you are not familiar with. Don't open them. Don't enable macros, all those
basic housekeeping. Organizations can also monitor or block access to the network
locations that we've outlined in our publication. So the command and control infrastructure,
you can be monitoring connections to there. And you can also do searches for the
hashes that we provided for the files. So there's quite a range of things that
people can do to protect themselves. So what's your estimation of the level of sophistication
of this group? This group has been quite active, as we saw from the number of victims. They appear
to be successful, as we saw from the number of victims. But I would not put them on the sophisticated end of the
spectrum. They seem to be focused on speed, agility, and getting the information they want
rather than stealth and caution. So I would not put them on the sophisticated end of the spectrum,
but I would say they are obviously being effective with the tools they're using.
And how about persistence? When you've discovered them and alerted organizations to their presence
and taken action to get them out of the system, what's that process been like? Do they come back
and try to get back in? Or what do you see there? No, I think it appears that their targeting changes over time. So it doesn't
appear that targets of interest on day X are necessarily targets of interest on day Y.
There may be some exceptions to that, but that's a judgment based upon the analysis we've done.
Are there any sort of overarching take-homes? When you look at the big picture of
what a group like this represents in the larger ecosystem, if you will, of the folks that we're
defending against, any thoughts on where they sit in that ranking? Yeah, I would say these are
not folks that I would put at the high end of the importance list to our customers.
Certainly, they are being successful at getting information that is relevant to their sponsors,
but they don't have the large impact and footprint that would put them at the high end of our customers' concern list.
They're certainly active and need to be paid attention to, but I wouldn't put them at the high end of that list.
Our thanks to Al Cooley from Symantec for joining us. The research is titled "Seedworm: Group compromises government agencies, oil and gas, NGOs, telecoms, and IT firms."
We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios
of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner. Thanks for listening.