CyberWire Daily - Strategic titles point to something more than a commodity campaign. [Research Saturday]

Episode Date: April 10, 2021

Guests Gage Mele, Winston Marydasan, and Yury Polozov from Anomali join Dave to discuss their research into Static Kitten targeting government agencies in the UAE and Kuwait. Anomali Threat Research uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East. This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. Anomali's team found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. The research can be found here: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. Hello everyone and welcome to the CyberWire's Research Saturday.
Starting point is 00:01:37 I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So we were doing some routine intelligence collections, and it turned out that Winston and I were looking at the same sample, but we didn't realize it. We had a pretty good laugh, and then we realized, hey, this is something that is worth our time to see what else is unfolding. Joining us this week are three researchers from security firm Anomali: Gage Mele, Winston Marydasan, and Yury Polozov. The research we're discussing today is titled
Starting point is 00:02:21 Probable Iranian Cyber Actors, Static Kitten, Conducting Cyber Espionage Campaign Targeting UAE and Kuwait Government Agencies. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
Starting point is 00:03:05 more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation. And detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Starting point is 00:03:47 Learn more at zscaler.com slash security. The name of the samples were intriguing, right? Analysis and study of normalization of relations. That's Gage Mele. Strategic titles. Like, okay, this is interesting. This doesn't seem like your typical commodity campaign. So based on that, I would go and add some geopolitical context and see what's going on in the world as to why an actor would use a topic like this. And then once I realized some of that stuff, then I would touch base with Winston regarding the technical capabilities of this campaign.
Starting point is 00:04:34 Well, let's go through it sort of step by step here. I mean, the first way that someone would find this in front of them is these zip files that you identified. These were used by Static Kitten. What was going on with these? Yeah, good question. Winston, do you want to talk about the zips? Yep, yep. Winston Marydasan. As Gage said, the analysis and study of the normalization of relations between Arab countries and Israel, that was the name of that particular zip file. So on further analysis, we found that the zip file contained an executable with the same name. On closer look, it turned out to be a ScreenConnect client executable, which is a
Starting point is 00:05:13 non-remote desktop software owned by ConnectWise. And now it's called ConnectWise Control right now. So it's basically an executable, which is kind of used by multiple MSBs and remote support team across the globe. But then if you look across the internet, we could understand there are numerous variants of this software executables as indicators out there. And it's a pretty tedious job to pinpoint which one of them are really been associated with a particular threat actor. However, while analyzing this particular sample we found that it creates a new service in the vector machine. So here's the catch. While the service is being initiated, the screen connect software in our context, which is an executable from that zip file,
Starting point is 00:06:07 passes launch parameters so that it can reliably connect back to the remote screen connect server controlled by the attacker. So it's a client and server relationship there going on. It's a direct impact there. And the connected victim details
Starting point is 00:06:23 would be populated in the server console at the attacker side that's a little more scary at that point so because historically muddy water also known as static kitten what they preferably do is kind of stay in low profile they won't leave much of the forensics footprints in the victim machine. So that's what's happening here as well. Since this is a non-software and then they are dealing with this kind of approach, how we identify the difference between a normal screen connect software running out there in the public or in any machine comparatively to this is how it connects back to the remote server. The offender decided
Starting point is 00:07:07 to keep the launch parameters hard-coded with custom properties along with the remote domain pods and the key. This custom property parameter, which passes the letter C, contained the targeted entity's domain. In our case, it was the Ministry of Foreign Affairs of Kuwait and the PC. So, also, an important aspect is we found another similar executable, which creates the service at the victim machine and launches the same parameters, launch parameters, in a way. And this time, the custom properties the off offenders deserted to keep is kind of a generic one it is a mfa.gov that means uh it it looks to be kind of targeting generally across the
Starting point is 00:07:53 ministry of foreign affairs it could be singapore it could be anything else but we don't have enough data to prove that uh but that's what we found actually and help me help me understand here just so i'm clear so it was the it was these ministries of foreign affairs that were hard-coded in exactly yes it was uh the website i mean the domain name mofa.govern.kw is the minister of foreign affairs uh in kuwait and if you see mfa.govern in another executable it's a ministry of foreign affairs govern dot anything so the attacker will be able to understand okay this a particular agent installed in a machine in a victim machine is talking back to me and when i see the custom properties it is telling me
Starting point is 00:08:39 okay hey this is uh from m mofa.govern.kw this is from mofa.govern.kw. This is from mofa.govern. So that the attacker can understand, okay, this is from the victim which I was targeting too, which is good. Right. From the attacker's point of view, it's good.
Starting point is 00:08:56 What happens next? I mean, they get this indication that they've successfully infiltrated one of their target victims. Where does it go from there? Okay, so let's think from the beginning. So there should be a spear phishing campaign happened, and then the victim got an email,
Starting point is 00:09:17 and then there was a document, a doc file. In the doc file, there was a link. That link took the user to download a zip file and the zip file contained executable which kind of attracted the user to double-click because of the name, obviously. Since it is targeted to government, it will be a little bit
Starting point is 00:09:35 focused on double-clicking that. That's the weakness of the user. And once he clicks that one, when it gets executed, that agent will try to communicate back to the server right since that already we explained but then once that communication happens right that's where the the next steps goes in as of now we do not have that particular information that what the attacker is going to do but once attacker connection back, he can do anything at the victim machine.
Starting point is 00:10:07 Since he got the control of the machine, he can send maybe another ransomware, another worm, et cetera, et cetera. So he can do anything at the victim machine. I see. So it's really, it's the installation of this Screen Connect software, which I suppose we should mention is a legitimate piece of software that people use for everyday normal uses, right? Exactly, exactly. It has been widely used, to be frank, by multiple MSPs and the customer support teams, et cetera, to control the machine
Starting point is 00:10:38 and then send the files and help troubleshoot the victim machines, et cetera. So, yeah. Yeah, and this is the victim machines, etc. So, yeah. Yeah, and this is the danger of HACCUS using it. We saw it in the past years. That's Yuri Palazan. When, for example, there were several high-profile hacks of IT outsourcing companies,
Starting point is 00:11:04 such as Cognizant four years ago. First, the Cognizant were hacked, and once the hackers had access to their screen connector, they were able to attack their clients. For example, Maritz Holdings and still over $1 million worth of credit cards, of gift cards. And this is a type of hiding that APT groups are trying to exploit here.
Starting point is 00:11:38 So they put those zip files that we found on one hub and one hub could be used for different purposes. And then they hide behind Screen Connect, and this remote administration software, it's often used for legitimate purposes. So it's hard for defenders to find it. The bad guys, if you use legit tools to do bad things, it's even harder to track. So that's what they're doing here. And then, per
Starting point is 00:12:09 Winston's point, static kitten likes to stay hidden. So they'll use legit tools to stay hidden, and then compounded with what Yuri said, it's already difficult to find. So how do you find these malicious connections from legitimate tools? And in this case, as Winston said, it was the hard-coded launch parameters.
Starting point is 00:12:29 So it's interesting to see the legit tools, because it makes it even more difficult to find and potentially worrisome. Yeah, absolutely. Well, part of your analysis here is you dive into some of the details of these lure documents, some of the, I suppose, the social engineering aspect of this. Is there anything that stands out with these, how they were able to be effective in getting people to click on things? Yeah, a lot of APTs, for example, Mustang Panda, there are certain legitimate websites they go to to pull just straight up copy-paste, you know, legitimate research or wordings. So sometimes groups will do
Starting point is 00:13:13 that. But in regards to these, it's really interesting to me is that they're talking about Iran's actions in the LUR document when Static Kitten is an Iran nexus group. So that's quite clever to try to lure people in concerned about Iran from an Iranian threat group. So I think that's a good little trick they're trying to do there. Right. That is kind of fascinating, isn't it? I suppose they know what works. They know what's going to grab the attention of their adversaries. Yes, exactly. Yeah, they do and they don't.
Starting point is 00:13:52 They try different things. So in this report we analyzed two malicious zip files, and one was more direct, talking about Israel and politics, And one was more direct, talking about Israel and politics, but another was a little bit more beating around the bush with more generic topic. And if we go back to this APT group activity, Static Kitten, we will see that they try to modify from one campaign to another campaign. So they will try to use something else. In your estimation, how sophisticated are these threat actors? How do you rate them that way?
Starting point is 00:14:40 Yeah, so if you see the muddy water historically, that in 2017, we saw them active or publicly announced by Palo Alto in the past. And from there, the tactics and techniques being kind of changing over the time. And if you can see the Jan 2018 fire, I told that, OK, there is a kind of updated tactics, techniques, and procedures in spear phishing campaign. And then it happened in 2018 multiple times. And then 2020, we saw Clear Sky talking about Operation Cooksand and the operation against Lebanon and the man, et cetera. So when we see these kinds of activities happening, they specifically in a nutshell, they send
Starting point is 00:15:26 a spear phishing campaign to kind of target the sentiments of the targeted audience or the victims, to be frank. So the victims will tend to, I mean, kind of react to these mails because it is kind of
Starting point is 00:15:41 utilizing the current situation in the region. So that is where the muddy water sophistication comes in. And then once it is there, they typically use a kind of a lolbins and olbaz. So it's kind of living off the land binaries and scripts. So what it does is it uses mostly, it tries to use the executables within native to the Windows machine, for example, and for example, PowerShell, for example, other RegSphere 32 for registering the DLLs, etc. So it kind of leaves very less forensic footprint. It will be pretty much difficult
Starting point is 00:16:20 to identify what is going on sometimes with the normal traditional AVs because it is kind of running under the hood into the machine using the legitimate tools which is meant to be running in the machines. So that is where the sophistication comes in a second stage. So all this comes into picture when we think about muddy water. And they typically target, we can see that mostly, they target across the Middle East region as well. So what are your recommendations here?
Starting point is 00:16:47 What are the best ways for people to protect themselves against this sort of thing? Yeah, that's a good question. You know, oftentimes the employees are the weakest link, so it's those spear phishing, it's those custom things. Oftentimes they rely on relatively simple means to get inside a network. So it's really education against these spear phishing emails. If everyone knows that Static Kitten and these other groups, this is how they do business all the time. So look for these strange email topics.
Starting point is 00:17:20 Maybe they seem too relevant to exactly what you're working on, which could be tough because, of course, you're looking to exactly what you're working on which could be tough because of course you're looking for things that you're working on um but yeah that initial infection vector if you can cut that out that would be extremely useful and and and also uh one point to add that we know that the mitre framework out there and then um it is always better to get into each of the tactics and techniques there and see whether let's take a company and if they can if they can kind of see whether their security controls will be able to identify when there is a real attack happens and one by one if they can go through each tactics and see that, okay, this particular technique, whether we can detect in our environment or not, right?
Starting point is 00:18:08 If you take muddy water, it has a kind of a TTPs. And then if you focus on that particular TTPs and find that their kind of controls are being able to detect this, that will be a really nice project for them internally until they have a confidence, okay, this particular TTP, even though it happens, our team and our tool sets are good enough to detect this.
Starting point is 00:18:32 For example, supply chain compromise, whether we are able to detect that or not. So that is one of the questions maybe CISOs needs to get in touch with the teams and do this process. And finally, so APT Group the teams and do this yes very good process yes and finally uh uh so uh apt group managed to use legitimate remote administration tool to get into your network but then they they need to do some other steps they would run some powershell commands they will run some searches, they will start some exfiltration process. So have some data loss prevention in place, maybe some canaries, some internal honeypots
Starting point is 00:19:19 to detect this kind of activity. Yeah. This is one of the important, your question is very valid that when I go and see the clients across the globe, when it comes to the intelligence, proactive intelligence, that is very important.
Starting point is 00:19:35 So when we think about a priority for a particular company, think like that company is in Saudi, is a bank, and we define them, okay, can you please prepare the par for uh for your team for your company prioritize intelligence requirement whether the whether this muddy water for example is one of the priority for you because you are in saudi and there are chances that these
Starting point is 00:19:59 attackers will be attacking you so that becomes a priority so based on priority we will help them to collect the intelligence themselves we use a threshold platform actually for for the clients and then we derive value out of it for the customer so that they can kind of track what's happening in the region with the heartbeat of intelligence coming to the platform and then they can investigate further themselves so that's where we're helping them that is one of the things the providing intelligence might help the clients across the globe to identify whether they are being targeted or not from a particular threat actor.
Starting point is 00:20:40 Our thanks to Gage Mele, Winston Marydasan, and Yury Polozov from Anomali for joining us. The research is titled Probable Iranian Cyber Actors, Static Kitten, Conducting Cyber Espionage Campaign Targeting UAE and Kuwait Government Agencies. We'll have a link in the show notes. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:21:17 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:21:48 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
