CyberWire Daily - Use of legitimate tools possibly linked to Seedworm. [Research Saturday]
Episode Date: January 29, 2022. Guest Sylvester Segura from the Symantec Threat Hunter Team joins Dave to discuss their team's work on "Espionage Campaign Targets Telecoms Organizations across Middle East and Asia." Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company. Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the attackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater) group. The targeting and tactics are consistent with Iranian-sponsored actors. The research can be found here: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So the set of activity that we're looking at here is from mid to late 2021. And it was a set of
attacks against various organizations, but they all seem to be focused on
the telecommunications sector. That's Sylvester Segura. He's a threat research analyst with
Symantec's Threat Hunter team. The research we're discussing today is titled,
Espionage Campaign Targets Telecoms Organizations Across Middle East and Asia.
And the organizations were in the Middle East and also in Asia and Southeast Asia.
Well, let's walk through the structure of the attack here.
How did they go about doing it? So most of these attacks started with discovery commands.
That's sort of where we discovered the activity.
But in at least one case, we saw what looked like the initial infection vector.
So stepping back a bit.
So the initial set of suspicious activity was a ScreenConnect installer.
So this is a legitimate tool, a ScreenConnect installer.
It's a remote control tool that had been zipped into an archive.
And then it was likely emailed to the target victims.
This is consistent with some public reporting of very similar activity.
After that, what we typically would see
was a set of discovery commands, just gathering basic information, looking for other devices on
the network, trying to find a path to privilege escalation. And all of that looked like it was
being carried out by some unknown script. The attacks proceeded into credential theft with
just various different methods,
hacking tools, and some legitimate tools were used to steal credentials.
They also deployed a keylogger.
They used a number of legitimate tools pretty heavily,
things like CertUtil, PowerShell, to download additional hacking tools,
proxy tools, tunneling tools, and additional scripts that they would run.
We think that based on the types of tools that they were downloading,
we think their primary objective is just stealing information.
What type of information, we're not really sure at this point.
Interesting.
And so at what point were the organizations who were targeted,
how did they detect that something was going on?
What triggered that detection?
Well, there are a number of things that would cue an organization that something fishy is going on.
One would definitely be the existence of these tunneling tools and proxy tools, especially if they're not expected on these particular machines.
Key loggers being detected and hacking tools being detected for credential theft would definitely be red flags.
Right. So who do we suppose is behind this? Any indications there?
So there are a number of aspects of the attacks that lead us to think that this may be an actor publicly reported as MuddyWater.
That's an actor that we call Seedworm.
And they're from where?
Seedworm is believed to be an Iran-based organization.
Now, there's another incident that you all are tracking here,
a bit of an outlier from a company in Laos.
Yeah, that one was a bit curious because it didn't seem to line up with the telecommunications targeting that we saw with the other attacks.
But when we drilled down into it and looked through the data, we found the evidence that these attackers were trying to connect to other organizations that were related to the telecommunications sector from this organization. So it looks like something of a supply chain attack,
where they use one organization and the access that that has to the other to pivot and jump
to their actual intended target.
I see. Now, based on the tactics, techniques, and procedures that you all have observed here, do you have a sense for the sophistication of this adversary?
If this truly is Seedworm, we're looking at a relatively sophisticated adversary.
I mentioned that there were a number of aspects of the attacks that suggested that it could be Seedworm.
One of those was network infrastructure that had been reused.
That's something that's a little out of the ordinary for Seedworm.
They tend to cycle through their infrastructure relatively quickly.
So that makes it harder to track this actor and harder to attribute to this actor.
And that's part of what makes them a little bit more sophisticated as far as APTs go. Another thing that we notice
as far as TTPs in these attacks, I mentioned the use of an unknown script. Now at the beginning of
these attacks, typically we would see the same set of discovery commands, almost like a recipe
or a playbook being run. It was the same set of commands over and over. But in at least one case,
we saw one program being issued a help command, suggesting that there's arbitrary access.
Essentially, there's hands-on keyboard at this point, and it's through the script.
Now, Seedworm is known to produce script-based backdoors. That's something that makes them a
little bit unusual and more sophisticated than, say,
your everyday cybercrime actor or even some APTs.
Now, this activity that we saw with the script
and the help command suggests also
that arbitrary access using scripts was used in this case.
That's one additional piece of evidence
that suggests that this is Seedworm. Where do we stand in terms of persistence?
You know, once these organizations found that they were being targeted and I assume went through
remediation efforts, has there been any sense that whoever this actor is has either managed to stay in their systems or attempted
to get back in? Well, we can definitely say based on the sets of tools that they were trying to
bring in, proxying tools, tunneling tools, that their intent is really to stay as long as possible.
And if they get kicked out, they're probably going to try and get back in. Given that these attacks are so highly focused on the
telecommunications sector, it's highly likely that we're looking at actors that are intent on
staying focused on this sector. And so they're likely going to come back and try and repeatedly
hit these targets of theirs. I see. So as you say, I mean, this is likely more on the espionage
side of things as opposed to someone trying to inject some ransomware or make some money off
of these organizations. Exactly. Espionage is definitely something that we believe is part
of the motive. Whether it's industrial espionage, so just gathering information
about the telecommunications sector technologies, or if it's something more like surveillance,
that is not really clear at this point. Now, the research that you all published
points out that these attackers make heavy use of legitimate tools as well as publicly available hacking tools.
Can you give us a little bit of an overview of the types of utilities that they're using here?
So they use a whole host of different tools that are all publicly available tools or they're open source tools.
Things like nSudo, which is used to escalate privileges, SharpHound,
which is used for discovery, surveying the network and looking for other devices,
ways to escalate privileges as well, hacking tools like Mimikatz, things like that,
all sorts of different tools. And a lot of these tools are legitimate. So they could be used
either for legitimate IT purposes or they can be used for malicious purposes.
I see. Is it fair to say that when they're making use of these legitimate tools, that makes it a little more unlikely
that they'd be detected, because the tool isn't necessarily absolutely a bad one?
Exactly. That's why it makes it so hard to find these types of actors that use these dual-use tools,
especially in attacks like these where there's no custom malware to be found.
The organization really has to have a feel and an idea for what tools are being used in their environment and where.
So based on the information that you all have gathered here,
what are your recommendations for organizations
to best protect themselves against this sort of thing?
Well, as always, you want to have defense in depth.
So you want to have defenses that are at the network level
as well as the endpoint level and everything in between.
But again, you also want to make sure that you're monitoring the behavior, that you have
some sort of system or solution that you can use to monitor the behavior of your machines.
So, you know, reaching out to unusual IP addresses, unusual network infrastructure, things of
that nature.
So you can sort of catch these clues that you might have an actor already in your environment.
Our thanks to Sylvester Segura from Symantec's Threat Hunter team.
The research is titled,
Espionage Campaign Targets Telecoms Organizations Across Middle East and Asia. We'll have a link in
the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here next week.