APT Chronicles_Vol. 11.2018

Originally published at www.peerlyst.com.

Kaspersky Lab’s Malware Map

I suspect there may be some interest in my initiating a monthly chronicle series involving recent developments in the Advanced Persistent Threat (APT) world. So here goes for the month of November 2018:

1. FireEye has published its “Facing Forward: Cyber Security in 2019 and Beyond” report (40 pp.), which details its predictions for future cyber threats (expect every threat intelligence company to publish something similar if it hasn’t already done so by now).

2. APT29 (a.k.a. “Cozy Bear”): Chronicle, the cybersecurity company that Google’s parent Alphabet spun out in 2018 and the home of the VirusTotal file-scanning service, used VirusTotal submissions to identify an email phishing campaign whose metadata matches the Cozy Bear activity behind the 2016 DNC hacks. Cozy Bear is generally assessed to be linked to Russia’s foreign intelligence service (the SVR); the GRU is the service behind APT28/Fancy Bear. FireEye, Kaspersky Lab, and CrowdStrike all joined Chronicle in confirming the Cozy Bear connection with the phishing emails.

3. CSO published its “7 Security Trends to Watch in 2019,” which predicts that Artificial Intelligence (AI) will be used by both the good guys (cybersecurity solutions) and the bad guys (APT malware): APTs will use AI-driven “advanced analytics” to recognise and avoid anti-phishing sandbox traps. Additionally, “a report from some 26 academics and business execs warned that AI could be used for everything from sophisticated social engineering attacks to weaponized ‘drone swarms.’”

4. U.S. Cyber Command (USCYBERCOM) announced that it will begin sharing unclassified malware samples with the VirusTotal database and file-scanning service. Its VirusTotal account is: https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/

However, this raises the question of which malware USCYBERCOM considers “classified,” and why that particular malware is too sensitive to publish when uploading it to VirusTotal would help protect the rest of the world. This goes back to the practice of Intelligence Community (IC) agencies buying zero-day vulnerabilities and stockpiling them for future use against U.S. adversaries in Computer Network Exploitation (CNE) and Computer Network Attack (CNA) operations. The rest of the world suffers while governments pick and choose which vulnerabilities they want you to know about.

Screen capture of USCYBERCOM Malware Alert Twitter feed

5. @Cylance unveiled a new Middle Eastern APT actor dubbed “The White Company,” a “state-sponsored threat actor” that Cylance believes was targeting the Pakistani Air Force in a campaign it named “Operation Shaheen.” This new APT has been very careful to evade attribution up to this point and erases its tracks as much as possible. Cylance has reason to suspect that The White Company is targeting the Pakistani Air Force for strategic information about Pakistan’s nuclear and cybersecurity programs. Cylance bases its state-sponsorship assessment on the group’s exploit kit, consisting of over 30 unique exploits, which it obtained and analysed thoroughly: the analysis concluded that the APT has access to zero-day exploit developers and a complex exploitation framework, tailors its malware code on the fly to meet “mission-specific” requirements, and has the capacity to conduct advanced target reconnaissance. This APT’s exploits have been successful in evading the “…Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, and Quick Heal” AV products.

“Antivirus evasions are just one of a number of measures employed by The White Company to escape attribution. Other methods include:

  • Within the exploit: Four different ways to check whether the malware was on an analyst’s or investigator’s system; the capacity to clean up Word and launch a decoy document to reduce suspicion; and the ability to delete itself entirely from target system
  • Within the malware: Five different packing techniques that housed the ultimate payload in a series of nesting-doll layers; additional ways to check whether the malware was on an analyst’s or investigator’s system; anonymous, open-source payloads and obfuscation techniques; the use of compromised network infrastructure for command and control”
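The “check whether the malware was on an analyst’s or investigator’s system” checks in the Cylance quote are a well-known class of heuristics. The following is an added example (my own code, not The White Company’s malware or Cylance’s tooling) that evaluates a constructed host snapshot against the usual indicators; the process names, MAC prefixes, usernames and thresholds are my assumptions about what such checks typically look for, and the two snapshots are constructed, not real hosts. Defenders use the same list in reverse: it is what a sandbox has to mask to keep malware of this class from cleaning up and exiting.

```python
"""Analyst/sandbox-environment heuristics of the kind the Cylance quote lists,
evaluated against a HostSnapshot rather than probed live, so it runs offline.
Added example; indicator lists and snapshots are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Process names commonly present on analyst workstations and sandbox guests.
ANALYST_PROCESSES = {
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
    "wireshark.exe", "fiddler.exe", "x32dbg.exe", "x64dbg.exe", "ollydbg.exe",
    "idaq.exe", "idaq64.exe", "ida64.exe", "windbg.exe",
    "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe",   # hypervisor guest tools
}
# OUI prefixes assigned to VMware, VirtualBox and Hyper-V virtual NICs.
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",
                   "08:00:27", "00:15:5d")
SANDBOX_USERNAMES = {"sandbox", "malware", "virus", "analyst", "test", "cuckoo", "john doe"}
SANDBOX_HOST_RE = re.compile(r"sandbox|cuckoo|malware|analy", re.I)


@dataclass
class HostSnapshot:
    username: str
    hostname: str
    processes: List[str]
    mac_addresses: List[str]
    disk_gb: int
    ram_gb: int
    uptime_minutes: int


def analyst_environment_checks(snap: HostSnapshot) -> List[str]:
    """Return the indicators that fired; an empty list means 'looks like a real host'."""
    hits = []
    running = {p.lower() for p in snap.processes}
    tools = sorted(running & ANALYST_PROCESSES)
    if tools:
        hits.append("analysis or guest-tool processes: " + ", ".join(tools))
    if snap.username.lower() in SANDBOX_USERNAMES:
        hits.append(f"sandbox-style username: {snap.username}")
    if SANDBOX_HOST_RE.search(snap.hostname):
        hits.append(f"sandbox-style hostname: {snap.hostname}")
    if any(m.lower().startswith(VM_MAC_PREFIXES) for m in snap.mac_addresses):
        hits.append("virtual NIC MAC prefix")
    if snap.disk_gb < 60 or snap.ram_gb < 4:
        hits.append(f"undersized hardware: {snap.disk_gb} GB disk, {snap.ram_gb} GB RAM")
    if snap.uptime_minutes < 10:
        hits.append(f"fresh boot: uptime {snap.uptime_minutes} min")
    return hits


def looks_like_analyst_box(snap: HostSnapshot, threshold: int = 2) -> bool:
    """Malware of this class typically bails out (or cleans up) once several
    indicators fire; a single hit is too noisy, since real workstations trip one."""
    return len(analyst_environment_checks(snap)) >= threshold


# Constructed snapshots (not real hosts): a sandbox guest and a plausible victim.
SANDBOX_GUEST = HostSnapshot(
    username="analyst", hostname="CUCKOO-WIN7",
    processes=["explorer.exe", "procmon64.exe", "vboxservice.exe"],
    mac_addresses=["08:00:27:3a:44:10"], disk_gb=40, ram_gb=2, uptime_minutes=3)
VICTIM_WORKSTATION = HostSnapshot(
    username="m.akhtar", hostname="HQ-WS-0421",
    processes=["explorer.exe", "outlook.exe", "winword.exe"],
    mac_addresses=["3c:52:82:1f:9a:e0"], disk_gb=500, ram_gb=16, uptime_minutes=5400)

if __name__ == "__main__":
    for name, snap in (("sandbox", SANDBOX_GUEST), ("victim", VICTIM_WORKSTATION)):
        print(name, looks_like_analyst_box(snap), analyst_environment_checks(snap))
```

The practical lesson for a detonation sandbox is the inverse of the list: give guests ordinary usernames and hostnames, a non-virtual OUI, realistic disk and RAM sizes and uptime, and hide or rename guest tools, otherwise the sample simply exits clean and the sandbox reports nothing.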
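The “nesting-doll layers” point is what an analyst runs into first when pulling the final payload out of a sample like this. Below is an added example of a generic layer peeler (my own code, not The White Company’s packing scheme or Cylance’s tooling): it recognises gzip, zlib, base64 and single-byte XOR wrappers by their headers, peels them in whatever order they were applied, and stops at a PE image. The wrapped sample is constructed by build_sample() and is not a captured artifact; the layer set is an assumption about common wrappers, not the five techniques Cylance saw.

```python
"""Peel 'nesting-doll' wrapper layers (gzip, zlib, base64, single-byte XOR)
off a blob until a PE image, or nothing recognisable, is left.
Added example: not The White Company's code nor Cylance's tooling; the
wrapped sample is constructed by build_sample(), not a captured artifact."""
import base64
import binascii
import gzip
import zlib
from typing import List, Optional, Tuple

MAX_OUT = 64 * 1024 * 1024  # cap inflated size: a hostile layer can be a decompression bomb


def is_pe(blob: bytes) -> bool:
    """MZ header whose e_lfanew field points at a 'PE\\0\\0' signature inside the blob."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _inflate(blob: bytes, wbits: int) -> bytes:
    """Inflate with an output cap; reject truncated streams and oversized output."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(blob, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("inflated data exceeds MAX_OUT; refusing (decompression bomb?)")
    if not d.eof:
        raise zlib.error("stream did not terminate: not a complete deflate stream")
    return out


def _zlib_header(blob: bytes) -> bool:
    # CM == 8 (deflate) and the CMF/FLG pair is a multiple of 31 (RFC 1950).
    return len(blob) >= 2 and blob[0] & 0x0F == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0


def _as_base64(blob: bytes) -> Optional[bytes]:
    text = b"".join(blob.split())  # tolerate line-wrapped encodings
    if len(text) < 16:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_once(blob: bytes, allow_xor: bool = True) -> Optional[Tuple[str, bytes]]:
    """Return (layer_name, inner_bytes), or None if no layer is recognised."""
    if blob[:2] == b"\x1f\x8b":
        try:
            return "gzip", _inflate(blob, 16 + zlib.MAX_WBITS)
        except zlib.error:
            pass
    if _zlib_header(blob):
        try:
            return "zlib", _inflate(blob, zlib.MAX_WBITS)
        except zlib.error:
            pass
    inner = _as_base64(blob)
    if inner is not None:
        return "base64", inner
    if allow_xor:
        # Brute-force a single-byte key; accept the first key under which the
        # result is a PE or something one of the decoders above fully accepts.
        for key in range(1, 256):
            candidate = bytes(b ^ key for b in blob)
            if is_pe(candidate) or peel_once(candidate, allow_xor=False) is not None:
                return f"xor(0x{key:02x})", candidate
    return None


def unwrap(blob: bytes, max_layers: int = 16) -> Tuple[List[str], bytes]:
    """Peel layers outermost-first; stop at a PE image, an unknown layer, or max_layers."""
    layers: List[str] = []
    for _ in range(max_layers):
        if is_pe(blob):
            break
        step = peel_once(blob)
        if step is None:
            break
        name, blob = step
        layers.append(name)
    return layers, blob


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed stand-in payload (minimal MZ/PE header) under four wrapper layers."""
    payload = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    payload += (0x40).to_bytes(4, "little")             # e_lfanew -> 0x40
    payload += b"PE\x00\x00\x4c\x01"                    # signature + machine i386
    payload += b"This program cannot be run in DOS mode."
    payload = bytes(payload)
    layer1 = bytes(b ^ 0x5A for b in payload)           # innermost: XOR 0x5a
    layer2 = zlib.compress(layer1)                       # zlib
    layer3 = base64.b64encode(layer2)                    # base64 text
    layer4 = gzip.compress(layer3, mtime=0)              # outermost: gzip
    return payload, layer4


if __name__ == "__main__":
    payload, wrapped = build_sample()
    layers, inner = unwrap(wrapped)
    print(" -> ".join(layers), "->", "PE" if is_pe(inner) else "unknown", inner == payload)
```

Two details matter when this runs on hostile input rather than the constructed sample: the inflate step is capped and requires a properly terminated stream, so a layer that is really a decompression bomb or a header coincidence is rejected instead of filling memory, and the XOR step only accepts a key whose output another decoder fully accepts, which keeps the 255-key brute force from producing a false “layer” on random bytes. Real packers add custom RC4-style or multi-byte schemes on top of these; those need a per-family decoder, but they slot in as another branch of peel_once.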

6. The U.S. “Virtual Embassy Iran” published a scathing report (see Chapter 5 in particular) detailing some of the cyber threat activity that Iranian APT groups are responsible for.

“Iran has increasingly conducted a series of cyber attacks involving surveillance and sabotage affecting critical infrastructure, financial and commercial entities, and educational institutions. It has also deployed its cyber capabilities to identify and silence critics domestically and spread its disinformation campaigns abroad.”

Like Russia and other nations, Iran uses proxy APT actors to wage cyber warfare globally in pursuit of national interests.

7. China is back to full-on cyber espionage now that the political situation between the U.S. and China has flared up with the current trade war and U.S. sanctions against the country. China apparently took a page from Russia’s playbook and attempted to influence the 2018 U.S. midterm elections by subverting social media. China’s cyber espionage activity isn’t limited to the U.S., however: a New Zealand professor living in Australia allegedly “had her car sabotaged in a potentially life-threatening manner” by Chinese hackers, according to a credible report. Chinese hackers were also found to have “hopped” from the outsourced cloud storage services used by Australian businesses into those businesses’ internal networks. China has a national goal of being the global technology leader by 2030, and it is pillaging whatever Research and Development (R&D) and Intellectual Property (IP) it can to ensure its success.

That is quite a bit of APT activity for the month of November 2018, but I hope that you also realize that there is activity occurring that we may never learn of due to the covert nature of cyber warfare.