New Cyberthreat Replaces Operating System with a “Fake”: Intro

RMRF Technology
Feb 19, 2018

Threat actors gain full access to users’ data and unrestricted administrative rights over infected devices.

During incident forensics at several enterprises, RMRF Tech’s analysts found recurring patterns that lead us to conclude they are part of the same massive cyberattack. This post describes the symptoms of the observed activity.

Malicious activity description

In the first phase, right after infection, Windows security features are suppressed by applying fake updates. In the next phase the Windows kernel is completely replaced and the device connects to a hidden management network. As a result, the threat actors fully replace the operating system, both at the level of individual users and at the level of the whole infrastructure, and at the same time gain full administrative access to it. In other words, unknown third parties manage the infected devices and infrastructures and continuously gather data from them, while the users and administrators of those devices notice no suspicious activity. In some cases the systems even run faster and more stably because of the updated drivers.

(Figure: security tools suppression example)

The threat features and path

The main feature is the absence of visible malicious activity or suspicious characteristics. The threat spreads extremely fast using new vulnerabilities, so we assume an automated infection mechanism. The main infection paths are removable drives, network protocols and Windows OS services. It is worth noting that infection by files sent from infected devices occurs not only through classic phishing or spam, but also through routine file exchange, e.g. business e-mail. Similar infection procedures were recently described by Unit42 and Talos. The threat is extremely hard to detect because it uses the latest anti-forensic techniques. One such technique is placing the files of the compromised Windows Defender in a hidden OS directory (shadow volume); that is why we called it Shadow Threat. We notice some similarities between this malicious activity and cryptomining networks, global APTs, or even a new cyber weapon.

Main reasons of the threat

  • Low digital literacy among users, which leads to the use of counterfeit and compromised software, ignoring critical updates, visiting unreliable websites and non-compliance with other basic security rules.
  • Organizations did not learn the lessons of the 2016–2017 massive cyberattacks. Most Ukrainian companies still do not use standard incident response and security monitoring practices.
  • Global cybersecurity problems: organized cybercrime groups, critical vulnerabilities in software and hardware, and a lack of highly qualified infosec professionals.

The ways of mitigation

The only possible way to mitigate the threat at the moment is a full, simultaneous reinstallation of the operating system on all workstations and servers of the enterprise, combined with additional procedures at the network level. Incident forensics is also needed in order to determine the infection paths and indicators. We strongly recommend that the monitoring teams of telecom operators pay attention to network traffic anomalies.
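
As an added defender-side triage check (not from the original post and not RMRF Tech’s own tooling), the following PowerShell script, run from an elevated prompt on a Windows 10 host, verifies the Authenticode signatures of the on-disk Windows Defender binaries, confirms that the Defender engine and real-time protection are actually enabled, and lists the volume shadow copies so an analyst can inspect them for relocated security-tool files. The Defender install path and the seven-day signature-age threshold are assumptions.

```powershell
# Added triage script (not from the RMRF Tech post). Assumptions: default
# Defender install path, Windows 10 with the Defender PowerShell module,
# run from an elevated prompt. It reports signals, it does not remediate.
$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($check, $item, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Item = $item; Detail = $detail })
}

# 1. Every executable/DLL in the Defender directory must carry a valid
#    signature whose subject names Microsoft; anything else is reported.
$files = Get-ChildItem -Path $defenderDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        Add-Finding 'DefenderBinarySignature' $f.FullName "Status=$($sig.Status); Signer=$signer"
    }
}

# 2. Engine state: suppressed protection shows up here even when the files look intact.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $status) {
    Add-Finding 'DefenderStatus' 'Get-MpComputerStatus' 'cmdlet unavailable or service not responding'
} else {
    foreach ($prop in 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled') {
        if (-not $status.$prop) { Add-Finding 'DefenderStatus' $prop 'disabled' }
    }
    # Stale signatures are consistent with updates being blocked or faked (7 days is an assumed threshold).
    if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
        Add-Finding 'DefenderStatus' 'AntivirusSignatureLastUpdated' $status.AntivirusSignatureLastUpdated
    }
}

# 3. Volume shadow copies: list them so each can be mounted and inspected offline.
foreach ($sc in (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
    Add-Finding 'ShadowCopyPresent' $sc.DeviceObject "Created=$($sc.InstallDate); Volume=$($sc.VolumeName)"
}

if ($findings.Count -eq 0) { 'No anomalies reported by this check.' }
else { $findings | Format-Table -AutoSize }
```

Because the post describes a kernel-level replacement, a clean result from a suspected host is only a triage signal, not proof of integrity; the authoritative check is to compare the disk image offline against known-good binaries.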

Possible consequences

The consequences and objectives of the attack can vary, from cryptojacking botnets to massive ransomware attacks. Unfortunately, the behavioral features of the threat suggest that its actors have serious objectives, so the worst-case scenario is gaining control over critical infrastructure.


RMRF Technology

RMRF Technology is a Ukrainian cybersecurity team that specializes in developing solutions in the field of early cyber threat detection and prevention.