Showing posts with label APT attacks.

Mobile Malware: The next biggest security threat around the world


BlackBerry has revealed advanced persistent threats and threat actors targeting several enterprises. Until now, the world had little idea of how widespread and common mobile malware is, or how it is being used for constant monitoring and reconnaissance. In truth, there are several active threat actors and high-level security threats that were unknown until now. An advanced persistent threat (APT) is a prolonged and targeted cyber intrusion in which an attacker gains access to a system and remains undetected for an extended period.


The purpose of an APT intrusion is usually to monitor mobile activity and steal data rather than to cause damage to the company or the network. "It is Fertile, Prevalent and Multi-Platform," concludes BlackBerry in a report titled 'Mobile Malware and APT Espionage.' The analysts identified three major malicious campaigns, originating mainly in countries such as China, North Korea, Vietnam, and Iran, which use mobile malware alongside desktop malware. The ultimate aim is cyber espionage and information gathering, principally for business and administrative purposes.

The first is a new threat actor that BlackBerry designates BBCY-TA2. PWNDROID3, a previously unknown Android malware family, is being used to distribute a counterfeit Bitcoin application. Next is BBCY-TA3, a mobile malware campaign targeting Western and South Asian economic ventures in the telecommunications business. It also targets almost all chemical manufacturing corporations across the globe, except those in China. BlackBerry states that it shares back-end support with BBCY-TA2. Another advanced persistent threat group, known as OCEANLOTUS, uses a distinct Android malware family, PWNDROID1, delivered via three spam mobile applications.

The upshot, according to BlackBerry Cylance CTO Eric Cornelius, is that mobile attacks are a far more widespread danger than people assumed. “This would come as a blow to people when they discover how connected and long-term the attacks targeting mobile users are, as they have been easy prey for advanced persistent threat organizations. The reason is the traditional lack of efficient security solutions for identifying and stopping mobile malware.”

Buckeye APT hackers stole the NSA hacking tools before Shadow Brokers leaked these tools




Buckeye, a Chinese state-sponsored APT group, was using Equation Group tools a year before the Shadow Brokers leaked them in 2017.

The Shadow Brokers is a mysterious group of hackers that stole malware, hacking tools and zero-day exploits from the Equation Group, a branch of the NSA and one of the most advanced and sophisticated cyber attack groups in the world.

Active since 2009, the Buckeye group, also known as APT3, had earlier used these tools to carry out multiple attacks on organizations on its target list, mainly to gain unauthorized access to organizations based in the United States.

Besides exploiting zero-day vulnerabilities in 2014, the Buckeye group a couple of years later used Trojan.Bemstour, a custom exploit tool, to reach its targets.

To achieve remote kernel code execution on victims' computers, Bemstour exploited two Windows zero-day vulnerabilities, CVE-2019-0703 and CVE-2017-0143. These were later employed by EternalRomance and EternalSynergy, two NSA-owned exploit tools.

According to Symantec's report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”






Zero-day vulnerability in Internet Explorer discovered

According to security researchers at Chinese web giant Qihoo 360, hackers are using a zero-day vulnerability in the Internet Explorer kernel code to infect Windows computers with malware.

The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.


These documents exploit what the researchers call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other application that uses the IE kernel. When a victim opens the Office document, the exploit loads a malicious web page in the background to deliver malware from a remote server.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.

The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.


The company says it has reported the vulnerability to Microsoft and will give it appropriate time to produce a patch before revealing more details about the bug.

Microsoft has neither confirmed nor denied the attacks, but has issued the following statement:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

State-sponsored hackers spread backdoors in Middle East

Symantec's threat report revealed that two state-sponsored hacking groups have been using backdoors to spy on targets in Iran and other nations in the Middle East.

The two groups are known as ‘Cadelle’ and ‘Chafer’, and each uses its own custom-developed backdoors. Cadelle, a five-member team, uses the ‘Cadelle’ backdoor, while Chafer’s backdoors, developed by its ten-member team, are known as ‘Remexi’ and ‘Remexi B’.

Both backdoors are capable enough to open connections and help attackers steal data from infected systems.

Symantec's report suggests that the two groups, which target political dissidents in Iran as well as airports and telecommunications companies in other Middle Eastern countries, may be doing so with the intention of keeping an eye on their targets' movements.

Chafer has been using SQL injection attacks to compromise servers and drop the Remexi backdoor to infect its targets, but Cadelle's infection technique is not yet known.
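SQL injection of the kind mentioned above works because attacker input is spliced into the SQL text and so becomes part of the query's logic. The following added example (my code, not Symantec's and not anything from the campaign) shows a vulnerable lookup beside its hardened form against a constructed in-memory SQLite table; the table contents, the `users` schema and the `valid_username` allowlist rule are all assumptions for the illustration.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a web application's user store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "staff"), ("carol", "staff")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so a quote and an OR
    in the input change what the query means instead of what it matches."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened: the query text is fixed and the input is bound as a parameter,
    so the database only ever treats it as a string value to compare against."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Defence in depth (assumed policy): usernames are short and alphanumeric, so
# anything else can be rejected and logged before it reaches the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def valid_username(username):
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"  # classic tautology, constructed for the demo
    print("vulnerable:", lookup_vulnerable(conn, payload))  # returns every row
    print("safe:      ", lookup_safe(conn, payload))        # returns nothing
    print("allowlist: ", valid_username(payload))           # False
```

Parameter binding, not input filtering, is the fix; the allowlist check only narrows what reaches the query and gives the application a clean place to log attempts for the detection team.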

Once targets are infected, the backdoors can do great harm. They can be used to gather and steal passwords, intercept document print commands, record audio via infected devices, take screengrabs, record webcam feeds, log keystrokes, log opened applications, and gather system and clipboard information.

The first attacks using these backdoors were spotted in 2014, but clues in each group’s code reveal that they may have been in use since 2011.

Chinese Cybercriminal gang uses Dropbox to Target Media outlets

A Chinese advanced persistent threat (APT) group, allegedly responsible for attacks against foreign governments and ministries, has shifted its focus to Hong Kong-based media companies, using Dropbox for malware communication.

The group, identified as ‘admin@338’, has been active since 2008 and uses publicly available Trojans such as ‘Poison Ivy’ to attack organizations in the financial services, telecoms, government, and defense sectors. The group is also known to use some non-public backdoors.

But this is the first instance in which the group has used phishing lures written in Chinese against its targets. Each phishing email contained three attachments with exploits for a patched Microsoft Office vulnerability, CVE-2012-0158, a buffer overflow in the Windows Common Control Library patched in early 2012.

On execution, the exploit drops a backdoor dubbed ‘Lowball’, which connects to an external location once it finds one. Lowball then syncs with a legitimate Dropbox account controlled by the remote attackers.

In the first stage, the attack runs a number of commands on the infected computer and sends the output to the Dropbox account, which serves as the command-and-control (C&C) channel. The attackers then retrieve and analyse the information and, if the target is deemed worthy, deliver a second-stage backdoor called ‘Bubblewrap’, which is used for remote control and data theft.

This research was published by network security company FireEye.

The group was also suspected of launching a phishing campaign against media organizations in Hong Kong in August. In March last year, the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank.

This isn’t the first time China has targeted media outlets in search of sources in order to stay ahead of the news cycle. In January 2013, Mandiant blamed hackers allegedly connected to the Chinese government for a breach at the New York Times. The group broke into the email accounts of investigative journalists seeking information on a corruption scandal involving then-Chinese premier Wen Jiabao.


Russian APT attackers control the Hacked Machines using Twitter, Github




Russian APT attackers have used an advanced backdoor that tries to avoid detection by adding layers of obfuscation and mimicking the behaviour of legitimate users.

The attackers used popular legitimate websites such as Twitter and GitHub, along with compromised web servers, to send instructions to and steal data from the compromised machines, according to an APT report published by security firm FireEye.


The group, known as APT29, uses an algorithm that generates new Twitter handles every day and embeds commands in images.

The attackers post instructions for their backdoors in a tweet containing a URL and a hashtag. The malware downloads the content hosted at that URL, including all images on the page.

They hide data and further instructions inside an image file using a technique called steganography.

The hashtag contains a number representing an offset within the image file and a few characters that are appended to the decryption key. The key is used to retrieve the data stored in the image.


The instructions also specify where to upload the stolen data: the malware uploads it to a specific account on a cloud storage service using the supplied login credentials.
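Both the Dropbox-based Lowball backdoor in the admin@338 post and the APT29 backdoor described here blend into traffic to legitimate services, so no single request is suspicious; what stands out is the ordered sequence (profile page, then an image from elsewhere, then an upload to cloud storage) from one client in a short window. The following is an added example of that sequence correlation over constructed proxy log lines; it is my code, not FireEye's. The log format, the 15-minute window, the `.example` cloud-storage host names and the client addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log excerpt (not real traffic). Assumed line format:
#   "<ISO-8601 timestamp> <client_ip> <METHOD> <url> <bytes>"
SAMPLE_LOG = """\
2015-07-29T09:02:11 10.0.4.17 GET https://twitter.com/1abBob52b 5120
2015-07-29T09:02:40 10.0.4.17 GET https://raw.githubusercontent.com/example/repo/photo.jpg 382114
2015-07-29T09:03:05 10.0.4.17 PUT https://api.onedrive.example/drive/items/upload 77210
2015-07-29T09:10:00 10.0.4.22 GET https://twitter.com/nytimes 8120
2015-07-29T11:45:12 10.0.4.22 GET https://raw.githubusercontent.com/example/repo/logo.png 20012
2015-07-29T09:15:30 10.0.4.31 GET https://raw.githubusercontent.com/other/repo/chart.png 4001
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
# A bare profile URL: the client fetching some handle's page (possibly a freshly generated one).
TWITTER_PROFILE_RE = re.compile(r"^https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]{1,15})/?$")
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpe?g|gif)$", re.IGNORECASE)
# Hosts treated as cloud-storage upload endpoints. Constructed placeholders; in
# production this would be the storage providers the organisation actually sees.
CLOUD_UPLOAD_HOSTS = {"api.onedrive.example", "content.dropboxapi.example"}
WINDOW = timedelta(minutes=15)  # assumed: all three stages within this window


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, method, url, size) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, ip, method, url, size = m.groups()
        events.append((datetime.fromisoformat(ts), ip, method, url, int(size)))
    events.sort()
    return events


def classify(method, url):
    """Map one request to a stage of the sequence, or None if it is not of interest."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if method == "GET" and TWITTER_PROFILE_RE.match(url):
        return "profile"
    if method == "GET" and IMAGE_EXT_RE.search(parsed.path) and not host.endswith("twitter.com"):
        return "image"
    if method in ("POST", "PUT") and host in CLOUD_UPLOAD_HOSTS:
        return "upload"
    return None


def find_sequences(events):
    """Return {client_ip: [(ts, stage, url), ...]} for clients that completed
    profile -> image -> upload, in that order, within WINDOW of the profile fetch."""
    by_client = defaultdict(list)
    for ts, ip, method, url, _ in events:
        stage = classify(method, url)
        if stage:
            by_client[ip].append((ts, stage, url))

    hits = {}
    for ip, evs in by_client.items():
        for i, (t0, s0, u0) in enumerate(evs):
            if s0 != "profile":
                continue
            chain, wanted = [(t0, s0, u0)], ["image", "upload"]
            for t, s, u in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if s == wanted[0]:
                    chain.append((t, s, u))
                    wanted.pop(0)
                    if not wanted:
                        break
            if not wanted:
                hits[ip] = chain
                break
    return hits


if __name__ == "__main__":
    for ip, chain in find_sequences(parse_log(SAMPLE_LOG)).items():
        print(ip)
        for ts, stage, url in chain:
            print(f"  {ts.isoformat()} {stage:8s} {url}")
```

Only 10.0.4.17 is reported: 10.0.4.22 visits a profile and later fetches an image, but hours apart and with no upload, and 10.0.4.31 only fetches an image. The signal is the chain, not any one fetch, which is why a newsroom browsing Twitter all day does not trip it; the window and the host lists are the knobs to tune against your own baseline.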

APT29 is suspected of being based in Russia, since it is active during normal working hours in Moscow.

DDoS and APT attacks on corporates and banks


With a spate of distributed denial of service (DDoS) attacks and APT attacks on banks and corporates, anti-DDoS mitigation vendors and ISPs are joining forces to fight the menace of DDoS attacks.

A few vendors work with ISPs to mitigate the threat, placing monitoring agents (hardware boxes) at every ISP and connecting them to a mitigation cloud.
A bank official said on condition of anonymity: "ISPs respond quickly to a DDoS attack and mitigate it for the customer, but then come to them with a fat proposal. Customers need to pay a standard amount every year to get protection. In addition to this amount, they have to pay extra money every time they get hit. The billing can run into lakhs for banks/corporates that take DDoS mitigation."
Another bank official confided that they have asked for a standard quote per year (ISPs are yet to respond).

Smaller vendors cannot tackle DDoS attacks; it takes anti-DDoS companies working together with ISPs to handle this.

Some corporates and banks are going for another solution: they place their main websites and mobile portals behind a cloud-based WAF/anti-DDoS mitigation service. At the corporate end, a firewall and IPS ensure that no direct connection from the Internet to their ISP pipe is possible. Whether this solves the problem remains to be seen.
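The "no direct connection from the Internet" part of that design only holds if the origin accepts web traffic solely from the WAF provider's egress ranges; otherwise an attacker who learns the origin address simply goes around the mitigation service. The following added example (my code, not any vendor's) checks constructed firewall log lines for accepted origin connections that did not come through the WAF, and generates an nftables allowlist that enforces the rule. The WAF ranges, the log format and the addresses are placeholders; a real deployment would load the provider's published ranges and refresh them.

```python
import ipaddress
import re

# Constructed placeholder egress ranges for the WAF/anti-DDoS provider.
WAF_RANGES = [ipaddress.ip_network(n) for n in
              ("198.51.100.0/24", "203.0.113.0/25", "2001:db8:ffff::/48")]
ORIGIN_PORTS = (80, 443)  # the only ports the origin should serve to the WAF

# Constructed firewall log excerpt. Assumed line format:
#   "<ISO-8601 timestamp> <ACTION> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_FW_LOG = """\
2014-06-02T10:00:01 ACCEPT 198.51.100.23 -> 192.0.2.10:443
2014-06-02T10:00:05 ACCEPT 203.0.113.77 -> 192.0.2.10:443
2014-06-02T10:00:09 ACCEPT 192.0.2.99 -> 192.0.2.10:443
2014-06-02T10:00:12 ACCEPT 203.0.113.200 -> 192.0.2.10:80
2014-06-02T10:00:15 ACCEPT 2001:db8:ffff::5 -> 2001:db8:1::10:443
"""
FW_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+):(\d+)$")


def is_from_waf(src_ip, ranges=WAF_RANGES):
    """True if the source address lies inside one of the WAF provider's ranges."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # unparseable source: treat as not trusted
    return any(addr in net for net in ranges)


def find_origin_bypass(log_text, ports=ORIGIN_PORTS):
    """Return (timestamp, src_ip, dst_port) for accepted connections to the
    web ports that did not arrive via the WAF, i.e. the mitigation was bypassed."""
    bypass = []
    for line in log_text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, _dst, port = m.groups()
        port = int(port)
        if action != "ACCEPT" or port not in ports:
            continue
        if not is_from_waf(src):
            bypass.append((ts, src, port))
    return bypass


def nft_ruleset(ranges=WAF_RANGES, ports=ORIGIN_PORTS):
    """Render an nftables ruleset that admits the web ports only from the WAF ranges."""
    v4 = ", ".join(str(n) for n in ranges if n.version == 4)
    v6 = ", ".join(str(n) for n in ranges if n.version == 6)
    plist = ", ".join(str(p) for p in ports)
    return f"""table inet origin_shield {{
    set waf_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}
    set waf_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @waf_v4 tcp dport {{ {plist} }} accept
        ip6 saddr @waf_v6 tcp dport {{ {plist} }} accept
    }}
}}
"""


if __name__ == "__main__":
    for ts, src, port in find_origin_bypass(SAMPLE_FW_LOG):
        print(f"bypass: {ts} {src} -> port {port}")
    print(nft_ruleset())
```

Two of the five accepted connections in the sample (192.0.2.99 and 203.0.113.200, the latter just outside the /25) are flagged as bypasses. The generated chain has a drop policy, so management access (SSH, monitoring) needs its own explicit rule before it is loaded.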

"Advanced persistent threats are followed by DDoS attacks; this is done to erase any tracks of compromise on firewalls, routers and intrusion prevention systems," says J Prasanna, Director, Cyber Security & Privacy Foundation Pte Ltd, a Singapore-based cyber security certification organization.

"The corporates/banks are seeing only the DDoS and putting DDoS mitigation in place. It has to be checked whether there is any compromise of data or criminal compromise of the banks/corporates. The criminals could have gained access to the data or network and remained stealthy for a long time," says Mr. Sreeram, Director, AVS Labs Pte Ltd, Singapore (an organization that does consulting and services on cyber security).

The main problem for organizations is that many vulnerabilities on their systems remain undetected for a long period of time. The vulnerabilities may lie in application code written by software programmers, or in the operating system, the network and other critical system-level applications. Black-hat hackers (APT attackers) can exploit these vulnerabilities, generally called 0-day vulnerabilities, to gain entry into the systems.

Most of these organizations need a "0-Day Vulnerability Assessment & Penetration Testing" and "APT Analysis" to find any security breach. Normally not everyone can do this, because you need the best talent on board, like the "bounty hunters" who find vulnerabilities for Fortune 500 companies. But that is not all: "Most bug bounty hunters can't find beyond web vulnerabilities." These auditors/assessors need 0-day exploits and also knowledge of how APT attacks work. Most organizations that perform regular vulnerability assessment and penetration testing, and even those that implement ISO 27001 certification, don't have the capability to handle zero-day or APT assessments.

Is a corporate with ISO 27001 implemented safe? A quiet survey of 25 organizations showed that almost all had the standard implemented and all had experienced data theft. Some corporate CISOs don't want to acknowledge APT attacks, and most information about compromises never reaches management.

All the attacks happened at the technical level, because of poor technical controls or because products like antivirus, firewalls and intrusion prevention systems did not do what they were claimed to do.

Can we still trust the ISO 27001 implementation in corporates, or the products they use inside, to protect our data?