APT groups continue to advance their arsenal: report


Mumbai: APT groups continue to update and modify their arsenal, according to Kaspersky’s report on the latest APT trends that the corporate sector should be aware of.

Kaspersky researchers have seen the continued development of APT (advanced persistent threat) arsenals on several fronts, from targeting new platforms and actively exploiting vulnerabilities to shifting to entirely new tools. These and other APT trends from across the world are covered in Kaspersky’s latest quarterly threat intelligence summary.

Even amid the COVID-19 pandemic, cybercriminals and APT groups remain active in their dark mission and unlawful, criminal activities. They actively used the pandemic as bait for many campaigns – large and small, according to Kaspersky.

“The threat landscape isn’t always full of “groundbreaking” events, yet cybercriminal activity definitely has not been put on hold over the past few months,” said Vicente Diaz, Security Researcher – GRAT, Kaspersky.

“We see that the actors continue to invest in improvements to their toolsets, diversify attack vectors and even shift to new types of targets. For instance, the use of mobile implants is no longer a novelty,” added Diaz.

APT groups are highly sophisticated, well-resourced cybercriminal units operating covertly from certain parts of the world. They largely carry out targeted attacks for monetary gain against corporations, banks, financial organisations and nation states.

“Another trend we see is the move towards financial gain by some APT groups, such as BlueNoroff and Lazarus. Yet, geopolitics remain an important motive for many threat actors too,” pointed out Diaz.

Security analysts and experts strongly believe APT attacks are highly target-specific and destructive in nature. They can cripple the operations of any organisation, or the critical assets and infrastructure of any country, leading to major disruption and financial losses.

“All these developments only highlight the importance of investing in threat landscape intelligence. Cybercriminals do not stop at what they have achieved already but continually develop new TTPs – and so should those who want to protect themselves and their organizations from attack,” informed Diaz.

This summary of APT trends over the past three months is based on Kaspersky’s private threat intelligence research and other sources covering the major developments. Kaspersky’s researchers believe the corporate sector should be aware of these trends.

In Q2 2020, Kaspersky researchers observed multiple developments in the TTPs (Tactics, Techniques and Procedures) of APT groups across the world. The most significant changes were implemented by the following groups:

  • The Lazarus APT group has been a major threat actor for several years. The group is infamous for carrying out attacks on banks and financial companies for monetary gain, alongside cyberespionage and cybersabotage. This quarter, Kaspersky researchers were also able to identify that Lazarus has started operating ransomware – an atypical activity for an APT group – using a multi-platform framework called MATA to distribute the malware. The WannaCry attack has also been associated with the Lazarus group.

  • CactusPete, a Chinese-speaking threat actor, now commonly uses ShadowPad – a complex, modular attack platform that features plugins and modules for diverse functionalities. ShadowPad has previously been deployed in a number of major cyberattacks, with a different subset of plugins used in different attack cases.

  • The MuddyWater APT group, discovered in 2017, has been active in the Middle East over the past few years. MuddyWater activities target telecom companies and government agencies in the Middle East, as Kaspersky researchers reported in 2019. Kaspersky recently discovered the group using a new C++ toolchain in a new wave of attacks in which the actor leveraged an open-source utility called Secure Socket Funneling for lateral movement.

  • The HoneyMyte APT group carried out a watering hole attack on a Southeast Asian government’s website. This watering hole, set up in March, seemed to leverage whitelisting and social engineering techniques to infect its targets. A simple ZIP archive containing a “readme” file was used as the payload during the attack to entice the victim into executing a Cobalt Strike implant. The mechanism used to execute Cobalt Strike was DLL side-loading, which decrypted and executed a Cobalt Strike stager shellcode.

  • The OceanLotus APT group devised the advanced PhantomLance mobile campaign. The group has been using new variants of its multi-stage loader since the second half of 2019. The new variants use target-specific information (username, hostname, etc.) about the targeted host, obtained beforehand, to ensure the final implant is deployed only on the intended victim. The group continues to deploy its backdoor implant, as well as Cobalt Strike Beacon, configuring them with updated infrastructure.
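As an added example, not part of Kaspersky’s report or of this article, the following Python hunting check flags the DLL side-loading pattern described for the HoneyMyte attack above. It runs over constructed Sysmon-style image-load records; the `ImageLoad` record shape, the list of system DLL names and the sample paths are assumptions made for this illustration, not indicators from the report.

```python
"""Hunt for DLL side-loading in image-load telemetry (constructed example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a short list of DLL names that legitimately live only under the
# Windows system directories. A real rule would use an inventory of the host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Directories an unprivileged user can write to. A DLL loaded from here, sitting
# next to the executable that loads it, is the classic side-loading layout.
USER_WRITABLE_DIRS = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\ProgramData"),
)


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (assumed shape, modelled on Sysmon event 7)."""
    process_image: str   # executable that loaded the DLL
    loaded_image: str    # full path of the loaded DLL
    dll_signed: bool     # whether the DLL carries a valid signature


def _under(path, roots):
    """True if path equals or lies beneath any of the given root directories."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in roots)


def side_loading_findings(events):
    """Return (process, dll, reasons) for every event matching a side-loading rule."""
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev.loaded_image)
        exe = PureWindowsPath(ev.process_image)
        reasons = []
        # Rule 1: a well-known system DLL name resolved outside the system directories.
        if dll.name.lower() in SYSTEM_DLL_NAMES and not _under(dll, SYSTEM_DIRS):
            reasons.append("system DLL name loaded from a non-system path")
        # Rule 2: an unsigned DLL loaded from the loader's own user-writable directory.
        if dll.parent == exe.parent and _under(dll, USER_WRITABLE_DIRS) and not ev.dll_signed:
            reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
        if reasons:
            findings.append((ev.process_image, ev.loaded_image, reasons))
    return findings


# Constructed sample telemetry: one benign system load, one side-loading layout,
# one benign vendor plugin under Program Files, one signed plugin under ProgramData.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\victim\Downloads\readme\app.exe",
              r"C:\Users\victim\Downloads\readme\version.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", False),
    ImageLoad(r"C:\ProgramData\tool\tool.exe", r"C:\ProgramData\tool\plugin.dll", True),
]

if __name__ == "__main__":
    for process, dll, reasons in side_loading_findings(SAMPLE_EVENTS):
        print(f"{process} -> {dll}: {'; '.join(reasons)}")
```

Only the second record trips both rules; the vendor plugin under Program Files and the signed plugin under ProgramData are left alone, which is the balance a hunting rule needs to avoid drowning analysts in legitimate application DLLs. `PureWindowsPath` compares case-insensitively, so mixed-case paths in real telemetry are handled without extra normalisation.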

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features, which allow users to check files, URLs and IP addresses, is available.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills – for example through the Kaspersky Automated Security Awareness Platform.

(Image source – Rawpixel)
