threat actors 2023 edition


In recent years, the cybersecurity landscape has shifted dramatically, with nation-states and cybercriminals emerging as the dominant threat actors. This first blog post tries to dissect some of the motivations and technical abilities of those two and in the second part I will provide some insights on how defensive measures can help to mitigate most of the attack vectors.

politically motivated or nation states


Nation-state actors possess advanced skills, but their focus is limited to a specific group of targets. The majority of companies are not considered attractive targets for nation-state hacking. There is certainly an information gap when it comes to the extent of nation-state attacks, as they usually operate very stealthily, leading to limited information being made public, either because attacks did not get detected or for other operational or (geo)political security reasons.

State-sponsored hacking groups from various nations have been linked to numerous notable cyberattacks, such as interference in elections, attacks on government and corporate entities, data breaches of both government and private organizations for the purpose of leaking or selling stolen information, propaganda or disinformation campaigns, and extensive global cyber espionage operations. Nation-state threat actors have a strong advantage in terms of technical abilities, due to a combination of factors that allow them to develop their skills. These include access to funding and resources, the ability to attract and retain top talent, a focus on long-term goals and projects, and collaborations with other nations and organizations. Members of nation-state groups have a distinct advantage as they are able to conduct their operations within the bounds of their own legal system, which means that they do not have to worry about any unexpected raids from law enforcement agencies. This provides them with a greater level of safety and freedom to carry out their activities without fear of repercussions. The result of all these factors combined is that nation-state threat actors are often at the forefront of technological advancements and are highly capable of executing sophisticated high-profile cyberattacks. Their missions are usually very different from those of ransomware cybercriminals, so they operate much more stealthily and many times use advanced social-engineering tactics and combined attack chains to achieve their objectives. Despite having highly skilled members, they still employ the same tactics, techniques, and procedures (TTPs) as other hacking groups.

cybercriminals and ransomware groups


There is certainly a high number of unreported industrial espionage incidents attributed to nation-states; still, the biggest threat for the vast majority of companies is the opportunistic ransomware attack.
From my research on the topic, ransomware groups and similar extorting cybercriminals oftentimes tend to have much more limited technical abilities than nation states and more often than not resort to basic tools and tactics in their attacks. This especially applies to the recent developments in ransomware-as-a-service (RaaS) type attacks. For instance, the recent Conti Leaks and their playbook revealed their use of off-the-shelf tools and easily detectable methods to compromise networks. I also experienced those types of unskilled attackers in my (limited) time in incident response projects. I’m pretty sure there are other groups that operate at a much higher level, but there is a good chance you’ll get attacked by one of the less skilled, script-kiddie type of gangs.

Following the playbook in the literal sense, copying and pasting commands are more common than expected. We have observed cases where operators kept entering misspelled commands taken from documentation. https://thedfirreport.com/2022/03/07/2021-year-in-review/

Ransomware operators have heavily invested in advanced offensive tools such as Cobalt Strike, and developers of the actual malware have been known to acquire expensive endpoint detection and response (EDR) systems to study how they can be evaded. More than likely they will however raise significant alerts once they have gained administrative access in their victim’s network. Usually the final encrypting payloads are executed late at night, so even if some monitoring software detects their IOCs, it is already way too late to start investigations or react adequately. Smash and grab seems to be the name of the game, where initial access and enumeration of the network are the only operations done quietly and with high precision. RDPing and PsExecing through the network, dumping LSASS left and right and exfiltrating large quantities of data over insecure channels is common practice. Such activities should be prevented by the most basic configuration of any security solution, but it seems that the victims either do not own such products, have misconfigured them or silenced the alerts to such an extent that operators can pound through the network until their mission is complete. To be fair, once full admin-level access is gained it’s pretty much game over, as even the fastest detection and best blue team will have a hard time operating in an environment where the adversary has full control over the entire network and one machine after the other gets encrypted in front of their eyes.

motivations and targets

Both nation-states and ransomware gangs are highly advanced and successful cybercrime organizations that operate with a strong focus on operational security. The groups have been observed using some of the same tooling they have used in the past, with continuous updates over time. They have made big investments in anti-analysis techniques and operational security to maintain their effectiveness.

As already mentioned, state-sponsored groups are much more selective with their victims, as they mostly have a specific mission other than profit. Ransomware groups on the other hand pretty much attack everything they think they can extort money out of. However, there have been instances where ransomware attacks have been attributed to state-sponsored groups, indicating a political agenda. But in general many ransomware attacks are conducted by criminal organizations seeking financial gain, and their motivations are primarily driven by profit rather than politics.

Common sectors that are targeted by current threat-actors include:

  1. Defense and military: threat actors may target military organizations and defense contractors to gain access to classified information and intellectual property.
  2. Finance and banking: financial institutions are high value targets for both types of groups as they could gain access to sensitive information, steal money, and disrupt financial systems.
  3. Energy and utilities: Both groups are known to attack critical infrastructure and control systems, but for different reasons. While nation-states usually want to disrupt services and cause chaos, ransomware groups usually extort huge sums of money to restore operations.
  4. Technology and telecommunications: Same as in the energy sector, the goals differ. Nation-states want access to sensitive information and intellectual property as well as the ability to disrupt communication systems; ransomware groups want large profits.
  5. Healthcare: Health information is a valuable target for both threat actors. Disrupting healthcare systems or encrypting health records can cause massive damage and gives huge leverage when it comes to negotiating ransoms.
  6. Government and political organizations: Nation-state actors target government and political organizations to gain access to classified information and influence political decisions. Ransomware groups usually stay away from political organizations as they are known to rarely actually pay the ransom, but there are exceptions.

Some of the nation-state threat actors that are often considered to be the most infamous include:

  • APT10 (MenuPass, Stone Panda): A Chinese state-sponsored hacking group that has been active since at least 2009 and is known for targeting organizations in various industries, including government, military, telecommunications, and technology. Among many others, they allegedly were involved in hacks on NASA and IBM.
  • Lazarus: A North Korean state-sponsored hacking group that has been active since at least 2009 and is responsible for some of the largest and most damaging cyberattacks in recent years, including Sony, Bangladesh Bank, and the WannaCry ransomware attack in May 2017.
  • APT28 (Fancy Bear): A Russian state-sponsored hacking group that has been active since at least 2007 and is known for its involvement in a number of high-profile cyber-espionage campaigns, including the 2016 US and 2017 French presidential elections and the highly malicious Ukraine power-grid hack.
  • APT33 (Elfin): An Iranian state-sponsored hacking group that has been active since at least 2013 and is known for its focus on organizations in the oil and gas industry, as well as military and government targets.

By definition the groups in the following listing are ransomware software variants, but are also commonly interchangeably associated with a group of the same name:

  • REvil (Sodinokibi): One of the many ransomware-as-a-service (RaaS) groups. They are known for their aggressive tactics, such as threatening to publish stolen data if the ransom is not paid, aka double extortion, and are believed to be operating out of Russia. Some of the members were arrested in early 2022, but I doubt it’s the end of it, as a variant of the ransomware code has re-appeared in connection with newly identified operations as of April 2022. They are known for one of the biggest supply-chain attacks in recent years, as well as for one of the highest known ransom demands, in the attack on Acer.
  • Ryuk (Wizard Spider): Ryuk, believed to originate in Russia, is considered to be one of the most dangerous and effective types of ransomware, with its operators using a sophisticated and targeted approach to infect their victims’ networks and demand high ransom payments. They were involved in some high-profile attacks on government agencies like the City of New Orleans hack and in the healthcare sector on UHS.
  • Maze (ChaCha): This ransomware group is known for its use of double extortion, where the attackers not only encrypt the victim’s files but also steal sensitive data and threaten to publish it if the ransom is not paid. Some of the most notable incidents in which Maze has been involved include the LG hack, IT service provider Cognizant and insurance giant Chubb.
  • Egregor: This ransomware group emerged in late 2020 and is known for its use of a custom loader that allows it to evade security solutions. The group is also known for its use of fast and efficient encryption and its willingness to target high-profile organizations like Crytek and Barnes & Noble.
  • Conti: This ransomware group emerged in 2020 and is known for its use of a highly sophisticated infrastructure and its focus on large organizations in the health and banking sector, for example Ireland’s HSE and Indonesia’s central bank.

Some honorable mentions include Lockbit, Doppelpaymer and Netwalker.

common tactics, techniques and procedures (TTPs)

Most of the technical reports I came across are not very detailed on how exactly the whole operation was conducted. In the majority of commercial incident reports the actual malware is dissected and analyzed, only to get hit with colorful marketing about their newest AV product. Another reason for the lack of technical insights could be either due to missing evidence, sloppy incident response, operational security reasons or a combination of all those factors. Anyways I am going to outline a short summary on my findings on this topic. I provide some exemplary links to some of the reports on those incidents, but you may want to research the specifics on your own.

Reports have shown that especially nation-state actors are putting enormous effort into social engineering. This is still to this date the most common initial access vector. Needless to say, it is also the hardest to defend against, as the human element plays a huge factor in those types of attacks. On the other hand, if a malicious actor can compromise an entire internal network by phishing the HR department, you have bad security. Lazarus and APT28 make their campaigns very believable as they build an often week- or month-long trust relationship. Both groups support their efforts with legitimate but compromised websites or other social media accounts like LinkedIn. After they have established firm trust with their contacts in the target company, they usually lure their victim into opening malicious documents or other executables that will run malicious code. Oftentimes they know exactly which vulnerable software on the target system to exploit, as they meticulously collect the necessary information in advance, either through social engineering or other open-source intelligence (OSINT) methods.

Patient 0 incident reports have shown, among others, various customized Adobe Flash, Java Runtime, Silverlight, PDF reader and outdated web browser exploits. And of course the infamous malicious macro style approach, or more recently the weaponized OneNote and .lnk file attack-chain vector. To bypass the recent restrictions by Microsoft regarding the handling of Office macros, reports have shown that they will coerce their victims into opening ISO and ZIP files, to get around those restrictions and execute their initial payload on an internal Windows system.

Another common tactic for initial access is to redirect a victim to an otherwise legitimate website, which they previously compromised and infected with JavaScript malware, to download malicious files onto the victim’s computer. These so-called drive-by downloads combined with social engineering are very effective. In rare cases zero-days are used, but the common practice is to exploit unpatched systems affected by already published vulnerabilities.

Initial footholds through compromised external web, mail and application servers, including perimeter devices, are old-school, but still a lot of companies are not patching their external systems fast enough or lack sufficient application security in their proprietary web applications. Additionally, some threat actors have intensified their efforts of coding working exploits for already released vulnerabilities. Sometimes multiple vulnerabilities are chained together to build weaponized exploits to attack high-value targets in the wild. It is estimated that the average time for threat actors to develop a working exploit is around 14 days after public release of the vulnerability.

Abusing stolen or leaked credentials, aka credential stuffing, in combination with wide open RDP servers or other unsecured remote access devices is another quite common entry point. RDP brute forcing and its variants are among the favorite initial access vectors of Lockbit and friends. Humans will re-use their work passwords for private stuff on the internet, it is inevitable. MFA was introduced because of the inherent insecurities that come with trusting users to manage their own credentials. It is widely known that implementing MFA, although no silver bullet, will actually stop most of those credential stuffing attacks. Not to mention that having RDP servers exposed to the internet is generally bad practice and should be avoided.
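As an added illustration of the point above (this is example code written for this post, not from the original article or any vendor product), here is a small Python detection run over constructed Windows Security logon records: it flags a source address that produces a burst of failed RDP logons (event 4625, logon type 10), one that cycles through many distinct usernames (the credential-stuffing pattern), and a success (4624) arriving right after such a burst. The event shape, the IP addresses, the usernames and all thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): parsed Windows Security events with
# event_id 4625 (failed logon) / 4624 (successful logon) and logon_type 10 (RDP).
BASE = datetime(2023, 3, 1, 2, 0, 0)  # "late at night", as the post describes


def _ev(minute, event_id, src, user, logon_type=10):
    return {"time": BASE + timedelta(minutes=minute), "event_id": event_id,
            "logon_type": logon_type, "src_ip": src, "user": user}


SAMPLE_EVENTS = (
    # 12 failures from one external address, each with a different (assumed leaked)
    # username, followed by a success: the credential-stuffing pattern
    [_ev(i * 0.25, 4625, "203.0.113.7", f"user{i:02d}") for i in range(12)]
    + [_ev(3.5, 4624, "203.0.113.7", "jsmith")]
    # a normal user mistyping a password twice, then logging in
    + [_ev(1, 4625, "10.0.0.5", "akhan"), _ev(1.5, 4625, "10.0.0.5", "akhan"),
       _ev(2, 4624, "10.0.0.5", "akhan")]
)


def detect_rdp_credential_attacks(events, window=timedelta(minutes=10),
                                  fail_threshold=10, distinct_user_threshold=5,
                                  failures_before_success=3):
    """Return findings for source IPs whose RDP logon pattern trips a rule.

    Thresholds are assumed example values. Each rule fires once per source IP.
    """
    findings = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["logon_type"] == 10:          # only RemoteInteractive (RDP) logons
            by_ip[e["src_ip"]].append(e)

    for ip, evs in by_ip.items():
        recent = []      # failures still inside the sliding window
        fired = set()    # rules already reported for this IP
        for e in evs:
            recent = [f for f in recent if e["time"] - f["time"] <= window]
            if e["event_id"] == 4625:
                recent.append(e)
                users = {f["user"] for f in recent}
                if len(recent) >= fail_threshold and "brute_force" not in fired:
                    fired.add("brute_force")
                    findings.append({"rule": "rdp_brute_force", "src_ip": ip,
                                     "failures": len(recent),
                                     "distinct_users": len(users)})
                if len(users) >= distinct_user_threshold and "stuffing" not in fired:
                    fired.add("stuffing")
                    findings.append({"rule": "rdp_credential_stuffing", "src_ip": ip,
                                     "distinct_users": len(users)})
            elif (e["event_id"] == 4624 and len(recent) >= failures_before_success
                  and "success" not in fired):
                # a logon that succeeds right after a burst of failures is the
                # finding that deserves immediate attention
                fired.add("success")
                findings.append({"rule": "rdp_success_after_failures", "src_ip": ip,
                                 "failures_before": len(recent), "user": e["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_credential_attacks(SAMPLE_EVENTS):
        print(finding)
```

The two-failure typo from the internal address stays silent, while the external address trips all three rules in order: many distinct usernames first, then the failure count, then the success. In a real environment the same logic would run against the Security event log collected centrally, and the "success after failures" rule is the one to page on, since MFA or blocking the source should prevent it from ever firing.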

Supply chain attacks are seeing one of the biggest uptrends in the last couple of years. Recent examples include Slack, Okta, LastPass, Rackspace and of course SolarWinds, just to mention a few. The problem with supply chain attacks is that there is a considerable risk that the incident will affect other companies down the line that were not involved in the actual hack. Imagine source code stolen from private GitHub repositories and exploited in the wild: it will affect each and everyone who uses that software. The same goes for compromised hosting providers or, even worse, cloud-based password managers. The effects of the actual attack trickle down to the customers of that vendor or provider. Breaches will lead to more breaches. When outsourcing services to third-party providers, these risks need to be taken into account and modeled into a security management process.

After establishing initial access, the attackers will usually use custom binaries as well as abuse legitimate Windows and Unix tools (Living Off the Land). Generally the usage of malware is trending down, and blending in with “normal” user traffic and behavior by using standard office or administrative tools is on the rise. Credential dumping, aka credential shuffling, is still very often mentioned in most reports for lateral movement. To take the example with HR again: if your standard Windows client PC can be credential dumped and an attacker can use those logins anywhere else, you have bad security. As already mentioned, the reports are mostly not very specific and do not provide many details about the privilege escalation and subsequent malicious movements inside the network, but obtaining credentials from unsecured SMB shares, off of filesystems, via DNS fallback attacks or Kerberos misconfigurations are certainly the main attack vectors. If those open attack paths are not handled properly by adequate operational security management processes, they can become a big problem real quick. I’ll not go into detail about the malware or C2 frameworks used in those attacks, as this could easily be enough material for another blog post. Just my 2 cents: if a threat actor can install malware with admin rights on your workstations, you have bad security.
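The noisy post-compromise behaviour described here and in the ransomware section above (RDP and PsExec fan-out across the network, LSASS dumping on a client PC) is exactly what basic detection logic should catch before the encryption stage. The following Python is an added example written for this post, not code from the original article or from any product: it runs three simple rules over constructed records shaped like parsed Windows Security (4624 logon), System (7045 service installed) and Sysmon (event 10, process access) events. Host names, accounts, file paths, the allow-list and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 3, 1, 2, 10, 0)


def _t(minute):
    return BASE + timedelta(minutes=minute)


# Constructed sample records (not real logs), shaped like parsed events from the
# Windows Security log, the System log and Sysmon.
SAMPLE_EVENTS = (
    # one workstation account fanning out network logons to eight servers in a few minutes
    [{"log": "security", "event_id": 4624, "time": _t(i * 0.5), "logon_type": 3,
      "user": "CORP\\hr.assistant", "src_host": "HR-PC-01", "dst_host": f"SRV-{i:02d}"}
     for i in range(8)]
    # PsExec leaves its service behind on the target (assumed example path)
    + [{"log": "system", "event_id": 7045, "time": _t(1.2), "host": "SRV-02",
        "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}]
    # an unknown binary in a temp directory opening lsass.exe with full access
    + [{"log": "sysmon", "event_id": 10, "time": _t(0.1), "host": "HR-PC-01",
        "source_image": "C:\\Users\\hr\\AppData\\Local\\Temp\\pd64.exe",
        "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1FFFFF"}]
    # benign: an allow-listed security product touching lsass, and an admin on two hosts
    + [{"log": "sysmon", "event_id": 10, "time": _t(2), "host": "HR-PC-02",
        "source_image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
        "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"}]
    + [{"log": "security", "event_id": 4624, "time": _t(m), "logon_type": 10,
        "user": "CORP\\it.admin", "src_host": "IT-JUMP-01", "dst_host": h}
       for m, h in ((3, "SRV-01"), (9, "SRV-05"))]
)

# Assumed per-environment allow-list of full image paths permitted to open lsass.
# Matching on a path is a known weak spot (a renamed binary is not caught), so a
# real deployment would also pin signer or hash.
LSASS_ACCESS_ALLOWLIST = {"C:\\Program Files\\Windows Defender\\MsMpEng.exe"}


def detect_lateral_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag a source host whose network (3) or RDP (10) logons reach
    `threshold` distinct destination hosts inside `window`. One finding per host."""
    logons = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["log"] == "security" and e["event_id"] == 4624 and e["logon_type"] in (3, 10):
            logons[e["src_host"]].append(e)
    findings = []
    for src, evs in logons.items():
        for i, first in enumerate(evs):
            in_window = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            targets = {x["dst_host"] for x in in_window}
            if len(targets) >= threshold:
                findings.append({"rule": "lateral_fanout", "src_host": src,
                                 "users": sorted({x["user"] for x in in_window}),
                                 "distinct_targets": len(targets)})
                break
    return findings


def detect_psexec_service(events):
    """Flag service installations whose name or binary looks like PsExec's service."""
    return [{"rule": "psexec_service_install", "host": e["host"], "image_path": e["image_path"]}
            for e in events
            if e["log"] == "system" and e["event_id"] == 7045
            and "PSEXESVC" in (e["service_name"] + e["image_path"]).upper()]


def detect_lsass_access(events, allowlist=LSASS_ACCESS_ALLOWLIST):
    """Flag any process not on the allow-list that opens a handle to lsass.exe."""
    return [{"rule": "lsass_access", "host": e["host"], "source_image": e["source_image"],
             "granted_access": e["granted_access"]}
            for e in events
            if e["log"] == "sysmon" and e["event_id"] == 10
            and e["target_image"].lower().endswith("\\lsass.exe")
            and e["source_image"] not in allowlist]


def run_all(events):
    return (detect_lateral_fanout(events) + detect_psexec_service(events)
            + detect_lsass_access(events))


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

On the sample set the admin's two jump-host logons stay below the fan-out threshold and the allow-listed security product is ignored, while the HR workstation's eight-server fan-out, the PsExec service on SRV-02 and the temp-directory binary reading LSASS each produce a finding. All three data sources are available on a default Windows install plus Sysmon, which is the point: none of this requires the expensive tooling the post says the victims often lack or have silenced.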

conclusion

Although both nation state and ransomware attacks seem to be highly technical and sophisticated, it is still very much possible for all companies to implement effective security measures that can help manage the risk and actually actively defend against these types of threats.

I’ll end this here with some encouraging words. Internal networks can be secured and defended even against technically advanced threat actors. In most cases of active exploitation, basic security, like patching software, was simply neglected, security management processes were not implemented or regularly checked, and privileged (administrative) access was not sufficiently isolated, restricted and monitored. Designing and executing operational security processes will cost time, money and nerves. A good security baseline to protect against the majority of opportunistic attacks is very much achievable. Improvements will come with knowledge, and continued external verification, and will protect your company from most attacks in today’s threat landscape.

Get in contact if you agree or more importantly if not, I want to hear why. Thanks for reading and see you in the next one.