While continuing to deploy their usual set of hacking tools onto compromised systems, advanced persistent threat (APT) actors were observed using leveraging zero-day vulnerabilities and quickly adopting new exploits during the second quarter of 2017, Kaspersky Lab reports.
According to the security company’s APT Trends report Q2 2017, threat actors such as Sofacy and Turla were observed using zero-day exploits targeting Microsoft’s Office and Windows products. The BlackOasis group too was associated with a zero-day that was quickly adopted by OilRig, while the Lazarus sub-group BlueNoroff adopted the National Security Agency-associated EternalBlue exploit.
In March and April, security researchers discovered three zero-day flaws the Sofacy and Turla Russian-speaking threat actors had been using in live attacks. Sofacy was associated with two vulnerabilities targeting Microsoft Office’s Encapsulated PostScript (CVE-2017-0262) and a Microsoft Windows Local Privilege Escalation (CVE-2017-0263), while Turla was targeting a different Office Encapsulated PostScript bug (CVE-2017-0261).
Both actors were observed dropping their usual payloads, namely GAMEFISH (Sofacy) and ICEDCOFFEE, also known as Shirime (Turla). The actors continued to target foreign ministries, governments, and other government-affiliated organizations in their attacks, Kaspersky reveals.
Sofacy was also seen experimenting with two new macro techniques, one leveraging the built-in ‘certutil’ utility in Microsoft Windows to extract a hardcoded payload within a macro, while the other was based on embedding Base64-encoded payloads within the EXIF metadata of malicious documents. Turla was observed using fake Adobe Flash installers for malware delivery.
In June, the BlackEnergy Russian-speaking actor launched the destructive NotPetya attack targeting organizations relying on the MEDoc software. Focused mainly on companies in Ukraine, the attack eventually hit around 65 countries worldwide, including Belgium, Brazil, France, Germany, India, Russia, and the United States.
The second quarter of the year also brought to the spotlight the activity of a cyber-espionage group called Longhorn. Revealed via Vault 7 files published by WikiLeaks, the group had been tracked by Kaspersky since 2014. The firm discovered at least three families of tools associated with the actor, and calls them Gray Lambert, Red Lambert, and Brown Lambert.
The malware can “orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert’s victimology is primarily focused on strategic verticals in Asia and Middle East,” Kaspersky says.
A global malware attack that caught everyone’s attention in May was WannaCry, and security researchers eventually linked the attack to North Korea-tied Lazarus group (specifically, the sub-group called BlueNoroff, which is currently using the Manuscrypt backdoor to target financial organizations).
WannaCry was leveraging the EternalBlue exploit that ShadowBrokers made public in April (after Microsoft patched it in March) and which was supposedly stolen from the NSA-linked Equation group. WannaCry was accidentally stopped by a British researcher currently under arrest in the U.S. for his alleged involvement in the development and distribution of Kronos banking Trojan.
Another zero-day exploit (CVE-2017-0199) discovered in the second quarter of the year had been actively used by BlackOasis, a Middle Eastern actor observed using other zero-days in the past as well, and associated with the ‘lawful surveillance’ kit FinSpy. Soon after CVE-2017-0199 became public, another Middle Eastern actor adopted it, namely OilRig, which has been targeting organizations in Israel.
Other actors have been active during the second quarter of the year as well, including Chinese-speaking threat groups, but they continued to use their known tools in previously established manners. However, a new piece of MacOS malware called Demsty and targeting University researchers in Hong Kong, among others, did emerge in the timeframe (but Kaspersky isn’t yet certain that a Chinese-speaking actor is behind it).
Kaspersky also mentions the ShadowBrokers group in their APT report, referring to their activity of “dumping multiple tools and documentation allegedly stolen from Equation Group.” In April, the group leaked information suggesting that the NSAs had penetrated the SWIFT banking network to monitor the activity of various Middle East banks.