The quarter of patches: APT actors increasingly turn to exploits to launch attacks
April 2021 by Kaspersky
Over the past three months, the major waves of advanced persistent threat activity have been driven by supply chain attacks and zero day exploits. A compromise in SolarWind’s Orion IT software for monitoring IT infrastructures led to a custom backdoor being installed on more than 18,000 customer networks, while a vulnerability in Microsoft Exchange Server led to new attack campaigns in Europe, Russia, and the United States. These are among the most important findings from Kaspersky’s APT Q1 report.
Advanced threat actors are continuously changing their tactics, sharpening their toolsets, and launching new waves of activity. That’s why, to keep users and organizations informed about the threats they face, Kaspersky’s Global Research and Analysis (GReAT) team provides quarterly reports about the most important developments in the advanced persistent threat landscape. This past quarter, they took note of two major waves of activity.
The first was driven by the SolarWinds compromise, in which the IT managed services provider’s Orion IT software for monitoring IT infrastructures was compromised. This led to a custom backdoor known as Sunburst being installed on the networks of more than 18,000 customers. Many of these included large corporations and government bodies in North America, Europe, the Middle East and Asia.
Upon closer examination of the backdoor, Kaspersky researchers noted its similarities with the previously identified backdoor named Kazuar, first spotted in 2017 and tentatively linked to the infamous Turla APT group. This suggests the attackers behind Kazuar and Sunburst could be somehow linked. The second wave of activity was driven by now-patched zero day exploits in Microsoft Exchange Server. At the beginning of March, a new APT actor known as HAFNIUM was seen taking advantage of these exploits to launch a series of “limited and targeted attacks”. During the first week of March, approximately 1,400 unique servers were targeted for exploitation, with the majority in Europe and the United States. Given that some servers were targeted multiple times, it appears that multiple groups are now utilizing the vulnerabilities. In fact, in mid-March, we uncovered another campaign utilizing these same exploits targeting Russia. This campaign showed some ties to HAFNIUM, as well as to previously known clusters of activity Kaspersky has been investigating.
A new cluster of activity by the infamous APT group Lazarus was also reported—also utilizing zero-day exploits. This time, the group used social engineering to convince security researchers to download a compromised Visual Studio project file or lure the victims to their blog, after which a Chrome exploit was installed. The lures often revolved around zero-days and the attack appears to have been launched to steal vulnerability research. The first wave occurred in January and the second in March, which was coupled with a new wave of fake social media profiles and a fake company to effectively trick the intended victims. Upon closer examination, Kaspersky researchers noted that the malware used in the campaign matched ThreatNeedle, a backdoor developed by Lazarus and recently seen targeting the defense industry in mid-2020.
Another interesting zero-day exploit campaign—dubbed TurtlePower—was seen targeting government and telecom entities in Pakistan and China and is believed to be linked with the BitterAPT group. The origin of the now-patched vulnerability appears to be connected with “Moses”, a broker that has developed at least five exploits in the past two years, some of which have been utilized by both BitterAPT and DarkHotel.
“Perhaps the biggest takeaway from the past quarter is how destructive successful supply chain attacks can be. It will likely be several more months before the full scope of the SolarWinds attack is fully understood. The good news is that the entire security community is now talking about these types of attacks—and what we can do about them. The first three months have also reminded us about the importance of patching devices as soon as possible. Zero-day exploits will continue to be a highly effective and common way for APT groups to compromise their victims, even in surprisingly creative ways—as shown by Lazarus’s recent campaign,” comments Ariel Jungheit, senior security researcher with GReAT.
The Q1 APT trends report summarizes the findings of Kaspersky’s subscriber-only threat intelligence reports, which also include Indicators of Compromise (IOC) data and YARA rules to assist in forensics and malware hunting.
To protect your company from advanced persistent threat activity, Kaspersky experts recommend:
• Install patches for the new vulnerability as soon as possible. Once it is downloaded, threat actors can no longer abuse the vulnerability.
• Perform a regular security audit of an organization’s IT infrastructure to reveal gaps and vulnerable systems.
• Vulnerability and patch management capabilities in an endpoint protection solution can significantly simplify the task for IT security managers.
• Install anti-APT and EDR solutions, enabling capabilities for threat discovery and detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.