ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware onto systems belonging to multiple targeted government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is that they allow the attackers to use a well-known method called dynamic link library (DLL) side-loading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which essentially involves adversaries disguising a malicious DLL file as a legitimate one and placing it in a directory where the application automatically loads and runs the file.

Researchers from Broadcom Software’s Symantec Threat Hunter team observed the ShadowPad-related threat group using the tactic in a cyber-espionage campaign. The group’s targets have so far included a prime minister’s office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor’s analysis showed the campaign has been ongoing since at least early 2021, with intelligence gathering being the primary focus.

A Well-Known Cyberattack Tactic, but a Successful One

“The use of legitimate applications to facilitate DLL side-loading appears to be a growing trend among espionage actors operating in the region,” Symantec said in a report this week. It’s an attractive tactic because anti-malware tools often fail to spot the malicious activity, since the attackers use old applications for side-loading.

“Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous,” says Alan Neville, threat intelligence analyst with Symantec’s Threat Hunter team.

The fact that the group behind the current campaign in Asia is using the tactic even though it is well understood suggests that the technique is yielding some success, Symantec says.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. “The technique is mostly used by attackers focusing on Asian organizations,” he adds.

Neville says that in most of the attacks in the latest campaign, the threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the side-loading and deploy malware. In each case, the attackers had already compromised the systems on which they installed the old, legitimate applications.

“[The programs] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network,” Neville says. In other instances, Symantec also observed them deploying multiple legitimate applications on a single machine to load their malware, he adds.

“They used quite an array of software, including security software, graphics software, and Web browsers,” he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.

Logdatter, a Range of Malicious Payloads

One of the malicious payloads is a new information stealer called Logdatter, which among other things allows attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files. Other payloads the threat actor is using in its Asia campaign include a PlugX-based Trojan, two RATs called Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, and FScan and NBTscan for scanning victim environments.

Neville says Symantec has not been able to determine with certainty how the threat actors gain initial access to a target environment. But phishing and opportunistic targeting of unpatched systems are likely vectors.

“Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have carried out supply chain attacks in the past,” Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these types of attacks, organizations need to implement mechanisms for auditing and controlling the software that runs on their network. They should also consider implementing a policy that allows only allowlisted applications to run in the environment, and prioritize patching vulnerabilities in public-facing applications.
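As an added illustration that is not part of the Symantec report or this article, the following Python sketch shows the kind of detection logic the auditing recommendation implies: it triages constructed image-load events for the side-loading pattern described earlier (a signed host application loading an unsigned DLL from its own directory), and raises the severity when the host is an old build or was launched through PsExec. The event field names, the build-year threshold, and all sample paths are assumptions.

```python
import ntpath
# Added example, not from the article: triage image-load events for the DLL
# side-loading pattern described above. Field names loosely follow Sysmon
# Event ID 7 (ImageLoad) and are an assumption; all events are constructed.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
LEGACY_BUILD_YEAR = 2015  # assumed cut-off for "old version of a known product"

EVENTS = [
    # Old signed app dropped outside Program Files, loading an unsigned DLL
    # beside itself, started by the PsExec service: the campaign pattern.
    {"image": r"C:\ProgramData\Tools\legitapp.exe", "signed": True,
     "image_loaded": r"C:\ProgramData\Tools\version.dll", "dll_signed": False,
     "build_year": 2012, "parent_image": r"C:\Windows\PSEXESVC.exe"},
    # Same DLL name resolved from System32: the normal, benign case.
    {"image": r"C:\Program Files\Vendor\app.exe", "signed": True,
     "image_loaded": r"C:\Windows\System32\version.dll", "dll_signed": True,
     "build_year": 2023, "parent_image": r"C:\Windows\explorer.exe"},
    # Current build loading an unsigned DLL from its own folder: worth a look,
    # but without the legacy-build or remote-execution indicators.
    {"image": r"C:\Users\u\AppData\Local\Viewer\viewer.exe", "signed": True,
     "image_loaded": r"C:\Users\u\AppData\Local\Viewer\dwmapi.dll", "dll_signed": False,
     "build_year": 2022, "parent_image": r"C:\Windows\explorer.exe"},
]

def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()

def side_load_reasons(ev: dict) -> list:
    """Return why an image-load event looks like side-loading (empty if it does not)."""
    reasons = []
    exe_dir, dll_dir = _dir(ev["image"]), _dir(ev["image_loaded"])
    # Core indicator: trusted host loads an unsigned DLL from its own directory, not System32.
    if ev["signed"] and not ev["dll_signed"] and exe_dir == dll_dir and dll_dir not in SYSTEM_DIRS:
        reasons.append("unsigned DLL loaded from application directory")
        # Supporting indicators from the article: old build, launched via PsExec.
        if ev.get("build_year", 9999) <= LEGACY_BUILD_YEAR:
            reasons.append("legacy application build")
        if ntpath.basename(ev.get("parent_image", "")).lower() == "psexesvc.exe":
            reasons.append("launched by PsExec service")
    return reasons

def triage(events: list) -> list:
    """Return (host exe, DLL, severity) per suspicious load; 'high' needs a supporting indicator."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if reasons:
            hits.append((ev["image"], ev["image_loaded"], "high" if len(reasons) > 1 else "medium"))
    return hits
```

Running `triage(EVENTS)` flags the first event as high and the third as medium while leaving the System32 load alone; in practice the allowlist of known host applications would replace the signature check.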

“We’d also recommend taking immediate action to clean machines that exhibit any indicators of compromise,” Neville advises, “… including cycling credentials and following your own organization’s internal process to perform a thorough investigation.” 
