CSW’s AI-based insights into APT groups and their arsenal

Posted on Apr 14, 2022 | By Priya Ravindran

The only way for organizations to stay safe from today’s state-of-the-art threats is to secure the exposures in their attack surfaces. CSW’s predictive warnings, combined with years of threat research experience, can help identify and address possible attack vectors, before they can be exploited. 

 

The last couple of years have seen heightened activity in terms of cyber attacks, website hacks and network outages. This has also brought to the forefront a variety of threat actors who are constantly scouting for exposures to exploit, with intentions ranging from disinformation, propaganda and espionage to destructive cyber attacks. This blog calls attention to a specific category of threat actor: Advanced Persistent Threat (APT) groups.

 

APT groups can be nation-state or state-sponsored actors, or criminal actors motivated by identity theft or financial gain; either way, they invade networks stealthily and cause cumulative damage over extended periods. Because they neither demand ransoms nor claim victims on leak sites, they usually remain undetected for a long time, which compounds the damage; the Elephant Beetle group, which sat inside victims’ financial systems for months before being noticed, is a classic example. This makes it all the more critical to ward off such threats by proactively monitoring the exposures in the organizational attack surface and addressing the ones that could lead to network compromise.

 

In this blog, we probe deeper into the findings from CSW’s continued research on APT groups and the vulnerabilities they are after.

 

Our research has identified 117 distinct APT groups with vulnerability associations, cumulatively using 235 vulnerabilities to invade victim networks. 

 

State-Sponsored APT Groups

Of the APT groups identified, 89 are backed by 18 nation states. State-sponsored groups target intellectual property and critical industry sectors in order to give their sponsor a competitive advantage over the target nation. China, Russia and Iran are linked to the largest numbers of threat groups, with China and Russia together accounting for almost 63% of all known groups.

 

 

Most Dangerous APT groups

We ranked the APT groups by the number of vulnerabilities associated with them. Unsurprisingly, the top position goes to the Russia-based Nobelium, also tracked as APT 29 (the Dukes), best known for the SolarWinds compromise that brought a whole new dimension to supply chain attacks.

 

Interestingly, a North Korean group, tracked here as Kimsuky/APT 37 (InkySquid, Reaper and ScarCruft), takes 3rd place with 20 vulnerabilities in its arsenal. The group’s primary targets are China, Hong Kong, India, Japan, Kuwait, Nepal, Romania, Russia, South Korea, the UK, the USA, Vietnam and the Middle East. It is also known to have attacked South Korean institutions such as the Ministry of Unification, the Sejong Institute and the Korea Institute for Defense Analyses. APT 37 was highly active in the latter half of 2021, with many small campaigns across multiple industries.

 

APT Group        | Popular Aliases                                                          | Origin Country | Year of Origin | Count of Vulnerabilities
-----------------|--------------------------------------------------------------------------|----------------|----------------|-------------------------
APT29            | Yttrium, Nobelium, the Dukes (Cozy Bear)                                 | Russia         | 2008           | 53
Winnti Group     | Earth Baku, APT 41, APT 22                                               | China          | 2010           | 25
Kimsuky          | APT 37, Thallium, Operation Daybreak, TA406, ScarCruft, InkySquid        | North Korea    | 2012           | 20
Threat Group-3390| APT 27, Iron Tiger                                                       | China          | 2010           | 17
PittyTiger       | Keyhole Panda, APT 24, APT 12, APT 5                                     | China          | 2011           | 16

 

By age, Turla is the oldest APT group, first identified in 1996. The decade from 2011 to 2020 saw 80 new threat groups begin operating, including well-known ones such as Wizard Spider, FIN7, Fox Kitten, Kimsuky and Mustang Panda. Hafnium (China), ChamelGang, DEV-0322 (China) and Lone Wolf are the latest to join the fray, in 2021.

 

APT Groups Deploying Ransomware

Time and again, APT groups have been noted for deploying a variety of sophisticated tools and techniques. The most popular among these are Cobalt Strike and its Beacon payload, Sogu (PlugX), BazarLoader and a range of remote access trojans. Furthermore, 29 APT groups also use ransomware to amplify the impact of their attacks.

 

A noteworthy observation is the continued adoption of new trojans, and the upgrading of old malware capabilities, in order to wage devastating attacks on unsuspecting organizations; MuddyWater, Kimsuky, Molerats and Sandworm are among the groups doing so.

 

Maze ransomware is the most in demand, with links to five different APT groups, including the recently active APT 41, which was involved in campaigns against the airline industry and US state governments. The Russia-based TA505 and Sandworm groups and the China-based DEV-0401 use ten, seven and four ransomware families respectively in their attacks. The newly identified Exotic Lily, an initial-access broker, joins the ranks of Wizard Spider, the operator behind the ravenous Conti and Ryuk ransomware, with Conti and Diavol being deployed through its intrusions.

 

Most Used Vulnerabilities by APT Groups

As part of our analysis, we also researched the 235 vulnerabilities used by APT groups and identified the ones that were most in demand amongst threat actors.


 

Vulnerability   | Vendor    | Product                                        | CVSS Severity | Exploit Type | APT groups using it
----------------|-----------|------------------------------------------------|---------------|--------------|--------------------
CVE-2017-11882  | Microsoft | Microsoft Office (Equation Editor)             | High          | RCE          | 22
CVE-2012-0158   | Microsoft | MSCOMCTL.OCX (Windows common controls)         | Critical      | RCE          | 20
CVE-2017-0199   | Microsoft | Windows, Windows Server, Microsoft Office      | High          | RCE, WebApp  | 18
CVE-2018-0802   | Microsoft | Microsoft Office (Equation Editor)             | High          | RCE          | 13
CVE-2021-26855  | Microsoft | Microsoft Exchange Server                      | Critical      | RCE, WebApp  | 11
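
The two Office bugs at the top of this list, CVE-2017-11882 and CVE-2018-0802, are both memory-corruption flaws in Microsoft Equation Editor, which Office runs as a separate process (EQNEDT32.EXE) to render legacy equation objects. That gives defenders a simple process-lineage signal: an Office application spawning EQNEDT32.EXE, and EQNEDT32.EXE in turn spawning something it has no reason to (cmd.exe, powershell.exe, mshta.exe, a dropped binary). The detection below is an added example written for this page, not CSW’s product or rule set; the events are constructed in a Sysmon Event ID 1-like shape, and the field names, paths and command lines are assumptions.

```python
"""Flag process-creation events consistent with Equation Editor exploitation
(CVE-2017-11882 / CVE-2018-0802). Added example; sample events are constructed."""
from collections import Counter
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"


@dataclass(frozen=True)
class ProcessEvent:          # assumed field names, Sysmon Event ID 1-like
    pid: int
    ppid: int
    image: str               # full path of the new process
    parent_image: str        # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name, accepting either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_equation_editor_abuse(events):
    """Return (severity, rule, event) triples for two patterns.

    eqnedt_spawned_by_office (medium): Office launching Equation Editor.
        Benign documents with legacy equations do this too, so it is a lead.
    eqnedt_spawned_child (high): Equation Editor starting any other program.
        It never does so legitimately, so this is a strong exploitation signal.
    """
    hits = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        if image == EQNEDT and parent in OFFICE_APPS:
            hits.append(("medium", "eqnedt_spawned_by_office", ev))
        if parent == EQNEDT:
            hits.append(("high", "eqnedt_spawned_child", ev))
    return hits


def summarize(events):
    """Count hits by severity, e.g. {"medium": 2, "high": 1}."""
    return dict(Counter(sev for sev, _, _ in detect_equation_editor_abuse(events)))


# Constructed sample: one user opens a legitimate equation-bearing document,
# another opens an exploit document that drops and runs a payload.
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [
    ProcessEvent(100, 10, OFFICE, EXPLORER, '"WINWORD.EXE" report.docx'),
    ProcessEvent(200, 100, EQN, OFFICE, '"EQNEDT32.EXE" -Embedding'),      # legitimate equation
    ProcessEvent(300, 100, EQN, OFFICE, '"EQNEDT32.EXE" -Embedding'),      # exploit document
    ProcessEvent(301, 300, r"C:\Windows\System32\cmd.exe", EQN,
                 r"cmd.exe /c %TEMP%\update.exe"),                        # payload launched
    ProcessEvent(400, 10, r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe"),
]

if __name__ == "__main__":
    for sev, rule, ev in detect_equation_editor_abuse(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: pid={ev.pid} ppid={ev.ppid} {ev.command_line}")
    print(summarize(SAMPLE_EVENTS))
```

Two points worth keeping in mind when deploying something like this: the medium-severity lead is noisy in organizations that still edit old equation-bearing documents, so route it to a hunt queue rather than paging on it; and since Microsoft removed Equation Editor entirely with the January 2018 Office updates, EQNEDT32.EXE should not exist at all on a fully patched host, so its mere presence in process telemetry is itself a patch-compliance finding.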

 

CSW’s Prediction of High Exploitability of the APT Vulnerabilities

 

CSW’s experts continuously analyze trending threats and would-be exposures based on hacker chatter, dark web activity and exploitation trends. On that basis, our researchers classify 218 of the 235 APT vulnerabilities (92.7%) as having the maximum likelihood of exploitation, and warn users to patch them, or upgrade to the latest product versions, without delay.

 

CSW has called out 73% of these vulnerabilities in its blogs, reports and Patch Watch sections. Our research also shows that 43% of the APT vulnerabilities are used by ransomware groups as well, and were warned about in our yearly Ransomware Spotlight Reports and their quarterly updates.

 

Interestingly, 56% of the APT vulnerabilities also feature in CISA’s Known Exploited Vulnerabilities (KEV) catalog, whose accompanying directive (BOD 22-01) requires federal civilian agencies to remediate the listed vulnerabilities by set due dates. The repeated warnings are a clear signal for organizations that have not yet addressed these vulnerabilities to sit up and take immediate notice.

 

Recent Spurt of APT activity

 

The role played by APT groups has become increasingly evident in the recent past. Long-standing APT campaigns, and shorter unsuccessful attempts, are in the news every other week. Here is a look at some of the APT campaigns that have come to light in early 2022.

  • The China-based APT 10 (Stone Panda, Bronze Riverside) group was linked to month-long attacks on Taiwanese financial institutions.

  • Attacks on European diplomatic entities were attributed to the China-based Mustang Panda group.

  • Groups still under research, such as ModifiedElephant, have also been associated with targeted attacks.

 

The Lazarus group was also observed exploiting CVE-2022-0609, a zero-day use-after-free in Google Chrome that allowed remote code execution, in attacks targeting news media, IT companies, and cryptocurrency and fintech organizations. Clearly, zero-day vulnerabilities are highly sought after by threat actors, and ransomware groups are latching on to the trend as well, as called out in our Ransomware Reports.

 

In the wake of the Russia-Ukraine cyber war, a surge of APT group activity has been observed. Gamaredon, Wizard Spider, Nobelium and GhostWriter are back in action. While technical details are still under research, the Anonymous threat group has been recently involved in hacks on the Central Bank of Russia,  


 

Predict, Prioritize, Patch 

 

Our analysis shows that unpatched vulnerabilities and overlooked exposures are the primary means by which threat actors enter and burrow deeper into vulnerable networks. Organizations must therefore scan regularly to discover every exposure in their assets, including hidden or unknown assets that are missing from the inventory. Once identified, exposures must be prioritized by severity, considering CVSS scores, threat associations, exploit trends and the business criticality of the affected asset. Lastly, workarounds and mitigations must be applied until all exposures can be fully remediated.
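
The prioritization criteria above, and the KEV cross-check described earlier (the 56% overlap), can be turned into a repeatable script. The example below is added for this page and is not CSW’s scoring model or code: the CVE rows are taken from the table above, the KEV excerpt is constructed in the shape of CISA’s real JSON feed (field names cveID and dueDate) with placeholder dates, and the asset names, criticality tiers and weights are assumptions that a team would replace with its own inventory and risk appetite.

```python
"""Rank findings by CVSS severity, APT associations, KEV presence and asset
criticality. Added example; KEV excerpt, assets and weights are assumptions."""
import json

# Constructed excerpt in the shape of CISA's feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# (dates are placeholders, not the catalog's real values).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2017-11882", "dueDate": "2022-05-03"},
  {"cveID": "CVE-2012-0158",  "dueDate": "2022-05-03"},
  {"cveID": "CVE-2017-0199",  "dueDate": "2022-05-03"},
  {"cveID": "CVE-2021-26855", "dueDate": "2021-04-16"}
]}"""

# (CVE, CVSS severity label, number of APT groups using it), from the article's table.
APT_VULNS = [
    ("CVE-2017-11882", "High", 22),
    ("CVE-2012-0158", "Critical", 20),
    ("CVE-2017-0199", "High", 18),
    ("CVE-2018-0802", "High", 13),
    ("CVE-2021-26855", "Critical", 11),
]

# Assumed inventory: the asset carrying each CVE and its business criticality.
ASSET_OF = {
    "CVE-2021-26855": ("mail-exch-01", "crown-jewel"),
    "CVE-2017-11882": ("hr-laptops", "standard"),
    "CVE-2012-0158": ("finance-laptops", "standard"),
    "CVE-2017-0199": ("hr-laptops", "standard"),
    "CVE-2018-0802": ("hr-laptops", "standard"),
}

SEVERITY_SCORE = {"Critical": 10.0, "High": 8.0, "Medium": 5.0, "Low": 2.0}
CRITICALITY_SCORE = {"crown-jewel": 3.0, "standard": 1.0, "lab": 0.0}
W_SEVERITY, W_KEV, W_PER_APT, APT_CAP = 0.4, 3.0, 0.1, 3.0   # assumed weights


def load_kev_ids(kev_json: str) -> set:
    """CVE IDs present in a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def kev_overlap(cves, kev_ids) -> float:
    """Fraction of the given CVEs that appear in KEV (the article's 56% figure)."""
    cves = list(cves)
    return sum(c in kev_ids for c in cves) / len(cves) if cves else 0.0


def score(severity: str, apt_count: int, in_kev: bool, criticality: str) -> float:
    """Additive risk score: severity, KEV evidence, capped APT count, asset value."""
    s = W_SEVERITY * SEVERITY_SCORE[severity]
    s += W_KEV if in_kev else 0.0
    s += min(W_PER_APT * apt_count, APT_CAP)   # cap so APT count cannot dominate
    s += CRITICALITY_SCORE[criticality]
    return round(s, 2)


def prioritize(vulns=APT_VULNS, kev_json=KEV_JSON, asset_of=ASSET_OF):
    """Return [(cve, asset, score)] ordered best-first; unknown assets rank as standard."""
    kev_ids = load_kev_ids(kev_json)
    ranked = []
    for cve, severity, apt_count in vulns:
        asset, criticality = asset_of.get(cve, ("unknown", "standard"))
        ranked.append((cve, asset, score(severity, apt_count, cve in kev_ids, criticality)))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


if __name__ == "__main__":
    kev = load_kev_ids(KEV_JSON)
    print(f"KEV overlap: {kev_overlap([v[0] for v in APT_VULNS], kev):.0%}")
    for cve, asset, s in prioritize():
        print(f"{s:5.1f}  {cve:15}  {asset}")
```

With these weights the Exchange bug on the crown-jewel mail server comes out on top even though fewer APT groups use it than the Office bugs, which is the point of folding asset criticality in; the one CVE absent from the constructed KEV excerpt drops to the bottom, but still gets patched, as the article says, rather than being ignored.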

 

CSW’s AI-based threat and vulnerability intelligence can help organizations look ahead and anticipate future attacks.

Sign up for CSW’s ASM-as-a-service and VMaaS, and keep networks secure.

 

Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!
