Posts

Showing posts from February, 2024

Threat Actor BlackTech

About
Advanced Persistent Threat BlackTech is a China-linked cyber espionage group. They have targeted many organizations working with the U.S. and Japanese militaries to steal sensitive information. They are also capable of modifying router firmware, deploying backdoors in victims' networks, and moving laterally between networks while evading detection. First seen in 2010, BlackTech makes use of various malware families affecting Windows, Linux, and FreeBSD and updates them regularly. With the help of stolen code-signing certificates, the adversaries sign their malware to make it appear legitimate and evade their victims' defenses. The threat actor can also blend in with benign operating system and network activity via Living-off-the-Land tools and techniques. However, their most dangerous technique is modifying router firmware without detection. This sophisticated technique helps them establish persistence, disable logging, move laterally, and hide their C2 communic

Threat Actor Higaisa

Overview
Threat actor Higaisa is suspected to have South Korean origins. They have repeatedly targeted government, public, and trade organizations of North Korea, along with China, Russia, Poland, and other nations. Although it was discovered in 2019, it has been active since at least 2009.
How does Higaisa work?
Initial access is achieved via spear phishing. They send emails containing malicious links to their targets. These links are laced with files disguised either as documents of interest or as opinion forms allegedly coming from another organization. The victim ends up downloading the malicious link file or an executable (leading to a Cobalt Strike loader).
Protection
Owners of network edge devices should ensure that management interfaces are not exposed to the public internet to reduce their attack surface. Enforce strong multi-factor authentication (MFA) policies with the help of hardware security keys or Microsoft Authenticator. Reduce the attack surface b

Stone Panda

About
Stone Panda, also known as APT10, Red Apollo, MenuPass, or POTASSIUM, is a China-backed cyber espionage group active since 2006. They generally target aerospace, engineering, and telecom firms in China's rival countries. Allegedly, in March 2021, this advanced persistent threat also targeted the world's largest vaccine makers, Bharat Biotech and Serum Institute of India (SII), by identifying gaps and vulnerabilities in their IT infrastructure and supply chain software. The motive behind this is exfiltrating intellectual property and gaining a competitive advantage over Indian pharmaceutical companies.
Tactics
This group uses RATs and directly targets managed information technology service providers (MSPs). Generally, an MSP helps manage a company's computer network and can be compromised via Poison Ivy, FakeMicrosoft, PlugX, ArtlEF, Graftor, and ChChes, delivered through spear-phishing emails.
Prevention
General methods to combat a ransomware attack are as follows: Mandatory stro

GambleForce

Overview
A previously unknown threat actor codenamed GambleForce was discovered in 2023. It is tracked under the name EagleStrike GambleForce in Group-IB's Threat Intelligence Platform. Since its emergence, it has targeted more than 20 gambling, government, retail, and travel websites in countries including Australia, India, Canada, Indonesia, the Philippines, China, South Korea, Thailand, and Brazil. GambleForce makes use of simple yet effective techniques, such as SQL injection and the exploitation of vulnerable website content management systems (CMS), to steal sensitive information. Its name was coined because of its initial interest in the gambling industry.
Tactics & Techniques
GambleForce's basic strategy relies on fundamental but effective techniques to exploit SQL vulnerabilities and weak spots in website CMSs. They have a precise target scope, with the gambling, government, retail, and travel industries in their crosshairs. However, the infamous SQ

UNC3886

Overview
UNC3886 is a China-linked hacker group that has been exploiting the vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021. They possess unique capabilities both in how they operate on-network and in the tools used in their campaigns. They generally target firewall and virtualization technologies that lack EDR support, which indicates that the group has developed a deep understanding of such technologies. They have also modified publicly available malware.
How does it work?
According to an investigation, UNC3886 relies on vSphere Installation Bundles (VIBs) to install two backdoors, tracked as VIRTUALPITA and VIRTUALPIE, on ESXi hypervisors. VIBs are collections of files designed to manage virtual systems; they are used to create startup tasks and custom firewall rules, or to deploy custom binaries when an ESXi machine restarts. The cyber espionage group harvests credentials for service accounts from a vCenter Server for all the connected ESXi hosts

APT 28

Introduction
APT 28 is also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, Tsar Team, STRONTIUM, and Forest Blizzard. It is a Russian cyber espionage group allegedly linked to the Russian military intelligence agency GRU. Active since 2004, this group uses zero-day exploits, spear phishing, and malware to attack its targets. It reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. They are also said to be linked to the cyber attacks on the German Parliament, the Norwegian Parliament, the French television station TV5Monde, the White House, NATO, the Organization for Security and Co-operation in Europe, and the campaign of French presidential candidate Emmanuel Macron.
Targets
APT28 has targeted Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine, security-related organ

Earth Lusca: The Chinese Threat Actor

Introduction
Earth Lusca is also known as AQUATIC PANDA, BRONZE UNIVERSITY, CHROMIUM, Charcoal Typhoon, ControlX, FISHMONGER, Red Dev 10, RedHotel, and TAG-22. It is a Chinese threat actor that targets organizations of interest to the Chinese government. So far, they have targeted academic institutions, telecommunication companies, religious organizations, and other civil society groups. Its tools closely resemble those used by the Winnti umbrella; however, the group appears to operate separately. Earth Lusca has also started targeting cryptocurrency payment platforms and cryptocurrency exchanges in financially motivated attacks.
How does Earth Lusca work?
Initial access is achieved via spear phishing and/or watering-hole websites. They send emails containing malicious links to their targets. These links are laced with files disguised either as documents of interest or as opinion forms allegedly coming from another organization. The victim ends up downloading t

Threat Actor Carderbee

Overview
Carderbee is a previously unknown APT (Advanced Persistent Threat) group. They make use of the legitimate Cobra DocGuard software to carry out a supply chain attack that deploys the Korplug backdoor on their victims' computers. Most of their victims are individuals or organizations based in Hong Kong and elsewhere in Asia.
Supply Chain Attack
The threat actors behind Carderbee are highly skilled and patient. They leverage both a supply chain attack and signed malware in their operations, trying to stay under the radar. Their malicious activity was seen on about 100 computers in the impacted organizations, but the Cobra DocGuard software was installed on around 2,000 computers. This indicates that the attackers may be selectively pushing payloads to specific victims. In 2023, several distinct malware families were deployed with the help of this method. In one case, a downloader deployed by these attackers had a digitally signed certificate from Microsoft, c

APT 32

Overview
APT 32 is also known as Ocean Lotus, APT-C-00, SeaLotus, and Cobalt Kitty. It is a suspected Vietnamese hacker group, active since 2014. It generally targets entities considered hostile to Vietnamese nationalist interests. Hence, APT 32 targets foreign companies doing business with Vietnam, Vietnamese government critics, local and expatriate Vietnamese human rights activists, and rival South East Asian governments, especially the Philippines and Cambodia. Its attacks often coincide with important contract and legal negotiations between foreign companies and the Vietnamese government.
How Does It Work?
APT32 uses a distinct, fully featured collection of commercially available tools and malware, albeit less sophisticated ones. They start with highly customized spear-phishing campaigns carrying malicious file attachments. These are also laced with custom spyware toolkits that can easily infect and steal information from macOS, Android, and Windows-based devices. M

Advanced Persistent Threat Kimsuky

About
Kimsuky is also known as Velvet Chollima, Black Banshee, THALLIUM, or Emerald Sleet. It is a well-known North Korea-backed hacker group and APT (Advanced Persistent Threat). It mainly targets South Korean think tanks, industries, nuclear power operators, and the South Korean Ministry of Unification. Other targeted countries are Russia, the USA, and European nations. The U.S. Cybersecurity and Infrastructure Security Agency speculated that Kimsuky has been active since 2012. Allegedly, this hacker group stole data from Korea Hydro & Nuclear Power in March 2015, targeted retired South Korean diplomats as well as government and military officials in August 2019 (in an attack described as "the first of its kind"), hacked 11 officials of the United Nations Security Council in September 2020, and intruded into the internal networks of the Korea Atomic Energy Research Institute in May 2021.
Key Factors
Kimsuky uses common social engineering tactics, spear phishing, and watering hole

UNC2452

Overview
UNC2452 is also known as APT29, Cozy Bear, Dark Halo, Midnight Blizzard, NOBELIUM, Solar Phoenix, and StellarParticle. This threat group has been attributed to the Russian Intelligence Service (SVR) and has been operating since at least 2008. They generally target government networks in Europe and NATO member countries, research institutes, and think tanks. Reportedly, they compromised the Democratic National Committee in the summer of 2015. The US and UK governments also attribute the SolarWinds compromise of 2021 to the SVR. UNC2452 uses various tools such as SUNBURST, SUNSPOT, SUPERNOVA, TEARDROP, RAINDROP, SOLARFLARE, SUNSHUTTLE, Cobalt Strike, and Mimikatz.
Evolution of UNC2452
Since its discovery, UNC2452 has continued to evolve and refine its operational and behavioral tactics, techniques, and procedures. The threat group is regularly advancing its TTPs while adopting new measures and technologies, aiming to remain unstoppable.
High Operational Tempo & Scale
They

A "Maze" as a Ransomware

About
Maze is a sophisticated Windows ransomware that has hit various organizations around the world. Its operators ask for ransom in cryptocurrency in exchange for the safe recovery of the stolen and encrypted data. Just like other threat actors, if victims refuse to pay, Maze threatens to leak their confidential data. This ransomware was discovered in 2019 and is considered a variant of ChaCha ransomware. Since then, it has actively targeted victims worldwide. Its most high-profile ransom case was that of Cognizant, one of the biggest IT services providers in the world. The attack cost the company between $50m and $70m in the immediate aftermath, and more to fully restore the organization's systems.
How does it work?
Maze ransomware typically attacks through spam emails, brute-force attacks, and exploit kits. The attack may also come from an organization's client or partner who is already a victim of the hackers. After gaining access, the hackers then try to get elevated p

Chrysene Threat Actor

Overview
Chrysene is also known as Cobalt Gypsy, APT 34, EUROPIUM, Greenbug, Hazel Sandstorm, and OilRig. This threat actor group developed from a long-running cyber espionage activity that was discovered in 2012 after a destructive cyberattack impacting Saudi Aramco. They leverage 64-bit malware that can only run in 64-bit environments to establish unique command-and-control network capabilities. This group has targeted Iraq, Pakistan, the UK, and Israel, with a special focus on the Arabian Gulf region. They generally aim at the petrochemical, oil, gas, and electricity generation sectors. Nowadays, they are directly targeting ICS resources. Chrysene is suspected to be backed by the Iranian government.
How Does it Work?
Just like other ransomware attacks, Chrysene also intrudes into the network via email phishing. They prompt users to click on a link to a malicious file disguised as a legitimate one. After successfully compromising a target, they pass the victim to another group