At a glance.
- China-linked APTs cooperate in Linux targeting.
- Observed zero-day exploitation is on the rise, most likely due to spyware vendors.
- Most Exchange servers still vulnerable to CVE-2020-0688.
- New Magecart skimmer linked to Group 7.
Five China-aligned APTs have been targeting Linux systems for years.
BlackBerry released a report describing how five related Chinese-government-aligned APTs have conducted espionage operations against Linux servers over the course of the past decade. Four of these groups are known to the industry as the WINNTI GROUP, PASSCV, BRONZE UNION, and CASPER (LEAD), and BlackBerry's researchers identified a new group they've dubbed "WLNXSPLINTER." BlackBerry's researchers believe these groups are made up of contractors working for the Chinese government, and they appear to share tools, techniques, and infrastructure with each other. All five of these groups used "WINNTI-style tooling."
The researchers offer a helpful etymological breakdown of the term "WINNTI." The name originally referred to a strain of malware discovered in 2011, and the China-linked group using that malware was known as the "Winnti Group." The "Winnti Group" handle later expanded to become an umbrella term applied to a wide range of related activity associated with China-aligned actors. The researchers conclude that "WINNTI has come to represent more of an approach rather than a moniker for any single crew. It refers to a method of attacks wherein cells of civilian contractors are assembled, attack tools and intelligence are shared, and the targets are assigned. The tools and infrastructure favored by each cell, or APT group, differs - but sharing between the groups regularly occurs. This suggests that either the APT contractor community in China regards sharing favorably and tolerates it openly, or that members travel between cells over time or groups of them break off from individual cells to form new ones, or both."
The five groups have been targeting systems running Red Hat Enterprise Linux, CentOS, and Ubuntu at organizations in a wide variety of industries. The groups displayed "a significant degree of coordination" when targeting Linux systems. The researchers note that most security companies focus on front-end systems running Windows and macOS, so Linux malware in general often has an easier time flying under the radar. In addition, the threat actors tracked by BlackBerry developed sophisticated malware, including a kernel-level rootkit, that was even harder to detect. The researchers say "[t]he combination of poor security solution coverage for Linux and highly tailored, complex malware has resulted in a suite of adversary tools that has largely - if not entirely - gone undetected for years."
Zero-days are increasingly commodified.
Researchers at FireEye note that access to zero-days is increasingly linked to having deep pockets rather than technical skill. The researchers observed more zero-days being exploited in 2019 than in any of the prior three years, and "a wider range of tracked actors appear to have gained access to these capabilities." The researchers attribute this trend to private-sector spyware companies, since they've seen multiple independent threat actors tied to different countries using the same sets of zero-days. For example, Stealth Falcon, a group aligned with the Emirati government, and SandCat, a threat actor associated with Uzbekistan's State Security Service, were both seen using the same three zero-days in their operations (CVE-2018-8589, CVE-2018-8611, and CVE-2019-0797), and FireEye points out that "it is unlikely that these distinct activity sets independently discovered the same three zero-days." These three zero-days also happened to be sold by the controversial Israeli spyware vendor NSO Group, which is thought to count Uzbekistan among its customers.
The researchers note the possibility that part of the reason they're seeing more use of zero-days could be due to offensive security companies providing their tools to actors with poor operational security. (Vice said in October that SandCat, the Uzbekistan-linked group, had "spectacularly bad OPSEC.")
FireEye predicts that "the number of adversaries demonstrating access to these kinds of vulnerabilities will almost certainly increase and will do so at a faster rate than the growth of their overall offensive cyber capabilities—provided they have the ability and will to spend the necessary funds."
Most Exchange servers are still vulnerable to serious flaw.
Rapid7 warns that 82.5% of Internet-facing Microsoft Exchange servers are vulnerable to CVE-2020-0688, a flaw that can let an attacker who has compromised any Exchange user account run code as SYSTEM on the server. More than 357,000 of the 433,464 servers surveyed were found vulnerable, and the researchers stress that the true number could be higher, since their tool performed its checks as an unauthenticated user. Rapid7 has published instructions for applying the patch as well as for determining whether a server has already been compromised.
New Magecart skimmer linked to Group 7.
RiskIQ came across a new Magecart skimmer that's been placed on at least nineteen compromised websites. The researchers call the skimmer "MakeFrame," and they attribute it to Magecart Group 7 based on the fact that it uses the compromised sites to host its own code, load skimmers onto other compromised sites, and exfiltrate data. The skimmer also displayed similar code construction, encoding methods, and data exfiltration techniques to those used by Group 7. RiskIQ notes that Magecart activity in general has risen by 20% during the COVID-19 pandemic, as online shopping has increased considerably.