Research Saturday 10.17.20
Ep 156 | 10.17.20

Intentionally not drawing attention.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Liviu Arsene: Basically, the investigation pretty much started like any other investigation. We were called in to figure out what happened in a company, to figure out what caused a potential breach.

Dave Bittner: That's Liviu Arsene. He's a Senior Cybersecurity Analyst at Bitdefender. The research we're discussing today is titled, "APT Hackers for Hire Used for Industrial Espionage."

Liviu Arsene: We started doing the forensic analysis on some of the infected endpoints. We created a technical report based on our findings and we presented it to the client, if you will, the customer. However, when we took a step back after completing the report, we took – literally, we took a step back and took another look at some of the fine print of what we found. And it was really interesting because we found three very interesting aspects to the investigation, which pretty much led us in the direction of an APT-style attack.

Liviu Arsene: And these three things basically were, the entire attack occurred because of a zero-day vulnerability that was being used by attackers. There were some custom tools that were apparently specifically created for this attack. I mean, most of the time you see tools that are off-the-shelf when you see some sort of traditional attack going after this type of company. And then there was the motivation angle. Traditionally, most of these companies that work in verticals don't really or haven't really been touched by APT-style attacks. You know, the motivation is usually financial. It's either a ransomware demand or it's an extortion that the attacker's trying to achieve. But in this case, it was simply information collection, information exfiltration. So they had a very clear purpose in mind. And that's pretty much what tipped us off that something was going on that's beyond the obvious.

Liviu Arsene: And when we basically corroborated that with some of our previous research, I remember us talking about a month ago about another APT group, StrongPity. And going back even further than that, earlier this year, we found some remote desktop components that were being used by Trickbot to target specific telecom companies in the US and Hong Kong. It kind of all seemed to fit a pattern. And the pattern was that what if cybercriminals, especially skilled cybercriminals like APT groups, were moving away from the politically motivated attacks towards, you know, free professionals, if you will, or as-a-service attacks, where they could just offer their services to pretty much anybody interested in compromising a potential victim, a potential target, or a potential competitor in this case.

Dave Bittner: Yeah, it's interesting stuff for sure. There are many elements about this one that sort of caught my eye, beginning with the type of organization, as you say, that was being targeted here. Who were they going after?

Liviu Arsene: Exactly. So this seems to be an organization that does architectural design. So their background is actually design architecture, but they also do 3D production. When you have a blueprint for a building or some sort of project, you usually try to give your customer a 3D rendering of that project.

Dave Bittner: Right. 

Liviu Arsene: So this is what they do. They work closely with real estate, for example, and they have been actively involved in billion-dollar projects. And this is kind of weird, because you don't see – or, traditionally we haven't seen attacks on this type of vertical or this type of company profile, especially such sophisticated attacks.

Dave Bittner: Interesting to me is how they made their way in there. I mean, they were – the payload came in as a plugin for some popular graphics software. What was going on there?

Liviu Arsene: So, yeah. So that was an interesting one, because when we did the investigation, we didn't know that that was actually a zero-day vulnerability. So when we presented the report, we gave them all our findings, we told them that this is a malicious plugin that was pretty much tampering with the 3ds Max functionality. And only a couple of days before us publishing the report, we found 3ds Max publishing the vulnerability and the patch for it. So apparently these guys, whoever they were, these APT hackers-for-hire, they literally exploited a zero-day vulnerability before the software actually figured out that they had such a vulnerability. So, whoever has the skills to find a zero-day vulnerability in 3ds Max definitely knew what they were doing.

Dave Bittner: Now, did you have any sense or were you able to determine how this infected plugin got installed on the system? How they got, I guess, tricked into using it?

Liviu Arsene: Unfortunately, no, because, you know, the company didn't have any sort of SIEM or tools meant for monitoring network traffic or monitoring everything from a security perspective for a very long time. So we could pretty much only see what we were allowed to see, if you will. But as it is with most of these attacks, I think it probably was some sort of spearphishing attack or maybe – as it was with the StrongPity APT group – maybe some sort of waterholing attack, you know, where the attackers know what the company profile is. They know what type of software they use and maybe they use that against them. Either they compromised a popular plugin downloading website or maybe tricked them with some sort of phony campaign of a new and interesting plugin. But unfortunately, that plugin was tainted.

Dave Bittner: Well, let's walk through it together, I mean, the way that this goes at the business that it does, the functionality, its capabilities – can you take us through what you learned?

Liviu Arsene: Absolutely. So basically, you have this first payload, if you will, which ends up on the victim's computer by exploiting a vulnerability in this 3ds Max computer software, mostly used for architectural design, you know, 3D rendering. Afterwards, it brings with it a lot of other components, mostly used for crawling for specific files, for specific file extensions. And then an additional component that involves stealing information like passwords or credentials, authentication credentials for various services.

Liviu Arsene: What was interesting about the crawler, for example, is that it seems to be custom-built for this specific victim. I mean, it specifically skips some extensions, you know, like media files, both, for example, JPEG or MPEG files. And it doesn't archive them. It just – it has the ability to just directly upload them to the attacker-controlled server, the command-and-control server belonging to the attacker. It also has the ability to allow the attacker to simply browse through any other directory or drive from the victim's computers, including network-attached drives, for example.

Liviu Arsene: Yeah, so these were basically tools that we haven't seen actually in any attack. We have looked in our telemetry and they were very, very scarce. I mean, maybe they deployed them on other victims just to test them, but it seems that they were really put to good use in this particular case.

Dave Bittner: And it was capable of taking screenshots as well?

Liviu Arsene: Exactly. So it had the ability to take screenshots. It had the ability to collect usernames, computer names, IP addresses. It had the ability to – or it was specifically tied, if you will, to a user on a computer, so you wouldn't find the same payload on two different usernames, two different computers. So I guess that was mostly because whoever was behind it wanted to know exactly what victim they infected – I mean, from whom inside the organization they were collecting that sort of telemetry.

Dave Bittner: It was interesting to me too in your research that you noted that this software seemed to be intentional in not drawing too much attention to itself.

Liviu Arsene: Exactly. So, another interesting aspect was that whenever it would find that Task Manager or some sort of performance-monitoring app was running, it would automatically stop doing whatever it was doing to consume CPU power. We believe that maybe it's the type of behavior employed, you know, in order not to raise any alarm bells to the victim. For example, if you're running 3ds Max and you're doing a lot of post-processing and you notice that all of a sudden your CPU starts consuming more CPU cycles than normally, then you would naturally open Task Manager to see what processes and what services are running, to see what's clogging up performance. And maybe they just hid their processes, you know, the malicious processes in order not to attract any attention whenever these high-performance activities were going on on the victim's computer, just to fly below the radar.

Dave Bittner: Yeah, that's interesting because, you know, I mean, it's been my experience that the folks who are doing these sorts of 3D-rendering jobs, I mean, they're looking to squeeze every bit of performance out of the machines as possible. So it's just interesting that the bad guys were aware of that and tried not to raise any flags there.

Liviu Arsene: Exactly. So it's actually interesting because, you know, it's a first to see the bad guys don't want to interfere with your daily activities. They just want to leave you to your stuff, and while you're not using the computer, they'll use it for you.

Dave Bittner: (Laughs) Now, what sort of information were you able to glean in terms of the command-and-control server?

Liviu Arsene: So, as it is with most APTs, it's difficult to say just who is behind them or where the cybercriminals are based. But in this case, we know that the command-and-control infrastructure seems to be based in South Korea. That doesn't necessarily mean that these hackers, these APT hackers-for-hire are also based in South Korea. As we've seen with previous APT groups, they can be scattered across the world. So this just might be maybe the first tier in their infrastructure or something that they've commissioned specifically for a job. So in this case, this makes attribution a lot more difficult.

Liviu Arsene: And I think this is going to be the trend from now on. You know, if this whole thing turns out to be – turns into an APT-as-a-service, if you will, it's going to make attribution for security researchers a lot more difficult. Because if until now you've had political motivations, like state-sponsored APT groups, or if you've had financial motivations, take Carbanak, for example – we know that they targeted financial institutions. Now, if you have APTs-as-a-service, you may find yourself in a pickle because attribution is going to be a lot more difficult. And finding out the purpose, the reason, or the motivation behind an attack is going to be a lot more difficult.

Dave Bittner: Is it, I suppose, plausible that this could be some folks working for an APT group that are taking side jobs?

Liviu Arsene: We were just asking ourselves that around the office, because there's not a lot of people that have the skills to do this. I mean, to find a zero-day vulnerability and actually use it on, let's say, a relatively low-profile victim. Plus, it's not uncommon, or it's not unlikely, if you will, that part of these APT groups, there could be members that either operated, used to operate, or still operate for state-sponsored APT groups that have simply, you know, banded with other skilled individuals to make some money on the side. You know, if we're talking about as-a-service, it's pretty much like software outsourcing. You find a good developer, you try to co-opt him for a project, and, you know, he's giving you his best, basically. So it wouldn't surprise me if these guys were basically trained and skilled by nation-states, or they've honed their skills in various other APT-style attacks and APT groups like Carbanak. So this could also be a possibility, yeah.

Dave Bittner: And what was it that tipped the victim off that they had an issue here and made them bring you all in?

Liviu Arsene: Basically, there were a couple of alarms and bells from their network traffic analysis solution, and they pretty much wanted to call us in and investigate to see if there's something going on on their endpoints.

Dave Bittner: Have you had any indication that there are other organizations that have fallen victim to a similar type of attack?

Liviu Arsene: As far as we know, no. Because whenever we looked at this infrastructure, this specific infrastructure used in this attack, there were no signs that it was communicating to other victims or that it was receiving some sort of telemetry from other victims. Even the payloads or the tools that we found in this particular example seem to be unique for this client. So we haven't seen them – at least from our telemetry perspective – we haven't seen them anywhere.

Dave Bittner: And so what are your recommendations for organizations to protect themselves against this sort of thing?

Liviu Arsene: Well, I think this kind of changes the whole threat landscape, if you will, or the whole threat paradigm for small, medium-sized, or even large businesses. Well, maybe not so much for large businesses, but maybe for small- and medium-sized businesses. I say that because if until now APTs were mostly something that large corporations, large organizations had to worry about, it was part of their threat model, if you will. Now, with APTs-as-a-service pretty much being available to anyone who's willing to open up their pockets, it could be a problem for small- and medium-sized businesses.

Liviu Arsene: And let's just take a scenario, for example, imagine you're a small, mid-sized business. Let's take this particular example – you're a small, mid-sized business that works in architecture and design, for example. And you know you want to bid for a contract in a multi-billion-dollar real estate project. But you're not alone bidding for that project. There are other larger companies with bigger budgets that want the inside scoop. What if those bigger – those larger companies could turn to these APT hackers for hire to compromise you to see what kind of deals you're trying to strike with the contract, where they're trying to find out how you're planning your negotiations to get the contract. And that means they could be turning against you. They could be turning these APT hackers for hire against small- and medium-sized businesses just to gain the upper hand, to gain leverage. If we're talking about large contracts, large projects, it would make sense for these kinds of APT hackers for hire to be used on SMBs.

Dave Bittner: Yeah, I have to say, this was a bit of an eye-opener to me, you know, having throughout my career made use of various programs like this, you know, graphics programs, audio editing programs, and so many of these software packages make use of plugins, and they have third-party plugins, you know, they come from a variety of sources. And I think in my mind, a plugin for a package like this has always been something sort of benign in my mind in terms of a security issue. I never really imagined that a plugin for a package like this could bring with it security issues, and this sort of changes that game.

Liviu Arsene: Exactly. So, you can look at plugins as any other application that you install. It's code, it's new code that's running on your machine, either in an application or your operating system, that could be doing wrong stuff, illegitimate stuff. So this is something that, you know, you have to worry about as a large or mid-sized organization. But the interesting thing is that, you know, this – again, this type of, if you will, service – APT-hackers-as-a-service is something that we kind of, if you look back, we were kind of expecting this to happen. I mean, just look at malware, for example. For the past decade, it has evolved from traditional malware – you know, some malware developer trying out code and then infecting victims – to malware-as-a-service, where malware developers are no longer focused on the infection part of the attack chain. They simply focus on developing the malware and selling it.

Liviu Arsene: Look at ransomware. You had ransomware that was going after the average user. So, there was the ransomware developer and then going after the average user with ransomware demands anywhere between two-hundred dollars to seven-hundred dollars. And then you had ransomware-as-a-service, when they again focused more on the development part and the service part, offering ransomware to those who were interested and then making a cut off each ransom demand. So I guess APTs – this evolution towards APTs-as-a-service – it shouldn't come as a shocker for everybody. So, it's kind of like a natural evolution.

Dave Bittner: It also strikes me that this sort of highlights the importance of having that defense-in-depth, of not only looking for things like signatures, but as this case points out, looking for behaviors, unusual activity on your network.

Liviu Arsene: Exactly. So this, again, if – large companies usually have the budgets, the manpower, or even the SOC teams, you know, that are capable of uncovering, if you will, these types of attack tactics and techniques that revolve around stealth or persistency. It's the small and mid-sized businesses that will have an issue when dealing with these APT-style attacks. I mean, it's already bad enough that skill shortage is an issue, is a thing. There's also the issue of neurodiversity. For example, when you want to build your own IT or security teams, you need to make sure that they all have diverse backgrounds, especially security background. But there's also the matter of budget. Not every company can afford to have their in-house security teams.

Liviu Arsene: Now, I think the security industry is going to adapt to these as well. So, if security – or, you can do so much from a security-stack perspective, you know, endpoint security, network security, EDR security. I think you can also manage the skill-shortage security by, you know, turning to, for example, MDR solutions – managed detection and response solutions – which basically means you have your own SWAT team. You can hire an IT or security SWAT team to come in and investigate whenever there's a problem. So, I think the threat landscape shouldn't scare us so much, because I think there's always going to be the security counter-perspective that addresses that problem.

Dave Bittner: Our thanks to Liviu Arsene from Bitdefender for joining us. The research is titled, "APT Hackers for Hire Used for Industrial Espionage." We'll have a link in the show notes. 

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.