Research Saturday 1.29.22
Ep 217 | 1.29.22

Use of legitimate tools possibly linked to Seedworm.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Sylvester Segura: So, the set of activity that we are looking at here is from mid to late 2021, and it was a set of attacks against various organizations, but they all seemed to be focused on the telecommunications sector...

Dave Bittner: That Sylvester Segura. He's a threat research analyst with Symantec's Threat Hunter Team. The research we're discussing today is titled "Espionage Campaign Targets Telecoms Organizations Across the Middle East and Asia."

Sylvester Segura: ...And the organizations were in the Middle East and also in Asia and Southeast Asia.

Dave Bittner: Well, let's walk through the structure of the attack here. How did they go about doing it?

Sylvester Segura: So, most of these attacks started with discovery commands. That's sort of where we discovered the activity. But in at least one case, we saw what looked like the initial infection vector. So, stepping back a bit, the initial set of suspicious activity was ScreenConnect so this is a legitimate tool ScreenConnect installer is a remote control tool that had been zipped into an archive, and then it was likely emailed to the target victims. This is consistent with some public reporting of very similar activity. After that, what we typically would see was a set of discovery commands just gathering basic information, looking for other devices on the network, trying to find a path to privilege escalation. And all of that looked like it was being carried out by some unknown script.

Sylvester Segura: The attacks proceeded into credential theft with just various different methods hacking tools and some legitimate tools were used to steal credentials. They also deployed a keylogger. They use a number of legitimate tools pretty heavily things like CertUtil, PowerShell to download additional hacking tools, proxy tools, tunneling tools, and additional scripts that they would run. We think that based on the types of tools that they were downloading we think their primary objective is just stealing information. What type of information, we're not really sure at this point.

Dave Bittner: Hmm. Interesting. And so at what point were the organizations who were targeted how did they detect that something was going on? What triggered that detection?

Sylvester Segura: Well, there are a number of things that would cue an organization that something fishy is going on. One would definitely be the existence of these tunneling tools and proxy tools, especially if they're not expected on these particular machines. Keyloggers being detected and hacking tools being detected for credential theft would definitely be red flags.

Dave Bittner: Right. So, who do we suppose is behind this? Any indications there?

Sylvester Segura: So, there are a number of aspects of the attacks that lead us to think that this may be an actor publicly reported as MuddyWater. That's an actor that we call Seedworm.

Dave Bittner: And they're from where?

Sylvester Segura: Seedworm is believed to be an Iran-based organization.

Dave Bittner: Now there's another incident that you all are tracking here, a bit of an outlier, from a company in Laos.

Sylvester Segura: Yeah, that one was a bit curious because it didn't seem to line up with the telecommunications targeting that we saw with the other attacks. But when we drilled down into it and looked through the data, we found evidence that these attackers were trying to connect to other organizations that were related to the telecommunications sector, from this organization. So it looks like something of a supply-chain attack, where they use one organization and the access that that has to the other, to pivot and jump to their actual intended target.

Dave Bittner: I see. Now, based on the the tactics, techniques, and procedures that you all have observed here, do you have a sense for the sophistication of this adversary?

Sylvester Segura: If this truly is Seedworm, we're looking at a relatively sophisticated adversary. I mentioned that there were a number of aspects of the attacks that suggested that it could be Seedworm. One of those was network infrastructure that had been reused. That's something that's a little out of the ordinary for Seedworm. They tend to cycle through their infrastructure relatively quickly, so that makes it harder to track this actor and harder to attribute to this actor. And that's part of what makes them a little bit more sophisticated as far as APTs go.

Sylvester Segura: Another thing that we noticed as far as TTPs in these attacks, I mentioned the use of an unknown script. Now, at the beginning of these attacks, typically we would see the same set of discovery commands, almost like a recipe or a playbook. It was the same set of commands over and over. But in at least one case, we saw one program being issued a "help" command, suggesting that there's arbitrary access essentially, there's hands on keyboard at this point, and it's through a script. Now, Seedworm is known to produce script-based backdoors. That's something that makes them a little bit unusual and more sophisticated than, say, your everyday cybercrime actor or even some APTs. Now, this activity that we saw with the script and the help command suggests also that arbitrary access using scripts was used in this case. That's one additional piece of evidence that suggests that this is Seedworm.

Dave Bittner: Where do we stand in terms of persistence? You know, once these organizations found that they were being targeted and I assume went through remediation efforts, has there been any sense that whoever this actor is has either managed to stay in their systems or attempted to get back in?

Sylvester Segura: Well, we can definitely say based on the sets of tools that they were trying to bring in proxying tools, tunneling tools, that their intent is really to stay as long as possible, and if they get kicked out, they're probably going to try and get back in. Given that these attacks are so highly focused on the telecommunications sector, it's highly likely that we're looking at actors that are intent on staying focused on this sector. And so they're likely going to come back and try and repeatedly hit these targets of theirs.

Dave Bittner: I see. So, as you say, I mean, this is likely more on the espionage side of things, as opposed to someone trying to inject some ransomware or, you know, make some money off of these organizations.

Sylvester Segura: Exactly. Espionage is definitely something that we believe is part of the motive. Whether it's industrial espionage so, you know, just gathering information about the telecommunications sector technologies or if it's something more like surveillance, that is not really clear at this point.

Dave Bittner: Hmm. Now, the research that you all published points out that these attackers make heavy use of legitimate tools as well as publicly available hacking tools. Can you give us a little bit of an overview of the types of utilities that they're using here?

Sylvester Segura: So, they use a whole host of different tools that are all publicly available tools or they're open-source tools, things like in-sudo, which is used to escalate privileges, SharpHound, which is used for discovery, surveying the network, and looking for other devices ways to escalate privileges as well. Hacking tools like Mimikatz, things like that. All sorts of different various tools, and a lot of these tools are are legitimate, so they could be used either for legitimate IT purposes or they can be used for malicious purposes.

Dave Bittner: I see. Is it fair to say that when they're making use of these legitimate tools, that that makes it a little more unlikely that they'd be detected because the tool isn't necessarily absolutely a bad one?

Sylvester Segura: Exactly. That's why it makes it so hard to find these types of actors that use these dual-use tools, especially in attacks like these, where there's no custom malware to be found. The organization really has to have a feel and an idea for what tools are being used in their environment and where.

Dave Bittner: So, based on the information that you all have gathered here, I mean, what are your recommendations for organizations to best protect themselves against this sort of thing?

Sylvester Segura: Well, as always, you want to have defense-in-depth, so you want to have defenses that are at the network level as well as the endpoint level and everything in between. But again, you also want to make sure that you're monitoring the behavior, that you have some sort of system or solution that you can use to monitor the behavior of your machines. So, you know, reaching out to unusual IP addresses, unusual network infrastructure, things of that nature. So you can sort of catch these clues that you might have an actor already in your environment.

Dave Bittner: Our thanks to Sylvester Segura from Symantec Threat Hunter team. The research is titled, "Espionage Campaign Targets Telecoms Organizations Across Middle East and Asia." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.