Research Saturday 5.13.23
Ep 281 | 5.13.23

Running away from operation Tainted Love.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Aleksandar Milenkoski: It all started when we at SentinelLabs and Qcorp, a partner incident response company in Germany, observed some malicious activities from Microsoft Exchange Server sites.

Dave Bittner: Our guests this week are Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs. We're discussing Operation Tainted Love, Chinese APTs target telcos in new attacks.

Aleksandar Milenkoski: What this really turned out to be was the initial attack phase that the threat actor was conducting. So this involves mostly reconnaissance and credential theft activities.

Dave Bittner: That's Aleksandar Milenkoski.

Aleksandar Milenkoski: Some of the initial TTPs that we observed were mostly the use of the net Windows utility for reconnaissance, the PsExec Windows Sysinternals tool for lateral movement, and, of course, Mimikatz modifications for credential theft.

Dave Bittner: Before we dig into some of the technical elements here, what is your sense in terms of who they're targeting and who may be behind this?

Aleksandar Milenkoski: Okay. So I will start and you can just add on it. So regarding attributions, I think there are multiple components to this answer. So, first, targeting telcos in the Middle East aligns closely with targeting strategy of the operations of selectors, which Microsoft tracks as GALLIUM. So, further, the TTPs that we observed closely matched those documented in previous reports on Operation Soft Cell and also related activity clusters. And, finally, the TTP part of the mim221 tool, which we focus on in our article, overlaps with the TTP parts of tools used in Operation Soft Cell and also related activity clusters. So, basically, pivoting on this TTP part we observed or identified a previous version of mim221, which is signed using a code signing certificate, which is known to be shared between APT41 and GALLIUM. So, basically, this latest assessment that we're dealing here with a threat actor somewhere in the nexus of APT41 and GALLIUM with a possibility of a shared pulling vendor.

Juan Andres Guerrero-Saade: I think at that point some of what you have to look at with these Chinese threat actors is they really just get incredibly complicated to parse.

Dave Bittner: That's Juan Andres Guerrero-Saade. He goes by Jag.

Juan Andres Guerrero-Saade: If you notice, there's quite a bit of ambiguity or back and forth between different threat intel providers when it comes to APT41, BARIUM, LEAD, GALLIUM. And then, obviously, when you get into folks that are talking more about campaign names like Operation Soft Cell and now, you know, how we try to cluster Tainted Love as a sort of evolved campaign, it's actually fairly complicated to sit down and then say this is particular to this cluster. When you look at a set of tools like this, as has happened with things like ShadowPad or PlugX in the past, there's definitely the notion of a, you know, is it a contract, or is it a quartermaster? Is there just some sharing arrangement between certain state functions that might have access to the same tools, and who are we looking at? In this case, you know, things pointed more towards GALLIUM. But you're always left with this slight sense of uncertainty that you know the general sort of region that this is coming from. And you have some groups that are connected to it, but it's not as clear cut as dealing with monolithic threat actors that have closed source tooling all on their own.

Dave Bittner: And in terms of the targeting here, it seems they're going after the telecommunication sector.

Aleksandar Milenkoski: Yeah, definitely. As I said, if we didn't -- if we identify the initial attack phases, we observed multiple Exchange sites affected at different telecommunication providers.

Dave Bittner: And, just for background, I mean, why -- why the telecommunication sector? What information does that provide for folks like this? How does it suit their interests?

Juan Andres Guerrero-Saade: The telecommunication sector is particularly interesting to cyber espionage actors, as you can imagine. Obviously, different threat actors have gone after different things. But it's such an enabler for future operations, for tracking individuals, figuring out who's in touch with whom, who has service where. And depending on the level of access that you get to a telco, you can even talk about how it'll enable further downstream operations. So we actually see a lot of threat actors targeting telcos and I think increasing interest from Chinese threat groups probably since 2017, 2016 when I think there were some discussions about early tooling for spying on SMS messages in particular parts of Asia during the -- during the riots in Hong Kong, for example, where you can tell that it's a sort of obvious enabler of intelligence requirements but how different threat actors go about that. You get all kinds of flavors.

Dave Bittner: Well, let's walk through the specifics here. I mean, how -- how does someone find themselves a target of here? How do they get their initial foothold? And then what do they do once they're in?

Aleksandar Milenkoski: This particular activity cluster that we analyzed, we basically observed web shells at certain Exchange sites, which were basically modifications of China Chopper. That is a web shell that is commonly used by Chinese threat actors. Forensic investigations are still ongoing for certain Exchange sites where we basically suspect that the threat actors may have exploited a vulnerability or vulnerabilities in Exchange deployments for ultimate command execution on the sites.

Juan Andres Guerrero-Saade: I mean, since the HAFNIUM catastrophe or however you want to refer to it, there really has been a massive increase in the love of web shells as initial infection vectors. And, in some cases, we might be able to talk about novel exploits being used. But there's still so many folks with vulnerable Exchange servers that you're basically just asking for it at that point.

Dave Bittner: So what does this group do specifically here? How -- where are they parking the files that they generate? What sorts of tools are they using?

Aleksandar Milenkoski: We observed exfiltration to attacker-owned hosts, but we don't have further intel on that one. Right. So we observe them using -- using different utilities to exfiltrate tools, which are mostly like tools that are available on the public domain. But we don't have further visibility in that direction.

Juan Andres Guerrero-Saade: Yeah. I think, in many ways, a lot of what you end up seeing in these ops, it's not the entirety of the actor's intent, and that can make it a little bit difficult to understand what the full impetus of the operation is, right? When you get initial access to do a web shell, lateral movement, and then deploying something like a modified version of Mimikatz, you're trying to steal credentials. You're trying to understand the network that you're in. In some cases, it looks like they already had an understanding of the network they were going after, which is why we look at things like GALLIUM and having had previous access to that network or attempted to be in that network before. Then you start to kind of add 2 and 2. But when you're going for credential theft and you're going for the sort of understanding, in many ways, the fact that our product ends up killing some of the execution thread leaves us in this very -- I think this sort of like researcher's dilemma, right. Like you're happy that your customer isn't popped, but we would have really liked to know what exactly they would have done if they'd had free rein. But you could tell that they're at least trying to grab enough to be able to continue to not necessarily have a foothold, but if you get kicked off, if you -- if a DFIR comes through and cleans you out, to hopefully be able to come right back in.

Aleksandar Milenkoski: I think it's important to add here that also what we mentioned in our report that we observed on the initial attack phases, which is what -- involves mostly exfiltrating reconnaissance information like network topography and channel host information, as well as credentials. Right. So as we documented in our report, we were able, basically, the incident response team stopped the attacker's activities in this phase.

[ Music ]

Dave Bittner: I'm curious how you would rate the sophistication of this organization? And I guess part of my question is, is sophistication required for this sort of thing?

Juan Andres Guerrero-Saade: If we had talked about this five to seven years ago, the discussion of really leveraging access to a telco would have usually come coupled with discussions about extreme sophistication, right? We would talk about things like Regin or Plexing Eagle or some of these really particular threat actors where you go in and you know these are like master of the universe sophisticated actors who are going to leverage that access as efficiently and innovatively as possible. That's not what we see now. Telcos have become not just increasingly popular but also being leveraged by a variety of threat actors. So something that Alex and I worked on, along with Amitai Ben Shushan Ehrlich last year was our research into a threat actor we call Metador. And what was very interesting about that research process was not just seeing this novel threat actor in a telco but that we found it or, you know, particularly Amitai had to disambiguate what was Metador's toolkit from among more than ten threat actors that were attempting to reside within the same telco. So it just goes to show that the -- you know, we're no longer talking about these rare targets, and only specific threat actors might go after them. They're very popular. They're very valuable. And you actually have -- you know, in this particular case, we had a dozen different APTs in there, and that's without even talking about, you know, getting your skiddies in there, people who want to do phone activations, lapses, etc. So it's just a very populated threat landscape when it comes to that vertical.

Dave Bittner: Yeah. It's really interesting insight. So based on the information you all have gathered here, what are your recommendations for folks to best protect themselves?

Juan Andres Guerrero-Saade: So it's actually -- it's quite interesting to kind of discuss that, in particular. When it comes to a telco, you have such a varied set of systems and requirements. In particular, I think, having a good understanding that what a telco does by its very nature is something so desirable to multiple types of threat actors that this kind of access is -- should not be an afterthought. And I think it isn't to most ISPs and telcos in the US and in parts of Western Europe. But it's actually kind of a hard message to drive to the variety of telcos out there. Obviously, recommendations, for us, you know, we don't get into sort of the sales side of the house. But I can tell you from an investigations perspective we've actually had quite a few setbacks and bumps in the road, when it comes to disparate deployments. So, for example, we'll go into a telco. They have XDR rolled out in all their Windows machines. We can see everything that's happening in those Windows machines. We find all these tools, then it's really quite evident that the threat actor is subsequently moving into or communicating with the core infrastructure, Linux servers, things that are actually managing a lot of the operational infrastructure inside of a telco. And there's a tendency to not have any coverage on that side. So both from the DFIR perspective and for us as a, you know, endpoint vendor, it's actually a really frustrating situation because you can see whole portions of a narrative of what's going on. And where a lot of the more interesting, more valuable stuff is happening, it's this complete darkness that comes with not having any telemetry, any logging, any -- anything sort of producing a kind of black box record of what happened. So, in many ways, it's not just to know that you're a target but also to have a sort of evenness of coverage that's going to let you get on top of an op and say, obviously, we're not going to reroll the entire core infrastructure of a telco. We need to keep working. But it would sure be nice to be able to say, well, we know exactly what they were after and what they were doing and that we've gotten ahead of that threat once we became aware of it.

Dave Bittner: Why do you suppose we're seeing that gap with the telcos? Is it awareness? Is it resources? A mixture of all those things?

Juan Andres Guerrero-Saade: I'm sure it's a mixture of all those things. I think there's also just different mentalities when it comes to the administration of Linux systems, when it comes to even endpoint agents for Linux, Mac, just general Unix systems. There's -- I think there's an outdated perspective among Linux sys admins that, because they have so much quote, unquote, control over what they've deployed, that they have a greater sense of certainty and awareness of what's happening. And they think that -- that they know what's happening inside of those systems to a degree that we tend to assume we don't know when it comes to consumer systems, when it comes to Windows systems. And nothing could be further from the truth. I mean, we've been seeing threat actors taking advantage of Linux malware that has lived for ten years unchanged and continues to compile for those newer Linux distributions. And, at the end of the day, the only defense is a password, a password that is even more vulnerable now because you're in a network. And there's all kinds of very weak practices that go into how passwords and hashes are managed across a network. So there's a very kind of outdated mentality that goes into managing those systems. And it tends to mean that folks who might really know to rely on a lot of security telemetry generation on Windows and maybe Mac tend to just skip it when it comes to their Linux servers. I can't tell you how disappointing it is, at least on our end, to not be able to see what's happening there.

Dave Bittner: How does this track, this campaign track with what we expect to see from Chinese threat actors? Is this a -- part of a continuum, or where do we stand there?

Juan Andres Guerrero-Saade: I think, in a way, it's part of a continuum of espionage activity that we've all grown very familiar with. But it's also representative of how threat actors and threat clusters related to China have changed in ways that maybe we haven't updated our concepts for. We're starting to discuss this in, you know, internally as this sort of notion between first generation of threat intel, second generation of threat intel. The difficulty that we have now is we kind of have to wrestle with the old concepts that we've proliferated and popularized over the past ten years or so where a lot of these threat actors have changed. Those organizations have reorg'd. Some APT front companies have gotten sanctioned. They've changed. Some practices have just plain changed. They've been updated. Those organizations decided to restructure how they work. You have different contractors in the middle. You have different, you know, providers of tooling and so on. So I think a lot of the time, we expect to see what we were used to with the threat actors of 2015, 2016. And, instead, what you see now is a variety of more nimble threat clusters that are a little harder to categorize. You see tool sharing that, again, makes it a lot harder to categorize who you might be dealing with. And there are certain segmentations by functions and almost ephemeral operations that take place when it comes to initial access on the Chinese side, in particular, that a lot of us seem to be having a hard time tracking. And when we do get a sense of it, having a hard time explaining properly to folks who are still latching on to the discussions of your old APT3, APT10. Just an older generation of exposed threat intel that is no longer quite the case.

Dave Bittner: Our thanks to Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne SentinelLabs. The research is titled Operation Tainted Love: Chinese APTs Target Telcos in New Attacks. We'll have a link in the show notes.

The CyberWire Research Saturday Podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're cobuilding the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.