Research Saturday 7.8.23
Ep 289 | 7.8.23

Creating PANDA-monium.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Thomas Etheridge: It all started with deployment of our technology at a net new customer opportunity. So in the process of deploying the technology, our threat hunters uncovered some hands-on keyboard activity that we soon attributed to Vanguard Panda

Dave Bittner: That's Thomas Etheridge. He's chief global professional services officer at CrowdStrike. The research we're discussing today is titled "Business as Usual: Falcon Complete MDR Thwarts Novel Vanguard Panda Tradecraft".

Dave Bittner: And who is Vanguard Panda, we suppose?

Thomas Etheridge: Vanguard Panda is a threat actor that we have been tracking since the mid-2020s. We believe them to be of China Nexus, and they are focused primarily on targeting multiple sectors, including aviation, technology, and the defense sectors. CISA recently reported on this threat actor in May of 2023 as targeting critical infrastructure organizations across multiple industry verticals throughout the US and its territories.

Dave Bittner: Well, let's walk through this together. It's an interesting one. Can we go through it step-by-step, here? I mean, what was the first indication to your team that something was amiss?

Thomas Etheridge: As I mentioned earlier, our threat hunting team uncovered some hands-on keyboard activity that we knew to be malicious activity. We notified the manage, detect, and response team, who took some quick remediation steps by quarantining - network quarantining the machine that the threat actor was leveraging to carry out some of its tradecraft. One of the things that we noticed in doing some of our investigation is that the threat actor was moving very, very quickly in the environment and had what appeared to be very good - a very good understanding of the customer's infrastructure, in order to carry out the commands and the tradecraft of being able to traverse through the customer's environment. So they were clear to us that they had been in the environment for a while, had established some persistence mechanisms, and had good familiarity with the overall infrastructure of the customer's environment.

Dave Bittner: Now, when you say, "hands-on keyboard activity", what exactly does that entail?

Thomas Etheridge: It's typically picked up, Dave, when we see a threat actor using commands or running tools on an environment that we either know those commands or tools to be malicious in nature or a combination of commands and actions that a threat actor performs in an environment, the combination of those tools at the same time or in near proximity to one another typically is an indicator that the user that's performing those actions is not a legitimate user, and that's when we would typically send a notification or if we're providing a managed service like our MDR, take corrective action to try to quarantine or stop that threat actor from being able to easily traverse through the environment.

Dave Bittner: So Tom, without getting too much in the weeds with some of the technical things, here, can you kind of take us through an overview of, you know, the kinds of tools that you all are seeing them use, here, the tradecraft that you all witnessed?

Thomas Etheridge: Sure, Dave. We reported in our blog that the malicious activity was involving listing processes, doing network connectivity testing, gathering some user and group information, mounting network sharers, and then enumerating domain trusts over WMI, and listing DNS zones over WMI. So the threat actor was doing this pretty quickly, which was also an indication of the familiarity that they had with the environment.

Dave Bittner: Now, in the blog, you draw particular attention to JSP compilation. You highlight that as being a bit of a giveaway, here. Are there any specific elements that are worth highlighting with that?

Thomas Etheridge: I think the importance of that in the blog is that this threat actor was doing a lot of cleanup after their actions. They were moving evidence of their activity; they were deleting logs and evidence of their activity. One of their slipups was missing that particular log source, and that is what the investigators uncovered to tip them off to the threat actor also operating extensively in the environment.

Dave Bittner: Can we talk a little bit at a high level, here? I mean, as you described this, you know, you engaged with a client and they deploy your specific technology, and this is discovered. I assume that this client wasn't running completely unguarded before. Is it a typical thing? Does this - I guess, how often does this happen where, you know, a company will try a different technology or switch vendor and discover that someone's been camping out in their system for quite a while?

Thomas Etheridge: This happens quite frequently, Dave, with the deployment of some of the advanced EDR technologies that exist in the market today. Picking up novel and, you know, previously undetected threats is something that's quite commonplace. But CrowdStrike has a, you know, common theme we communicate to victims that the threat actors aren't breaking into your environment. They're logging into your environment. So one of the pieces of tradecraft related to Vanguard Panda is that they heavily leverage stolen credentials to gain initial access to their targets, and that was the case, here, as well. The threat actor was able to gain access to the infrastructure using credentials that were probably procured through the access broker markets and was using those credentials to carry out their tradecraft and had gone undetected if not for the advanced EDR technology and the threat hunting capabilities of our Falcon Overwatch team.

Dave Bittner: And when we talk about advanced capabilities, here, are we looking at behavioral things in addition to signatures? I mean, my understanding is that it's, you know, it's quite a cocktail of capabilities that come into play, here.

Thomas Etheridge: Absolutely. I think first and foremost, it's understanding through rich intelligence gathering and integration capabilities, the tradecraft that threat actors are carrying out. So what are the things that threat hunters and investigators and security professionals need to understand about how the threat actor could be using specific tools or tradecraft to operate within their environment. The second piece of this is on the identities side of the house: understanding credentialing, privileged access, systems that are critical to protect, and you know, honestly, having capabilities like multi-factor authentication and implementing zero-trust capabilities to help thwart threat actors from simply being able to steal credentials or procure credentials, and then be able to use those credentials to go navigate through the environment without being challenged. Those are some big things that we talk to victims and organizations about from a security posture perspective.

Dave Bittner: And what about the incident response in a case like this, where you know that you have someone who's had some persistence for a while, what are the sorts of things that an organization goes through to make sure that they're - truly have cleaned out these bad guys.

Thomas Etheridge: First is just getting that rich visibility across the environment. So deploying advanced EDR tools to gain that visibility, and being able to threat hunt using those rich intelligence indicators, understand whether or not some activity being performed in the environment is legitimate or illegitimate, but being able to do that around the clock, I think, is really important. Threat actors don't just operate Monday morning at 9:00 to Friday at 5:00. They're typically operating off hours, so being able to hunt continuously against the infrastructure, I think, is really important. The second piece is, I mentioned earlier, understanding identities, credentialing in the environment, and critical assets that may require additional levels of protection where we may want to challenge a user with a second factor of authentication in order to validate that they are who they claim to be. I think that's really important. And then the last thing, which I think is a key focus for managed detection and response type capabilities, it's being able to take that corrective action very, very quickly. We reported in our annual threat report this past year that breakout time had dropped to about 84 minutes, so just under 2 hours from the time a threat actor gains access to the environment until the time they can move laterally towards a target. Being able to take that corrective action within that 84-minute window is something that will help deter threat actors from being able to carry out their tradecraft.

Dave Bittner: You know, Tom, you mentioned your global threat report, and I know one of the things you highlighted in there was activity that you all are seeing from China. And with the supposition that Vanguard Panda is indeed a Chinese threat actor, it sort of keys right into the recommendations you had in that report.

Thomas Etheridge: Absolutely. We introduced over 33 new adversaries last year, tracking from an intel perspective, raising our total to over 200. So it just demonstrates the pervasiveness and opportunity for threat actors to carry out their missions. China, in particular, was one of the most aggressive in 2022. We observed them targeting nearly all 39 global industry sectors in 20 geographic regions across the globe. So pretty prolific in 2022.

Dave Bittner: Our thanks to Thomas Etheridge from CrowdStrike for joining us. The research is titled "Business as Usual: Falcon Complete MDR Thwarts Novel Vanguard Panda Tradecraft". We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the Startup Studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltsman, our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.