Research Saturday 10.28.23
Ep 305 | 10.28.23

No rest for the wicked HiatusRAT.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So over the last, you know, several months, we've continued to pursue a number of different router-based intrusions as that kind of that weird nebulous area that doesn't really get covered very well by firewalls or EDRs but still poses a very significant threat to networks of our customers. That's Danny Adamitis. He's a principal information security engineer with Lumen's Black Lotus Labs. The research we're discussing today is titled "No rest for the wicked: HiatusRAT takes little time off in a return to action." [ Music ]

Danny Adamitis: So as part of that, we kind of deployed these proactive hunting rules and we were able to actually come across a sample, I want to say it was actually in late 2022, early 2023, about the first HiatusRAT malware sample.

Dave Bittner: So before we dig into some of the details here, can we touch on your interest in routers here and what makes them particularly noteworthy?

Danny Adamitis: So I look for router malware because I feel like it's one of those very kind of niche subjects that is in my mind one of the most critical aspects of security but doesn't typically get the coverage that I feel it deserves. This was something that was actually even noted in the latest Mandiant report where they talked about Chinese cyber espionage tactics and they noted that a lot of these advanced threat actors, such as those posed from China, they tend to live in these networking devices just because there really is no good EDR solution. There is not really a lot of blocking. There's not really a lot of monitoring. I would argue, if you go into most small or medium-sized businesses and ask them to point to the router, they wouldn't even know where exactly it is. But as we're going to kind of talk about in this campaign, all of the traffic that comes outside of that network traverses through that one device. So I kind of see that as this very critical chokepoint where if you're able to actually get access to that router, it could give you access to everything that's occurring behind that device and it can kind of provide that foothold that they need in order to kind of perform the operations that they want to perform and get the information they need to get.

Dave Bittner: Well, let's dig into the research here. Start us off, who do we suppose this is and what are they targeting?

Danny Adamitis: So we assessed that this kind of aligns with the strategic interests of the People's Republic of China. We kind of talk about this and this is going to kind of be a little bit of a longer talk, because our research actually started back in 2022. And then we saw from that timeframe that they were targeting a lot of I want to say operational networks that we believe possess rich follow-on access. So if I could quote from my favorite Office of the Director of National Intelligence Cyber Threat Assessment that came out in 2023, they saw that China poses this really broad threat and the most active and persistent threat to US-based government and private sector networks and that they're going to target "targets of rich follow-on opportunity." So this kind of grabbed our attention, because when we started looking at some of these targets, we were seeing things like IT service providers, we were seeing things like MSSP's. These are the sorts of networks that if they were able to target one of those, it could in theory actually give them access to a number of their downstream customer networks. We also saw targeting of things that just kind of align more traditionally with Chinese espionage. We saw some municipal level government organizations, we saw things like the pharmaceutical companies, and we saw a little bit of oil and gas. And these are just kind of things that typically align with their economic goals.

Dave Bittner: So this starts with a particular model of router, which you point out in the research here is end-of-life. These are DrayTek Routers. Tell us about them.

Danny Adamitis: Yes. So our initial campaign seemed to focus exclusively on these DrayTek Vigor Routers. These are the I want to say 2960s and the 3900s. So these were something that have been end-of-life for a very long time, but they're still kind of existing on the Internet. In fact, when we did our first report back in March, we saw that there were about 3,100 of these still existing on the Internet based off of things like Shodan and Censys. But based off our telemetry, we only observed targeting of around 100 of them. Which means that whoever was behind this campaign was really only targeting about 3% of the eligible population. So again, that kind of led us to believe that whoever's behind this campaign, they were kind of taking a more targeted approach and they weren't just going after every single device that existed on the Internet. Now, one kind of other note I'd like to make is that while we originally only saw telemetry stemming from these DrayTek Vigor Routers, we did actually find binaries that were compiled for things like MIPS, for ARM, for some of these other I'm going to say router based architectures. And then in the summer of 2023, we actually saw them starting to shift and target different types of devices such as Ruckus wireless and again some of these other architectures. We believe that, again, this is just kind of where they chose to be. I don't really think the limiting factor was you had to have a DrayTek; it was just you had to be of interest to this particular activity cluster.

Dave Bittner: Well, let's talk about the malware itself. I mean, you point out in the research here, there are two primary things that they seem to be up to.

Danny Adamitis: Correct. So we kind of broke down the targets. So there were two binaries, and we believe they each kind of served a distinct purpose. One of the binaries should be kind of common to most of your listeners. It was just a variant of tcpdump. tcpdump is just basically a packet capture binary that was compiled for the ELF format. So this would allow them to actually collect packets as they were traversing outside of the network to somewhere else on the Internet. We believe that in the initial stages, we saw a bash script that would actually highlight a couple different ports. They were things like port 21 for FTP, port 25 for SMTP. They were also targeting things like POP3, IMAP. And they were really trying to get what we believe is more email based traffic. This would be what we think is deployed on networks of interest. These are targets that we believe, you know, have some sort of strategic intelligence to the threat actor. Whereas the second binary that we are actually calling HiatusRAT was the custom actual trojan. This was a little bit different. And it afforded some of the same functionalities that everyone knows and has come to love over time. You can upload files. You can download files. You can execute commands. But the thing that really stood out to me is that there were two embedded functions, one of which is called TCP forward and the other was just called SOCKS5. This is what we assessed was going to be deployed on targets of opportunity. So what we think is that they could be actually targeting networks I want to say within a certain geographical region, and they might be looking for a vulnerable router in that same geographical area. They can then I want to say deploy this HiatusRAT trojan and potentially have a piece of my malware beacon out to the router, employ something like the TCP forward function, and then actually have that beacon go back to a further upstream command-and-control node that would allow them to add another layer of obfuscation to the work to kind of evade some of that geolocation based blocking that may exist. [ Music ]

Dave Bittner: Do you have a sense for how someone would find themselves infected with this?

Danny Adamitis: So, unfortunately, we were not able to recover the initial exploit. But as we kind of mentioned before, because these were end-of-life, there are vulnerabilities that exist on places like Exploit DB and GitHub. It's just really hard to kind of know because I'm going to say they're just so darn old. Our kind of advice is that if you find yourself in an enterprise environment and your router is end-of-life, it might be time to consider upgrading that to something that actually has tech support. And once you actually have a router that supports, you know, patching, we highly encourage people to do things like make sure they know what their router is, have a routine patch schedule, institute some form of blocking, and kind of check on it periodically for abnormal files.

Dave Bittner: You know, it's really good insight there. I mean, that old saying, "if it ain't broke, don't fix it." But that really doesn't apply when it comes to cybersecurity and some of these old hardware devices that can be sitting there doing their job for decades, but over time, the vulnerabilities are revealed.

Danny Adamitis: If anything, I want to say this is actually, you know, almost a nod to the DrayTek folks that they've made these routers that seem to seamlessly work for years and years on end without any sort of, you know, updating or monitoring. This is not intended to be, you know, anything derogatory towards DrayTek, that was just kind of what the target, you know, took an interest in. But these things just kind of keep on running. So if it's, again, not broke, why would we try to fix it?

Dave Bittner: Yeah. Well, what about command-and-control here, what did you all see when it comes to that?

Danny Adamitis: So we observed initially two command-and-control nodes. And they actually kind of did this interesting thing where they kind of siloed operations. We had one command-and-control server that we called the heartbeat server, and the malware itself would actually beacon to this heartbeat server every eight hours. Again, in my mind, this is also kind of notable, because when you look at most of these campaigns, like Cobalt Strike beacons or other malware beacons, they tend to be over the course of maybe a few hours or, you know, even a couple minutes. To have something only beacon every eight hours, it kind of really limits that detection opportunity if you're doing this from a host-based network. The second command-and-control server that we saw in the original campaign was called the "upload server." So as we kind of mentioned previously, they were doing things like collecting packet captures of things like email based traffic. Well, once they actually had that traffic collected and all those packets captured, they still need to send it somewhere. So this is kind of where we believe that they would kind of just run the script, they would collect X number of packets, we'll say 10,000 just for the sake of the number. And then once it kind of hits that limit, it would then upload all those packets to the actual server and then they would kind of delete themselves. Because they do have limited storage capability on these routers.

Dave Bittner: Because all this is happening at the router level, what are the opportunities for defenders to detect this?

Danny Adamitis: So that's a great question, and it poses a bit of a problematic stance. You would actually kind of have to start checking your router for this sort of attack. So this is one of the other things I kind of wanted to highlight. As I'm sure you and, you know, listeners know, there's kind of been I want to say a bit of an onslaught against email clients over the past year or two, where people have been targeting things like on-prem, on Zimbra, even some instances Azure. This would kind of allow them to collect that same sort of data from the router layer without any sort of agent on that, you know, email server where you might actually be able to have some sort of EDR based processing or blocking there. Unfortunately, really the only way you can actually tell if you are infected by this is to have your local sysadmin or network engineer log in and check for some of these abnormal files. We kind of highlight this in our report. We noticed that they created their own kind of temp directory called database. So again, kind of looking at things like your temp files for just directories that don't really belong there. If you see something like "database," that could kind of be the tip off that, hey, maybe this isn't supposed to happen. Because no one really runs a database on a router. But, unfortunately, that's really it for the time being.

Dave Bittner: Yeah. What is your sense of the sophistication of the folks who are operating this campaign?

Danny Adamitis: We assessed that they were highly sophisticated. As we kind of mentioned before, they were very intentional with this targeting. Again, they were only really targeting like 3% of the vulnerable applications. Another thing is we think that they kind of almost intentionally chose these end-of-life products. Because if you're running a product that's been end-of-life 10 years ago, the odds of people performing that I want to say cyber hygiene or due diligence is probably very low.

Dave Bittner: Right. They've already demonstrated their lack of attention, right?

Danny Adamitis: Yes. So they've been kind of just able to continue to operate there. But one of the other things that we kind of thought was a little bit unique with this threat actor is that even after we did our initial publication in March, they just kind of continued on with operations as if nothing happened. This was something that was a little bit brazen almost in my mind. Where traditionally, you know, it's that fun cat-and-mouse game where threat hunters look for threats, they publish a report, the threat actor then responds. They kind of configure C2 to be a little differently. They might remodify some variations. They actually kept the exact same command-and-control servers that they were using in March all throughout the summertime. Then, if I can, I think this is a good segue. In the summertime, we actually started to see that kind of strategic shift in targeting. Where I want to say when we're talking about the early 2023/2022 campaign, they were kind of going after these traditional I want to say espionage targets. But starting in the summer of 2023, they really doubled down and focused almost exclusively on Taiwan and US military procurement servers. So then when we kind of start talking about things like, oh, we're seeing an interest in economic espionage, sometimes it's easy to say, well, that's not really a national security problem, or that's not really something I need to be concerned about because I fit into this other vertical. We then kind of saw them employ those exact same TTPs to start going after these other organizations, which I would argue are more high value.

Dave Bittner: Can you give us some insights on the type of visibility that you and your colleague there at Black Lotus Labs have into this sort of thing and the place that you all sit in the ecosystem that provides you with this sort of visibility?

Danny Adamitis: So we kind of have two different types of visibility. We have obviously host and network based. So working at a US-based ISP, I obviously take a strong interest in routers because we operate a large number of routers from different manufacturers. They're located I'm going to say quite literally all around the world. So we are able to get some of that host based access that we sometimes use to try to look for these abnormalities. The second thing that we have that's I want to say a little bit unique to Lumen Technologies is we have that global Internet backbone, where we collect I think it's something like 200 billion NetFlow sessions a day that allows us to kind of start parsing through this data and looking for who exactly is being infected. And the other nice thing is because we have some of these other assets like the former Level 3 ASN, 3356, we can actually see some transient information. So our visibility isn't inherently limited to our customers, it allows us to kind of get that global view that allows us to build those global heat maps that actually show us that there might be targeting in Latin America or in Europe or wherever. And we can kind of correlate all those logs together to kind of get a better understanding of what the threat actor is. Lastly, we do have some DNS visibility as well. This is based off of our resolvers. I believe that they're posted online. I encourage everyone to use them. We can kind of do things with our DNS based visibility to try to look for other indicators of compromise and kind of help piece all this stuff together. By taking some of those network-based indicators, enriching them a little bit with DNS, enriching it with NetFlow, we feel that we're able to kind of give a more complete story than some other firms.

Dave Bittner: So, Danny, what are your recommendations here? I mean, based on the information you all have gathered, what should people be doing out there?

Danny Adamitis: So there should be a couple things. For this particular type of attack, we believe that the threat actor was essentially exploiting the fact that some network based data is still being transmitted unencrypted. So, again, they were really taking advantage of things like SMTP. We would encourage everyone to use secure SMTP. And, again, this is just like a small configuration change that can be done by a system admin and can really have a bigger effect. We encourage group policies that would use things like secure POP3 or secure IMAP. This is, again, a way to still be able to remotely access your email but would allow you to do it in the way that provides an added layer of encryption. And if you are working at a small, medium, or even larger business, we would really encourage people to just kind of know, just think about the fact of what are our routers, where are they located, what is our patch cycle, when have they ever been checked? And just kind of be aware of the fact that a lot of people seem to think of their perimeter as ending at the firewall, and I would argue it actually goes one hop further. You need to know what is your actual router that you are using. And I would encourage you to actually talk to your ISP as well to kind of see what routers they are using. Because, again, it's all interconnected. And then the last thing is, when you are looking for things like this, I would almost argue that you need to have some sort of analytics in place to look for weird data transfers regardless of where they are. I know a lot of firms in the past have done things like geo-blocking based off of country code or ASNs. But by using things like HiatusRAT, it would allow a threat actor to actually kind of tunnel all this traffic through an IP address, potentially in the same city as where your organization or where your people are actually living. And this just kind of breaks that traditional threat model. So, again, we just kind of need to have some form of logging in there and data loss protection that could potentially try to alert us before this turns into a monumental one. [ Music ]

Dave Bittner: Our thanks to Danny Adamitis from Lumen's Black Lotus Labs for joining us. The research is titled "No rest for the wicked: HiatusRAT takes little time off in a return to action." We'll have a link in the show notes. [ Music ] The CyberWire Research Saturday podcast is a production of N2K networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. [ Music ]