7 advanced persistent threats (APTs) to know about right now – CyberTalk

EXECUTIVE SUMMARY:

An unseen adversary could stealthily lurk within your networks for months or even years. Methodically reconnoitering, establishing footholds, mapping out critical assets – this is the modus operandi of Advanced Persistent Threats (APTs).

These sophisticated, well-resourced actors don’t just strike and disappear. Rather, they entrench themselves within systems while obfuscating their presence as they move towards their ultimate objective; a devastating cyber attack. By the time that a given organization detects an APT, the damage might have already been done.

Believe it or not, 80% of organizations have contended with downtime due to APT incidents.

Develop a stronger understanding of the APT landscape and the adversaries that are targeting your industry. Beyond that, learn about mitigation techniques that can strengthen your security and fortify your resilience capabilities. Get the details below.

7 advanced persistent threats to know about right now

1. The US-CERT has released a technical alert regarding two malware strains; Joanap and Brambul, deployed by the North Korean APT group known as Hidden Cobra.

The alert, issued in collaboration with the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), explains that Hidden Cobra has been using these malware variants since at least 2009. Targets have included organizations in the media, aerospace, finance and critical infrastructure space.

Joanap is a remote access trojan (RAT) that allows Hidden Cobra operatives to remotely issue commands to infected systems via a command and control server. It usually infiltrates systems as a payload dropped by other Hidden Cobra malware, which people inadvertently download through compromised ads or attachments.

In contrast, Brambul is a brute-force authentication worm that propagates through SMB shares by using a list of hard-coded login credentials to perform password attacks; thereby gaining access to victims’ networks.

To mitigate the risks associated with these threats, US-CERT advises organizations to keep systems updated with the latest patches and antivirus software, to enforce the principle of least privilege for user permissions and to deploy effective email security software that can scan and block suspicious attachments.

In addition, disabling Microsoft’s File and Printer Sharing connection requests can prevent this type of malware from spreading within networks.

2. A new advanced persistent threat group, dubbed LilacSquid, engages in data exfiltration attacks across various industry sectors in both the U.S. and the E.U. The tactics employed by the threat group are similar to those of the North Korean threat group known as Andariel, a sub-cluster of the Lazarus group.

LilacSquid’s initial compromise methods include exploitation of known vulnerabilities in internet-facing application servers and use of stolen RDP credentials. After infiltrating a system, LilacSquid leverages a series of open-source tools, including MeshAgent, which allows for remote management, and InkLoader, which allows for decrypting and loading malicious content.

To mitigate the threat posed by LilacSquid, organizations are advised to focus on ensuring that software systems are up-to-date with the latest security patches. It is also suggested that organizations implement strong password policies and multi-factor authentication. Further, organizations should monitor network traffic and deploy advanced threat detection tools.

3. In Southeast Asia, a trio of state-aligned threat actors are executing Operation Crimson Palace, which is currently impacting a high-profile government group. Attackers have exfiltrated sensitive military and political secrets, including strategic documents related to the contested South China Sea.

The operation weaponizes advanced malware tools, involves over 15 DLL sideloading efforts, and innovative evasion techniques.

The operation’s first phase, in March of 2022, involved the deployment of the “Nupakage” data exfiltration tool by Mustang Panda. This was followed by covert backdoor deployments in December of that year. In early 2023, the main campaign began.

To mitigate this type of threat, organizations may wish to implement comprehensive cyber security measures. These include robust network segmentation, regular system updates and advanced threat protection systems that can identify novel malware and backdoor techniques. Also, consider investing in security solutions that use AI.

4. To infiltrate European diplomatic agencies, nation-state backed hackers (attribution unclear) have recently leveraged two new backdoors, known as LunarWeb and LunarMail. The hackers breached the Ministry of Foreign Affairs belonging to an undisclosed European country – one with diplomatic missions in the Middle East.

The attack chain initiates with spear-phishing emails that contain Word documents embedded with malicious macros, which deploy the LunarMail backdoor. This backdoor establishes persistence by creating an Outlook add-in, which activates anytime that the email client is launched.

The attack also exploits misconfigured Zabbix network monitoring tools to deliver the LunarWeb payload. LunarWeb persists by masquerading as legitimate traffic, utilizing techniques such as the creation of Group Policy extensions, replacing system DDLs, and embedding in legitimate software. Both backdoors are decrypted and activated by a component named ‘LunarLoader’ using RC4 and AES-256 ciphers, ensuring that they run exclusively within the targeted environment.

To prevent these types of threats, organizations should install robust email security protocols. Using advanced threat prevention and detection systems is also a must when it comes to enhancing APT resilience.

5. State-backed hacking group APT24 has recently employed advanced social engineering approaches to disrupt networks and to access cloud data across a variety of sectors. The group targets organizations in Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.

The group’s tactics involve posing as journalists and event organizers. This strategy enables APT42 to harvest credentials and gain initial access to cloud environments, from which the group can exfiltrate attractive data.

To counteract these types of threats, take the time to learn about the latest social engineering tactics. Threat intelligence can also enhance an organization’s abilities to contend with such sophisticated campaigns.

6. The advanced persistent threat (APT) operation known as HellHounds has been deploying the Windows version of Decoy Dog malware against telecommunications, IT, government and space industry entities across Russia. At least 48 different organizations have been affected thus far.

To maintain a presence within Russian organizations and to evade malware defenses, the HellHounds group has modified open-source tools. The HellHounds toolkit, though primarily based on open-source projects, has been optimized to ensure prolonged covert operations within compromised environments.

To mitigate this threat, organizations are advised to implement robust multi-factor authentication, regularly update and patch systems, and to employ advanced threat prevention and defense solutions.

7. APT28 is targeting European networks using HeadLace malware and credential harvesting techniques. Operating with stealth, APT28 employes legitimate internet service (LIS) and living off-the-land binaries (LOLBins) to hide their malicious activities within the stream of regular network traffic, significantly complicating detection efforts.

To mitigate the threat, cyber security professionals are advised to block spear phishing attempts, implement comprehensive email security services, and apply multi-factor authentication.

For more insights into the latest malware threats, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.