Two advanced persistent threat actors (APT’s) accounted for almost half of the APT attacks detected by researchers at Trellix in the third quarter of 2021.
This is one of the nuggets drawn from the first advanced threat research report issued by Trellix, the new brand of the merged McAfee Enterprise and FireEye companies.
The two threat actors are known in the industry as APT41, a China-based group that according to Mandiant engages in espionage for the country as well as stealing valuable data for financial gain; and APT29, a Russian-based group nicknamed Cozy Bear or The Dukes by some researchers, which has been blamed for a number of incidents including cyberattacks to steal COVID-19 research. The United States has linked it to Russia’s Foreign Intelligence Service.
Most recently CrowdsStrike has linked ATP29 to a campaign it calls StellarParticle, which it says is related to the Sunspot implant used in the compromise of SolarWinds’ Orion network management platform. StellarParticle uses a technique called credentials hopping, in which the attacker gains access to a victim’s network by logging into a public-facing system via Secure Shell (SSH) using a local account acquired during previous credential theft activities. Then the attacker uses port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server using a domain service account. From that server, another RDP session is established on a second internal server. Then the attacker can log into Office 365 as a user with privileged access to cloud resources.
According to the Trellix report, APT41 accounted for 24 per cent of attacks attributed to advanced threat actors, followed by APT29 with 22 per cent in the third quarter, for a total of 46 per cent. The third most common group — with 10 per cent of attacks — is dubbed TA505, a financially-motivated criminal group that has been active since at least 2014. One news report alleges it was involved in campaigns aimed at distributing the Dridex banking Trojan, along with several ransomware families.
The Trellix report also lists the four most common tools used by advanced threat actors:
- Cobalt Strike, the criminal version of a commercial remote access and penetration tool;
- Mimikatz, an open-source application that allows users to view and save authentication credentials. According to Varonis, Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it;
- Net.exe, a component of Windows used in command-line operations for control of users, groups, services, and network connections abused by hackers in living-off-the-land attacks to gather system and network information and moving laterally through SMB/Windows Admin Shares;
- PSExec, a Windows utility that enables IT administrators to run commands and executable binary files on remote servers which can also be abused by hackers with administrative privileges. ExtraHop has this advice for detecting abuse of PSExec.