In October 2016, a new customer contacted the information security company Cybereason, worried that it might have been compromised in some kind of breach. That is exactly what had happened, and the intruder was one of the notorious hacker groups: APT32.
At that point the client, a large international company based in Asia, did not know which devices and servers had been affected by the hacking, or even whether a breach had actually occurred. "They saw a lot of weird stuff on their network," says Assaf Dahan, director of advanced security at Cybereason.
The company already used security products such as firewalls, network filters and scanners, but none of them had detected the intrusion. As Cybereason investigated, however, it found more and more suspicious malicious activity. In the end, the security firm uncovered a large-scale attack that had lasted for a year, and in it they saw clear hallmarks of APT32.
The notorious APT32
Also called the OceanLotus Group, APT32 is known for its complex attacks on private companies, foreign governments, journalists and activists. The group's activity began in 2012, when it started attacking targets in China before expanding its attacks across Asia, including Vietnam and the Philippines. Unlike other groups, which tend to support, at least indirectly, the hacking interests of a major state sponsor, APT32 often does not follow the interests of well-known players such as Russia or China.
The details of the attack that Cybereason recently published help explain how APT32 works and what its motives might be. Such "advanced persistent threats" require financial resources and manpower to set up and then see through to the end; the groups that fund them, however, can obtain invaluable data in return.
In this case, Cybereason says that APT32 was clearly focused on intellectual property and confidential business information and, over time, on tracking the company's work on specific projects.
"Its (the attack's) scale was quite disturbing. This is not a trifle," says Dahan. "We needed to keep this secret, we tried to protect the anonymity of our clients, so we could not publish anything. But we felt that as soon as we went public, more security companies or even government agencies would notice the attack and help stop this group."
"Cat and Mouse"
In the incident Cybereason investigated, the company traced the intrusion to phishing emails that lured victims into downloading a fake Flash installer or a malicious Microsoft Word document, which instead planted malware on the network. Once installed, the group used numerous exploits and vulnerability manipulations to move across the network and embed various malicious programs.
The hackers used Windows PowerShell, the configuration management tool that is a popular entry point for attackers, to install malicious scripts on the system. They then manipulated legitimate Windows management services, such as Windows Registry autorun entries and Windows Scheduled Tasks, to keep their malicious code persistent so that it would keep running even after a device was restarted. The hackers also abused Microsoft Outlook properties, the Google Updater application and Kaspersky Lab antivirus tools to get deeper into the network. Over several weeks of assessing the situation, Cybereason identified a varied set of tools and methods used by the hackers.
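The persistence mechanisms named above (Registry Run keys, scheduled tasks and PowerShell scripts) are exactly the kind of activity a defender can watch for in endpoint telemetry. The following is an added example, not code from the article or from Cybereason or FireEye: a small rule set run over constructed sample events whose field names loosely mimic Sysmon registry and process events and Windows Security scheduled-task events. The event shapes, rule names and severities are assumptions for illustration; the encoded PowerShell command is generated in the block from a harmless constructed string.

```python
"""Detection rules for Run-key, scheduled-task and encoded-PowerShell
persistence, run over constructed sample events (hypothetical example)."""
import base64
import re

# Registry autostart locations: the Run and RunOnce keys under CurrentVersion.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
                        re.IGNORECASE)
# Script hosts that commonly carry living-off-the-land persistence.
SCRIPT_HOST_RE = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b",
                            re.IGNORECASE)
# PowerShell's -EncodedCommand flag and its accepted abbreviations, followed by base64.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                         re.IGNORECASE)

# Constructed payload: PowerShell expects -enc to be base64 of UTF-16LE text.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry). event_id 13 = Sysmon registry
# value set, 1 = Sysmon process create, 4698 = Security log scheduled task created.
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "ws01",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": f"powershell.exe -w hidden -ep bypass -enc {ENC}"},
    {"event_id": 13, "host": "ws02",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event_id": 4698, "host": "srv01", "task_name": r"\Microsoft\Windows\Svc\Update",
     "command": r"wscript.exe C:\ProgramData\svc\update.vbs"},
    {"event_id": 4698, "host": "srv02", "task_name": r"\Vendor\NightlyBackup",
     "command": r"C:\Program Files\Vendor\backup.exe --nightly"},
    {"event_id": 1, "host": "ws03",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload found in text, or None."""
    match = ENC_FLAG_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event):
    """Return a list of (rule_name, severity) hits for one event."""
    hits = []
    eid = event["event_id"]
    if eid == 13 and RUN_KEY_RE.search(event.get("target_object", "")):
        # Any new Run-key value is worth a look; a script host in it is worse.
        severity = "high" if SCRIPT_HOST_RE.search(event.get("details", "")) else "medium"
        hits.append(("run_key_autostart", severity))
    if eid == 4698 and SCRIPT_HOST_RE.search(event.get("command", "")):
        hits.append(("scheduled_task_script_host", "high"))
    # Encoded PowerShell can appear in a process command line, a Run-key value
    # or a task action, so check whichever text field the event carries.
    text = event.get("command_line") or event.get("details") or event.get("command") or ""
    if decode_encoded_command(text) is not None:
        hits.append(("encoded_powershell", "high"))
    return hits


def scan(events):
    """Run the rules over all events and return a flat list of alert dicts."""
    alerts = []
    for event in events:
        for rule, severity in classify_event(event):
            alerts.append({"host": event["host"], "event_id": event["event_id"],
                           "rule": rule, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity hit on the OneDrive entry is deliberate: autostart changes by legitimate software are common, so the rule surfaces them for triage rather than suppressing them, while script hosts and encoded commands in an autostart location are treated as high severity.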
"They are focused on top-level management, like vice-presidents, directors, about 40 of their management staff, including the secretary general," says Dahan. "They set their goals very well. They knew who to exploit and where to move once they were already in the network. They knew exactly what mechanisms they were interested in."
When Cybereason blocked the intruders, however, interesting things began to happen. As the company took steps to limit the group's presence on the network and eventually get rid of them, the attackers began to launch more and more novel attacks to re-establish themselves.
After network intruders were blocked, Cybereason says, they would re-emerge anywhere from 48 hours to 4 weeks later. In all, the attackers used more than 70 different pieces of malware to carry out the various phases of the long-term attack. "They knew the network very well, they could create a lot of back doors or loopholes to return, and they also had enough money in their arsenal," says Dahan. "It really was a cat and mouse game."
Security researchers such as FireEye have tracked APT32's actions and noted features such as its use of both generic and custom-built tools, as well as its ways of persisting over a long period. Researchers had already documented some of the behaviours Cybereason saw in practice.
Nicholas Carr, senior incident response manager at FireEye, has consulted on about a dozen APT32 intrusions and says that the type of attack Cybereason describes is consistent with APT32's pattern, although he has not studied the Cybereason report. "It's not strange that APT32 is so decisive in maintaining access to the network," he says. "They are interested in such long-term access to newly developing situations. They have an impressive team scale and management infrastructure."
Many questions about APT32 remain unanswered. FireEye suggests that the group's projects seem to serve the interests of Vietnam, but so far there is no general research consensus. Experts also still need to confirm the attribution to APT32 in this particular case. But given the well-known examples of APT32 attacks, both those that have been publicly analyzed and those that firms evaluate internally, APT32 certainly has the resources and capabilities to carry out remarkably large-scale network attacks like the one in the Cybereason case, in particular for surveillance and data exfiltration.
"If this group can manage multiple campaigns at the same time, it says a lot about them," notes Dahan. "This proves their ability, strength and resourcefulness."