A security joint advisory revealed about a sophisticated espionage tool dubbed as Snake malware used by Russian cyber actors against their targets.
The malware is spread across 50 countries across North America, South America, Europe, Africa, Asia, and Australia, Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts. Globally, the Russian Federal Security service has used Snake to collect sensitive intelligence from high-priority targets such as government networks, research facilities, and journalists.
The advisory was published by the US FBI, the US NSA, the US CISA, US CNMF, the UK NCSC, the Canadian CCS, the Canadian CSE, the Australian ACSC, and the New Zealand NCSC.
This tool is the most sophisticated cyber espionage tool in the FSB’s arsenal, stemming from three principal areas.
- First, Snake employs means to achieve a rare level of stealth in its host components and network communications.
- Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components.
- Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.
The FSB has also implemented new techniques to evade detection, with the effectiveness of the cyber espionage implant depending on its long-term stealth to provide consistent access to important intelligence. It is deployed to external-facing infrastructure nodes on a network, and from there uses other TTPs to conduct additional exploitation operations.
Once after gaining access to a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials to expand laterally across the network, to include keyloggers, network sniffers, and open-source tools.
The threat actor relies on credentials and lightweight remote-access tools internally within a network. Sometimes they deploy a small remote reverse shell along with Snake to enable interactive operations.
Methods for detecting Snake malware
Network-based detection:
- Advantages include high-confidence, large-scale (network-wide) detection of custom Snake communication protocols.
- Disadvantages include low visibility of Snake implant operations and encrypted data in transit. There is some potential for false positives in the Snake HTTP, HTTP2, and TCP signatures.
Host-based detection:
- Advantages include high confidence based on totality of positive hits for host-based artifacts.
- Disadvantages include that many of the artifacts on the host are easily shifted to exist in a different location or with a different name. As the files are fully encrypted, accurately identifying these files is difficult.
Memory analysis:
- Advantages include high confidence as memory provides the greatest level of visibility into Snake’s behaviours and artifacts.
- Disadvantages include potential impact on system stability, difficult scalability.
Preventing Snake’s persistence and hiding techniques
- Changing Default Passwords will prevent FSB actors from compromising default credentials to gain initial access or move laterally within a network.
- Requiring Minimum Password Strength across an organization will prevent FSB actors from being able to successfully conduct password spraying or cracking operations.
- Requiring Unique Credentials will prevent FSB actors from compromising valid accounts through password spraying or brute force.
- Separating User and Privileged Accounts will make it harder for FSB actors to gain access to administrator credentials.
- Network Segmentation to deny all connections by default unless explicitly required for specific system functionality, and ensure all incoming communication is going through a properly configured firewall.
- Implementing Phishing Resistant MFA adds an additional layer of security even when account credentials are compromised and can mitigate a variety of attacks towards valid accounts, to include brute forcing passwords and exploiting external remote services software.
- Deploy Security.txt Files to ensure all public facing web domains have a security.txt file that conforms to the recommendations in RFC 9118.
