APT Predictions 2020 As it happened..Predicting 2021

Trying to make predictions about the future is a tricky business. As per the researchers what they predicted and what is happened.. and what going to happen they elobrated

  • The next level of false flag attacks
    Olympic Destroyer , Death Stalker
  • From ransomware to targeted ransomware
    Attacks targetting mainly hospitals and universities
  • New online banking and payments attack vectors
    FIN7, Cobalt Groups, Silence and Magecart, as well as APT threat actors such as Lazarus.
  • More infrastructure attacks and attacks against non-PC targets
    Tunnel Snake, Mosaic Regressor
  • Increased attacks in regions that lie along the trade routes between Asia and Europe
    Strongpity4
  • Increasing sophistication of attack methods
    Geo-fencing attacks or hosting malware and used for C2 communications).
  • A further change of focus towards mobile attacks
    TwoSail Junk
  • The abuse of personal information: from deep fakes to DNA leaks
    Leaked/stolen personal information is being used more than ever before in up-close and personal attacks.

Turning our attention to the future, these are some of the developments that we think will take center stage in the year ahead, based on the trends we have observed this year.

APT threat actors will buy initial network access from cybercriminals

More Silicon Valley companies will take action against zero-day brokers

Increased targeting of network appliances

The emergence of 5G vulnerabilities

Demanding money “with menaces”

More disruptive attacks

Attackers will continue to exploit the COVID-19 pandemic

FunnyDream APT targets Asian countries

A new Chinese state-sponsored hacking group (also known as an APT) has infected more than 200 systems across Southeast Asia with malware over the past two years.Appears to be primarily interested in cyber-espionage, concentrating on stealing sensitive documents from infected hosts, with a special focus on national security and industrial espionage.

The malware infections are part of a widespread cyber-espionage campaign carried out by a group named  FunnyDream, targets in Malaysia, Taiwan, and the Philippines, with the most victims being located in Vietnam

Payloads has 3 malwares Chinoxy, PCShare, and FunnyDream

Each of the three malware strains has a precise role. Chinoxy was deployed as the initial malware, acting as a simple backdoor for initial access.

PCShare, known Chinese open-source remote access trojan, was deployed via Chinoxy and was used for exploring infected hosts.

FunnyDream was deployed with the help of PCShare, and was the most potent and feature-rich of the three, had more advanced persistence and communication capabilities, and was used for data gathering and exfiltration.

funnydream-timeline-tools.png

“Even looking at the tool usage timeline we can see that threat actors started by deploying a series of tools meant for quick and covert data exploration and exfiltration, and later decided to bring on a full toolkit, specifically the FunnyDream toolkit, for prolonged surveillance capabilities,” using living of the land tools

APT Groups in Action against Covid Vaccine Makers

Microsoft revealed that at least three APT groups have targeted seven companies involved in COVID-19 vaccines research and treatments.

In recent times cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.

Microsoft linked the attacks to the Russia-linked Strontium APT group (aka APT28, Fancy Bear, Pawn Storm, Sofacy Group, and Sednit) and two North Korea-linked groups tracked as Zinc (aka Lazarus Group) and Cerium.

The group mainly targeted vaccine makers that are testing Covid-19 vaccines, one of them is a clinical research organization involved in trials, while another one has developed a Covid-19 test. Several organizations targeted by the APT groups that have contracts with or investments from government agencies for Covid-19 related work.

Strontium hackers launched password spraying and brute-force attacks to break into victim accounts and steal sensitive information.

Zinc APT targeted the centers with spear-phishing campaigns aimed at employees working at the targeted companies using messages pretending to be sent by recruiters.

Cerium APT also launched Covid-19 themed spear-phishing campaigns using messages that pretend to be sent by representatives from the World Health Organization.

The targets were located in Canada, France, India, South Korea, and the United States, according to Microsoft.

Microsoft revealed that the majority of the attacks were blocked by protections implemented in its solutions, the IT giant already notified all organizations that were breached by the hackers.

Unfortunately, these attacks are just the tip of the iceberg, the healthcare industry is a privileged target for hackers that are also attempting to take advantage of the ongoing pandemic.

Security measures should be Stringent to get rid of these attacs.. international laws should be in place to take action against countries that involved in these types of state sponsered attacks.

KillSomeOne ☠️ To Curious Clue

APT cloaks identity using script-kiddie messages and advanced deployment and targeting techniques.

Based on messages, such as “KilllSomeOne”, used in attack code strings, coupled with advanced deployment and targeting techniques, they say the APT has a split personality.

“The messages hidden in their samples [malware] are on the level of script kiddies. On the other hand, the targeting and deployment is that of a serious APT group,” relies on a technique called DLL side loading usually used by Chinese APT groups

DLL side-loading, simply put, is a type of application that appears to be legitimate and can often bypass weak security mechanisms such as application whitelisting. Once trusted, the application gains additional permissions by Windows during its execution.

“Side-loading is the use of a malicious DLL spoofing a legitimate one, relying on legitimate Windows executables to load and execute the malicious code,”.

All four DLL side-loading scenarios execute malicious code and install backdoors in the networks of targeted organizations. Each also share the same program database path and plaintext strings written in poor English with politically inspired messages in their samples,

“The cases are connected by a common artifact: the program database (PDB) path. All samples share a similar PDB path, with several of them containing the folder name ‘KilllSomeOne,’” .

“The types of perpetrators behind targeted attacks in general are not a homogeneous pool. They come with very different skill sets and capabilities. Some of them are highly skilled, while others don’t have skills that exceed the level of average cybercriminals,”

“The group responsible for the attacks we investigated in this report don’t clearly fall on either end of the spectrum. They moved to more simple implementations in coding—especially in encrypting the payload,”.