BIGFISH TECHNOLOGY LIMITED
11 June 2024

7 advanced persistent threats (APTs) you should know about right now.

An invisible opponent could quietly lurk within your networks for months or even years. Advanced Persistent Threats (APTs) use a methodical approach to reconnoitering, establishing footholds, and mapping important assets.

These clever, well-funded actors do not simply strike and disappear. Rather, they embed themselves within networks, obscuring their presence as they work toward their ultimate goal: a deadly cyber strike. By the time a given organization recognizes an APT, the damage may already have been done.

Gain a better knowledge of the APT landscape and the adversaries attacking your industry. Learn about mitigation approaches that can improve your security and resilience capabilities. Get the facts below.

7 advanced persistent threats you should know about right now

  1. The US-CERT has issued a technical alert regarding two malware strains, Joanap and Brambul, disseminated by the North Korean APT group Hidden Cobra.

The notice, issued in partnership with the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), states that Hidden Cobra has used these malware types since at least 2009. Targets have included companies in the media, aircraft, finance, and essential infrastructure sectors.

Joanap is a remote access trojan (RAT) that lets Hidden Cobra operators send commands to infected PCs via a command and control server. It typically arrives as a payload dropped by other Hidden Cobra malware, which users unknowingly pick up through malicious advertising or infected files.

Brambul, on the other hand, is a brute-force authentication worm that spreads over SMB shares by performing password attacks using a list of hard-coded login credentials, allowing it to enter victims' networks.

To reduce the risks associated with these threats, US-CERT recommends that organizations keep systems up to date with the latest patches and antivirus software, enforce the principle of least privilege for user permissions, and implement effective email security software that can scan and block suspicious attachments.

Furthermore, blocking Microsoft File and Printer Sharing connection requests can help prevent this form of malware from propagating across networks.
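The US-CERT guidance above reduces exposure; the detection side of a Brambul-style SMB worm is what the following added example shows. It is not code from the article, from Cybertalk or from US-CERT. It assumes that failed and successful logons are available as Event ID 4625 / 4624 records carrying the logon type, account name and source address; the one-line log layout, the sample addresses and the account names are constructed for the example.

```python
"""SMB brute-force / password-spray detection over Windows logon events.

Added example for this article (not code from Cybertalk, Bigfish or US-CERT).
Assumptions: failed and successful logons are available as Event ID 4625 / 4624
records with the logon type, account name and source address; the one-line
layout below is a constructed simplification of those events.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <EventID> LogonType=<n> Account=<user> Source=<ip>".
# 10.0.0.57 walks a short list of default account names over the network (logon type 3)
# and then succeeds; 10.0.0.23 is a user mistyping a password twice; 127.0.0.1 is interactive.
SAMPLE_LOG = """\
2024-06-11T09:00:01 4625 LogonType=3 Account=Administrator Source=10.0.0.57
2024-06-11T09:00:02 4625 LogonType=3 Account=admin Source=10.0.0.57
2024-06-11T09:00:02 4625 LogonType=3 Account=root Source=10.0.0.57
2024-06-11T09:00:03 4625 LogonType=3 Account=user Source=10.0.0.57
2024-06-11T09:00:03 4625 LogonType=3 Account=guest Source=10.0.0.57
2024-06-11T09:00:04 4625 LogonType=3 Account=test Source=10.0.0.57
2024-06-11T09:00:05 4624 LogonType=3 Account=Administrator Source=10.0.0.57
2024-06-11T09:00:09 4625 LogonType=2 Account=jsmith Source=127.0.0.1
2024-06-11T09:05:00 4625 LogonType=3 Account=jsmith Source=10.0.0.23
2024-06-11T09:05:30 4625 LogonType=3 Account=jsmith Source=10.0.0.23
"""


@dataclass
class LogonEvent:
    ts: datetime
    event_id: int
    logon_type: int
    account: str
    source: str


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed log line into a LogonEvent."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return LogonEvent(
        ts=datetime.fromisoformat(ts),
        event_id=int(event_id),
        logon_type=int(fields["LogonType"]),
        account=fields["Account"],
        source=fields["Source"],
    )


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_smb_bruteforce(events, window=timedelta(seconds=60),
                          min_failures=5, min_accounts=3):
    """Flag sources with a burst of failed network logons across several accounts.

    SMB authentication shows up as logon type 3 (network). A worm cycling through a
    hard-coded credential list produces many 4625 events from one source within a
    short window, spread over many account names. A 4624 from the same source after
    the burst means one of the guesses worked and is the highest-priority signal.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.logon_type != 3:
            continue  # ignore interactive/service logons; only network auth matters here
        if e.event_id == 4625:
            failures[e.source].append(e)
        elif e.event_id == 4624:
            successes[e.source].append(e)

    alerts = []
    for source, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):  # sliding window over this source's failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            accounts = {e.account for e in burst}
            if len(burst) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(burst) > best["failures"]:
                    best = {"source": source, "failures": len(burst),
                            "distinct_accounts": len(accounts),
                            "first": burst[0].ts, "last": burst[-1].ts}
        if best is not None:
            best["followed_by_success"] = any(
                s.ts >= best["last"] for s in successes.get(source, []))
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low so that the sample trips the rule; in production, tune `min_failures` and `min_accounts` against the normal failure rate of your file servers, and treat `followed_by_success` as the trigger for immediate containment, since it means a credential on the worm's list is valid on that host.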

  2. LilacSquid, a new advanced persistent threat group, conducts data exfiltration attacks across multiple industry sectors in the United States and the European Union. The threat group's techniques are comparable to those of the North Korean threat organization Andariel, which is a sub-cluster of the Lazarus group.

LilacSquid's initial access methods include exploiting known vulnerabilities in internet-facing application servers and using stolen RDP credentials. After entering a system, LilacSquid uses a number of open-source tools, such as MeshAgent, which enables remote management, and InkLoader, which decrypts and loads malicious payloads.

To limit the threat posed by LilacSquid, enterprises should focus on keeping software systems up to date with the most recent security patches. Enforcing robust password policies and multi-factor authentication is also recommended. Additionally, enterprises should monitor network traffic and use advanced threat detection systems.


  3. In Southeast Asia, a trio of state-aligned threat actors are carrying out Operation Crimson Palace, which is now targeting a high-profile government group. Attackers have stolen vital military and political secrets, including strategic documents pertaining to the disputed South China Sea.

The operation employs complex malware tools, over 15 DLL sideloading attempts, and novel evasion methods.

The initial phase of the operation, which began in March 2022, included the deployment of Mustang Panda's "Nupakage" data exfiltration tool. This was followed by covert backdoor deployments in December of the same year. The main campaign began in early 2023.

To mitigate this type of attack, businesses should deploy thorough cyber security measures: effective network segmentation, regular system updates, and advanced threat detection systems capable of spotting new malware and backdoor tactics. Also consider investing in AI-powered security solutions.
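The DLL sideloading mentioned above is something a detection system can look for directly: a signed executable loading a DLL that carries a Windows system DLL's name but sits outside System32, or an unsigned DLL loaded from the same user-writable directory as its host executable. The following added example is not code from the article or from any vendor. It assumes Sysmon Event ID 7 (ImageLoad) records are available as dicts using the real Sysmon field names Image, ImageLoaded and Signed; the events, the directory lists and the short DLL-name list are constructed for the example.

```python
"""Spot likely DLL sideloading in Sysmon image-load events.

Added example for this article, not code from the Cybertalk/Bigfish article or
from any vendor. Assumptions: Sysmon Event ID 7 (ImageLoad) records are available
as dicts with the real Sysmon field names Image, ImageLoaded and Signed; the
events, directory lists and DLL-name list below are constructed for the example.
"""

# Directories where Windows' own DLLs normally live (lowercase, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Roots that only administrators can write to; EXEs elsewhere deserve more scrutiny.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Short, constructed list of Windows DLL names that a sideloaded DLL often imitates.
WINDOWS_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                     "wtsapi32.dll", "userenv.dll"}

# Constructed Sysmon-style events. Only the fields the rules use are included.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\Libraries\\update.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dbghelp.dll", "Signed": "true"},
    {"EventID": 7, "Image": "C:\\ProgramData\\Sync\\sync.exe",
     "ImageLoaded": "C:\\ProgramData\\Sync\\helper.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe"},  # process create, ignored
]


def split_path(path):
    """Return (directory with trailing backslash, file name), both lowercased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory + "\\", name


def sideload_indicators(event):
    """Return the list of rule names that fire for one ImageLoad event."""
    if event.get("EventID") != 7:
        return []
    exe_dir, _ = split_path(event["Image"])
    dll_dir, dll_name = split_path(event["ImageLoaded"])
    signed = str(event.get("Signed", "")).lower() == "true"
    rules = []
    # Rule 1: a DLL named like a Windows system DLL but loaded from somewhere else.
    # The loader resolved the name from the application directory, not System32.
    if dll_name in WINDOWS_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        rules.append("system-dll-name-outside-system-dir")
    # Rule 2: an unsigned DLL co-located with an EXE running from a user-writable path.
    if (not signed and dll_dir == exe_dir
            and not exe_dir.startswith(TRUSTED_ROOTS)):
        rules.append("unsigned-colocated-dll-untrusted-dir")
    return rules


def scan_image_loads(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        rules = sideload_indicators(ev)
        if rules:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                             "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in scan_image_loads(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 is the high-confidence one; Rule 2 will also catch legitimately portable software running from user directories, so in practice it is best scoped to executables that are themselves signed by a well-known vendor (a field Sysmon also records as Signature).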


  4. To enter European diplomatic agencies, nation-state-backed hackers (attribution unclear) recently used two new backdoors known as LunarWeb and LunarMail. The hackers broke into an unknown European country's Ministry of Foreign Affairs, which has diplomatic missions in the Middle East.

The attack chain begins with spear-phishing emails containing Word documents loaded with malicious macros that install the LunarMail backdoor. This backdoor establishes persistence by installing an Outlook add-in that activates whenever the email client is launched.

The attack also abuses misconfigured Zabbix network monitoring tools to deliver the LunarWeb payload. LunarWeb persists by blending in with legitimate system components and traffic, using tactics such as Group Policy extensions, system DLL replacement, and embedding in legitimate applications. Both backdoors are decrypted and launched by a component called 'LunarLoader' using the RC4 and AES-256 ciphers, which ensures that they only run in the targeted environment.

To reduce these risks, businesses should implement strong email security controls. When it comes to increasing APT resistance, advanced threat prevention and detection technologies are essential.
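The Outlook add-in persistence used by LunarMail leaves a trace that can be audited: every COM add-in Outlook loads is registered under HKCU or HKLM `Software\Microsoft\Office\Outlook\Addins\<ProgID>` with a `LoadBehavior` value, and 3 means "loaded, and load at startup". The following added example is not code from the article, from Cybertalk or from ESET. It assumes the input is the text of a `reg export` of that key (decoded from UTF-16 to a Python string); the add-in entries and the allowlist are constructed for the example.

```python
"""Audit Outlook add-in persistence from a registry export.

Added example for this article, not code from the Cybertalk/Bigfish article or
from ESET. Assumptions: the input is the text of `reg export` output (already
decoded from UTF-16) for HKCU or HKLM ...\\Software\\Microsoft\\Office\\Outlook\\Addins;
the add-in entries and the allowlist below are constructed for the example.
"""
import re

# Matches an add-in subkey header such as
# [HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Some.ProgId]
# in either hive, including the WOW6432Node path used by 32-bit Office on 64-bit Windows.
ADDIN_KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\(?:WOW6432Node\\)?"
    r"Microsoft\\Office\\Outlook\\Addins\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# LoadBehavior is a bit field; bit 1 (value 2) means "load at Outlook startup".
LOAD_AT_STARTUP = 0x2

# Constructed .reg export: one expected add-in, one unknown add-in set to load
# at startup, and one disabled add-in.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins]

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\TeamsAddin.FastConnect]
"LoadBehavior"=dword:00000003
"FriendlyName"="Microsoft Teams Meeting Add-in for Microsoft Office"

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Sync.Helper]
"LoadBehavior"=dword:00000003
"FriendlyName"="Mail Sync Helper"
"Description"="Keeps mail in sync"

[HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Legacy.Tool]
"LoadBehavior"=dword:00000000
"FriendlyName"="Legacy Tool"
"""


def _decode_value(raw):
    """Decode a .reg value: dword:<hex> -> int, "text" -> str, anything else raw."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_outlook_addins(reg_text):
    """Return {(hive, progid): {value name: value}} for every add-in subkey."""
    addins = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = ADDIN_KEY_RE.match(line)
            current = None  # any other key (e.g. the Addins parent) ends the section
            if m:
                current = {}
                addins[(m.group(1).upper(), m.group(2))] = current
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = _decode_value(m.group(2))
    return addins


def audit_outlook_addins(reg_text, allowlist):
    """List add-ins set to load at startup that are not on the organisation's allowlist."""
    findings = []
    for (hive, progid), values in parse_outlook_addins(reg_text).items():
        load_behavior = values.get("LoadBehavior", 0)
        if not isinstance(load_behavior, int):
            continue
        if load_behavior & LOAD_AT_STARTUP and progid not in allowlist:
            findings.append({"hive": hive, "progid": progid,
                             "load_behavior": load_behavior,
                             "friendly_name": values.get("FriendlyName", "")})
    return findings


if __name__ == "__main__":
    # The allowlist is a constructed example of what an organisation would maintain.
    for finding in audit_outlook_addins(SAMPLE_REG_EXPORT, {"TeamsAddin.FastConnect"}):
        print(finding)
```

Run it over exports from both hives on each mailbox host; an add-in that appears only under HKCU for one user, with a friendly name that mimics a real product, is the pattern to investigate. The add-in's actual DLL path lives under its CLSID in HKCR and is the natural next field to pull into the report.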


  5. APT42, a state-sponsored hacking outfit, has recently used advanced social engineering techniques to disrupt networks and access cloud data in a number of industries. The group targets Western and Middle Eastern non-governmental organizations (NGOs), media organizations, academia, legal services, and activists.

The group's strategies include posing as journalists and event organizers. This method allows APT42 to harvest credentials and acquire initial access to cloud environments, from which the group can extract valuable information.

To combat these risks, take the time to learn about the most recent social engineering techniques. Threat intelligence can also help an organization prepare for such sophisticated efforts.


  6. HellHounds, an advanced persistent threat (APT) operation, has been targeting telecommunications, information technology, government, and space industry entities across Russia using the Windows version of Decoy Dog malware. At least 48 different organizations have been compromised so far.

To establish a presence within Russian organizations and evade malware defenses, the HellHounds gang has modified open-source tools. The HellHounds toolkit, while largely built from open-source components, has been tailored to ensure long-term clandestine operations in compromised environments.

To mitigate this threat, organizations should deploy strong multi-factor authentication, update and patch their systems regularly, and use advanced threat prevention and security solutions.


  7. APT28 uses HeadLace malware and credential harvesting tactics to attack European networks. APT28 operates stealthily, using legitimate internet services (LIS) and living-off-the-land binaries (LOLBins) to hide its malicious activity inside the stream of regular network traffic, considerably complicating detection efforts.

To combat the issue, cyber security teams should defend against spear-phishing, deploy comprehensive email security services, and use multi-factor authentication.


Source: Cybertalk.org