Weekly Threat Briefing: December 2 - 6, 2024
Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Attackers Use Corrupted Files to Evade Detection
Bottom Line: Threat actors are utilizing corrupted documents and the recovery functionality of Word documents to hide malicious content.
On December 5th, researchers from Any.Run released a technical report on a novel phishing attack that exploits corrupted Word documents to bypass security systems. The campaign has reportedly been active since August 2024 and takes advantage of Microsoft (MS) Word’s built-in recovery feature, allowing the malicious files to remain undetected by most antivirus software.
The phishing campaign uses intentionally corrupted Word documents in emails that pretend to be from payroll and human resources departments. These emails often contain attachments related to employee benefits and bonuses. The filenames contain a base64-encoded string. When the recipient opens the attachment, MS Word detects that the file is corrupted and displays a message stating that it "found unreadable content" in the file.
Word then prompts the user to recover the file. Despite being corrupted, the files are designed in a way that they can be easily recovered, and when opened, they display a message asking the user to scan a QR code in order to retrieve the document. The QR code leads the user to a phishing site that masquerades as a Microsoft login page in an attempt to steal the user's credentials.
According to Any.Run, when the corrupted file was submitted to VirusTotal, no antivirus solutions flagged it as malicious. This is because most antivirus software and automated tools lack the recovery functionality found in applications like Word, which prevents them from accurately identifying the nature of the corrupted file.
The report also delves into the structure of Word documents, which, since the mid-2000s, have been organized as archives containing various parts of the document. The "Local File Header (LFH)", "End of Central Directory Record" (EOCD) and "Central Directory File Header" (CDFH) are key components in this structure. Attackers can manipulate these parts of the archive to corrupt the document while keeping it recoverable by Word.
Through hypothesis testing, the researchers found that Word is more resilient to file corruption compared to other software, such as ZIP archivers. Word was able to recover files even when the CDFH and EOCD were damaged, whereas ZIP software failed in similar scenarios.
In response to these observations, eSentire’s Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.
Secret Blizzard compromising Storm-0156
Bottom Line: A Russian state-sponsored APT group has been identified targeting other APTs. This is done to gain access to both victim organizations and sophisticated tools, while increasing the difficulty for defenders to attribute malicious activity to a specific group.
On December 4th, Lumen’s Black Lotus Labs and Microsoft released reports outlining the Russian state- sponsored APT group Secret Blizzard’s (aka. Turla, Venomous Bear, Waterbug, Snake, Turla Team, and Turla APT Group) attack on the infrastructure of the Pakistan state-sponsored threat actor group Storm-0156 (this group overlaps with Side-Copy, Transparent Tribe, and APT36).
Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of Russia’s Federal Security Service (FSB). Secret Blizzard targets various sectors, primarily focusing on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies globally. The group aims to establish long-term access to systems for intelligence gathering.
They utilize extensive resources, including multiple backdoors featuring peer-to-peer functionality and several Command-and-Control (C2) communication channels. Storm-0156 is a Pakistan state-sponsored APT group known to target government agencies, mainly from Afghanistan, and government agencies and critical infrastructure in India. The threat actor has been observed to use a mix of open-source tools and custom remote access trojans in their campaigns.
Microsoft and Lumen identified that by early November 2022, Secret Blizzard had infiltrated the Storm-0156 C2 infrastructure, and by mid-2023, they had expanded their control to include several C2 servers linked to the Storm-0156 actor. This enabled Secret Blizzard to gain insights into Storm-0156's tools, access credentials for both C2 servers and targeted networks, and exfiltrate data from earlier operations of Storm-0156. The reports did not identify the means of initial access to Storm-0156's network.
Upon the successful compromise of C2, the threat actor leveraged the access obtained by the Storm-0156 to deploy their own malware, TwoDash (Tiny Turla backdoor; a .NET backdoor) and Statuezy (Clipboard monitoring tool) into several networks linked to Afghan government entities. By mid-2024, the group used malware families previously utilized by the Storm-0156 group in attacks against Indian government agencies, such as Wainscot (a Golang-based backdoor) and CrimsonRAT (.NET-based backdoor).
Storm-0156's C2 compromise impacted Afghan government entities, such as the Ministry of Foreign Affairs, the General Directorate of Intelligence (GDI), and Afghan foreign consulates, as the Secret Blizzard group deployed backdoors on their devices. The group avoided targeting Indian organizations, with only one instance observed where Secret Blizzard used a Storm-0156 backdoor to deploy the TwoDash backdoor on a target desktop in India.
Secret Blizzard has previously also compromised other APT groups and leveraged the tools of these groups to conduct their malicious activities. In 2017, Secret Blizzard accessed tools and infrastructure associated with the Iranian state-sponsored threat actor Hazel Sandstorm (also known as OilRig, APT-34, and Crambus), as reported by Symantec and US and UK intelligence agencies.
Recommended by LinkedIn
In 2022, the group reused Andromeda malware to deploy the KopiLuwak and QuietCanary backdoors, as reported by Mandiant. Additionally, a report by Kaspersky revealed that in 2022, Secret Blizzard attempted to deploy QuietCanary using the backdoor of the Kazakhstan-based threat actor Storm-0473 (also called Tomiris).
eSentire's Threat Response Unit (TRU) recommends that organizations implement robust endpoint and network security solutions to identify suspicious activity from an APT group. Organizations must perform in-depth investigations and remediation actions upon identifying an attack by an APT group. These highly sophisticated actors establish multiple persistence mechanisms to ensure persistent access to victim devices. In rare cases like those reported by Black Lotus Labs and Microsoft, that access may be abused by separate threat actor groups.
eSentire MDR for Network detects KopiLuwak, TwoDash, and CrimsonRAT. Our Threat Response Unit (TRU) is performing indicator-based threat hunting across the client base. eSentire is actively tracking this topic for additional details and detection opportunities.
Chinese APT Activity and Five Eyes Recommendations
Bottom Line: This week, multiple security companies and intelligence agencies have discussed the threat of Chinese state-sponsored threat actors targeting critical infrastructure, including telecommunication companies. Five Eye’s Intelligence agencies have provided a list of best practices for defending against these attacks.
Chinese state-sponsored APT groups remain in the headlines this week with two recent reports on ongoing campaigns. On December 6th, Microsoft’s Redmond Security Research Group shared information on Storm-0227, a threat actor that is confirmed to have targeted critical infrastructure organizations and U.S. government agencies as recently as December 5th.
On December 3rd, Five Eyes intelligence agencies (CISA, NSA, FBI, ASD, ACSC, NCSC-NZ) released a joint publication warning of ongoing attacks by People’s Republic of China (PRC) affiliated threat actors against organizations in the telecommunications industry.
Storm-0227 is a PRC affiliated threat group that has been active since at least January 2024. They primarily target U.S. organizations in the “defense industrial base, aviation, telecommunications, financial and legal services industries, plus government and non-governmental agencies”.
Information on the group’s ongoing campaign is minimal, but Storm-0227 is reported to target vulnerabilities in Internet-facing applications, as well as employing spear-phishing emails with malicious attachments and links, for initial access into victim organizations. This activity resulted in the deployment of malware and theft of cloud credentials leading to the exfiltration of emails and other sensitive files.
According to the recent report from Five Eyes intelligence agencies, “People’s Republic of China (PRC)- affiliated threat actors compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.”
In response to this campaign against telecommunication organizations, a list of recommendations and security best practices for both Network Defenders and Network Engineers has been released. In total, the report includes 39 technical recommendations, a subset of which are shown below.
Network Defenders:
Network Engineers:
eSentire maintains a variety of detections for known Chinese APT TTPs. The Our Threat Response Unit (TRU) team is actively monitoring this topic for additional details and detection opportunities.
About the eSentire Threat Response Unit (TRU)
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.