TLP: CLEAR - This information may be shared publicly
eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
2024/02/09
*This advisory will be posted to the eSentire website shortly
Bottom Line: Chinese state-sponsored actor Volt Typhoon is actively positioning themselves in the networks of critical U.S. infrastructure. Volt Typhoon actors employ advanced tactics including Living Off The Land (LOTL) techniques, valid account usage, and strong operational security to maintain long-term access within victim networks, complicating detection efforts.
On February 7th, CISA, NSA, FBI, along with Five Eyes intelligence partners, published a joint advisory related to state-sponsored actors from the People’s Republic of China (PRC), specifically the Volt Typhoon APT group. According to this report, Volt Typhoon is actively compromising U.S. critical infrastructure sectors with the intent of pre-positioning for potential disruptive or destructive cyberattacks during crises or conflicts. The group has been observed using a variety of tools and techniques to target organizations in the U.S. as well as other countries. They are specifically targeting government organizations, communications, energy, transportation, and water/wastewater facilities.
In observed attacks, the group performs significant reconnaissance on targeted organizations and end-users. Separate campaigns are run to compromise Cisco and NETGEAR SOHO routers, which are then used as proxies to hide Command and Control (C2) infrastructure. For initial access into victim organizations, the group is known to exploit both known and zero-day vulnerabilities across a variety of products including Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco devices. Once access has been established, Volt Typhoon directly interacts with victim networks via the command line or other native tools and processes (i.e., Living Off the Land). For persistent access into breached networks, the group relies on compromised valid credentials. User credentials are gained through a variety of different means, including exploitation of public-facing appliances, insecurely stored credentials, extracting the Active Directory database file (NTDS.dit), enumerating existing stored sessions, credential dumping through LSASS, and use of the Mimikatz and Impacket tools. CISA has identified Volt Typhoon exfiltrating zipped files via Server Message Block (SMB). Information targeted by Volt Typhoon could be used to facilitate follow-on attacks and additional malicious actions.
Organizations across impacted regions and industries are strongly encouraged to proactively review and apply the recommendations included in CISA’s joint advisory.
Volt Typhoon is a highly sophisticated threat actor group with a variety of tools and techniques that can be applied during attacks. As such, it is critical that organizations follow a defense-in-depth approach that includes Network, Endpoint, and Log monitoring to identify malicious activity.
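The log-monitoring recommendation above can be made concrete. The following is an added example written for this briefing (not code from eSentire, CISA or the joint advisory) that runs a handful of detection rules over a small set of constructed, normalised Windows Security events: 4688 process-creation lines that reference NTDS.dit, an LSASS memory dump, or Mimikatz/Impacket tooling, and a 5145 share-access line for a zip archive on an administrative share. Host names, user names, paths and the event layout are all assumptions. Because Volt Typhoon relies on valid accounts rather than malware, the example correlates alerts on the user identity rather than the host, so that credential access on one machine and SMB staging on another still surface as a single chain.

```python
import re
from collections import defaultdict

# Constructed sample events (hypothetical hosts, users and paths), shaped like
# a normalised export of Windows Security log events 4688 (process creation)
# and 5145 (network share object access). This is not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "DC01", "user": "CORP\\svc_backup",
     "command_line": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit"},
    {"event_id": 4688, "host": "DC01", "user": "CORP\\svc_backup",
     "command_line": "svchost.exe -k netsvcs -p"},
    {"event_id": 4688, "host": "WS042", "user": "CORP\\jdoe",
     "command_line": "procdump.exe -accepteula -ma lsass.exe C:\\temp\\l.dmp"},
    {"event_id": 4688, "host": "WS042", "user": "CORP\\jdoe",
     "command_line": "python.exe secretsdump.py corp.local/jdoe@dc01"},
    {"event_id": 5145, "host": "FS01", "user": "CORP\\svc_backup",
     "share_name": "\\\\*\\C$", "relative_target_name": "temp\\staging.zip",
     "access_mask": "0x1"},
    {"event_id": 5145, "host": "FS01", "user": "CORP\\asmith",
     "share_name": "\\\\*\\Finance", "relative_target_name": "Q4\\budget.docx",
     "access_mask": "0x1"},
]


def _cmd(ev):
    return ev.get("command_line", "")


# Each rule: (rule name, kill-chain stage, predicate over one event).
# Rule names and stage labels are our own, not an eSentire or CISA taxonomy.
RULES = [
    ("ntds_dit_access", "credential_access",
     lambda ev: ev["event_id"] == 4688
     and re.search(r"ntds\.dit", _cmd(ev), re.I) is not None),
    ("lsass_memory_dump", "credential_access",
     lambda ev: ev["event_id"] == 4688
     and re.search(r"lsass", _cmd(ev), re.I) is not None
     and re.search(r"\bdump|-ma\b|\.dmp\b", _cmd(ev), re.I) is not None),
    ("credential_tooling", "credential_access",
     lambda ev: ev["event_id"] == 4688
     and re.search(r"mimikatz|sekurlsa|secretsdump|impacket", _cmd(ev), re.I) is not None),
    ("zip_on_admin_share", "exfiltration",
     lambda ev: ev["event_id"] == 5145
     and re.search(r"\\(C|ADMIN)\$$", ev.get("share_name", ""), re.I) is not None
     and ev.get("relative_target_name", "").lower().endswith(".zip")),
]


def scan(events):
    """Return one alert dict per (event, matched rule) pair."""
    alerts = []
    for ev in events:
        for name, stage, predicate in RULES:
            if predicate(ev):
                alerts.append({"rule": name, "stage": stage,
                               "host": ev["host"], "user": ev["user"]})
    return alerts


def correlate_by_user(alerts):
    """Map each user to the sorted list of stages their alerts cover.

    Valid-account abuse means the same identity shows up on several hosts,
    so the identity, not the host, is the pivot for correlation.
    """
    stages = defaultdict(set)
    for alert in alerts:
        stages[alert["user"]].add(alert["stage"])
    return {user: sorted(s) for user, s in stages.items()}


def users_with_full_chain(events):
    """Users whose activity spans both credential access and SMB zip staging."""
    chains = correlate_by_user(scan(events))
    return sorted(user for user, stages in chains.items()
                  if {"credential_access", "exfiltration"} <= set(stages))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['rule']:<22} host={alert['host']:<6} user={alert['user']}")
    print("full chain:", users_with_full_chain(SAMPLE_EVENTS))
```

Individual rules like these are noisy in a real environment (backup operators legitimately touch NTDS.dit, administrators legitimately copy archives over C$), which is why the example keeps per-rule alerts and a correlated view separate: the single-rule hits feed triage, while an identity that spans credential access and staging is the higher-confidence signal worth escalating.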
Given the scope and scale of the intrusions reported by the FBI and Five Eyes partners, and the strategic patience required to conduct this type of operation, the eSentire Threat Intelligence team assesses there is a realistic possibility this positioning by Volt Typhoon is in part a response to the August 2022 visit to Taiwan by members of the U.S. Congress. At the time it was widely reported that China's defense ministry stated it ‘will launch "targeted military operations" in response to U.S. House Speaker Pelosi's visit to Taiwan’.
It should be noted that pre-positioning for destructive attacks is a major shift in Chinese APT activity. In the past, Chinese APT groups have heavily focused on data theft and espionage. Destructive attacks and wiper malware seem to be a growing trend amongst state-sponsored threat actors. Russian APT groups have made heavy use of wiper malware since the beginning of the 2022 Ukraine-Russia conflict. Additionally, there are increasing reports of wiper malware being used by Iranian APT groups to target Israeli-based organizations. It is probable that APT groups and hacktivists will heavily rely on wiper malware in the context of future conflicts, whereas wipers are less likely to be used by financially motivated threat actors, as there is no simple means of monetization.
Bottom Line: AnyDesk, a widely used remote access software, experienced a significant security breach leading to the theft of code signing certificates and source code. Stolen certificates and source code may be employed by threat actors to bypass trust controls to execute malware on victim devices.
On February 2nd, the remote desktop application company confirmed it was impacted by a cyberattack on its production systems. The breach was discovered during a security audit that was carried out after unusual activity was identified. In response to the incident, AnyDesk “revoked all security-related certificates and systems have been remediated or replaced where necessary.” Additionally, AnyDesk’s “assessment concluded that there was only a theoretical risk of credentials being compromised.” However, as a precautionary measure, they have forced a password reset for all users.
Updated versions of AnyDesk signed with a new certificate will be made available shortly. AnyDesk is asking users to update to the latest versions once they are published. Details on specific versions can be found on AnyDesk’s Incident FAQ.
AnyDesk is extensively used in various sectors, including enterprises for remote support. The breach's timing and the rapid response indicate a growing trend of targeted attacks against technology providers, emphasizing the critical nature of cybersecurity in protecting infrastructure and sensitive information.
The timeline surrounding the AnyDesk breach raises questions about the transparency and speed of the company's disclosure to its users and the public. AnyDesk updated its software on January 29th, as indicated by the changelog entry stating, "Exchanged code signing certificate. The previous certificate will be invalidated soon. Please update." However, the formal announcement of the cyberattack and its implications did not come until the end of the day on February 2nd. This delay in public disclosure, while the company took steps internally to mitigate the breach's impact by updating the software and revoking the compromised certificate, highlights a critical dilemma in incident response management: balancing the need for immediate user notification against the risk of providing incomplete information or potentially hindering ongoing response efforts.
The gap between AnyDesk's awareness of the breach and its public acknowledgment might reflect the company's cautious approach to ensure accurate and comprehensive analysis of the incident's scope. It also underscores the challenges that organizations face in managing communications following a cybersecurity incident, particularly when dealing with complex issues like the theft of code signing certificates, which could have far-reaching implications for software integrity and user trust.
The breach of AnyDesk's production servers highlights the role of a defense-in-depth strategy and the importance of Endpoint Detection and Response (EDR) tools. Defense-in-depth is a layered approach to security that employs multiple defensive mechanisms to protect information and systems. This strategy assumes that if one layer fails, another will succeed in its place, thereby providing a comprehensive safeguard against a wide range of cyber threats.
EDR tools are a cornerstone of this multilayered defense strategy, especially as detections are primarily behavior-based. Unlike traditional antivirus solutions that rely on known signatures to identify threats, EDR systems monitor and evaluate behaviors and anomalies in real-time. This capability is crucial for detecting sophisticated cyberattacks, including zero-day exploits, Advanced Persistent Threats (APTs), and compromised code signing certificates which may not have known signatures but exhibit irregular patterns indicative of malicious activity.
Bottom Line: Since the outbreak of hostilities between Hamas and Israel in October 2023, Iranian-aligned threat actors have intensified their pro-Hamas cyber and influence operations.
On February 6th, Microsoft released a report detailing the latest activity in the region. Iran’s cyber-enabled operations targeting Israel have followed a three-stage approach. In Phase 1 (Reactive and Misleading), threat actors leveraged pre-existing access to perform cyberattacks and re-used old leaked data to claim new attacks. In Phase 2 (All Hands on Deck), Iran increased the number of threat actor groups targeting Israel and shifted to performing destructive attacks. Additionally, Iranian threat actor groups began to increasingly share information and tradecraft amongst themselves. In Phase 3 (Expanded Geographic Scope), attacks became more targeted and shifted to include other regions such as Albania, Bahrain, and the USA. The attacks have also increasingly included hacktivist-type language, with specific reference to Israel.
In their analysis of Iran's cyber operations, Microsoft identifies four primary objectives that Iran aims to achieve. First, Iran seeks to destabilize its targets by exacerbating domestic political and social rifts, a tactic aimed at creating polarization within societies. Second, through the use of hacktivist personas, Iran aims for retaliation, seeking revenge for actions taken by the Israeli government. Third, Iran's operations are designed to intimidate, undermining the security of Israel and its citizens, as well as threatening the families of Israeli Defense Forces (IDF) soldiers to erode morale and create a climate of fear. Lastly, Iran endeavors to undermine international support for Israel by focusing on and highlighting the damage caused by Israeli military actions in Gaza, aiming to sway global opinion against Israel.
Iran's cyber operations have transitioned from a reactive stance to a proactive, all-hands-on-deck approach, significantly increasing the threat landscape for Israel and its allies. This shift indicates Iran's intent to assert its influence and capabilities on the global stage through cyber means, posing a sustained and evolving threat.
Microsoft assesses that based on cyber activity to date, “Iranian influence operations and cyberattacks will continue to be more targeted, more collaborative and more destructive as the Israel-Hamas conflict drags on. Iran will continue to test redlines, as they have done with an attack on an Israeli hospital and U.S. water systems in late November.” This reporting validates the assessment provided by the eSentire Threat Intelligence team on October 10th in the advisory titled ‘Cyber Threats due to Gaza and Israel-Hamas Conflict’, in which the eSentire Threat Intelligence team assessed that the ongoing conflict would increase the region's Advanced Persistent Threat (APT) activity.
U.S.-Iranian tensions are currently high, due to an attack on U.S. troops in Jordan by the Iranian-backed Iraqi military group Kataib Hezbollah and a U.S. missile strike which resulted in the death of a Kataib Hezbollah leader. Due to the escalating tensions between the U.S. and Iran, it is probable that Iranian APT groups will shift to increasingly target both government and private organizations in the U.S.
The increase in Iranian cyber operations is part of a broader strategy to support Hamas against Israel, reflecting Iran's long-standing opposition to Israeli policies. The operations are characterized by a mix of cyberattacks aimed at disruption and influence campaigns designed to sway public opinion and destabilize regional security. These efforts are in line with Iran's historical use of asymmetric warfare tactics, leveraging cyber capabilities to achieve strategic objectives against more conventionally powerful adversaries.
Iran's cyber operations against Israel and its allies showcase a sophisticated understanding of cyber warfare's strategic potential. The use of influence operations, rapid adoption of new exploits, and targeted attacks on critical infrastructure demonstrate Iran's commitment to advancing its cyber capabilities.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.