TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Researchers have identified a prolonged intrusion attributed to a China-nexus APT group dubbed Velvet Ant. The group employs novel techniques and establishes long-term persistence in victim environments, including on legacy network appliances, to enable data theft and espionage over multiple years.
On June 17th, researchers from Sygnia released a technical report outlining a three-year intrusion attributed to a China-nexus APT group tracked as Velvet Ant. Velvet Ant gained access to “a large organization” in late 2020; the activity went unnoticed for approximately two years, and threat actor activity continued for another year after discovery before the incident was fully remediated. The goal of the operation is believed to have been espionage.
The initial access method used in late 2020 was not identified. When Sygnia began remediation, Velvet Ant quickly regained access via a previously deployed PlugX Remote Access Trojan (RAT). For lateral movement, the group used Impacket's wmiexec.py, and it deployed additional malware, including VELVETSTING, VELVETTAP, SAMRID, and ESRDE, on compromised systems. For additional persistence, Velvet Ant compromised a legacy, Internet-exposed F5 BIG-IP appliance and used it as a stealthy internal Command-and-Control (C2) server.
As malware was removed from compromised assets, Velvet Ant pivoted to alternative entry points, focusing on legacy and unmonitored systems in order to maintain access to the victim network for as long as possible.
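The wmiexec.py lateral movement described above leaves a recognizable process-creation shape on the target: the WMI provider host (WmiPrvSE.exe) spawns cmd.exe with output redirected to a "__<timestamp>" file on the ADMIN$ share of 127.0.0.1, which the tool then reads back over SMB. The following Python triage routine is an added example, not code from the Sygnia report or eSentire's detection content; it assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine, Computer), and the sample events, hostnames and paths are constructed, not real telemetry.

```python
"""Triage process-creation events for Impacket wmiexec.py tradecraft.

Added example, not from the Sygnia report or eSentire's detection content.
Assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine);
the sample events below are constructed, not real telemetry.
"""
import re

# wmiexec.py runs each command via Win32_Process.Create, so cmd.exe is spawned
# by the WMI provider host (WmiPrvSE.exe). By default it redirects output to a
# file named "__<epoch time>" on the ADMIN$ share of the loopback address so it
# can read the result back over SMB, e.g.:
#   cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718800000.1234 2>&1
LOOPBACK_OUTPUT_FILE = re.compile(
    r"\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__\d+(?:\.\d+)?", re.IGNORECASE
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    if parent != "wmiprvse.exe" or child != "cmd.exe":
        return "none"
    # Exact default wmiexec.py shape: loopback share plus __timestamp output file.
    if "/q /c" in low and LOOPBACK_OUTPUT_FILE.search(cmd):
        return "high"
    # Same parent/child chain with output redirected to some UNC path: the
    # operator may have changed the share (-share) or the output file name.
    if "/q /c" in low and "2>&1" in low and re.search(r"1>\s*\\\\", cmd):
        return "medium"
    return "none"


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, severity, command line) for every event that is not 'none'."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev != "none":
            hits.append((ev["Computer"], sev, ev["CommandLine"]))
    return hits


# Constructed sample telemetry (hostnames and paths are hypothetical).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718800000.1234 2>&1"},
    {"Computer": "WS22", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"Computer": "FS01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c ipconfig /all 1> \\FS01\C$\Windows\Temp\out.txt 2>&1"},
    {"Computer": "DC01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for host, sev, cmd in triage(SAMPLE_EVENTS):
        print(f"{sev:6} {host}: {cmd}")
```

The "high" tier keys on the default output path, which is the strongest artifact; the "medium" tier keeps the WmiPrvSE.exe to cmd.exe chain with a redirected UNC output, since an operator can change the share with a flag. Benign WMI-triggered processes without output redirection (the PowerShell event above) are deliberately ignored, and an operator who passes a command that does not redirect output at all will not be caught by this check, so pair it with SMB share-access and WMI-over-DCOM logging where available.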
The eSentire product suite maintains a wide variety of detections of known Chinese APT malware, such as PlugX.
This Velvet Ant campaign, and specifically the group's ability to maintain access over a three-year period, underscores the operational security and adaptability of state-sponsored actors. The group's prolonged presence and its use of legacy systems and network appliances for persistence demonstrate a deep understanding of the target environment; it is probable that significant reconnaissance occurred before any overtly malicious activity, such as data exfiltration. The incident highlights the criticality of fully investigating and remediating breaches: Velvet Ant established multiple footholds in the victim network, so when one was discovered, the attackers could pivot to another and continue operations.
PlugX has been in active use since at least 2012. It was initially used only by Chinese state-sponsored groups but has since been adopted by a variety of other actors. Because it remains common among Chinese APT groups, the identification of PlugX on a host warrants an in-depth investigation to identify other malware or persistence mechanisms that may have been deployed alongside it.
According to CISA, Chinese APTs “remain the most active and persistent cyber threat to US Government, private-sector, and critical infrastructure networks”. Defending against sophisticated targeted attacks requires layered security. Organizations are strongly recommended to deploy endpoint monitoring to all workstations and servers, regularly audit Internet-facing applications ensuring vulnerabilities are patched, enforce the use of Multi-Factor Authentication (MFA), and confirm logging is enabled where feasible.
Bottom Line: UNC3886, a suspected China-nexus cyber espionage actor, has been exploiting zero-day vulnerabilities in VMware vCenter Server and ESXi to backdoor guest virtual machines, enabling remote code execution and data theft.
On June 18th, Mandiant released a report discussing the Tactics, Techniques, and Procedures (TTPs) employed by the China-nexus espionage group UNC3886 in recent years. UNC3886 has been active since late 2021 and is known to target prominent strategic organizations globally. The group has exploited a variety of zero-day vulnerabilities, including CVE-2023-34048 (VMware vCenter Server, CVSS:9.8), CVE-2022-41328 (Fortinet FortiOS, CVSS:7.1), CVE-2022-22948 (VMware vCenter Server, CVSS:6.5), and CVE-2023-20867 (VMware Tools, CVSS:3.9).
Once initial access has been gained, UNC3886 employs multi-layered persistence techniques, backdoors, rootkits, and custom malware. Deployed families include REPTILE, MEDUSA, MOPSLED, RIFLESPINE, VIRTUALSHINE, VIRTUALPIE, and VIRTUALSPHERE, which are used to maintain access, evade detection, and move laterally within compromised networks.
UNC3886 relied heavily on harvesting legitimate credentials via its backdoors and then using them to move laterally between guest virtual machines hosted on the compromised VMware ESXi infrastructure. The group also captured TACACS+ credentials, both with the LOOKOVER sniffer and by replacing the legitimate TACACS+ daemon on Linux with a backdoored version.
Mandiant has observed UNC3886 targeting organizations in North America, Southeast Asia, and Oceania, and has identified evidence of additional victims in Europe, Africa, and other parts of Asia. Targeted sectors include government, telecommunications, technology, aerospace and defense, and energy and utilities.
UNC3886's exploitation of the VMware vCenter Server vulnerability CVE-2023-34048 as a zero-day for roughly two years before a patch was released highlights the severe risk state-sponsored threat actors pose to enterprises and government organizations globally. The use of multi-layered persistence techniques, backdoors, rootkits, and custom malware underscores the group's sophistication.
UNC3886's adaptability suggests the group will continue to mount complex attacks against government and other high-value organizations. Defenders should follow vendor security guidance, keep defenses updated, and implement proactive measures against the group's increasingly sophisticated tradecraft.
Endpoint Detection and Response (EDR) products are a mitigating factor against zero-day vulnerabilities: in the event of successful exploitation, EDR can identify post-compromise activity and limit the damage to an organization. Note that EDR agents generally cannot be installed on the ESXi hypervisor itself, so coverage there must come from agents inside the guest VMs and from monitoring of hypervisor and vCenter logs and the management plane.
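Swapping a legitimate daemon for a backdoored build, as described for the TACACS+ daemon above, is caught by comparing on-disk hashes against a known-good baseline rather than by trusting timestamps or file sizes. The following Python script is an added example and is not from the Mandiant report; the file names stand in for the TACACS+ daemon and its configuration, and the directory and contents are constructed in a temporary location so it runs offline.

```python
"""Detect a replaced system daemon by comparing on-disk hashes to a baseline.

Added example, not from the Mandiant report. File names below stand in for the
TACACS+ daemon and its configuration; the directory and contents are constructed
in a temp location so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: list[Path]) -> dict[str, str]:
    """Record path -> SHA-256 for known-good files (store this off-host, signed)."""
    return {str(p): sha256_file(p) for p in paths}


def verify_baseline(baseline: dict[str, str]) -> dict[str, str]:
    """Return path -> 'ok' | 'modified' | 'missing' for each baselined file."""
    results = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.is_file():
            results[path] = "missing"
        elif sha256_file(p) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def simulate_daemon_swap() -> dict[str, str]:
    """Baseline a fake tac_plus install, swap the binary, and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        daemon = root / "tac_plus"        # hypothetical stand-in for /usr/sbin/tac_plus
        config = root / "tac_plus.conf"   # hypothetical stand-in for /etc/tac_plus.conf
        daemon.write_bytes(b"\x7fELF legitimate tac_plus build")
        config.write_text("key = example-shared-secret\n")
        baseline = build_baseline([daemon, config])

        # Attacker replaces the daemon with a build that logs cleartext credentials.
        # A size-preserving or timestomped swap still changes the hash.
        daemon.write_bytes(b"\x7fELF backdoored tac_plus build")

        return {Path(k).name: v for k, v in verify_baseline(baseline).items()}


if __name__ == "__main__":
    for name, status in simulate_daemon_swap().items():
        print(f"{status:8} {name}")
```

Two caveats for real use: the baseline must live off the monitored host (or be signed) so an attacker with root cannot update it alongside the binary, and because the same report describes kernel rootkits such as REPTILE and MEDUSA, hashing from a live userland on a suspect host may be shown a clean file. Run the check from a trusted boot or an offline disk image, and cross-check with the package manager's own signed manifests (`rpm -V` or `dpkg --verify`) where the daemon was installed from a package.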
eSentire has conducted threat hunts for known Indicators of Compromise (IoCs). Additionally, eSentire MDR for Network and eSentire MDR for Endpoint have detections in place for tools used in this campaign. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify the vulnerabilities exploited by the group.
Bottom Line: The U.S. government has banned the sale and use of Kaspersky endpoint and anti-virus software in response to concerns that Kaspersky is a national security threat. While the company's products have been banned for use by U.S. government agencies since 2017, Kaspersky products are now banned for both sale and use across the U.S.
On June 20th, the United States Department of Commerce's Bureau of Industry and Security (BIS) announced a ban on the sale of Kaspersky antivirus and endpoint security software within the United States, citing security concerns over Kaspersky's alleged ties to the Russian government. Kaspersky is barred from entering into new sales agreements with U.S. customers as of July 20th, 2024, and from providing software updates or malware signature refreshes to existing U.S. installations as of September 29th, 2024, after which the protection those installations provide will degrade rapidly. The staged timeline is intended to give current Kaspersky customers time to transition to alternative products.
This ban is the result of longstanding warnings from the U.S. intelligence community, which has considered Kaspersky a national security threat. The concerns center on allegations that Moscow could exploit the company's antivirus software, which runs with high privileges and can collect files from the systems it protects, to conduct surveillance on its users. In September 2017, the U.S. Department of Homeland Security (DHS) issued Binding Operational Directive 17-01, requiring all U.S. federal agencies to stop using software products from Kaspersky Lab. The Dutch government followed suit shortly afterwards, phasing out its use of Kaspersky software.
Kaspersky released a statement on X (formerly Twitter), stating “Kaspersky believes that the Department of Commerce made its decision based on the present geopolitical climate and theoretical concerns, rather than on a comprehensive evaluation of the integrity of Kaspersky’s products and services.” The company argues that the ban will hinder international cybersecurity cooperation and limit consumer choice, forcing users to replace effective anti-malware technology. Despite the ban, Kaspersky remains committed to protecting against cyber threats and reports strong business growth. The company plans to pursue legal options to maintain its operations and defend its reputation.
Previously banned for use by US government agencies, Kaspersky products are now banned for both sale and use across the US. It is critical for organizations using Kaspersky software to transition to alternative cybersecurity solutions immediately to ensure continued protection.
In their press release the BIS stated, “[i]ndividuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination. However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.” While the 2017 ban of Kaspersky products for federal agencies should have been a warning for all organizations, the recent expansion of the ban highlights the severity of these risks. Although no legal penalties are imposed on those continuing to use Kaspersky products, the responsibility and associated cybersecurity risks are significant.
While the BIS has not presented public evidence of Kaspersky conducting malicious activity, the company's ties to Russia raise concerns, particularly amid current geopolitical tensions, and the potential for further escalation makes those ties a national security problem. The precautionary ban underscores the importance of addressing vendor and supply-chain risk before a worsening geopolitical climate turns it into an active threat; organizations should account for a vendor's geopolitical affiliations in their risk assessments and take appropriate action.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.