TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Rapid7 has released a report on the CleverSoar malware installer, which includes sophisticated capabilities such as EDR evasion, geographic targeting, and rootkit deployment. eSentire has recently observed this threat across multiple customer environments.
On November 27th, Rapid7 released a report on a new, evasive malware installer, CleverSoar, targeting Chinese and Vietnamese-speaking users. This sophisticated malware deploys advanced malicious tools such as the Winos4.0 framework and the Nidhogg rootkit to enable data exfiltration, keystroke logging, system control, and security bypasses. Rapid7 states that the nature of the attack indicates a prolonged espionage effort focused on data capture and surveillance.
The CleverSoar malware is primarily distributed via a .msi installer package, which extracts and executes the CleverSoar installer. According to Rapid7, the installer is being used to specifically target Chinese- and Vietnamese-speaking users. The installer uses advanced techniques to evade detection, including checking the system’s firmware table for signs of a virtual environment and bypassing the Windows Defender emulator. It performs several system checks, including verifying whether the operating system is Windows 10 or 11, and attempts to prevent third-party DLL injection, which makes it harder for antivirus and EDR solutions to observe the malware. Timing-based anti-debug checks and checks for usernames associated with known sandboxes and emulators are also performed to further evade detection.
Upon successful evasion, the CleverSoar installer checks the system language and terminates if the language is not Chinese or Vietnamese. It then creates registry keys and files to persist on the system and ensures the malware runs with elevated privileges. The installer also attempts to disable security solutions by searching for processes associated with popular antivirus products and modifies system settings to hinder detection.
CleverSoar creates a new service called “Nidhogg” that loads a rootkit at startup, allowing the threat actor to maintain control over the infected system. The Nidhogg rootkit provides a low-level, stealthy foothold by modifying kernel-level components, making it difficult to detect with traditional antivirus tools. The malware also installs a scheduled task for persistence that disables the Windows Firewall. CleverSoar then executes additional payloads, including the 'winnt.exe' and 'runtime.exe' binaries, which are associated with the Winos4.0 Command and Control (C2) framework and a custom backdoor, respectively.
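The behaviours described above (a kernel-mode service named Nidhogg installed from a non-standard path, a scheduled task that turns the firewall off, and the winnt.exe / runtime.exe payloads launched from a user-writable directory) map directly onto hunt logic over Windows event logs. The following is an added example written for this briefing, not code from Rapid7 or eSentire: it runs three such rules over constructed sample events whose field names loosely follow System 7045 (service installed), Security 4698 (scheduled task created) and Sysmon 1 (process created) records as a SIEM might export them. The sample paths, task name and the msiexec.exe parent are assumptions chosen to illustrate the rules, not indicators from the report.

```python
import re

# Constructed sample events (not real telemetry). Field names mirror common
# Windows System/Security/Sysmon log fields as exported by a SIEM.
SAMPLE_EVENTS = [
    # System 7045: kernel driver service installed outside the drivers directory
    {"event_id": 7045, "service_name": "Nidhogg",
     "image_path": r"C:\ProgramData\Nidhogg.sys",
     "service_type": "kernel mode driver", "start_type": "auto start"},
    # System 7045: legitimate Defender filter driver (must not alert)
    {"event_id": 7045, "service_name": "WdFilter",
     "image_path": r"C:\Windows\System32\drivers\WdFilter.sys",
     "service_type": "kernel mode driver", "start_type": "boot start"},
    # Security 4698: scheduled task whose action turns the firewall off
    {"event_id": 4698, "task_name": r"\Update",
     "command": "netsh.exe", "arguments": "advfirewall set allprofiles state off"},
    # Security 4698: benign built-in task (must not alert)
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o"},
    # Sysmon 1: Winos4.0 loader launched from a user-writable path (parent is an assumption)
    {"event_id": 1, "image": r"C:\Users\Public\Libraries\winnt.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    # Sysmon 1: ordinary process (must not alert)
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# netsh advfirewall ... state off, or the PowerShell equivalent
FIREWALL_OFF = re.compile(
    r"advfirewall\s+set\s+\w+\s+state\s+off|set-netfirewallprofile.*-enabled\s+false", re.I)
PAYLOAD_NAMES = {"winnt.exe", "runtime.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def hunt(events):
    """Return one alert dict per event matching a CleverSoar-style rule."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045:
            path = ev.get("image_path", "").lower()
            is_driver = "kernel" in ev.get("service_type", "").lower()
            # Known service name, or any kernel driver loaded from outside the trusted directory
            if ev.get("service_name", "").lower() == "nidhogg" or (
                    is_driver and not path.startswith(TRUSTED_DRIVER_DIR)):
                alerts.append({"rule": "suspicious_kernel_service",
                               "service": ev["service_name"], "path": ev["image_path"]})
        elif eid == 4698:
            action = f"{ev.get('command', '')} {ev.get('arguments', '')}"
            if FIREWALL_OFF.search(action):
                alerts.append({"rule": "task_disables_firewall",
                               "task": ev["task_name"], "action": action.strip()})
        elif eid == 1:
            image = ev.get("image", "").lower()
            name = image.rsplit("\\", 1)[-1]
            # Payload names from the report, launched from outside system directories
            if name in PAYLOAD_NAMES and not image.startswith(SYSTEM_DIRS):
                alerts.append({"rule": "payload_from_user_path",
                               "image": ev["image"], "parent": ev.get("parent_image")})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The driver rule deliberately fires on any kernel-mode service installed from outside the drivers directory rather than only on the name "Nidhogg", since a renamed build of the same rootkit would otherwise slip through; expect to whitelist a few legitimate third-party drivers when running it over real telemetry.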
Disabling or bypassing security solutions, such as Antivirus software, Firewalls, or Endpoint Detection and Response (EDR) tools, significantly increases the risk of successful cyberattacks. Once these protections are compromised, attackers can operate with greater freedom, enabling them to conduct activities such as data exfiltration, lateral movement, and installation of additional malicious payloads, all while staying undetected. In some cases, attackers also deploy backdoors or rootkits to maintain long-term access to the compromised system.
eSentire has recently observed incidents matching the techniques described in the Rapid7 report, where attackers deployed an MSI file onto the victim’s system, used malicious commands to create persistent services, and attempted to install rootkits. The creation of kernel-level services, along with the use of non-standard file paths and scheduled tasks, suggests a sophisticated effort to maintain undetected access to the compromised system. While data exfiltration was not observed in these incidents, as the hosts were immediately isolated by eSentire’s SOC, the techniques used to gain persistent access and maintain control suggest that the next step in the attack would very likely involve collecting sensitive data and transferring it to the attackers’ Command-and-Control (C2) servers. eSentire has observed CleverSoar incidents across a range of countries, not only China or Vietnam.
To mitigate the risk of attackers tampering with security solutions and ensure systems remain protected during a targeted attack, employ a multi-layered security architecture that provides protection even if one layer is bypassed. This should include Endpoint Detection and Response (EDR), Intrusion Detection/Prevention Systems (IDS/IPS), and Firewalls. Each layer should offer overlapping detection capabilities to identify threats, even if one layer is compromised.
In response to these observations, eSentire’s Threat Intelligence team is performing Indicator-based threat hunts and validating detection coverage. eSentire MDR Suite has detections in place to identify the activities associated with the CleverSoar Installer. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.
Bottom Line: APT28 was recently identified gaining access to organizations via previously compromised companies in the physical vicinity of the target organization, utilizing the first compromise for lateral movement. This tactic has been dubbed the “Nearest Neighbor” attack.
On November 22nd, Volexity published a report detailing cyberattacks attributed to the Russian state-sponsored Advanced Persistent Threat (APT) group APT28 (aka GruesomeLarch, Forest Blizzard, Sofacy, Fancy Bear). These attacks involved a previously undocumented technique dubbed the Nearest Neighbor attack. While the campaign is only now being publicly disclosed, it initially occurred in early 2022.
APT28 targeted organizations in Ukraine and organizations engaged in Ukraine-related projects. In the observed attacks, the threat actors first attempted to gain initial access via password-spraying attacks, but these failed because the targeted services were protected by Multi-Factor Authentication (MFA). APT28 then turned to less secure organizations located in the physical vicinity of the primary target. The primary target’s enterprise Wi-Fi did not require MFA, so a valid username and password alone were enough to authenticate, leaving it exposed to the same password-spraying and brute-force attacks. The actors moved laterally within the secondary organization until they had compromised devices with both a wired network connection and a Wi-Fi adapter. These dual-homed devices were then used to connect to the SSID of the primary target’s Wi-Fi and authenticate to it, granting APT28 access to the organization.
Following successful access to the primary target, APT28 was identified employing Living-Off-the-Land (LotL) tools, exploiting a now-patched Windows zero-day vulnerability for privilege escalation, and collecting and exfiltrating sensitive data. The goal of this activity is believed to be intelligence gathering for espionage purposes preceding Russia’s invasion of Ukraine.
This is the first confirmed incident of threat actors compromising secondary targets in order to reach the primary organization via exposed Wi-Fi. Tactics like the Nearest Neighbor attack highlight the importance of applying the same strength of security controls to Wi-Fi networks as to internet-facing applications. To prevent similar attacks, organizations should harden access requirements for Wi-Fi networks, including implementing MFA. Endpoint agents should be deployed across workstations and servers to identify any post-compromise activity. It should be noted that this campaign was carried out by a highly sophisticated APT, and only after more traditional initial access methods had failed. Following security best practices will stop low-skilled actors and raises the cost of access for even sophisticated threat actors.
APT28 has been engaged in cyberattacks since at least 2014, and the group’s activity is focused on espionage. While the Nearest Neighbor attack has so far only been identified in attacks on organizations related to Ukraine, it is highly probable that APT28 will employ it against hardened organizations in other geographic locations as its intelligence-gathering requirements evolve. Now that the technique has been publicized, eSentire’s Threat Intelligence team assesses it is almost certain that other advanced threat actor groups and state-sponsored APTs will adopt it.
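A Wi-Fi network that accepts a bare username and password is exposed to exactly the password spraying that MFA blocked on the internet-facing services, so the corresponding detection is a spray pattern in the RADIUS / 802.1X authentication log: one client MAC address failing against many distinct usernames in a short window, possibly followed by a success. The following is an added example written for this briefing, not code from Volexity or eSentire. The log format is constructed (a simplified rendering of Windows NPS events, where 6273 denotes access denied with reason code 16 for bad credentials and 6272 denotes access granted); the MAC addresses, usernames, SSID and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real logs). One line per authentication attempt:
# <timestamp> <event id> ssid=<SSID> mac=<client MAC> user=<account> reason=<NPS reason code>
SAMPLE_LOG = """\
2022-02-04T10:00:01Z 6273 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=alice reason=16
2022-02-04T10:00:03Z 6273 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=bob reason=16
2022-02-04T10:00:05Z 6273 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=carol reason=16
2022-02-04T10:00:07Z 6273 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=dave reason=16
2022-02-04T10:00:09Z 6273 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=erin reason=16
2022-02-04T10:00:11Z 6272 ssid=CORP-WIFI mac=AA-BB-CC-00-11-22 user=frank reason=0
2022-02-04T10:01:00Z 6273 ssid=CORP-WIFI mac=DE-AD-BE-EF-00-01 user=grace reason=16
2022-02-04T10:01:30Z 6273 ssid=CORP-WIFI mac=DE-AD-BE-EF-00-01 user=grace reason=16
2022-02-04T10:01:45Z 6272 ssid=CORP-WIFI mac=DE-AD-BE-EF-00-01 user=grace reason=0
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d+) ssid=(?P<ssid>\S+) mac=(?P<mac>\S+) "
                  r"user=(?P<user>\S+) reason=(?P<reason>\d+)$")


def parse(log_text):
    """Parse the constructed log format into records; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["eid"] = int(r["eid"])
        r["reason"] = int(r["reason"])
        records.append(r)
    return records


def detect_spray(log_text, min_users=5, window=timedelta(minutes=10)):
    """Flag each client MAC that fails bad-credential auth for >= min_users distinct
    accounts within `window`, and note the first successful auth from that MAC afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for r in parse(log_text):
        if r["eid"] == 6273 and r["reason"] == 16:
            failures[r["mac"]].append(r)
        elif r["eid"] == 6272:
            successes[r["mac"]].append(r)

    findings = []
    for mac, fails in failures.items():
        fails.sort(key=lambda r: r["ts"])
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(users) >= min_users:
                end = in_window[-1]["ts"]
                # A success from the spraying MAC after the spray is the likely compromise
                later_ok = [s for s in successes.get(mac, []) if s["ts"] >= end]
                findings.append({"mac": mac, "ssid": start["ssid"], "distinct_users": len(users),
                                 "first": start["ts"].isoformat(), "last": end.isoformat(),
                                 "success_after_spray": later_ok[0]["user"] if later_ok else None})
                break  # one finding per MAC is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

The second MAC in the sample (one user failing twice, then succeeding) is the ordinary mistyped-password case and is intentionally not flagged; keying on distinct usernames per client rather than raw failure counts is what separates a spray from a forgetful employee. Note that in the Nearest Neighbor case the spraying client would be a device inside a neighbouring organization, so the MAC alone will not lead back to the real attacker.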
The eSentire product suite includes a variety of detections for known APT28 Tactics, Techniques, and Procedures (TTPs).
Bottom Line: In light of recent reports on Chinese APTs targeting telecommunication organizations, T-Mobile has released a statement on recently observed attacks. They confirm that no customer data has been impacted to date.
On November 27th, T-Mobile released a statement outlining information on recent attacks against the organization. According to T-Mobile, the company has faced multiple cyberattacks over the past “few weeks”. The cyberattacks were carried out from the network of a wireline provider that had an established business connection with T-Mobile. It is suspected that the wireline provider was previously compromised and is being used to launch attacks against partner companies. The threat actor failed to gain access to any sensitive customer data, and the attacks have not resulted in any service disruption.
T-Mobile states that they have been closely monitoring information on the Chinese state-sponsored APT Salt Typhoon, but they do not attribute the recent attacks to any specific group. In response to these attacks, T-Mobile has “severed connectivity to the provider’s network”, reported their findings to law-enforcement, and continues to monitor the situation.
The telecommunication industry is currently in the spotlight, following confirmation that multiple Chinese state-sponsored APT groups have compromised major telecommunication organizations including Verizon, AT&T, and Lumen. According to the chairman of the U.S. Senate Intelligence Committee, this activity represents the “worst telecom hack in our nation's history - by far". The intent of the Chinese APT groups to compromise critical industries holding sensitive information reveals a strategy of targeting high-value sectors for geopolitical, economic, or intelligence-gathering purposes. Access to classified data could enable espionage, giving adversaries a strategic advantage. Telecommunications may be viewed as an especially valuable target due to the access it provides to personal information and the content of conversations. Previous cyberattacks against telecommunication organizations have led to the theft of sensitive data including phone calls, text messages, and more.
The Salt Typhoon APT group (aka Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286) has gained significant attention due to their campaigns against Verizon, AT&T, and Lumen. CISA and the FBI released a statement confirming that these attacks impacted “a limited number of individuals who are primarily involved in government or political activity.” According to the statement, these campaigns are being carried out to “enable the theft of customer call records data, the compromise of private communications” for espionage purposes.
Last week, CrowdStrike’s Senior Vice President of Counter Adversary Operations disclosed a new Chinese state-sponsored APT group, tracked as Liminal Panda, during testimony to the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law on Chinese cyber threats to critical infrastructure. According to CrowdStrike, Liminal Panda specifically targets the telecommunication industry. Notably, Liminal Panda is reported to exploit the interconnectedness of telecommunication organizations to spread from existing infections across multiple companies. This tactic matches the description provided by T-Mobile, but T-Mobile has not attributed the recent activity to a known threat actor group.
The eSentire Threat Intelligence team continues to track Chinese state-sponsored APT groups in order to perform threat hunts and verify detection content.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.