003. Are they that advanced? Spotlighting Salt Typhoon
Hello everyone! I'm not sure about you, but I often ask myself one question: "Are Advanced Persistent Threats that advanced?". We are tracking lots of adversaries, mostly those targeting CIS. I also read lots and lots of public reports. And you know what? Yes, many modern threat actors use custom malware, for example, but at the same time their behaviors are quite easy to detect, especially if you have good threat intelligence sources.
So, in the "Are they that advanced?" series we'll look at various APTs from the headlines in order to find low-hanging fruits for detection and hunting.
Let's start with Salt Typhoon (yes, I like Microsoft's naming taxonomy), which, according to the news, successfully compromised at least eight U.S. telecommunication networks, including AT&T and Verizon.
First of all, the threat actors exploit well-known vulnerabilities in public-facing applications, for example, Ivanti Connect Secure VPN and Microsoft Exchange. I'm sure it's not the first time you hear about it.
Yes, the adversary has a few malware families in its arsenal, for example, Deed RAT and the DEMODEX rootkit. At the same time, the installation routine is quite noisy. According to a Trend Micro report, the threat actors leveraged PsExec (which is really easy to detect) to install DEMODEX, running the following command:
Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123
Looks suspicious, right? Bypassing the execution policy, "onedrived" instead of "onedrive", and this password... Also, PowerShell executions are always good candidates for threat hunting: if you know what's common for your environment, it's quite easy to spot suspicious activity related to it.
Next, Salt Typhoon uses DLL sideloading heavily. Another Trend Micro report contains lots of information on the legitimate binaries this threat actor uses for sideloading. Another hunting tip - always check the location of such binaries. The same can be said about persistence mechanisms: the adversary usually uses Run keys, scheduled tasks and services.
Let's look at another example of lateral movement from the Trend Micro report - abusing wmic:
WMIC.exe /node:<REDACTED> /user:<REDACTED> /password:<REDACTED> process call create "cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe"
So, this is another great candidate for threat hunting. Of course, wmic may be used legitimately in your environment, but in most cases remote process creation like this is malicious activity.
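As an added illustration of the hunting ideas in this post (the execution-policy bypass and odd script location discussed above, and the WMIC remote process creation here), below is example Python code that is not from the post or the Trend Micro reports: it runs a handful of heuristic rules over constructed process-creation events. The PSEXESVC.exe parent check, the /node: switch and the short list of Windows sub-folders are my assumptions as starting points, not indicators from the reports.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon EID 1 / Windows 4688 style; not real telemetry.
# The first two reproduce the command lines quoted in the post, with redacted fields filled by dummy values.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"Powershell.exe -ex bypass c:\windows\assembly\onedrived.ps1 password@123"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'WMIC.exe /node:10.0.0.5 /user:CORP\svc /password:dummy process call create '
                r'"cmd.exe /c expand c:/windows/debug/1.zip c:/windows/debug/notepadup.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},   # benign admin script, no hits expected
]

# Each rule is a name -> predicate over one event. Paths and switches are hunting heuristics (assumed), not IOCs.
RULES = {
    # PowerShell started with the execution policy turned off on the command line
    "powershell_exec_policy_bypass": lambda e: (
        re.search(r"powershell(?:\.exe)?\b", e["cmdline"], re.I)
        and re.search(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", e["cmdline"], re.I)),
    # Scripts, binaries or archives living under %SystemRoot% folders that normally hold none (assumed list)
    "payload_in_odd_windows_dir": lambda e:
        re.search(r"c:[\\/]windows[\\/](?:assembly|debug)[\\/][^\s\"]+\.(?:ps1|exe|dll|zip)",
                  e["cmdline"], re.I),
    # Child of the PsExec service binary, i.e. execution driven by PsExec
    "spawned_by_psexec_service": lambda e: e["parent"].lower().endswith(r"\psexesvc.exe"),
    # WMIC creating a process on another host (/node:) - the lateral-movement pattern from the post
    "wmic_remote_process_create": lambda e: (
        re.search(r"\bwmic(?:\.exe)?\b", e["cmdline"], re.I)
        and re.search(r"/node:", e["cmdline"], re.I)
        and re.search(r"process\s+call\s+create", e["cmdline"], re.I)),
}

def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {event index: [matched rule names]} for every event that hits at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, e in enumerate(events):
        matched = [name for name, pred in RULES.items() if pred(e)]
        if matched:
            hits[i] = matched
    return hits

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Run against real 4688/Sysmon exports, the rules that fire most often on benign traffic (usually the execution-policy one) are the ones to baseline per environment first.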
As you can see, if you deal with advanced adversaries, you usually have LOTS of detection opportunities, even if you just look at antivirus alerts - you just need to respond properly. That's it!
See you tomorrow!