Breaking Badness Episode 4

You Down With APT, Yeah You Know Me

Coming up this week on Breaking Badness. Today, we discuss: Sleep Deprivation Isn’t the Only Thing Attacking Your (Machine’s) Memory (PowerShell + DMA Attacks), An Update on APT 27 Titled: The Gh0st in the Shell, and Our Unresolved Issues With DNS Tunneling Attacks.

Here are a few highlights from each article we discussed:

Sleep Deprivation Isn’t the Only Thing attacking Your (Machine’s) Memory (PowerShell + DMA Attacks)
IBM X-Force Report
  • Once a company’s network is compromised, threat actors are more likely to usePowerShell for their goals instead of deploying malware.
  • In 2018, 43% of attacks used locally installed files, and 57% used no malware and used tools like PowerShell or PSExec scripts to execute in memory without significantly touching file systems, if at all.
  • According to the IBM X-Force Report, most of the time malware was used was an APT group.
  • Once an actor is on the system, he or she will not download and execute malware, but instead will run scripts in PowerShell to do any number of things, including stealing passwords and mining cryptocurrency.
  • Protection by: requiring scripts to be digitally signed, upgrade to latest version of PS and make sure to disable the ability to downgrade, apply principle of least privilege (ie, restrict who actually has access to run certain PowerShell commands by using PowerShell constrained language, and of course logging.
Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via DMA from Untrustworthy Peripherals
  • New class of vulnerability affecting all major OS that allows attackers to bypass protections against DMA attacks. Discovered by researchers from University of Cambridge, Rice University, and SRI International.
  • DMA – direct memory access.
  • DMA attacks involve a threat actor plugging in a malicious device such as an external memory card into a Thunderbolt-3 or USB-C port.
  • By mimicking the functionality of a legitimate peripheral device, an attacker can trick targeted operating systems into granting it access to sensitive regions of memory.
An Update on APT 27 Titled: The Gh0st in the Shell
  • This is a story regarding Chinese-nexus APT group (Emissary Panda/APT 27).
  • The threat actor was identified in 2018 using updated source code to target data owned by political, technology, manufacturing and humanitarian organizations.
  • Using publicly available tools that have been around for years, but in 2018 APT 27 was using them with updated code – especially updated remote access trojans (RATs), such as ZxShell, Gh0st RAT, and SysUpdate malware.
  • In its most recent campaign, the threat group used phishing, scan and exploit, and watering hole techniques to target and compromise organizations – especially known for watering holes.
  • ZxShell updates: embedded in HTran packet redirection tool and had certs signed by Hangzhou Shunwang Technology Co., Ltd and Shanghai Hintsoft Co., Ltd., which can indicate APT 27 activity.
  • Gh0st RAT updates: made it more challenging for security tools to detect
    SysUpdate updates: deployed via RTF documents, which may indicate delivery via phishing emails. Can also deploy or withdraw second stage payloads at will, which enables them to remain more stealthy.
  • Known for living off the land (using native tools, services, and creds).
Our Unresolved Issues With DNS Tunneling Attacks
  • DNS Tunneling is a method of cyber attack where an attacker hides information or payloads in DNS queries. It requires access to an internal DNS server with network connectivity.
  • DNS tunneling is a covert channel technique to transfer arbitrary information over DNS via DNS queries and answers.
  • Only 3 second level domains are responsible for more than half of all newly observed domain names per day (Google AMP [accelerated mobile pages], Spotify, and a DNS tunnel provider).
  • Analysis reveals that nearly all resource record type NULL requests and more than a third of all TXT requests can be attributed to DNS tunnels.
  • They were able to successfully identify 273 suspicious domains related to DNS tunnels, including three known APT campaigns [Wekby, AKA Dynamite Panda (China)][APT32, AKA Ocean Lotus (Vietnam)][APT34, AKA Oilrig (Iran)].
  • Dynamite Panda and Oilrig used DNS tunneling for C2 communication.
  • The advantages of DNS tunneling include that DNS is almost always available, no direct connection is established between victim and attacker, and pure data exfiltration (upstream only) is difficult to detect.
This Week’s Hoodie Scale

Sleep Deprivation Isn’t the Only Thing Attacking Your (Machine’s) Memory 
[Emily]: 4.5/10 Hoodies

An Update on APT 27 Titled: The Gh0st in the Shell
[Emily]: 4/10 Hoodies

Our Unresolved Issues With DNS Tunneling Attacks
[Emily]: 4/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!