🚀 لقد رفعت CloudSek جولة B1 من السلسلة B1 بقيمة 19 مليون دولار - تعزيز مستقبل الأمن السيبراني التنبؤي
اقرأ المزيد
Nation state sponsored actors are reportedly launching cyber offensives against COVID-19 vaccine research facilities across the globe, which are currently in various stages of vaccine development. The threat actors are reported to have had some success in establishing an initial foothold or even exfiltrating research/ other data.[/vc_wp_text][vc_column_text]
Threat Actor Objectives
The involvement of nation-states in the ongoing cyber offensives can be attributed to the state of the world economy post-COVID-19. This has driven nation-states to compromise or acquire research data from foreign research entities, in a bid to win the ‘vaccine race,’ that will enable the rapid resurgence of their respective economies.
Threat Description
Threat actors are targeting individuals and organisations by direct methods such as password spraying and by employing social engineering methods, such posing as WHO officials and job recruiters, to make the victims open malicious email attachments. They are also launching attacks on Internet-facing assets, by abusing weak RDP credentials, to gain an initial foothold on the target network to further the attack and compromise the target infrastructure.
Key Threat Actors
Threat Actor *APT28 - RussiaLazarus - N KoreaCerium - N KoreaCountry of OriginRussiaNorth KoreaNorth KoreaAPT IDAPT 28APT 38/37Not yet designatedAlias/ GroupFancyBear, CozyBear,
Strontium, Sofacy
Lazarus Group, Zinc, HiddenCobraCeriumAttack Vector- Initial Entry via password spraying and brute force attacks to compromise valid user accounts
- RDP credential compromise
- Spear-phishing with malicious attachments
- Phishing campaigns masquerading as job offerings
- COVID-19 themed attacks
- Spear phishing posing as WHO officials
- Emails laced with malicious attachments
[/vc_column_text][vc_column_text]
MITRE ATT&CK HEAT MAP
- Russian Group
- North Korea Groups
- Common TTPs
[/vc_column_text][vc_single_image image="8660" img_size="large" onclick="custom_link" img_link_target="_blank" link="https://cdn.cloudsek.com/wp-content/uploads/2020/11/image1.png"][vc_column_text]
Mitigation measures
Mitigations need to be addressed not only by technical means but also by enforcing security policies that implement technical solutions.
Mitigations to offset the risks associated with crucial stages in the cyber kill chain:
PhaseMitigation TypeInitial Access PhaseAdministrative (Policy)Payload Staging/ Execution-InstallationTechnicalLateral MovementTechnicalExfiltration/ObjectiveAdministrative (Policy/ Technical)
Initial Access Phase Mitigation
- Administrative policy to enforce strong passwords: Passwords should contain alphanumerics, special characters, and should not contain dictionary words.
- Lockout Policy: To prevent brute-forcing and password spraying.
Payload Staging/ Execution-Installation Mitigation
- Security administrators should be aware of the “Living-Off-The-Land” approach of the adversaries, which is nothing but using trusted applications on the victim host to do the bidding of the attacker.
- Effective log monitoring for suspicious activities, for example: abnormal use case of “mshta” and “regsvr32.”
- Effective IDR/ XDR solutions to monitor host activities.
- Ingress/ egress traffic flow monitoring.
- Most of the outlined measures can be implemented with a SIEM.
- System Configuration auditing.
Lateral Movement Mitigation
- Proper user privilege auditing, use only standard user accounts
- Enforcement of “Principle of Least Privilege.”
- Implementation of Application Allow Listing.
- Multi-Factor Authentication.
- ضوابط الوصول المستندة إلى السياق والتكيفية.
- سياسة كلمة مرور قوية.
- تجزئة الشبكة والفجوة الهوائية.
- قم بنشر حلول الكشف عن نماذج سلوك التهديد مثل أنظمة IDR/XDR الحديثة.
- الوعي بالأدوات التي يشيع استخدامها من قبل الممثلين لتنفيذ الحركة الجانبية.
الاختراق/التخفيف الموضوعي
- حلول DLP الفعالة لمراقبة حركة مرور خروج جهاز التوجيه الحدودي.
- الوعي بتقنيات التسلل المستخدمة من قبل الجهات الفاعلة، على سبيل المثال: DNS/HTTPS
- يمكن للمهاجمين الاستفادة حتى من التطبيقات الموثوقة في بيئة الضحية لسحب البيانات من الشبكة المستهدفة (Living off The Land).
إرشادات الاستجابة للحوادث الأساسية
هيئة الدليلأيزو/إيك 27035
أيزو/إيك 27035-1
ايزونائب رقم 800-61العش (الولايات المتحدة)
الملحق
شقة 28
تكتيكات وتقنيات وإجراءات APT28:
وصف معرف Mitre - وصف معرف MitreT1134.001معالجة رمز الوصول: انتحال شخصية/سرقة الرمزT1059.003مترجم الأوامر والبرمجة: ويندوز كوماند شيلT1583.001احصل على البنية التحتية: نطاقاتT1092التواصل من خلال الوسائط القابلة للإزالةT1071.003بروتوكول طبقة التطبيقات: بروتوكولات البريدT1213.002البيانات من مستودعات المعلومات: شاريبوانتT1071.001بروتوكول طبقة التطبيقات: بروتوكولات الويبT1005بيانات من النظام المحليT1560أرشفة البيانات المجمعةT1025البيانات من الوسائط القابلة للإزالةT1119المجموعة الآليةT1001تشويش البيانات: بيانات غير مهمةT1037.001البرامج النصية لبدء التشغيل أو تسجيل الدخول: البرنامج النصي لتسجيل الدخول (Windows)T1074.001تم تنظيم البيانات: تنظيم البيانات المحليةT1110.003القوة الغاشمة: رش كلمة المرورT1140إزالة التشويش/فك تشفير الملفات أو المعلوماتT1110.001القوة الغاشمة: تخمين كلمة المرورT1114.002مجموعة البريد الإلكتروني: مجموعة البريد الإلكتروني عن بُعدT1059.001مترجم الأوامر والبرمجة: بوويرشيلT1573.001القناة المشفرة: التشفير المتماثلT1546.015التنفيذ الناتج عن الحدث: اختطاف نموذج كائن المكونT1068الاستغلال من أجل تصعيد الامتيازاتT1190استغلال التطبيق الذي يواجه الجمهورT1210استغلال الخدمات عن بُعدT1203الاستغلال من أجل تنفيذ العميلT1083اكتشاف الملفات والدليلT1211الاستغلال للتهرب من الدفاعT1564.001Hide Artifacts: Hidden Files and DirectoriesT1564.003Hide Artifacts: Hidden WindowT1003OS Credential DumpingT1070.006Indicator Removal on Host: TimestampT1003.001LSASS MemoryT1070.001Indicator Removal on Host: Clear Windows Event LogsT1120Peripheral Device DiscoveryT1070.004Indicator Removal on Host: File DeletionT1566Phishing: Spear Phishing LinkT1105Ingress Tool TransferT1566Phishing: Spear Phishing AttachmentT1056.001Input Capture: KeyloggingT1542.003Pre-OS Boot: BootkitT1559.002Inter-Process Communication: Dynamic Data ExchangeT1057Process DiscoveryT1498Network Denial of ServiceT1090.002Proxy: External ProxyT1040Network SniffingT1091Replication Through Removable MediaT1027Obfuscated Files or InformationT1014RootkitT1137.002Office Application Startup: Office TestT1113Screen CaptureT1091Replication Through Removable MediaT1218.011Signed Binary Proxy Execution: Rundll32T1014RootkitT1528Steal Application Access TokenT1113Screen CaptureT1221Template InjectionT1218.011Signed Binary Proxy Execution: Rundll32T1199Trusted RelationshipT1528Steal Application Access TokenT1550Authentication Material: Pass the HashT1221Template InjectionT1550Use Alternate Authentication Material: Application Access TokenT1199Trusted RelationshipT1204.002User Execution: Malicious FileT1550Authentication Material: Pass the HashT1078Valid AccountsT1550Use Alternate Authentication Material: Application Access TokenT1204.002User Execution: Malicious FileT1078Valid AccountsSoftware used by APT28:
MITRE-IDSoftwareMITRE-IDSoftwareS0045ADVSTORESHELLS0251ZebrocyS0351CannonS0250KoadicS0160certutilS0162KomplexS0023CHOPSTICKS0397LoJaxS0137CORESHELLS0002MimikatzS0243DealersChoiceS0138OLDBAITS0134DowndelphS0174ResponderS0502DrovorubS0136USBStealerS0193ForfilesS0191WinexeS0410FysbisS0314X-Agent for AndroidS0135HIDEDRVS0161XAgentOSXS0044JHUHUGITS0117XTunnel
Lazarus Group
Tactics, Techniques, and Procedures of Lazarus:
MITRE-IDDescriptionMITRE-IDDescriptionT1134.002Access Token Manipulation: Create Process with TokenT1059.005Command and Scripting Interpreter: Visual BasicT1098Account ManipulationT1059.001Command and Scripting Interpreter: PowerShellT1071.001Application Layer Protocol: Web ProtocolsT1543.003Create or Modify System Process: Windows ServiceT1010Application Window DiscoveryT1485Data DestructionT1560Archive Collected DataT1132.001Data Encoding: Standard EncodingT1560Archive via LibraryT1005Data from Local SystemT1560Archive via Custom MethodT1001.003Data Obfuscation: Protocol ImpersonationT1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1074.001Data Staged: Local Data StagingT1547.009Boot or Logon Autostart Execution: Shortcut ModificationT1491.001Defacement: Internal DefacementT1547.005Boot or Logon Autostart Execution: Security Support ProviderT1561.002Disk Wipe: Disk Structure WipeT1110.003Brute Force: Password SprayingT1561.001Disk Wipe: Disk Content WipeT1059.003Command and Scripting Interpreter: Windows Command ShellT1189Drive-by CompromiseT1203Exploitation for Client ExecutionT1573.001Encrypted Channel: Symmetric CryptographyT1008Fallback ChannelsT1048.003Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolT1083File and Directory DiscoveryT1041Exfiltration Over C2 ChannelT1564.001Hide Artifacts: Hidden Files and DirectoriesT1562.004Impair Defenses: Disable or Modify System FirewallT1562.001Impair Defenses: Disable or Modify ToolsT1070.004Indicator Removal on Host: File DeletionT1105Ingress Tool TransferT1070.006Indicator Removal on Host: TimestompT1056.001Input Capture: KeyloggingT1112Modify RegistryT1036.004Masquerading: Masquerade Task or ServiceT1571Non-Standard PortT1027Obfuscated Files or InformationT1003.001OS Credential Dumping: LSASS memoryT1027.002Software PackingT1566.001Phishing: Spearphishing AttachmentT1566.003Phishing: Spearphishing via ServiceT1057Process DiscoveryT1542.003Pre-OS Boot: BootkitT1055.001Process Injection: Dynamic-link Library InjectionT1090.002Proxy: External ProxyT1021.002Remote Services: SMB/Windows Admin SharesT1012Query RegistryT1496Resource HijackingT1021.001Remote Services: Remote Desktop ProtocolT1489Service StopT1218.001Signed Binary Proxy Execution: Compiled HTML FileT1016System Network Configuration DiscoveryT1218.005Signed Binary Proxy Execution: MshtaT1033System Owner/User DiscoveryT1082System Information اكتشافT1529إيقاف تشغيل النظام/إعادة التشغيلT1124اكتشاف وقت النظامT1047أجهزة إدارة WindowsT1204.002تنفيذ المستخدم: ملف ضار
