Nation state sponsored actors are reportedly launching cyber offensives against COVID-19 vaccine research facilities across the globe, which are currently in various stages of vaccine development. The threat actors are reported to have had some success in establishing an initial foothold or even exfiltrating research/ other data.[/vc_wp_text][vc_column_text]
Threat Actor Objectives
The involvement of nation-states in the ongoing cyber offensives can be attributed to the state of the world economy post-COVID-19. This has driven nation-states to compromise or acquire research data from foreign research entities, in a bid to win the ‘vaccine race,’ that will enable the rapid resurgence of their respective economies.
Threat Description
Threat actors are targeting individuals and organisations by direct methods such as password spraying and by employing social engineering methods, such posing as WHO officials and job recruiters, to make the victims open malicious email attachments. They are also launching attacks on Internet-facing assets, by abusing weak RDP credentials, to gain an initial foothold on the target network to further the attack and compromise the target infrastructure.
Key Threat Actors
| Threat Actor * | APT28 - Russia | Lazarus - N Korea | Cerium - N Korea |
| Country of Origin | Russia | North Korea | North Korea |
| APT ID | APT 28 | APT 38/37 | Not yet designated |
| Alias/ Group | FancyBear, CozyBear, Strontium, Sofacy |
Lazarus Group, Zinc, HiddenCobra | Cerium |
| Attack Vector |
|
|
|
| Category | Advanced Persistent Threat (APT) | ||
| Target Sectors | Pharmaceutical (Vaccine R&D) | ||
| Target Regions | Canada, France, India, South Korea, United States | ||
[/vc_column_text][vc_column_text]
MITRE ATT&CK HEAT MAP
- Russian Group
- North Korea Groups
- Common TTPs
[/vc_column_text][vc_single_image image="8660" img_size="large" onclick="custom_link" img_link_target="_blank" link="https://cloudsek.com/wp-content/uploads/2020/11/image1.png"][vc_column_text]
Mitigation measures
Mitigations need to be addressed not only by technical means but also by enforcing security policies that implement technical solutions.
Mitigations to offset the risks associated with crucial stages in the cyber kill chain:
| Phase | Mitigation Type |
| Initial Access Phase | Administrative (Policy) |
| Payload Staging/ Execution-Installation | Technical |
| Lateral Movement | Technical |
| Exfiltration/Objective | Administrative (Policy/ Technical) |
Initial Access Phase Mitigation
- Administrative policy to enforce strong passwords: Passwords should contain alphanumerics, special characters, and should not contain dictionary words.
- Lockout Policy: To prevent brute-forcing and password spraying.
Payload Staging/ Execution-Installation Mitigation
- Security administrators should be aware of the “Living-Off-The-Land” approach of the adversaries, which is nothing but using trusted applications on the victim host to do the bidding of the attacker.
- Effective log monitoring for suspicious activities, for example: abnormal use case of “mshta” and “regsvr32.”
- Effective IDR/ XDR solutions to monitor host activities.
- Ingress/ egress traffic flow monitoring.
- Most of the outlined measures can be implemented with a SIEM.
- System Configuration auditing.
Lateral Movement Mitigation
- Proper user privilege auditing, use only standard user accounts
- Enforcement of “Principle of Least Privilege.”
- Implementation of Application Allow Listing.
- Multi-Factor Authentication.
- Context-based and adaptive access controls.
- Strong password policy.
- Network segmentation and air gaping.
- Deploy threat behavior model detection solutions like modern IDR/ XDR systems.
- Awareness of tools commonly used by actors to execute lateral movement.
Exfiltration/Objective Mitigation
- Effective DLP solutions to monitor border router egress traffic.
- Awareness of exfiltration techniques used by actors, for example: DNS/ HTTPS
- Attackers can make use of even trusted applications on the victim environment to exfiltrate data out of the target network (Living off The Land).
Basic Incident Response Guidelines
| Guide | Body |
ISO/IEC 27035 ISO/IEC 27035-1 |
ISO |
| SP 800-61 | NIST (US) |
Appendix
APT28
Tactics, Techniques, and Procedures of APT28:
| MITRE-ID | Description | MITRE-ID | Description |
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| T1583.001 | Acquire Infrastructure: Domains | T1092 | Communication Through Removable Media |
| T1071.003 | Application Layer Protocol: Mail Protocols | T1213.002 | Data from Information Repositories: Sharepoint |
| T1071.001 | Application Layer Protocol: Web Protocols | T1005 | Data from Local System |
| T1560 | Archive Collected Data | T1025 | Data from Removable Media |
| T1119 | Automated Collection | T1001 | Data Obfuscation: Junk Data |
| T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | T1074.001 | Data Staged: Local Data Staging |
| T1110.003 | Brute Force: Password Spraying | T1140 | Deobfuscate/Decode Files or Information |
| T1110.001 | Brute Force: Password Guessing | T1114.002 | Email Collection: Remote Email Collection |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| T1546.015 | Event-Triggered Execution: Component Object Model Hijacking | T1068 | Exploitation for Privilege Escalation |
| T1190 | Exploit Public-Facing Application | T1210 | The exploitation of Remote Services |
| T1203 | Exploitation for Client Execution | T1083 | File and Directory Discovery |
| T1211 | Exploitation for Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| T1564.003 | Hide Artifacts: Hidden Window | T1003 | OS Credential Dumping |
| T1070.006 | Indicator Removal on Host: Timestamp | T1003.001 | LSASS Memory |
| T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | T1120 | Peripheral Device Discovery |
| T1070.004 | Indicator Removal on Host: File Deletion | T1566 | Phishing: Spear Phishing Link |
| T1105 | Ingress Tool Transfer | T1566 | Phishing: Spear Phishing Attachment |
| T1056.001 | Input Capture: Keylogging | T1542.003 | Pre-OS Boot: Bootkit |
| T1559.002 | Inter-Process Communication: Dynamic Data Exchange | T1057 | Process Discovery |
| T1498 | Network Denial of Service | T1090.002 | Proxy: External Proxy |
| T1040 | Network Sniffing | T1091 | Replication Through Removable Media |
| T1027 | Obfuscated Files or Information | T1014 | Rootkit |
| T1137.002 | Office Application Startup: Office Test | T1113 | Screen Capture |
| T1091 | Replication Through Removable Media | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| T1014 | Rootkit | T1528 | Steal Application Access Token |
| T1113 | Screen Capture | T1221 | Template Injection |
| T1218.011 | Signed Binary Proxy Execution: Rundll32 | T1199 | Trusted Relationship |
| T1528 | Steal Application Access Token | T1550 | Authentication Material: Pass the Hash |
| T1221 | Template Injection | T1550 | Use Alternate Authentication Material: Application Access Token |
| T1199 | Trusted Relationship | T1204.002 | User Execution: Malicious File |
| T1550 | Authentication Material: Pass the Hash | T1078 | Valid Accounts |
| T1550 | Use Alternate Authentication Material: Application Access Token | T1204.002 | User Execution: Malicious File |
| T1078 | Valid Accounts |
Software used by APT28:
| MITRE-ID | Software | MITRE-ID | Software |
| S0045 | ADVSTORESHELL | S0251 | Zebrocy |
| S0351 | Cannon | S0250 | Koadic |
| S0160 | certutil | S0162 | Komplex |
| S0023 | CHOPSTICK | S0397 | LoJax |
| S0137 | CORESHELL | S0002 | Mimikatz |
| S0243 | DealersChoice | S0138 | OLDBAIT |
| S0134 | Downdelph | S0174 | Responder |
| S0502 | Drovorub | S0136 | USBStealer |
| S0193 | Forfiles | S0191 | Winexe |
| S0410 | Fysbis | S0314 | X-Agent for Android |
| S0135 | HIDEDRV | S0161 | XAgentOSX |
| S0044 | JHUHUGIT | S0117 | XTunnel |
Lazarus Group
Tactics, Techniques, and Procedures of Lazarus:
| MITRE-ID | Description | MITRE-ID | Description |
| T1134.002 | Access Token Manipulation: Create Process with Token | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| T1098 | Account Manipulation | T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1071.001 | Application Layer Protocol: Web Protocols | T1543.003 | Create or Modify System Process: Windows Service |
| T1010 | Application Window Discovery | T1485 | Data Destruction |
| T1560 | Archive Collected Data | T1132.001 | Data Encoding: Standard Encoding |
| T1560 | Archive via Library | T1005 | Data from Local System |
| T1560 | Archive via Custom Method | T1001.003 | Data Obfuscation: Protocol Impersonation |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1074.001 | Data Staged: Local Data Staging |
| T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | T1491.001 | Defacement: Internal Defacement |
| T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | T1561.002 | Disk Wipe: Disk Structure Wipe |
| T1110.003 | Brute Force: Password Spraying | T1561.001 | Disk Wipe: Disk Content Wipe |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1189 | Drive-by Compromise |
| T1203 | Exploitation for Client Execution | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| T1008 | Fallback Channels | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| T1083 | File and Directory Discovery | T1041 | Exfiltration Over C2 Channel |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
| T1562.001 | Impair Defenses: Disable or Modify Tools | T1070.004 | Indicator Removal on Host: File Deletion |
| T1105 | Ingress Tool Transfer | T1070.006 | Indicator Removal on Host: Timestomp |
| T1056.001 | Input Capture: Keylogging | T1112 | Modify Registry |
| T1036.004 | Masquerading: Masquerade Task or Service | T1571 | Non-Standard Port |
| T1027 | Obfuscated Files or Information | T1003.001 | OS Credential Dumping: LSASS memory |
| T1027.002 | Software Packing | T1566.001 | Phishing: Spearphishing Attachment |
| T1566.003 | Phishing: Spearphishing via Service | T1057 | Process Discovery |
| T1542.003 | Pre-OS Boot: Bootkit | T1055.001 | Process Injection: Dynamic-link Library Injection |
| T1090.002 | Proxy: External Proxy | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| T1012 | Query Registry | T1496 | Resource Hijacking |
| T1021.001 | Remote Services: Remote Desktop Protocol | T1489 | Service Stop |
| T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | T1016 | System Network Configuration Discovery |
| T1218.005 | Signed Binary Proxy Execution: Mshta | T1033 | System Owner/User Discovery |
| T1082 | System Information Discovery | T1529 | System Shutdown/Reboot |
| T1124 | System Time Discovery | T1047 | Windows Management Instrumentation |
| T1204.002 | User Execution: Malicious File |
Software used by Lazarus:
| MITRE-ID | Software | MITRE-ID | Software |
| S0347 | AuditCred | S0108 | netsh |
| S0245 | BADCALL | S0238 | Proxysvc |
| S0239 | Bankshot | S0241 | RATANKBA |
| S0498 | Cryptoistic | S0364 | RawDisk |
| S0497 | Dacls | S0263 | TYPEFRAME |
| S0181 | FALLCHILL | S0180 | Volgmer |
| S0246 | HARDRAIN | S0366 | WannaCry |
| S0376 | HOPLIGHT | S0271 | KEYMARBLE |
| S0431 | HotCroissant | S0002 | Mimikatz |