The involvement of nation-states in the ongoing cyber offensives can be attributed to the state of the world economy post-COVID-19. This has driven nation-states to compromise or acquire research data from foreign research entities, in a bid to win the ‘vaccine race,’ that will enable the rapid resurgence of their respective economies.
Threat actors are targeting individuals and organisations both directly, through password spraying, and through social engineering, such as posing as WHO officials or job recruiters to make victims open malicious email attachments. They are also attacking Internet-facing assets, abusing weak RDP credentials to gain an initial foothold on the target network and then extending the intrusion to compromise the wider infrastructure.
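Password spraying (T1110.003), the initial-access method named above, has a distinctive footprint on the defender's side: one source failing logons against many different accounts in a short time, rather than many failures against one account. The following is an added example, not code from the CloudSEK report; it runs over constructed records that mirror the fields of Windows Security event 4625, and the field names, thresholds and sample IP addresses are assumptions.

```python
"""Flag password spraying (ATT&CK T1110.003) in Windows logon-failure records.

Added example, not part of the CloudSEK report. Input is a list of dicts that
mirror the fields of Windows Security event 4625 (failed logon): timestamp,
source IP, target user and logon type (10 = RemoteInteractive, i.e. RDP).
Spraying tries one or two passwords against many accounts, so the signal is
ONE source failing against MANY distinct users inside a short window, unlike
classic brute force (T1110.001), which hammers a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct target users} for every source that
    fails against at least `min_users` different accounts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_src[e["src_ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # time order, so the sliding window below is valid
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged


def _ev(minute, src, user, logon_type=10):
    """Constructed 4625-style record at 09:<minute> on a fixed day."""
    return {"event_id": 4625, "ts": datetime(2020, 11, 1, 9, minute),
            "src_ip": src, "user": user, "logon_type": logon_type}


# Constructed sample (documentation-range IPs, not real indicators):
# 198.51.100.7 sprays six accounts over RDP within five minutes -> flagged;
# 203.0.113.9 hits five accounts but 12 minutes apart -> outside the window;
# 10.0.0.5 is one user mistyping their own password at the console -> benign.
SAMPLE_EVENTS = (
    [_ev(i, "198.51.100.7", f"user{i}") for i in range(6)]
    + [_ev(12 * i, "203.0.113.9", f"svc{i}") for i in range(5)]
    + [_ev(m, "10.0.0.5", "alice", logon_type=2) for m in (3, 4, 5)]
)

if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

Tune `window` and `min_users` to the environment; a slow spray spread over hours (the 203.0.113.9 case) needs a wider window or a per-day distinct-user count to surface.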
| Threat Actor | APT28 (Russia) | Lazarus (North Korea) | Cerium (North Korea) |
|---|---|---|---|
| Country of Origin | Russia | North Korea | North Korea |
| APT ID | APT 28 | APT 38/37 | Not yet designated |
| Alias/Group | FancyBear, CozyBear, Strontium, Sofacy | Lazarus Group, Zinc, HiddenCobra | Cerium |
| Attack Vector | | | |
| Category | Advanced Persistent Threat (APT) | Advanced Persistent Threat (APT) | Advanced Persistent Threat (APT) |
| Target Sectors | Pharmaceutical (Vaccine R&D) | Pharmaceutical (Vaccine R&D) | Pharmaceutical (Vaccine R&D) |
| Target Regions | Canada, France, India, South Korea, United States | Canada, France, India, South Korea, United States | Canada, France, India, South Korea, United States |
Mitigation needs to be addressed not only through technical controls but also through security policies that mandate and enforce those controls.
| Phase | Mitigation Type |
|---|---|
| Initial Access | Administrative (Policy) |
| Payload Staging / Execution-Installation | Technical |
| Lateral Movement | Technical |
| Exfiltration / Objective | Administrative (Policy / Technical) |
| Guide | Body |
|---|---|
| ISO/IEC 27035, ISO/IEC 27035-1 | ISO |
| SP 800-61 | NIST (US) |
APT28
| MITRE-ID | Description | MITRE-ID | Description |
|---|---|---|---|
| T1134.001 | Access Token Manipulation: Token Impersonation/Theft | T1025 | Data from Removable Media |
| T1583.001 | Acquire Infrastructure: Domains | T1001 | Data Obfuscation: Junk Data |
| T1071.003 | Application Layer Protocol: Mail Protocols | T1074.001 | Data Staged: Local Data Staging |
| T1071.001 | Application Layer Protocol: Web Protocols | T1140 | Deobfuscate/Decode Files or Information |
| T1560 | Archive Collected Data | T1114.002 | Email Collection: Remote Email Collection |
| T1119 | Automated Collection | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | T1068 | Exploitation for Privilege Escalation |
| T1110.003 | Brute Force: Password Spraying | T1210 | Exploitation of Remote Services |
| T1110.001 | Brute Force: Password Guessing | T1083 | File and Directory Discovery |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| T1546.015 | Event Triggered Execution: Component Object Model Hijacking | T1003 | OS Credential Dumping |
| T1190 | Exploit Public-Facing Application | T1003.001 | OS Credential Dumping: LSASS Memory |
| T1203 | Exploitation for Client Execution | T1120 | Peripheral Device Discovery |
| T1211 | Exploitation for Defense Evasion | T1566 | Phishing: Spearphishing Link |
| T1564.003 | Hide Artifacts: Hidden Window | T1566 | Phishing: Spearphishing Attachment |
| T1070.006 | Indicator Removal on Host: Timestomp | T1542.003 | Pre-OS Boot: Bootkit |
| T1070.001 | Indicator Removal on Host: Clear Windows Event Logs | T1057 | Process Discovery |
| T1070.004 | Indicator Removal on Host: File Deletion | T1090.002 | Proxy: External Proxy |
| T1105 | Ingress Tool Transfer | T1091 | Replication Through Removable Media |
| T1056.001 | Input Capture: Keylogging | T1014 | Rootkit |
| T1559.002 | Inter-Process Communication: Dynamic Data Exchange | T1113 | Screen Capture |
| T1498 | Network Denial of Service | T1218.011 | Signed Binary Proxy Execution: Rundll32 |
| T1040 | Network Sniffing | T1528 | Steal Application Access Token |
| T1027 | Obfuscated Files or Information | T1221 | Template Injection |
| T1137.002 | Office Application Startup: Office Test | T1199 | Trusted Relationship |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1550 | Use Alternate Authentication Material: Pass the Hash |
| T1092 | Communication Through Removable Media | T1550 | Use Alternate Authentication Material: Application Access Token |
| T1213.002 | Data from Information Repositories: Sharepoint | T1204.002 | User Execution: Malicious File |
| T1005 | Data from Local System | T1078 | Valid Accounts |
| MITRE-ID | Software | MITRE-ID | Software |
|---|---|---|---|
| S0045 | ADVSTORESHELL | S0251 | Zebrocy |
| S0351 | Cannon | S0250 | Koadic |
| S0160 | certutil | S0162 | Komplex |
| S0023 | CHOPSTICK | S0397 | LoJax |
| S0137 | CORESHELL | S0002 | Mimikatz |
| S0243 | DealersChoice | S0138 | OLDBAIT |
| S0134 | Downdelph | S0174 | Responder |
| S0502 | Drovorub | S0136 | USBStealer |
| S0193 | Forfiles | S0191 | Winexe |
| S0410 | Fysbis | S0314 | X-Agent for Android |
| S0135 | HIDEDRV | S0161 | XAgentOSX |
| S0044 | JHUHUGIT | S0117 | XTunnel |
Lazarus Group
| MITRE-ID | Description | MITRE-ID | Description |
|---|---|---|---|
| T1134.002 | Access Token Manipulation: Create Process with Token | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| T1098 | Account Manipulation | T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1071.001 | Application Layer Protocol: Web Protocols | T1543.003 | Create or Modify System Process: Windows Service |
| T1010 | Application Window Discovery | T1485 | Data Destruction |
| T1560 | Archive Collected Data | T1132.001 | Data Encoding: Standard Encoding |
| T1560 | Archive Collected Data: Archive via Library | T1005 | Data from Local System |
| T1560 | Archive Collected Data: Archive via Custom Method | T1001.003 | Data Obfuscation: Protocol Impersonation |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1074.001 | Data Staged: Local Data Staging |
| T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | T1491.001 | Defacement: Internal Defacement |
| T1547.005 | Boot or Logon Autostart Execution: Security Support Provider | T1561.002 | Disk Wipe: Disk Structure Wipe |
| T1110.003 | Brute Force: Password Spraying | T1561.001 | Disk Wipe: Disk Content Wipe |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1189 | Drive-by Compromise |
| T1203 | Exploitation for Client Execution | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| T1008 | Fallback Channels | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| T1083 | File and Directory Discovery | T1041 | Exfiltration Over C2 Channel |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
| T1562.001 | Impair Defenses: Disable or Modify Tools | T1070.004 | Indicator Removal on Host: File Deletion |
| T1105 | Ingress Tool Transfer | T1070.006 | Indicator Removal on Host: Timestomp |
| T1056.001 | Input Capture: Keylogging | T1112 | Modify Registry |
| T1036.004 | Masquerading: Masquerade Task or Service | T1571 | Non-Standard Port |
| T1027 | Obfuscated Files or Information | T1003.001 | OS Credential Dumping: LSASS Memory |
| T1027.002 | Obfuscated Files or Information: Software Packing | T1566.001 | Phishing: Spearphishing Attachment |
| T1566.003 | Phishing: Spearphishing via Service | T1057 | Process Discovery |
| T1542.003 | Pre-OS Boot: Bootkit | T1055.001 | Process Injection: Dynamic-link Library Injection |
| T1090.002 | Proxy: External Proxy | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| T1012 | Query Registry | T1496 | Resource Hijacking |
| T1021.001 | Remote Services: Remote Desktop Protocol | T1489 | Service Stop |
| T1218.001 | Signed Binary Proxy Execution: Compiled HTML File | T1016 | System Network Configuration Discovery |
| T1218.005 | Signed Binary Proxy Execution: Mshta | T1033 | System Owner/User Discovery |
| T1082 | System Information Discovery | T1529 | System Shutdown/Reboot |
| T1124 | System Time Discovery | T1047 | Windows Management Instrumentation |
| T1204.002 | User Execution: Malicious File | | |
| MITRE-ID | Software | MITRE-ID | Software |
|---|---|---|---|
| S0347 | AuditCred | S0108 | netsh |
| S0245 | BADCALL | S0238 | Proxysvc |
| S0239 | Bankshot | S0241 | RATANKBA |
| S0498 | Cryptoistic | S0364 | RawDisk |
| S0497 | Dacls | S0263 | TYPEFRAME |
| S0181 | FALLCHILL | S0180 | Volgmer |
| S0246 | HARDRAIN | S0366 | WannaCry |
| S0376 | HOPLIGHT | S0271 | KEYMARBLE |
| S0431 | HotCroissant | S0002 | Mimikatz |