Threat Hunting beyond the Edge – APT29 COVID-19 Hacking Example
For most of us, the last few months have been a time of adjustment. From the playful Zoom backgrounds used to cope with work-from-home orders, to the serious monetary and health challenges in our communities, we’ve all been figuring out how to maintain some balance between safety and productivity. Interestingly, staying safe digitally while being productive had its own set of challenges.
In April, the WHO reported a 5x increase in cyber attacks, and Interpol noted upwards of 48,000 malicious URLs related to COVID-19 during that same Q1 timeframe. At face value, we saw an initial spike in new social engineering schemes and the exploitation of public confusion. We have also seen growth in the exploitation of remote productivity tools such as Zoom, as well as VPN credential theft, which is just now making headlines. Last, and likely the most impactful, has been the overnight redefinition of the network “edge”. Work that historically occurred within a single network or building is now often dispersed across tens to thousands of homes and a mix of corporate and BYO devices. Many organizations are finding that the tools that were once effective because everything was centralized at their office network(s) are failing to provide the same insight and protection beyond their edge.
But with our global shift in business operations, did the game effectively change for our adversaries in Cybersecurity?
No, not really.
These groups are still using the same or similar TTPs, hopping between the same VPS providers and public clouds, running the same botnets, and pwning the same CVEs that have gone unpatched for days, often years (oof). Obviously, the threat landscape is ever evolving, but there has been no paradigm shift in the way most groups operate, and this is a good thing. It means that tools well suited to providing visibility and investigative insight beyond your edge are more useful than ever.
-enter Augury stage right-
In the last few months I’ve worked with Augury to gain visibility into remote-site attack surfaces and network traffic, investigate new ransomware campaigns like Maze and Avaddon, identify shifting infrastructure for groups like Winnti and APT29, and find new campaigns and CIDRs spun up for botnets like Phorpiex.
One interesting use case has been the identification of three previously unpublished nodes linked to WellMess/WellMail, an APT29 effort to breach COVID-19 vaccine research targets. We started with an NCSC advisory published last month, which listed IOCs and TTPs. Great! The world now knows what NCSC knows about this threat today.
Interestingly, the advisory called out the x509 Subject and SubjectKeyIdentifier values APT29 was reusing to stand up new C2 hosts:
We quickly threw those parameters into an Augury query. Within a few minutes, we could validate over 90% of the IPs in the advisory from data points within Augury. The fun starts when we exclude all the known IOC IPs from the advisory.
Turns out we have visibility of unidentified hosts not mentioned in the paper.
Great! Looks like those hosts aren’t using the :443 service port that most of the other IPs from the advisory are. Let’s validate their SKI:
Matches the advisory, great! This isn’t coincidence: a SubjectKeyIdentifier is normally derived from the certificate’s public key (RFC 5280 section 4.2.1.2, method 1, is a SHA-1 over the key bits), so the same SKI turning up on a new host means the operators reused the same key material, not merely a similar-looking certificate. If I’m an analyst or cybersecurity professional using Augury, I can hit the “Schedule” button on my x509 query and set daily or weekly checks, so the query repeats and returns new hits whenever anything else is stood up. This is the proactive approach many of our clients take, with minimal time invested. It allows them to stay ahead of these APTs and prevent incident recurrence.
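The pivot described above (query on Subject and SKI, drop the IPs the advisory already lists, confirm the SKI on what remains) is easy to reproduce against any certificate export. The script below is an added example, not Augury code or anything from the NCSC advisory: it parses DER certificates with a minimal ASN.1 walker, extracts the subject CN and the SubjectKeyIdentifier, excludes known IOC IPs, and also checks whether the SKI equals SHA-1(subjectPublicKey), which tells the hunter whether the match reflects a reused key pair or only a copied identifier. The certificates, key bytes, IPs and the `test-c2.example` pivot are all constructed for the demo.

```python
"""Pivot on x509 Subject CN and SubjectKeyIdentifier (SKI) to surface hosts a
published IOC list misses.  Added example: the certificates, keys and IPs below
are constructed for the demo and are not WellMess/WellMail artefacts."""
import hashlib

OID_CN  = bytes.fromhex("550403")              # 2.5.4.3    commonName
OID_SKI = bytes.fromhex("551d0e")              # 2.5.29.14  subjectKeyIdentifier
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption (placeholder algorithm)

# --- minimal DER codec (single-byte tags, which is all X.509 uses) ------------
def der(tag, content):
    """Encode one TLV; used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Top-level TLVs inside a constructed value, as [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out

# --- the fields a hunter pivots on --------------------------------------------
def cert_fields(der_cert):
    """Subject CN, SKI (hex) and SHA-1 of subjectPublicKey (RFC 5280 4.2.1.2 method 1)."""
    _, cert, _ = read_tlv(der_cert)
    _, tbs, _ = read_tlv(cert)                 # tbsCertificate
    f = children(tbs)
    if f[0][0] == 0xA0:                        # explicit [0] version, if present
        f = f[1:]
    # f: serial, signature alg, issuer, validity, subject, spki, [3] extensions
    subject, spki = f[4][1], f[5][1]
    cn = None
    for _, rdn in children(subject):           # Name = SEQUENCE OF SET OF SEQUENCE{oid, value}
        for _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == OID_CN:
                cn = val[1].decode("utf-8", "replace")
    ski = None
    exts = next((v for t, v in f[6:] if t == 0xA3), None)
    if exts:
        for _, ext in children(children(exts)[0][1]):  # [3] -> SEQUENCE OF Extension
            parts = children(ext)                      # oid, [critical], extnValue
            if parts[0][1] == OID_SKI:                 # extnValue wraps a KeyIdentifier OCTET STRING
                ski = children(parts[-1][1])[0][1].hex()
    pubkey = children(spki)[1][1][1:]          # BIT STRING value minus the unused-bits byte
    return {"cn": cn, "ski": ski, "key_sha1": hashlib.sha1(pubkey).hexdigest()}

def make_cert(cn, pubkey, ski):
    """Constructed, structurally valid certificate with a garbage signature (demo only)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"200601000000Z") + der(0x17, b"210601000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    ext = der(0x30, der(0x06, OID_SKI) + der(0x04, der(0x04, ski)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + name + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))

# --- constructed query results: (ip, port, DER certificate) --------------------
PIVOT_CN = "test-c2.example"                   # stands in for the advisory's Subject CN
KEY_A = b"\x01" * 64                           # constructed key bits the actor reuses
SKI_A = hashlib.sha1(KEY_A).digest()           # method-1 SKI derived from that key
KNOWN_IOCS = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}   # "already in the advisory"
RESULTS = [
    ("198.51.100.10", 443, make_cert(PIVOT_CN, KEY_A, SKI_A)),
    ("198.51.100.11", 443, make_cert(PIVOT_CN, KEY_A, SKI_A)),
    ("198.51.100.12", 443, make_cert(PIVOT_CN, KEY_A, SKI_A)),
    ("203.0.113.7", 8443, make_cert(PIVOT_CN, KEY_A, SKI_A)),            # new host, same key pair
    ("203.0.113.9", 443, make_cert(PIVOT_CN, b"\x02" * 64, SKI_A)),      # SKI copied onto a new key
    ("203.0.113.20", 443, make_cert("www.example.com", b"\x03" * 64, hashlib.sha1(b"\x03" * 64).digest())),
]

def hunt(results, known_iocs, pivot_cn, pivot_ski_hex):
    """Hosts matching the Subject/SKI pivot that the advisory does not already list.
    Returns (ip, port, same_keypair); same_keypair is True only when the SKI is the
    SHA-1 of the host's own public key, i.e. the operators reused the key material."""
    hits = []
    for ip, port, cert in results:
        f = cert_fields(cert)
        if ip in known_iocs or f["cn"] != pivot_cn or f["ski"] != pivot_ski_hex:
            continue
        hits.append((ip, port, f["ski"] == f["key_sha1"]))
    return hits

if __name__ == "__main__":
    for ip, port, same_key in hunt(RESULTS, KNOWN_IOCS, PIVOT_CN, SKI_A.hex()):
        print(f"{ip}:{port}  reused key pair: {same_key}")
```

The two hosts that survive the IOC exclusion are both worth scheduling a follow-up on, but they are not equivalent: the `same_keypair` flag separates a host that presents the actor's actual key from one that merely carries the same identifier string, which is the distinction an analyst wants before calling a new node confirmed infrastructure.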
Now, the keen users of Augury may be thinking, “Ok, x509 certificates are just one of your 50+ datasets… what else can we see about those IPs?”
“What have these hosts been doing on the internet?”
“Who has been talking to them, and who have they been talking to?”
“Are any of my static or remote assets being hit?”
Let’s drop those three IPs into a new query:
Netflow, SSH info, beacons, open ports… lots of good data to dig deeper and answer these questions. I think this is a good stopping point for this blog.
Note how quickly we got here: two queries in Augury. Any host or domain on the internet can be investigated with similar ease. We even have an API to automate this process if desired.
No need to host anything, no deployment of software / agents / scanners. Instant-on. Always-on.