Letter From Our Lead Scientist

Welcome to our latest threat report.

When we started the journey with Trellix, we knew merging two major backends would give us a tremendous cyberthreat perspective of what’s happening in the world. This edition includes a new category providing our readers more insights into what kind of threats are being observed from an email perspective.

We enjoyed seeing so many of you at RSA where we released and presented several pieces of our research ranging from an overview of attacks observed in the Ukraine to vulnerabilities we discovered in medical devices and building access control technology. This report highlights this research and other prevalent threats and attacks observed in the wild as well as and our data and findings from the first quarter of 2022.

When we’re at Black Hat, DEFCON, RSA, and other conferences, we appreciate the kind words and feedback we receive for our threat report. Don’t be a stranger between conferences and always feel free to reach out to us on our socials if you have a suggestion or missed information.

Until next time, please check out our Trellix Threat Labs blog page featuring our latest threat content, videos, and research. 

—John Fokker
Lead Scientist

John Fokker Twitter

The Evolution of Russian Cybercrime

Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures (TTPs) have not significantly evolved over time, although some changes have been observed. Lately, the threat landscape has changed, as multiple domains have partially merged. This trend was already on-going, but the increased digital activity further accelerated and exposed said trend.

Trellix has historically had a significant customer base in Ukraine and when the cyberattacks targeting the country intensified, we coordinated closely with government and industry partners to provide greater visibility into the evolving threat landscape. We have been eager to support the region against malicious cyber activity and have been able to go beyond sharing knowledge to also provide a wide range of security appliances at no cost in the affected region (our special thanks go out to our partners at Mandiant in getting some of the appliances deployed at those organizations who needed protection the most).

To support our customers and the people of Ukraine, Trellix Threat Labs coordinated with multiple government institutions to provide them with the necessary telemetry insights, intelligence briefings and analysis of the malware tools used by Russian actors. A large portion of Trellix's efforts were performed in discretion as protection of our customers is our highest priority.

In coordination with RSA, our Trellix Threat Labs team released our research (Growling Bears Make Thunderous Noise) on the Russian cybercriminal evolutions over time, the impact of a (cyber) war, and observed organization and activity.

The report includes detailed research not only on the impact of post-Russian invasion cyberwar, but also on many cyber groups and campaigns associated with the conflict:

• Phishing The Ukrainian Ministry Of Defense
• Gamaredon
• Wipers
• Targeted Exchange Servers
• UAC-0056
• Apt28
• Double Drop

Read more on the evolution of Russian cybercrime in the full report.

Methodology

Trellix’s backend systems are providing telemetry that we use as input for our quarterly threat reports. We combine our telemetry with open-source intelligence around threats and our own investigations into prevalent threats like ransomware, nation-state activity, etc.

When we talk about telemetry, we talk about detections, not infections. A detection is recorded when a file, URL, IP address or other indicator is detected by one of our products and reported back to us.

Privacy of our customers is key. It also is important when it comes down to telemetry and mapping that out to the sectors and countries of our customers. Client-base per country differs and numbers could be showcasing increases while we have to look deeper into the data to explain. An example: The Telecom sector often scores high in our data. It doesn’t necessarily mean this sector is highly targeted. The Telecom sector contains ISP providers as well that own IP-address spaces that can be bought by companies. What does that mean? Submissions from the IP-address space of the ISP are showing up as Telecom detections but could be from ISP clients that are operating in a different sector.

U.S. Ransomware: Q1 2022

In the beginning of 2022, we were optimistic when news came out that the Russian FSB had arrested several members of the REvil ransomware gang in Russia. Based on our analysis these affiliates played a minor role within the crime group, nevertheless, we were hopeful that this fragile hint of cooperation would lead to more arrests in Russia.

With the Russian invasion of Ukraine at the end of February 2022, we now know that this was wishful thinking. The war became a catalyst for cybercriminals to split up. Historically, politics were often set aside by cyber criminals, and we could see RU and UA ransomware criminals working together for financial gain.

The choosing of sides became most evident with Conti ransomware when they publicly expressed their support for the Russian administration and their actions.

This public statement did not go unnoticed and within a few days an anonymous researcher using the twitter handle @contileaks began publishing Conti’s internal communications online. The chats spanned across several years and consisted of thousands of messages that we dubbed this the “Panama Papers of Ransomware.”

Trellix has examined the leaked chats extensively and published a very extensive blog that is well worth the read. Highlights we found in the chats included their public statement supporting the Russian administration and a possible close relationship between the Conti leadership and the Russian Intelligence services. These ties support the findings from the report; “In the Crosshairs: Organizations and Nation-State Cyber Threats” which we published earlier in collaboration with CSIS. One of the key findings of the report was that the line between state and non-state actors continues to blur.

Initially we expected this communication breach to have a severe impact on the ransomware gang’s operation. However, it seemed that they were doubling down and continued their attacks, to a point that they brought a complete nation, Costa Rica, to a state of emergency. At the end of Q2 2022, we observed Conti-related infrastructure being dismantled. However, this isn’t exactly a reason to celebrate. Given the fact no senior members of this crime group have been arrested, and their connections to the Russian intelligence agencies, we should consider we might be witnessing the formation of a hybrid group, one that can attack targets chosen by the government, but maintaining the plausible deniability of a crime group after financial gain. The ransomware might have a dual purpose, on the one hand being disruptive in nature and on the other hand serving as a distraction for a data exfiltration operation.

Therefore, we highly urge every organization to take close note of ransomware TTPs especially if you have already determined RU state-sponsored groups to be our most likely threat.

Innovation-wise, we are observing Conti Group Targets ESXi Hypervisors With its Linux Variant, seemingly realizing virtualization services play an important role in an organization. This trend has been ongoing for quite some time, but with varied success leading to corrupted VMs due to faulty lockers and or decryptors.

Is it all bad news? Not necessarily. The Q1 2022 statistics from ransomware incident-response company Coveware do show a strong decline in the amount of cases in which victims were forced to pay the ransom amount to the attackers. This gives us hope, because not paying is still the best way to disrupt the criminal business model.

Trellix Researchers Uncover Critical Flaws in Building Access Control System

Critical infrastructure continues to represent one of the most enticing targets for criminals, worldwide, that exists in cyber warfare. This industry is plagued by legacy systems and riddled with trivial hardware and software flaws, configuration issues, and exceptionally sluggish update cycles. Yet, behind this façade, are many of the most essential systems we rely on, from fuel pipelines to water treatment, energy grids to building automation, defense systems and much more. 

One often-overlooked area of industrial control systems is access control, part of the building automation framework. Access control systems are commonplace, de facto solutions which provide automation and remote management for card readers and entry/exit points to secure locations.

According to a study done by IBM in 2021, the average cost of a physical security compromise is $3.54 million and takes an average of 223 days to identify a breach. The stakes are high for organizations that rely on access control systems to ensure the security and safety of facilities.

Trellix Labs recently unveiled breaking research into one such system, a ubiquitous access control panel by HID Mercury. Numerous OEM vendors rely on Mercury boards and firmware to implement their access control solutions. Our team shared our findings at Hardwear.io in Santa Clara on June 9, 2022 and will be featured at BlackHat this summer as well. Their findings highlighted four zero-day vulnerabilities and four previously patched vulnerabilities, never published as CVEs, with the top two leading to remote code execution and arbitrary reboot, completely unauthenticated. This means attackers on a building network could remotely lock and unlock doors, and avoid detection via the management software. The researchers prepared a blog highlighting the findings and will release a multi-part technical deep dive coinciding with BlackHat. Furthermore, they filmed a demonstration video of the attack, using two of the vulnerabilities to compromise a production cloned access control system in their lab.

Watch Our Demonstration Video

Security Updates

Carrier has released a new advisory on its product security page with specifics of the flaws and recommended mitigations and firmware updates. Applying vendor patches should be the first course of action, whenever possible. 

Call To Action: Connected Healthcare Cybersecurity

The medical industry is at unique risk of attack due to the numerous purpose-built devices used, such as anesthesia machines, IV pumps, point of care systems, MRI machines, and numerous others. Many of these devices are not found in other industries nor the average household. Their lack of ubiquity creates a false sense of security and reduced scrutiny from the security research industry.

Medical devices and software are falling short in fundamental security practices such as handling credentials and are ripe with RCE vulnerabilities. This is enticing to cybercriminals and we must be on our guard to prevent further attacks as it won’t be an ignored attack surface forever. All stakeholders must acknowledge that the large selection of authentication vulnerabilities indicates the medical space needs more research, both internally and externally, to harden these devices. It’s not simply management systems and other web-based applications we need to focus on, but any network connected medical device needs to be accessed. Currently it doesn’t appear that these devices are being targeted by malicious actors but this doesn’t mean we can relax. There have been plenty of RCE vulnerabilities to choose from and public exploit code for re-use. While attackers are using other methods to attack hospitals and clinics they will search for easier access when those methods run dry. Society as whole cannot allow medical devices and software to continue to be a weak point for attackers to exploit and therefore should encourage both internal and external security testing across developers and researchers alike.

You can read the details of our research in our recent Connected Healthcare: A Cybersecurity Battlefield We Must Win blog. Using public data such as CVE databases we analyzed the current state of the attack surface in the medical space and evaluated active threats and distribution of discovered vulnerabilities. We believe that more partnerships between medical device vendors, medical care facilities and security researchers in junction with increased security testing is warranted to prevent a growing attack surface from becoming even more attractive to malicious actors.

Living Off the Land

We track threat actors, tactics techniques and procedures as well as malware being used. We have also identified and reported quarterly regarding non-malicious and often necessary default binaries that can and often are abused to conduct various phases in an attack. While it remains necessary to know the custom and commodity malware, as well as living off the land TTPs to defend against, it is also necessary to know the enemy and identify objectives. Diving a little deeper into the LoLBins, the question remains, who is using our tools against us and why? Do they not have the ability to write custom malware that may accomplish the objective at hand? Or is it simply a tool of convenience and an attempt to stay unseen? After all threat actors are often employed much like everyone else, they have meetings with their overlords, they have daily, quarterly, and yearly goals, work on sprints and earn a paycheck. 

If we are going to honor our mission “To Deliver Living Security Everywhere” we must equip ourselves, our customers and our colleagues who are in the day-to-day fight to protect our critical information, infrastructures, and assets from those who seek to profit from the exploitation of vulnerabilities and theft of intellectual and organizational data. 

What binaries have we seen being abused and who did was seen abusing them in Q1 2022? 

Email Security Trends: Q1 2022

Email telemetry analysis from the first quarter of 2022 revealed phishing URLs and malicious document trends in email security.

Most of the malicious emails detected contained a phishing URL used to either steal credentials or lure the victims to download malware. Next in popularity we identified emails with malicious documents such as Microsoft Office files or PDFs attached. These documents contain macros that work as downloaders or exploits that result in the attacker gaining control of the victim system. Lastly, we encounter several emails with malicious executables like infostealers or trojans attached.

Exploits

When we focus on the exploits used, we realize that most of them come packed as malicious RTF files, MS Office documents with weaponized OLE objects, or PDFs infected with Adobe Reader exploits or malicious JS scripts. In the following figure we can see that the top three file formats are the windows rtf, followed by the latest office format and finally we have the legacy role office formats.