New Sophisticated Malware

Mandiant is reporting on a new botnet.

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

  • The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
  • Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
  • A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
  • An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

[…]

Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.

From Mandiant:

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.
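The point both quotes make is that the devices UNC3524 lived on (load balancers, wireless controllers, appliances with opaque OSes) cannot run an endpoint agent, so any detection has to come from the network side: an asset inventory that records which devices are agentless, a baseline of where each of those devices normally talks, and a check for new or unusually long-lived outbound sessions. The script below is an added illustration of that check, not code from Mandiant or from the post; the inventory, the baseline and the flow records are constructed sample data, and the thresholds are assumptions.

```python
"""Network-side review of flows from devices that cannot host an endpoint agent.

Constructed example: the inventory, baselines and flow records below are
made up to show the check, they are not real telemetry.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    bytes_out: int    # bytes sent by src
    duration_s: int   # session length in seconds


# Constructed asset inventory: address -> (device class, has endpoint agent?)
INVENTORY = {
    "10.0.1.10": ("load-balancer", False),
    "10.0.1.20": ("wlan-controller", False),
    "10.0.2.5": ("workstation", True),
    "10.0.2.6": ("workstation", True),
    "10.0.3.9": ("mail-server", True),
}

# Constructed baseline: external destinations each agentless device is expected
# to reach (e.g. a vendor update or health-check host).
BASELINE_EXTERNAL = {
    "10.0.1.10": {"203.0.113.10"},
    "10.0.1.20": {"203.0.113.20"},
}


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def agentless_devices(inventory):
    """Devices the EDR cannot see: the blind spots the check concentrates on."""
    return {ip for ip, (_cls, has_agent) in inventory.items() if not has_agent}


def review_flows(flows, inventory=INVENTORY, baseline=BASELINE_EXTERNAL,
                 long_lived_s=3600):
    """Return (finding, src, dst) tuples for outbound flows that need a look.

    Three conditions are reported:
      unknown-internal-asset   internal source missing from the inventory
      new-external-destination agentless device talking to a non-baseline host
      long-lived-outbound      agentless device holding a session >= long_lived_s
    Hosts that carry an endpoint agent are left to the agent.
    """
    blind = agentless_devices(inventory)
    findings = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only outbound flows from internal hosts are reviewed
        if f.src not in inventory:
            findings.append(("unknown-internal-asset", f.src, f.dst))
            continue
        if f.src not in blind:
            continue
        if f.dst not in baseline.get(f.src, set()):
            findings.append(("new-external-destination", f.src, f.dst))
        if f.duration_s >= long_lived_s:
            findings.append(("long-lived-outbound", f.src, f.dst))
    return findings


# Constructed sample flows (documentation address ranges, not real hosts).
FLOWS = [
    Flow("10.0.1.10", "203.0.113.10", 443, 2_000, 2),            # baseline check-in
    Flow("10.0.1.10", "198.51.100.7", 443, 9_000_000, 7_200),    # new host, 2h session
    Flow("10.0.1.20", "203.0.113.20", 443, 500, 1),              # baseline check-in
    Flow("10.0.2.5", "198.51.100.8", 443, 30_000, 10),           # workstation, has agent
    Flow("10.0.1.20", "10.0.3.9", 443, 1_000, 5),                # internal, ignored
    Flow("10.0.9.99", "198.51.100.9", 443, 100, 1),              # not in inventory
]

if __name__ == "__main__":
    for kind, src, dst in review_flows(FLOWS):
        print(f"{kind:26} {src:>12} -> {dst}")
```

The interesting design choice is that the check never inspects the device itself: everything comes from flow records and an inventory, which is exactly the telemetry still available when the compromised box is an appliance nobody can install software on. The unknown-asset branch matters for the same reason; a device that is not in the inventory is a blind spot whether or not it could run an agent.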

Posted on May 4, 2022 at 6:15 AM • 16 Comments

Comments

Andy May 4, 2022 8:58 AM

Looks like Mandiant wants to justify why the malware has gone undetected for up to 18 months.

Ted May 4, 2022 9:08 AM

This is so interesting. Ars reports that UNC3524’s activity overlaps with that of two Russian state hacker groups: APT28/Fancy Bear and APT29/Cozy Bear.

However, Mandiant isn’t yet linking UNC3524 to an existing group. The level of sophistication in the malware is pretty remarkable. This seems an odd mismatch to what we’ve seen in Russia’s kinetic activities.

I’m curious what companies were targeted, but I’m sure this won’t percolate for a while, if ever. Since the actors were targeting the mailboxes of exec teams and employees working in corp dev, M&A, and IT security, it does make me think of corporate espionage.

Does this kind of thing make it into SEC public disclosures, or is it just par for the course?

RealFakeNews May 4, 2022 9:32 AM

UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.

Not really…it just means it wasn’t detected for a while.

What is so remarkable about re-purposing a proxy server to transmit data? The entire point of deep-packet inspection is to catch payloads and not only the TCP wrappers.

Hacking IoT is not exactly a new idea, either. It seems they know their target and acted accordingly. Just because someone bothers to do a bit of research (heck – do they have someone on the inside?) doesn’t make them uber hackers; just better than the majority that just stab everything they see until they get a hit.

Clive Robinson May 4, 2022 10:03 AM

@ ALL,

Colour me unsurprised by,

“…runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.”

We’ve known for two decades this is the exact reason the NSA, GCHQ and other SigInt agencies did their thing on the routers 1 step removed from the target.

It’s why we say,

If you don’t own it you don’t control it…

An expression that has morphed and extended its meaning in that time…

As few these days “own what they have purchased”… Google “owns” your Android OS, the consumer electronics manufacturers own not just your “Smart Devices” and “Smart meters” but your TVs, cars and medical implants…

You are now getting plump and ripe to be “rent payers” exploited to the maximum…

Hey you think it bad when you can not buy your insulin, how are you going to feel when you can not pay the monthly rent on your pacemaker?

That is the society we are being moved into and this malware is just the leading edge of much worse to come…

We can stop it happening but will we?

Don’t be daft, most will dumbly sleepwalk into the gilded trap, then bleat as they are sacrificed…

Ted May 4, 2022 1:20 PM

@RealFakeNews

Not really…it just means it wasn’t detected for a while.

Please tell me Zero Trust addresses this. Can you believe that default credentials in IoT devices may have been involved here? Argh! Also from Mandiant:

These cameras were directly Internet exposed, possibly through an improper UPnP configuration, and may have been running older firmware.

The inability to monitor certain devices has got to be a pea under the mattress of many a CISO. To the chagrin of the sec team, the attackers may have also been familiar with incident response and how to avoid triggering detection. See how their C2 traffic was feathered up?

lurker May 4, 2022 3:41 PM

“After gaining initial access by unknown means,…”

Oops… A nice glossy report about what they did once inside, and how to clean up after them, but to echo @Clive again: if they can’t get in, they can’t do much…

The first O’Reilly book I purchased was (1st edn.) Building Internet Firewalls. It was very easy reading and should be understandable even to a CIO.

Clive Robinson May 4, 2022 4:56 PM

@ lurker, ALL,

RE : If they can’t get in…

It’s why almost my first question is,

“What is the business case for this computer to be externally connected?”

The general reply once the waffle and arm waving is chopped, is,

“Err we don’t have one…”

If you listen to the arm waving waffle it gets down to some MBA mantra they got taught…

That kind of boils down to,

“We missed SMS, and it was a major success. We missed Email, and that was a major success. So we are not going to miss XXX”

Only they do, as they have not a clue.

The reality is we all missed both SMS and Email; they peaked and were gone before we recognised them…

But now of both we can say,

“They first got to be a major success for E-Crims”

Which is kind of funny in a way: the cyber-crooks are better at spotting “major successes” that work for crime long before business finds it’s “Missed the boat”…

Do MBA lecturers have to have communications from Nigerian Princes/Colonels or similar before they spot a communications potential?

Boris May 6, 2022 1:56 AM

@Clive, @Lurker: It’s not that simple of course – supply chain attacks, remote updates, and ‘telemetry’ built into many IoT devices mean that a network perimeter includes the perimeters of the IoT manufacturers too. (Which includes their suppliers, ad infinitum.)

In the companies I work at the focus is now very much more about damage limitation, containment and MTTR after an inevitable breach.

Ignoring the ‘zero-trust’ hype, a lot of companies would be well advised to do the same and redo their threat modelling on the basis that their perimeter defenses are not nearly as effective as the vendors say.

SpaceLifeForm May 6, 2022 2:25 AM

@ lurker

It was very easy reading and should be understandable even to a CIO

After mulling this over and sleeping on it also, I still believe there is a flaw in your argument.

Not the very easy reading part.

Not the understandable part.

Just that some CIOs actually care to read.

SpaceLifeForm May 6, 2022 3:04 AM

@ Boris, Clive, lurker

Ignoring the ‘zero-trust’ hype, a lot of companies would be well advised to do the same and redo their threat modelling on the basis that their perimeter defenses are not nearly as effective as the vendors say.

If an org is relying upon a vendor for perimeter defense, they have lost.

If you can not secure your perimeter without outside help, you are not managing your network properly.

You are either being cheap, or stupid. Probably both.

Clive Robinson May 6, 2022 12:50 PM

@ Boris,

… supply chain attacks, remote updates, ‘telemetry’ built into many IoT devices means that a network perimeter includes the perimeters of the IoT manufacturers too.

It’s actually worse than that…

Increasingly IoT devices are just “instrumentation heads”. That is, the only functionality on the devices is to send the sensor output to some server in China or elsewhere.

Many of Amazon’s products are like this; just take a look behind “Ring” for instance. Do you really want “nanny-cam” type images of your children being sent to a bunch of “boys in blue” who are known to have perverts and rapists in their numbers?

Nope me neither but that is what can happen with those Amazon CCTV devices.

But that potential horror aside, not only does Amazon get to sell all the images your home CCTV collects, Amazon decides how and when you use the system you’ve purchased…

It’s not just Amazon who see the benefit of such IoT devices, that,

1, You buy but don’t own.
2, That they control and you don’t.
3, They can use to force you into endless “rent agreements”.
4, They can use to spy on you, your family, your friends, your neighbours, and strangers walking past your home/office etc.
5, Collect and sell any and all the data without compensating you or anyone else they have spied upon.

And this is just the start of it…

Have a think about having to pay rent on your pacemaker or other implanted medical device…

ResearcherZero May 11, 2022 5:12 PM

Many of these institutions don’t even have a response plan in place before an incident takes place.

Simple physical access to cabling, using USB, or a wireless access point. The equipment in many of these networks is easily accessed, populated by unsecured devices, or equipment containing firmware which can be exploited. The follow-up on such intrusions is often lacking, with no formal procedure and without any interviews.

Any original plans of having a security policy are quickly dashed when the minister, or sometimes department head, makes budget cuts and replaces a bunch of equipment with cheap s**t. Often logging is poor and the access trail is even worse. No one knows who did what, to limit accountability, and provide unfettered internal access for financial transfers, otherwise it would be significantly more difficult to embezzle finances. When the department head spends $10M on his house, everything the department touches likely has crap security.

Fortunately ransomware operators are limited by hours of the day awake and spoiled for choice. I imagine they do read the audits.

The vast majority of espionage is unreported. If you are in view of a camera you should probably be wearing underwear at the very least.

Chris Drake May 15, 2022 7:39 PM

I registered an expired botnet domain, and achieved thousands of incoming connections daily. Scanning them, I discovered they were all modems and other IoT gadgets, and ALL with default logins. Within about 2 minutes of them connecting, someone else had logged in and changed the password.

I wrote a script to beat them, effectively locking out the attackers, on the top 10 or so brands of equipment that were connecting.

I contacted the federal police to ask them to do something about this. They told me to stop doing what I was doing because I was breaking the law by locking out the hackers. I tried REALLY hard to get them to do something, they refused and blocked me at every turn.

Updating the firmware was one of the available options in all those devices.

There really needs to be a better (or any at all) way for the “good guys” to get law-enforcement to actually do their job.

JonKnowsNothing May 15, 2022 8:10 PM

@Chris Drake, @All

re: Helping out when Help is not wanted

IANAL, ymmv

There are many stories of people who “tried to help” and ended up on the wrong end of the handcuffs. It is hazardous to venture beyond the point of simple curiosity to active or reactive actions.

You might well spend a few moments considering what happened to some who did historically and what is happening to some that are still in the “mists of legal miasma”. The big headliners with deep pocket friends may have a chance, the ordinary person doesn’t have any at all. Even the “professional grade” folks run the risks of offending someone, in some jurisdiction, somewhere on the planet who might have triggered their rendition red card to InterPol.

A curious story over on Marcy Wheeler’s site, one that has been rotating over the spit slowly for 3 years, involves a person who alerted the FBI to a potential tech attack by a foreign state. The alert gave the FBI time to kill a MSM journalist’s report about the incident (which no one seems bothered by) but focuses on whether the person told the FBI because of “true blue honesty and integrity, wanting to help foil a foreign plot” or whether “there was an ulterior motive to divert FBI resources for some undisclosed personal and commercial profit”.

As Griphook said “It’s complicated ….”

===

Search

note: you may need to read backwards on the threads to match the names with the players:

ht tps://www.e mptywheel.net/2022/05/15/will-kleptocapture-catch-john-durham-along-with-the-russian-spies-and-oligarchs/

(url lightly fractured )

&ers May 15, 2022 8:38 PM

@Chris Drake

In history there are lots of examples where the desire to help causes bigger problems. One classical example is Welchia.

hxxps://en.wikipedia.org/wiki/Welchia

I still remember those days, the ICMP flood was enormous!
