Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert about an emerging sophisticated campaign affecting multiple industry sectors.
The attacks have been occurring for at least a year, with threat actors using stolen administrative credentials and certificates to install multiple malware variants on critical systems. A successful attack gives the threat actors full access to systems and data, while the methods used allow the attackers to avoid detection by conventional security solutions.
While many organizations have been attacked, one of the main targets has been IT service providers. Gaining access to their systems has allowed the actors to conduct attacks on their clients and gain access to their environments. The method of attack allows the actors to bypass conventional monitoring and detection tools and, in many cases, results in the attackers gaining full access to networks and stored data.
NCCIC is still investigating the campaign so full information is not yet available, although an advance warning has been issued to allow organizations to search for signs of a potential system compromise and take appropriate action to mitigate risk.
While multiple tactics, techniques and procedures are used in the campaign, credentials are primarily stolen using malware. Those credentials are then used to gain access to business environments. Once access has been gained, the attackers use PowerShell for reconnaissance, to assess business networks and to move laterally within those networks.
Communication with the command and control (C2) infrastructure uses the RC4 cipher over port 443. The C2 domains frequently change IP address and are commonly spoofed to make them appear as Windows update sites and other legitimate domains.
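A defender-side check for the domain behaviour described above, as an added example that is not from the NCCIC alert or the original article: it scans a constructed DNS log for names that imitate Windows update hosts but sit outside an allowlist of Microsoft parent domains, and records how many distinct IPs each resolved to. The allowlist, lure tokens, churn threshold and log format are assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumptions (not from the alert): allowlist, lure tokens, churn threshold.
LEGIT_PARENTS = ("microsoft.com", "windowsupdate.com", "windows.com")
LURE_TOKENS = ("windowsupdate", "windows-update", "winupdate", "msupdate")
MIN_DISTINCT_IPS = 3  # distinct answers that count as "frequently changing"

# Constructed sample log, format: timestamp client query answer_ip
SAMPLE_LOG = """\
2017-05-01T09:00:01Z 10.0.0.5 download.windowsupdate.com 203.0.113.10
2017-05-01T09:05:01Z 10.0.0.5 download.windowsupdate.com 203.0.113.11
2017-05-01T09:10:01Z 10.0.0.5 download.windowsupdate.com 203.0.113.12
2017-05-01T09:01:00Z 10.0.0.7 windowsupdate.cdn-sync.example 198.51.100.4
2017-05-01T10:01:00Z 10.0.0.7 windowsupdate.cdn-sync.example 198.51.100.77
2017-05-01T11:01:00Z 10.0.0.7 windowsupdate.cdn-sync.example 192.0.2.9
2017-05-01T09:02:00Z 10.0.0.8 microsoft.com.winupdate.example 192.0.2.50
2017-05-01T09:03:00Z 10.0.0.9 intranet.corp.example 10.0.0.20
truncated-line
"""

def is_legit(domain):
    """True only if the name is, or is a subdomain of, an allowlisted parent."""
    return any(domain == p or domain.endswith("." + p) for p in LEGIT_PARENTS)

def looks_like_update_site(domain):
    """True if the name carries a token that imitates a Windows update host."""
    return any(tok in domain for tok in LURE_TOKENS)

def find_suspects(log_text):
    """Map each lookalike domain to its distinct-IP count and churn flag."""
    answers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated records
        query = parts[2].lower().rstrip(".")
        answers[query].add(parts[3])
    suspects = {}
    for domain, ips in answers.items():
        # Legitimate CDN names rotate IPs too, so the name check comes first.
        if looks_like_update_site(domain) and not is_legit(domain):
            suspects[domain] = {"distinct_ips": len(ips),
                                "ip_churn": len(ips) >= MIN_DISTINCT_IPS}
    return suspects

if __name__ == "__main__":
    for name, info in sorted(find_suspects(SAMPLE_LOG).items()):
        print(name, info)
```

The legitimate `download.windowsupdate.com` entries also rotate through three addresses, which is why IP churn is reported as supporting context for a lookalike name rather than used as a trigger on its own.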
While many malware variants are used by the threat actors, two of the most common are the REDLEAVES remote administration Trojan and the sophisticated remote access tool PLUGX/SOGU, both of which are executed via DLL side-loading.
REDLEAVES is capable of passing a range of information about the user’s system and allows the attackers to run commands on the infected system. PLUGX provides the attackers with complete C2 capabilities, including the ability to take screenshots and silently download files, with all C2 communications encrypted to prevent detection.
NCCIC has compiled and published indicators of compromise (IOCs) to allow organizations to identify intrusions and malware infections. Organizations have been advised to continuously analyse their systems for those IOCs via their normal intrusion detection systems.
It may not be possible for organizations to prevent their systems from being attacked, but if appropriate defences are put in place it will make it much harder for the threat actors to infiltrate systems and operate undetected. NCCIC says no single set of defensive techniques will avert malicious activity; however, adopting a multi-layered approach to security will allow organizations to construct an effective barrier to prevent attacks.
IOCs, details of the attack methods and suggested mitigations are available for download from NCCIC.