We are in the middle of what can fairly be described as a perfect storm for cybersecurity. As we’ve covered before, the threat landscape is expanding rapidly, particularly with the growing reliance on connected technologies like IoT. Meanwhile, attackers are becoming more numerous and more sophisticated, and they are adept at navigating this evolving environment. A series of newly uncovered attacks demonstrates how these trends are colliding to create potentially widespread risk.
As described by Scott Ikeda for CPO Magazine, “A new threat actor is aptly demonstrating the risks that improperly secured Internet of Things (IoT) devices can pose.” Mandiant, the security firm researching the actor, has named it UNC3524, and it has carried out what has been called a “mass cyber espionage campaign.” The group appears keenly interested in corporate mergers and acquisitions: evidence shows it has been quietly sifting through victims’ email, in some cases for as long as 18 months, to pull out information. Although the group’s tradecraft resembles that of some Russia-based actors, its identity has not been determined. What is known is how it went about gaining and keeping that access.
Ars Technica explained that UNC3524 “used a novel backdoor, top-notch tradecraft, and software engineering” to infiltrate networks without being noticed and to re-establish access whenever it was kicked out. The backdoor, which Mandiant has named Quietexit, runs on network appliances such as load balancers and wireless access point controllers. Those devices cannot run antivirus or endpoint detection and response agents, so an implant living on them is far harder to expose. From these footholds the group set up SOCKS tunnels into the victims’ networks, letting its operators reach internal systems from their own infrastructure, and by working over Windows’ own protocols rather than dropping extra tooling on monitored endpoints, the hackers kept their profile low. In summarizing the stealth behind these actions, the researchers analyzing the attacks wrote, “Using the example of an infected load balancer, the C2 domains contained strings that could plausibly relate to the device vendor and branded operating system name. This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear as legitimate to anyone that might scroll through DNS or session logs.”
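The point of that quote is that a human scrolling through DNS logs will not catch a C2 domain that merely looks like the appliance vendor’s; the check has to be mechanical and allowlist-based. The following is an added illustration, not code from Mandiant or from any of the articles cited here. It assumes a small inventory mapping each appliance’s IP to its vendor brand token and the vendor’s real DNS zones, and runs over a few constructed DNS log lines in a hypothetical “timestamp client qname” format. Vendor names, zones, IPs and log lines are all made up for the example.

```python
"""Flag appliance DNS lookups whose names borrow the device vendor's brand but
resolve outside the vendor's real zones (the C2 blending trick described above).
All inventory, vendor names and log lines below are constructed for illustration."""
from __future__ import annotations

import re

# Hypothetical appliance inventory: appliance IP -> (vendor brand token, real vendor zones).
# In practice this comes from the asset inventory and the vendor's published domains.
APPLIANCES: dict[str, tuple[str, set[str]]] = {
    "10.0.5.10": ("acmelb", {"acmelb.com", "acmelb-support.net"}),   # load balancer
    "10.0.7.3": ("wavectl", {"wavectl.io"}),                          # AP controller
}

# Constructed DNS log lines: "<timestamp> <client_ip> <queried_name>".
DNS_LOG = """\
2022-04-01T03:12:09Z 10.0.5.10 update.acmelb.com
2022-04-01T03:12:44Z 10.0.5.10 acmelb-firmware-cdn.net
2022-04-01T04:01:02Z 10.0.7.3 license.wavectl.io
2022-04-01T04:02:10Z 10.0.7.3 wavectl-telemetry.com
2022-04-01T04:03:00Z 10.0.9.20 acmelb-firmware-cdn.net
2022-04-01T05:00:00Z 10.0.5.10 ntp.example.org
2022-04-01T05:00:30Z 10.0.5.10 acmelb-firmware-cdn.net.
"""


def normalize(qname: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def is_vendor_zone(qname: str, zones: set[str]) -> bool:
    """True if qname is one of the vendor's real zones or a name under one of them.
    The '.' prefix matters: 'notacmelb.com' must not match zone 'acmelb.com'."""
    q = normalize(qname)
    return any(q == z or q.endswith("." + z) for z in map(normalize, zones))


def is_lookalike(qname: str, brand: str) -> bool:
    """True if the vendor's brand token appears anywhere in the name.  Separators are
    stripped before matching so 'acme-lb' and 'acmelb' both hit; this is deliberately
    broad, because the allowlist check in find_lookalikes does the narrowing."""
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    return squash(brand) in squash(qname)


def find_lookalikes(log: str) -> list[tuple[str, str]]:
    """Return (appliance_ip, qname) pairs, deduplicated and in log order, for names
    that borrow the appliance vendor's brand but live outside the vendor's zones.
    Lookups from hosts that are not appliances are out of scope and skipped."""
    hits: list[tuple[str, str]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        _ts, client, qname = parts
        if client not in APPLIANCES:
            continue
        brand, zones = APPLIANCES[client]
        if is_lookalike(qname, brand) and not is_vendor_zone(qname, zones):
            hit = (client, normalize(qname))
            if hit not in hits:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, name in find_lookalikes(DNS_LOG):
        print(f"{ip} queried vendor-lookalike name {name}; verify against vendor domains")
```

Run as a script it reports the two lookalike names; the genuine vendor hostnames and the NTP lookup pass. The same allowlist logic applies to session logs keyed by destination: the appliance should only be talking to hosts the vendor actually owns, plus whatever your own management systems are.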
The malware also blended in on disk: Quietexit’s files were timestomped, their timestamps altered to match neighbouring files on the appliance so they would look legitimate under forensic review. Once the group obtained privileged credentials for a victim’s mail environment, it used them against the services fronting the targeted mailboxes to read email. Additionally, TechRepublic reported that UNC3524 broke into conference room camera systems that researchers believe were running outdated firmware or still using “default credentials.” Taken together, this can seem overwhelming to address, but the recommendations being released are concrete: require multi-factor authentication for email, change the passwords set on network appliances (especially any still at vendor defaults), patch those appliances and systems for known vulnerabilities, and, because these devices cannot run endpoint agents, keep an eye on what they talk to on the network.
Although UNC3524’s campaign is unique in execution and intent, CPO Magazine pointed out that it is not the first to go after business dealings like M&A. Others have targeted companies such as venture capital and private equity firms. Those were often set up as ransomware events, but some went a step further and aimed to tamper with stock prices. Gangs including REvil and DarkSide were linked to this type of activity before being taken down.
Winnti and BIG-IP
On top of the UNC3524 campaign, another recently disclosed operation shows that espionage intrusions aimed at stealing business information are on the rise. According to TechRadar’s coverage, researchers from Cybereason uncovered a campaign by the Chinese state-sponsored group Winnti that had been victimizing technology and manufacturing companies in North America, Europe and Asia for at least three years. Somewhat like UNC3524, Winnti relied on new malware that abuses Windows features to stay hidden. In this case the hackers were after intellectual property: blueprints, manufacturing information and more.
Unfortunately, that’s not all. Reports are also emerging of a vulnerability with a 9.8 severity rating. Ars Technica’s Dan Goodin wrote that the vulnerability “affects F5’s BIG-IP, a line of appliances that organizations use as load balancers, firewalls, and for inspection and encryption of data passing into and out of networks.” Part of what makes this case so concerning is F5’s estimate that the appliances are used by 48 of the Fortune 50. Because BIG-IP so often sits in front of web servers and handles their TLS, compromising it puts the “decrypted contents of HTTPS-protected traffic at risk,” according to the article. An attacker who can reach the appliance’s management interface and exploit the flaw gains administrative control of the device. F5 has issued a patch, but with exploitation already under way, organizations are urged to check their exposure: confirm the management interface is not reachable from the internet or other untrusted networks, apply the fix, and review the appliance for signs of compromise rather than assuming the patch closed the matter.
- “Corporate M&A Under Attack by Cyber Espionage Gang That Enters via Unsecured IoT Devices, Quietly Monitors Emails” – Scott Ikeda, CPO Magazine
- “Botnet that hid for 18 months boasted some of the coolest tradecraft ever” – Dan Goodin, Ars Technica
- “UNC3524: The nearly invisible cyberespionage threat sitting on network appliances” – Cedric Pernet, TechRepublic
- “Chinese hackers have been running riot on unsecured Windows devices” – Sead Fadilpašić, TechRadar
- “Hackers are actively exploiting BIG-IP vulnerability with a 9.8 severity rating” – Dan Goodin, Ars Technica