
BlackHat 2015: 2FA key to defence against cyber espionage groups

Abuse of credentials and watering-hole attacks are main tactics used by cyber espionage group TG-3390 or Emissary Panda, research reveals

Two-factor authentication (2FA) for all remote access services is key to defending against industrial and government cyber espionage groups, according to Dell SecureWorks.

This is one of the main strategies recommended by the firm’s Counter Threat Unit (CTU), which has unveiled a report at the BlackHat USA 2015 security conference in Las Vegas detailing the operations of one particular espionage group.

For more than two years, CTU researchers have been monitoring a China-based cyber espionage group, which they have dubbed Threat Group 3390 (TG-3390).

The group’s operations are very well planned and very well funded, and every step its members take is carefully calculated, according to Aaron Hackworth, senior distinguished development engineer of the Dell SecureWorks CTU.

“This report provides an unprecedented level of detail about the group and its operations,” he told Computer Weekly.

The main tactic used by TG-3390 is to use strategic web compromises or watering-hole attacks to infect their targets, although in one case it has been seen to use a spear phishing attack.

The CTU believes it is seeing just a fraction of TG-3390’s activity, but even in this limited view, it has discovered that the group has infected the websites of 100 organisations across the globe to ensnare its targets.

These compromised websites include a defence manufacturing firm based in Spain, large manufacturing companies, energy companies, embassies, non-governmental organisations focused on international relations, and defence and government organisations.

The researchers said TG-3390 knows exactly which websites its targets are visiting and, as a result, has specifically targeted and compromised 50 entities based in the US and the UK, including auto, electronic, aircraft, pharmaceutical, and oil and gas manufacturers. The group has also compromised educational institutions, law firms, defence contractors and political organisations.

The group placed code on each site that redirected visitors to a malicious site, and if the visitor had an IP address that was of interest, the computer user would be served an exploit kit the next time they returned to the compromised site.

To avoid detection, these compromised sites were not always used to serve code, with the attackers withdrawing from sites for a period of time to stay under the radar.

The CTU’s long-term monitoring of TG-3390 has enabled researchers to detail the group’s actions, including what tools it is using to compromise its victims, how it spreads throughout the victim’s network, how it sneaks the data out of networks, and what steps the hackers take to re-enter the victim’s network once they have been detected.

Significantly, the researchers found that, to date, TG-3390 has relied on exploits of old vulnerabilities to compromise its targets and has not used any zero-day vulnerabilities. “By keeping all operating system and application software up to date with the latest security patches, organisations can block many known exploits,” said Hackworth.

However, the researchers said TG-3390 has many tools in its toolbox. Some of them are exclusive, while others are shared among a small group of Chinese threat groups.

The researchers found that malware used by the threat group can be configured to bypass network-based detection, and the group’s obfuscation techniques in watering-hole attacks complicate detection of malicious web traffic redirects.

Two of the tools used by the attackers – ASPXTool and the OwaAuth web shell – appear to be exclusive to the group, the researchers said.

According to the report, OwaAuth is a web shell and credential stealer deployed to Microsoft Exchange Servers and is installed as an ISAPI filter, while ASPXTool is a modified version of the ASPXSpy web shell that is used on internally accessible servers running Microsoft Internet Information Services (IIS).

The researchers found that once inside the targeted network, the attackers go for the domain controller, which gives them access to credentials for a variety of users.

As well as going after the domain controller, the attackers also move to install a keylogger and backdoor on Microsoft Exchange servers.

To compromise the Exchange Server, the attackers obtain credentials for a privileged account and map a network share to the server. “This group likes to use stolen credentials as a way of getting into networks and moving around once inside but, by using two-factor authentication, organisations can ensure that even if credentials are stolen, they will be useless without access to the second factor required for authentication, such as a security token,” said Hackworth.

The servers make attractive targets because their criticality to business operations means they have high availability, the researchers said. Also, the backdoor guarantees the attackers a way to steal credentials and get back into the network if they are detected and removed.


TG-3390 also uses the PlugX remote access tool, which the researchers described as the “new Poison Ivy” because it is a full-featured backdoor used by many threat groups: it is delivered to the host in countless ways, persists using a variety of techniques, and is challenging to detect when relying on signatures from traditional security controls.

In addition to PlugX, the group uses multiple tools used by other threat groups, such as HttpBrowser, a web-based executable script known as the ChinaChopper web shell, and a web application scanning tool known as Hunter.

According to the researchers, TG-3390 attackers were observed moving laterally to other hosts in as little as two hours after penetrating the network. Data exfiltration has been observed almost four weeks after the initial compromise and continuing for two more weeks.

The CTU found that not only was TG-3390 very selective about which website visitors it compromised, but it was also very discriminating about the intellectual property it stole from its victims. The CTU observed that TG-3390 typically targets a particular project or projects that the victim organisation is working on, and then steals every file relating to the project or projects, but will not extract any other files in order to stay undetected for as long as possible.

“While other groups tend to mass-collect data, TG-3390 is efficient and methodical about the way it operates and tends to take only very specific data,” said Hackworth. This indicates that the group may have some of the most sophisticated hacking tools that enable it to locate specific data, he said.

The researchers warned that getting TG-3390 out of an environment requires a co-ordinated plan to remove all access points, and that within weeks of eviction, the threat actors typically attempt to access their ChinaChopper web shells or backdoors from previously used IP addresses.

If the web shells are inaccessible, the attackers typically attempt to re-enter the environment by brute forcing credentials for remote access solutions that do not require two-factor authentication. After re-entering an environment, the threat actors focus on obtaining the active directory contents, and have been able to regain a foothold in a network in just five hours, the researchers said.

“There is a long list of standard security practices that should be followed, but there are a few key strategies that organisations can use to reduce the time to detection and reduce the effort required to respond,” said Hackworth.

In addition to using two-factor authentication for all remote access services, including webmail, Hackworth advised that, to defend against espionage groups such as TG-3390, organisations should remove all local administrator rights, audit ISAPI filters on Microsoft Exchange servers for TG-3390’s OwaAuth or similar tools, and keep third-party software up to date.
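One way to carry out the ISAPI-filter audit Hackworth recommends, as an added PowerShell example that is not from the SecureWorks report or from Computer Weekly: it lists every filter DLL that IIS loads at server and site scope on an Exchange host and flags any that is unsigned, signed by someone other than Microsoft, or located outside the IIS and Exchange install directories. The expected-directory list and the use of the WebAdministration module are assumptions; adjust them to your own build.

```powershell
# Added example: audit IIS ISAPI filters on an Exchange server for
# OwaAuth-style implants. Run elevated on the server itself.
# Assumption: the WebAdministration module is present (it ships with IIS).
Import-Module WebAdministration

# Assumed set of directories a legitimate filter DLL should live in.
# ExchangeInstallPath is set by the Exchange installer; dropped if unset.
$expectedDirs = @(
    "$env:SystemRoot\System32\inetsrv",
    "$env:ExchangeInstallPath"
) | Where-Object { $_ }

# Server-level filters (applicationHost.config) plus per-site overrides
$scopes = @('MACHINE/WEBROOT/APPHOST') +
          (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })

$findings = foreach ($scope in $scopes) {
    $filters = Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' -PSPath $scope
    foreach ($f in $filters) {
        $path    = [Environment]::ExpandEnvironmentVariables($f.path)
        $reasons = @()
        $hash    = $null
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'dll missing'
        } else {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $reasons += 'non-Microsoft signer'
            }
            if (-not ($expectedDirs | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += 'unexpected location'
            }
        }
        [pscustomobject]@{
            Scope      = $scope
            Name       = $f.name
            Path       = $path
            Enabled    = $f.enabled
            SHA256     = $hash
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Suspicious rows first; each is a filter DLL IIS maps into the worker
# process that serves OWA, which is exactly how a filter-based web shell loads.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Record the SHA256 column for known-good filters so later runs can diff against it rather than re-examining every entry.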

“A lot of the exploits and lateral movement tactics require some level of privilege on the system that normal users do not have, so limiting administrator rights for users is a way of disrupting or slowing down attackers,” said Hackworth.

Organisations can defend against watering-hole attacks by ensuring browsers and other content- or document-handling software is configured securely and kept up to date, he said.

Hackworth said organisations should also ensure they have the capability to detect and respond to network intrusions when traditional security controls fail, such as activity logging on all endpoints, so that intruders can be tracked and the response scoped more tightly and accurately.

“This kind of adversary is typically determined and, if one route is blocked, they look for another, so organisations need to be ready not only for prevention, but where defences fail, they need to have the right kind of instrumentation on the inside of the network to detect things that have slipped past traditional security controls,” said Hackworth.

Few, if any, organisations are immune from this kind of targeted attack, he said. “If an organisation is doing anything of interest or value, it is very likely to be targeted. We have seen groups go after organisations ranging from building supply manufacturers to the largest defence contractors.

“We also see attacks on smaller organisations that contribute pieces of larger projects that are of interest. Instead of going after a larger, well-protected defence contractor, espionage groups often go after smaller, less well-resourced organisations contributing to the same project or with relationships with organisations that are of interest to use them as stepping stones into the target organisation,” said Hackworth.

As an overall strategy, he said it is important for organisations to aim to get a thorough view of everything attackers are doing to find all the ways they could use to access the network.

“It is pointless closing one door when they are able to come through another,” said Hackworth. “Just wiping malware without understanding the true nature of the threat just leads to a false sense of security and does not really address the problem and allows the adversary to continue operating.”
