Advanced Persistent Threat (APT) Strategies


Summary

Advanced persistent threat (APT) strategies are long-term, targeted cyberattack techniques used by organized groups to infiltrate computer systems, often for espionage or data theft. These threats involve stealthy, ongoing operations that exploit known vulnerabilities, use trusted system tools, and blend in with normal user activity to avoid detection.

  • Monitor system tools: Pay close attention to legitimate programs and utilities like PowerShell or WMI for unexpected usage, as attackers often use these to hide in plain sight.
  • Patch and segment: Regularly update software to fix vulnerabilities and divide your network into smaller sections to make it harder for attackers to move around.
  • Centralize logging: Collect and keep track of logs from all systems in one secure location to help spot unusual behavior and respond quickly to threats.
Summarized by AI based on LinkedIn member posts
  • Vaughan Shanks (LinkedIn Influencer)
    Co-Founder & CEO @ Cydarm Technologies
    11,142 followers

    #ASD and international partners have released an advisory on the tradecraft of a #PRC-backed threat actor named #APT40, and it's well worth a read, whether you are in Government or the private sector. APT40 is code for a group backed by the PRC's Ministry of State Security (#MSS). The MSS is engaged in intelligence gathering and foreign interference activities, including cyber warfare. APT40, based in Haikou, Hainan Province, has been targeting Government and private sector entities around the world since 2017. Their objectives appear to be maintaining persistence in order to exfiltrate data.

    How does APT40 go about their activities?
    🔴 Exploit small office / home office (SOHO) routers as proxies to hide their origins among normal traffic
    🔴 Target vulnerable systems on the edge of networks, such as MS Exchange, Atlassian Confluence, and Log4j (commonly found in Java applications)
    🔴 Deploy web shells - uploaded code snippets that allow commands to be executed on the remote host, e.g. a malicious .aspx file dropped in a public directory on an OWA server
    🔴 Conduct internal recon to enumerate victim hosts and accounts
    🔴 Move laterally, stealing credentials, then exfiltrating data via existing Command and Control (C2) channels

    None of the TTPs described in the report are "top shelf" exploitation. This is clever use of well-known exploits against well-known vulnerabilities. Why expose clever TTPs if you don't need to?

    The advisory contains a few indicators, detection rules, and recommended mitigations. Here is a summary of mitigations:
    🔵 Look for process executions in unusual directories or world-writable locations, e.g. why is there a process running from C:\Windows\Temp? (Allow listing would probably prevent this.)
    🔵 Implement logging in a centralized location with a suitable retention period
    🔵 Patch! The common factor in the listed vulnerabilities (CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) is that they were all discovered (and presumably patched) in 2021!
    🔵 Segment your network - impose costs by forcing the adversary to conduct recon and lateral movement on hard mode. Use jump servers to access sensitive hosts such as auth.
    🔵 Other strategies covered in the Essential 8, e.g. MFA, restricting admin privs and office macros

    I for one am glad to see a return to Mandiant-style "APT" codenames rather than the new-fangled monikers like "Electric Tempest". But I would like to see structured threat intelligence released with these reports, e.g. STIX JSON format, and hopefully someday soon, structured hunting and response playbooks in CACAO JSON! But I will have more to say about CACAO another day...
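Two of the detections the post above summarises from the advisory, written out as an added example that is not part of the post or of the ASD advisory: it runs over a few constructed Sysmon-style process-creation events and flags executables launched from world-writable directories (the C:\Windows\Temp case) and shells spawned by the IIS worker process, which is what a web shell dropped in an OWA directory looks like on the host. The event field names, the directory list and the host names are assumptions for illustration.

```python
"""Added example (not from the ASD advisory or the post above).

Runs two host-side checks over constructed Sysmon-style process-creation
events (EventID 1 fields, one JSON object per line):
  1. an executable launched from a world-writable or staging directory;
  2. a command shell whose parent is an IIS worker process (w3wp.exe),
     the usual footprint of a web shell on an OWA/Exchange server.
Field names, directory list and sample hosts are this example's own
assumptions, not a published schema.
"""
import json
from pathlib import PureWindowsPath

# Directories no legitimate service binary should run from (assumed list).
SUSPICIOUS_DIRS = (
    r"c:\windows\temp",
    r"c:\users\public",
    r"c:\programdata",
    r"c:\perflogs",
)
# Interactive shells that a web-server worker should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WEB_WORKERS = {"w3wp.exe"}

# Constructed sample events. Backslashes are doubled because this is JSON.
SAMPLE_EVENTS = r"""
{"host": "owa01", "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"host": "owa01", "User": "IIS APPPOOL\\MSExchangeOWAAppPool", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"host": "fs02", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\Temp\\update.exe", "CommandLine": "update.exe"}
{"host": "fs02", "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe a backup.7z D:\\share"}
""".strip().splitlines()


def _basename(path):
    return PureWindowsPath(path).name.lower()


def in_suspicious_dir(image):
    """True when the executable lives under one of SUSPICIOUS_DIRS."""
    low = image.lower()
    return any(low.startswith(d + "\\") for d in SUSPICIOUS_DIRS)


def classify(event):
    """Return the reasons an event is suspicious (empty list if benign)."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    reasons = []
    if in_suspicious_dir(image):
        reasons.append(f"execution from world-writable dir: {image}")
    if _basename(parent) in WEB_WORKERS and _basename(image) in SHELLS:
        reasons.append(f"web worker spawned a shell: {parent} -> {image} "
                       f"[{event.get('CommandLine', '')}]")
    return reasons


def hunt(lines):
    """Return a list of (host, reason) for every suspicious event in the log lines."""
    hits = []
    for line in lines:
        event = json.loads(line)
        for reason in classify(event):
            hits.append((event["host"], reason))
    return hits


if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Allow-listing, as the post notes, removes the first class outright. The second check stays useful on Exchange and Confluence hosts, where a web worker spawning cmd.exe or powershell.exe is almost never legitimate, and the captured command line is what an analyst needs to triage it.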

  • Flavio Queiroz, MSc, CISSP, CISM, CRISC, CCISO
    Threat Intelligence · Risk & Crisis Management · GRC · IT/OT · Threat Researcher | GSOC, GCIH, GDSA, GISP, GPEN, GRTP, GCPN, GDAT, GCISP, GCTIA, CTIA, eCMAP, eCTHP, CTMP
    29,212 followers

    THREAT CAMPAIGN: APT43 USING DROPBOX FOR PAYLOAD DISTRIBUTION AND DATA EXFILTRATION

    ℹ️ Researchers published a multi-stage cyber operation campaign dubbed DEEP#DRIVE that was attributed to APT43 (aka Kimsuky, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima) against South Korean businesses, government entities, and cryptocurrency users.

    ℹ️ KEY FEATURES:

    📍 ATTACK VECTOR
    ■ The attack initiates with tailored phishing lures written in Korean, disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files.
    ■ These lures were presented in trusted file formats (.hwp, .xlsx, .pptx) and distributed via Dropbox links to blend into normal user behavior.
    ■ A .lnk file masquerading as a document (e.g., 종신안내장V02_곽성환D[.]pdf[.]pdf) was used to execute malicious scripts.

    📍 PAYLOAD DELIVERY AND EXECUTION
    ■ PowerShell scripts were critical in delivering payloads, performing reconnaissance, and executing next-stage malware.
    ■ The script (temp[.]ps1) downloaded, modified, and decompressed a Gzip-compressed .NET assembly (system_drive[.]dat), which was loaded directly into memory to invoke the Main method for payload execution.
    ■ The campaign relied heavily on Dropbox for payload distribution and data exfiltration.

    📍 PERSISTENCE AND STEALTH
    ■ Persistence was achieved by creating a scheduled task named ChromeUpdateTaskMachine, ensuring periodic execution of malicious scripts.
    ■ Code obfuscation techniques were employed to evade detection, including meaningless variable names, irrelevant assignments, and string concatenation.

    📍 RECONNAISSANCE AND DATA EXFILTRATION
    ■ Reconnaissance scripts like system_first[.]ps1 were used to gather detailed system information, including IP addresses, OS details, antivirus products, and running processes. The collected data was exfiltrated to Dropbox.

    📍 C2 INFRASTRUCTURE AND ATTRIBUTION
    ■ Dropbox served as the C2 platform for hosting payloads and exfiltrating data.
    ■ The rapid takedown of critical Dropbox links suggests the infrastructure was either short-lived or actively monitored.
    ■ The TTPs used in this campaign closely align with those historically used by APT43.

    Report: https://lnkd.in/dj8YCWiY

    #threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense

  • Thomas Pike
    Board Director | Keynote Speaker | Author | Executive Leadership Advisor | Veteran
    4,084 followers

    ⚡ Volt Typhoon APT Infiltrating U.S. Infrastructure

    Volt Typhoon continues to pose a significant threat to U.S. critical infrastructure, operating since 2021 with sophisticated stealth tactics targeting communications networks, particularly in strategic locations like Guam. This APT group uses "living-off-the-land" techniques, leveraging legitimate tools like PowerShell and WMIC instead of traditional malware. They typically breach networks through compromised Fortinet devices, steal credentials for lateral movement, and use SOHO routers as proxy cover. Unlike typical cybercriminals seeking immediate gains, Volt Typhoon pre-positions within infrastructure systems, creating dormant capabilities for potential future activation during geopolitical conflicts.

    Essential Defenses:
    - Monitor legitimate system tools for suspicious activity
    - Implement zero-trust architecture and strong credential controls
    - Secure and regularly audit network devices, especially Fortinet equipment
    - Deploy behavioral analytics to catch LOTL techniques

    Traditional signature-based detection won't stop these advanced techniques. Organizations must adapt their monitoring capabilities to identify subtle behavioral anomalies rather than relying solely on malware signatures.

    Click and follow Thomas Pike today. #ThreatIntelligence #APT #CriticalInfrastructure

  • Austin Larsen
    Principal Threat Analyst | Google Threat Intelligence Group
    9,647 followers

    New research from Google Threat Intelligence Group (GTIG) details how PRC-nexus 🇨🇳 APT41 is leveraging innovative tactics, including the use of Google Calendar for command and control (C2). In late October 2024, we discovered APT41 exploiting a government website to deliver a novel malware family TOUGHPROGRESS. TOUGHPROGRESS utilizes Google Calendar to exfiltrate data and receive commands, an evolution in APT41's misuse of cloud services to blend in with legitimate traffic. The malware uses several obfuscation techniques, including memory-only payloads and intricate control flow obfuscation. GTIG has taken action to disrupt this campaign by terminating attacker-controlled infrastructure, updating Safe Browsing, and providing detection signatures. Our report also discusses APT41's broader use of free web hosting tools for malware distribution. Full report available here: https://lnkd.in/gPv7bPQj

  • Cory Wolff
    Director | Proactive Services at risk3sixty. We help organizations proactively secure their people, processes, and technology.
    4,332 followers

    Living Off the Land techniques continue to be a primary choice for sophisticated threat actors. Why? Because they use legitimate system tools like PowerShell and WMI to conduct attacks while bypassing security controls. Here's what you need to know 👇

    ➡️ Major APTs including Fancy Bear and Volt Typhoon (Chinese nation state responsible for the recent telecom breaches and the ISP compromise in Guam) use trusted system binaries to blend malicious activity with legitimate processes
    ➡️ Traditional signature-based detection fails since the tools being used are approved system utilities
    ➡️ Effective defense requires behavioral analytics and improved EDR that can detect unusual patterns in otherwise legitimate tool usage

    For Red Teams:
    ✅ Incorporate LotL techniques in simulations to help enterprises identify detection gaps
    ✅ Focus on demonstrating how approved tools can be weaponized
    ✅ Help validate behavioral analytics and EDR configurations

    For Security Leaders:
    ✅ Implement detailed logging and centralization for system tools
    ✅ Establish behavioral baselines for administrative tool usage
    ✅ Validate EDR can detect abnormal patterns in legitimate processes

    Even with all our fancy new AI-powered tools, attackers are still walking right through the front door using the keys we gave them. Curious to hear how your team tackles detecting these Living-off-the-Land attacks.

    #Cybersecurity #ThreatIntelligence #RedTeaming
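Both the Volt Typhoon post and the post above call for behavioural baselines of administrative tool usage rather than signatures. The following is an added example, not code from either author: a baseline period of process-creation events records which (user, tool, parent) triples are routine, and each new event is then scored on novelty plus a few command-line patterns typical of LotL abuse (encoded PowerShell, WMIC remote process creation, certutil/bitsadmin download cradles, ntdsutil dumps, netsh port proxies). The users, hosts, events, weights and the alert threshold are this example's own constructions.

```python
"""Added example, not from either post above (Volt Typhoon / LotL).

Behavioural baselining of living-off-the-land tool use: a baseline window
of process-creation events records which (user, tool, parent) triples are
routine; each new event is scored on novelty plus command-line patterns
typical of LotL abuse, and anything at or above a threshold is raised.
Users, hosts, events and weights are this example's own constructions.
"""
import re
from collections import Counter

LOTL_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "bitsadmin.exe",
              "mshta.exe", "rundll32.exe", "regsvr32.exe", "ntdsutil.exe", "netsh.exe"}

# (description, regex, weight) for command lines that deserve extra weight.
PATTERNS = [
    ("encoded PowerShell command", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), 3),
    ("WMIC remote process creation", re.compile(r"process\s+call\s+create", re.I), 3),
    ("download cradle via certutil/bitsadmin", re.compile(r"certutil.*-urlcache|bitsadmin.*/transfer", re.I), 3),
    ("NTDS.dit dump via ntdsutil", re.compile(r"ntdsutil.*\bifm\b", re.I), 4),
    ("netsh port proxy pivot", re.compile(r"netsh.*portproxy", re.I), 3),
]
ALERT_THRESHOLD = 3

# Constructed 30-day baseline: which (user, image, parent) triples were seen, and how often.
BASELINE_EVENTS = (
    [{"user": r"CORP\svc_sccm", "image": "powershell.exe", "parent": "ccmexec.exe"}] * 50
    + [{"user": r"CORP\helpdesk1", "image": "wmic.exe", "parent": "cmd.exe"}] * 12
    + [{"user": r"CORP\jdoe", "image": "outlook.exe", "parent": "explorer.exe"}] * 200
)

# Constructed events from today.
NEW_EVENTS = [
    {"host": "ws-jdoe", "user": r"CORP\jdoe", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv-sccm", "user": r"CORP\svc_sccm", "image": "powershell.exe", "parent": "ccmexec.exe",
     "cmdline": r"powershell.exe -File C:\Windows\CCM\inventory.ps1"},
    {"host": "ws-hd1", "user": r"CORP\helpdesk1", "image": "wmic.exe", "parent": "cmd.exe",
     "cmdline": 'wmic /node:fs02 process call create "cmd /c net user backup P@ss /add"'},
]


def _key(ev):
    return (ev["user"].lower(), ev["image"].lower(), ev["parent"].lower())


def build_baseline(events):
    """Count how often each (user, tool, parent) triple occurred in the baseline."""
    return Counter(_key(ev) for ev in events)


def score(event, baseline):
    """Return (score, reasons): novelty of the triple plus any matched patterns."""
    reasons, total = [], 0
    if event["image"].lower() in LOTL_TOOLS and baseline[_key(event)] == 0:
        total += 2
        reasons.append("user/tool/parent triple never seen in baseline")
    for label, rx, weight in PATTERNS:
        if rx.search(event["cmdline"]):
            total += weight
            reasons.append(label)
    return total, reasons


def triage(events, baseline, threshold=ALERT_THRESHOLD):
    """Return (host, user, score, reasons) for events at or above the threshold, highest first."""
    alerts = []
    for ev in events:
        s, why = score(ev, baseline)
        if s >= threshold:
            alerts.append((ev["host"], ev["user"], s, why))
    return sorted(alerts, key=lambda a: -a[2])


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for host, user, s, why in triage(NEW_EVENTS, base):
        print(f"{host} {user} score={s}: {'; '.join(why)}")
```

The SCCM service account running PowerShell from its agent scores zero even though the tool is on the LotL list, because the triple is routine; the help-desk account's WMIC use is routine too, but `process call create` against another host is still raised on the pattern alone. That split is the point of pairing a baseline with a small set of weighted patterns instead of alerting on the tool name.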

  • Kaspersky recently released a research report on Tactics, Techniques, and Procedures (TTPs) employed by Asian Advanced Persistent Threats (APTs). The study offers extensive #cyberthreatintelligence derived from investigations into five significant APT campaigns. The report on victimology highlights the active involvement of Asian APT groups, particularly targeting government and military organisations. The report provides a guide for defending against these attacks, suggesting protection mechanisms such as SIGMA rules. Despite the perception of their sophistication, many attacks involve simple steps and the use of well-known tools, with success attributed to the weak information security processes in victim organisations. Read on https://lnkd.in/ghy-27RV

    Asian APT groups prioritise avoiding system disruption and aim to remain undetected while engaging in cyber-espionage to collect sensitive information and technological data. Their disciplined approach allows them to persist within a victim's infrastructure for extended periods, sometimes years. The primary motive appears to be obtaining information for political manipulation or intelligence purposes. They aim to acquire intellectual property, trade secrets, and patents, pursue political and military objectives through information capture, and target specific industries for economic interests, such as finance, energy, and telecommunications.

    To reduce the risk of being targeted by threat actors, it is vital to enhance asset visibility and prioritize vulnerability management, along with implementing effective detection engineering. Within the domain of detection engineering, continual enhancements are implemented and showcased, focusing on identifying a range of threats with a particular emphasis on those most relevant to the organisation. Being well-informed about potential threats is an integral component of the intelligence driven detection engineering process, seamlessly integrated into the #purpleteaming approach. The ultimate objective is to evaluate, measure, and improve overall security in the most efficient manner, underscoring the rationale behind the adoption of Purple Teaming.

    Feel free to reach out if you're interested in understanding how we can assist you with Purple Teaming. Let's enhance your #cybersecurity together!

  • 🏴‍☠️ Alexander Benoit
    Chief Executive Officer at water IT Security & Defense | IT Strategy, IT Security Architecture, Incident Response
    3,815 followers

    🚨 Russian GRU Targets Western Logistics and Tech Firms: What You Need to Know

    On May 21, 2025, the Bundesamt für Verfassungsschutz (BfV), alongside international partners, issued a Joint Cybersecurity Advisory (JCSA) detailing a sustained cyber-espionage campaign orchestrated by Russia's military intelligence unit, GRU Unit 26165—also known as APT28, Fancy Bear, or Forest Blizzard.

    Who's Being Targeted?
    Since early 2022, this campaign has focused on:
    • Logistics and transportation sectors: Including air, sea, and rail transport, as well as ports and airports.
    • Technology companies: Particularly those involved in IT services and infrastructure.
    • Defense industry entities: Organizations supporting military operations and aid delivery to Ukraine.
    Notably, the attackers have also targeted IP cameras at Ukrainian border crossings to monitor aid shipments, potentially facilitating sabotage or military actions.

    Tactics and Techniques Employed
    The GRU's cyber actors have utilized a combination of known and novel tactics, including:
    • Credential attacks: Password spraying and brute-force attacks to gain unauthorized access.
    • Spear-phishing campaigns: Crafting targeted emails to trick recipients into revealing credentials or downloading malware.
    • Exploitation of vulnerabilities: Leveraging known flaws in Microsoft Outlook (CVE-2023-23397), Roundcube Webmail, and WinRAR to infiltrate systems.
    • Abuse of small office/home office (SOHO) devices: Exploiting vulnerabilities in routers and other devices to proxy malicious activity and evade detection.

    Recommended Mitigations
    To defend against these threats, organizations should:
    • Enhance monitoring and threat hunting: Focus on detecting known tactics, techniques, and procedures (TTPs) associated with APT28.
    • Implement multi-factor authentication (MFA): Strengthen access controls to prevent unauthorized entry.
    • Regularly update and patch systems: Ensure all software and devices are up-to-date to mitigate known vulnerabilities.
    • Secure IP cameras and SOHO devices: Change default credentials, disable unnecessary remote access, and apply firmware updates.

    Here's the link to the full paper: https://lnkd.in/ej_zNB5J
    For a detailed analysis and further recommendations, reach out to the water IT Security & Defense Team.

  • Peter Prizio Jr.
    Cybersecurity Product & Strategy | Entrepreneur | Former CEO @ SnapAttack
    8,069 followers

    APT41's Latest Campaign: A Deep Dive into Detection Strategies

    Ever wondered if threat reports could double as superhero comics? Names like #BlueBeam, #AntSword, #DustPan, and #PineGrove might just fit the bill. These are the tools APT41 used in a recent wave of #cyber activities targeting diverse industries from shipping to technology.

    -> Targeted Sectors: Industries hit include global shipping, media, and automotive sectors across regions like Italy, Spain, Taiwan, and more. The attack chain involved deploying web shells, using tools like BlueBeam and AntSword, and ultimately exfiltrating data via PineGrove to OneDrive.

    -> Key Detection Techniques:
    1. Web Shell Detection: Focus on Zeek logs for suspicious URIs like JSP, PHP, etc.
    2. Suspicious Child Processes in Atlassian Confluence: Watch for unusual child processes like command.exe or powershell.exe.
    3. File Creation Alerts: Monitor for unauthorized file creations in Confluence directories.
    4. Cobalt Strike Activity: Detect potential Cobalt Strike traffic by scrutinizing URI patterns and service creations.

    ✅ Pro Tip: Always cross-check tools and paths for anomalies. For instance, detection of tools like SQLULDR or unusual data exfiltration patterns (.json to CSV) can signal an attack.

    Watch the Threat SnapShot to learn more here: https://lnkd.in/d7BpQ8G4
    For a comprehensive walkthrough, explore the detailed threat session logs in #SnapAttack. We've replicated the attack to fine-tune our and your detection strategies.

    P.S. What are your go-to methods for detecting advanced persistent threats? Share below!

    #threathunting #threatdetection #detectionengineering #cybersecurity #infosec #APT41 #siem
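Detection techniques 1 and 4 from the post above, as an added example that is not code from SnapAttack or from the APT41 report: it parses constructed Zeek http.log lines and flags web-shell-shaped requests (a .jsp/.php/.aspx file sitting under a static-content or upload directory, or POSTed to directly) and Cobalt Strike default-profile stager URIs. The stager check relies on the convention Cobalt Strike inherited from Metasploit's reverse_http stagers: a 4-character path whose checksum8 (sum of the bytes mod 256) is 92 for x86 or 93 for x64. The hosts, traffic, directory list and the sample URI `/abSF` are this example's own constructions.

```python
"""Added example (not from the SnapAttack post or the APT41 report).

Two of the detections listed above, run over constructed Zeek http.log
lines:
  1. web-shell-shaped requests: a script file (.jsp/.php/.aspx/...) that
     sits under a static-content or upload directory, or is POSTed to
     directly;
  2. Cobalt Strike default-profile stager URIs, which follow the Metasploit
     reverse_http convention: a 4-character path whose checksum8 (sum of
     the bytes mod 256) is 92 for x86 and 93 for x64.
Hosts, traffic and the directory list are this example's own constructions.
A customised Malleable C2 profile does not use these URIs, so check 2 only
catches default deployments.
"""
from urllib.parse import urlsplit

SCRIPT_EXTS = (".jsp", ".jspx", ".php", ".aspx", ".ashx", ".asp")
STATIC_DIRS = {"images", "css", "js", "static", "upload", "uploads", "temp", "cache", "attachments"}
STAGER_CHECKSUMS = {92, 93}   # x86, x64

# Constructed Zeek http.log excerpt (tab-separated, Zeek header lines kept).
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount",
    "1718000000.1\tC1\t203.0.113.5\t51000\t10.0.0.8\t8090\tGET\twiki.corp\t/display/ENG/Home\tMozilla/5.0\t200",
    "1718000001.2\tC2\t203.0.113.5\t51002\t10.0.0.8\t8090\tPOST\twiki.corp\t/s/css/images/cache.jsp\tMozilla/5.0\t200",
    "1718000002.3\tC3\t198.51.100.7\t52000\t10.0.0.9\t80\tGET\t10.0.0.9\t/abSF\tMozilla/5.0 (compatible; MSIE 9.0)\t200",
    "1718000003.4\tC4\t203.0.113.5\t51003\t10.0.0.8\t8090\tGET\twiki.corp\t/login.jsp\tMozilla/5.0\t200",
    "1718000004.5\tC5\t203.0.113.5\t51004\t10.0.0.8\t8090\tGET\twiki.corp\t/rest/api/content\tMozilla/5.0\t200",
])


def parse_zeek(text):
    """Parse Zeek TSV into dicts, taking column names from the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def checksum8(s):
    """Metasploit/Cobalt Strike URI checksum: byte sum modulo 256."""
    return sum(s.encode()) % 256


def is_default_stager_uri(uri):
    """4-character alphanumeric path whose checksum8 is 92 or 93, e.g. '/abSF'."""
    path = urlsplit(uri).path.lstrip("/")
    return len(path) == 4 and path.isalnum() and checksum8(path) in STAGER_CHECKSUMS


def looks_like_webshell(rec):
    """Script file requested under a static/upload dir, or POSTed to directly."""
    path = urlsplit(rec["uri"]).path.lower()
    if not path.endswith(SCRIPT_EXTS):
        return False
    parent_dirs = set(path.split("/")[1:-1])
    return rec["method"] == "POST" or bool(parent_dirs & STATIC_DIRS)


def hunt(text):
    """Return (uid, reason) for each suspicious request in the log."""
    hits = []
    for rec in parse_zeek(text):
        if looks_like_webshell(rec):
            hits.append((rec["uid"], f"web shell candidate: {rec['method']} {rec['uri']}"))
        if is_default_stager_uri(rec["uri"]):
            hits.append((rec["uid"], f"Cobalt Strike default stager URI: {rec['uri']}"))
    return hits


if __name__ == "__main__":
    for uid, reason in hunt(SAMPLE_HTTP_LOG):
        print(uid, reason)
```

`/login.jsp` is left alone because a script at the application root is normal; the same extension under `/s/css/images/`, and POSTed to, is the shape AntSword-style shells produce. Pivot from the Zeek `uid` to the corresponding `files.log` and, on the host, to file-creation events in the Confluence directories (the post's technique 3) to confirm.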

  • Roberto Lafforgue
    Diplomat / Naval Officer / Strategic Advisor🛡️⚔️ +44.450 GlobalFollowers 🌐 Fixers & Thinkers
    44,475 followers

    A joint cybersecurity advisory, involving a dozen allied agencies including France's ANSSI, has documented a large-scale cyber-espionage campaign led by Russia's #GRU🇷🇺🐻 Unit 26165 (APT28/Fancy Bear). Active since 2022, the operation targets Western logistics and tech firms involved in coordinating and delivering military aid to Ukraine.

    * What is happening? The campaign seeks to obtain sensitive logistical data—such as shipment contents, routes, and identities of senders and recipients.
    * How is it being conducted? APT28 uses spearphishing, brute force, credential theft, and software exploits (e.g., Outlook, Roundcube, WinRAR), as well as hacked IP cameras. Once access is gained, they leverage native tools (Impacket, PsExec, RDP), abuse Active Directory, and exfiltrate data via IMAP or EWS. Mailbox permissions are manipulated for prolonged espionage. IP cameras, particularly near the Ukrainian border and in countries like #Romania and #Poland, are exploited for real-time surveillance using default or brute-forced credentials.
    * Who is being targeted? The campaign impacts #NATO members and Ukraine, affecting both government and private entities across defense, transportation, maritime, and IT sectors. Critical infrastructure like air traffic systems, ports, and industrial control systems are among the main targets.

    Why it matters: This advisory underscores the need for increased vigilance among #Ukraine🇺🇦-supporting entities. It highlights a sophisticated, persistent threat actor aiming to undermine Western logistical and military support through targeted cyber intrusions.
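Both the BfV advisory post and the post above list password spraying and brute force as APT28's way in. The following is an added example, not code from the advisory or either author: it separates the two shapes in constructed authentication events. A spray is one source trying many accounts a few times each, so it stays under per-account lockout thresholds and is only visible when you count distinct failed usernames per source inside a time window; brute force is the opposite, many failures against one account from one source. The log format, the window, the thresholds and the sample events are this example's own assumptions.

```python
"""Added example (not from the advisory or either post above).

Password-spray and brute-force detection over constructed authentication
events. A spray is one source trying many accounts a few times each, so
it stays under per-account lockout thresholds; it is found by counting
distinct failed usernames per source inside a time window rather than
failures per account. Brute force is the opposite shape: many failures
against one account from one source. Log format, thresholds and sample
events are this example's own assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 8       # distinct accounts failed from one source inside WINDOW
SPRAY_MAX_PER_ACCOUNT = 2    # each account touched only a couple of times
BRUTE_MIN_FAILS = 5          # failures against a single account from one source

# Constructed log: "<utc timestamp> <source ip> <username> <FAIL|OK>"
SAMPLE_AUTH_LOG = """\
2025-05-20T08:00:01Z 198.51.100.23 alice FAIL
2025-05-20T08:00:19Z 198.51.100.23 bob FAIL
2025-05-20T08:00:37Z 198.51.100.23 carol FAIL
2025-05-20T08:00:55Z 198.51.100.23 dave FAIL
2025-05-20T08:01:13Z 198.51.100.23 erin FAIL
2025-05-20T08:01:31Z 198.51.100.23 frank FAIL
2025-05-20T08:01:49Z 198.51.100.23 grace FAIL
2025-05-20T08:02:07Z 198.51.100.23 heidi FAIL
2025-05-20T08:02:25Z 198.51.100.23 ivan FAIL
2025-05-20T08:02:43Z 198.51.100.23 judy FAIL
2025-05-20T08:05:00Z 10.0.0.5 carol FAIL
2025-05-20T08:05:10Z 10.0.0.5 carol FAIL
2025-05-20T08:05:20Z 10.0.0.5 carol FAIL
2025-05-20T08:05:30Z 10.0.0.5 carol OK
2025-05-20T09:00:00Z 203.0.113.9 admin FAIL
2025-05-20T09:00:02Z 203.0.113.9 admin FAIL
2025-05-20T09:00:04Z 203.0.113.9 admin FAIL
2025-05-20T09:00:06Z 203.0.113.9 admin FAIL
2025-05-20T09:00:08Z 203.0.113.9 admin FAIL
2025-05-20T09:00:10Z 203.0.113.9 admin FAIL
"""


def parse_auth_log(text):
    """Return events sorted by time as (ts, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user.lower(), result))
    return sorted(events)


def detect_spray(events, window=WINDOW):
    """One alert per source whose window holds many distinct failed accounts, few tries each."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    alerts = []
    for src, fails in fails_by_src.items():
        best, start = None, 0
        for end, (ts, _) in enumerate(fails):
            while fails[start][0] < ts - window:   # slide the window forward
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if (len(per_user) >= SPRAY_MIN_ACCOUNTS
                    and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT
                    and (best is None or len(per_user) > best["accounts"])):
                best = {"src": src, "accounts": len(per_user),
                        "first_seen": fails[start][0], "last_seen": ts}
        if best:
            alerts.append(best)
    return alerts


def detect_bruteforce(events, min_fails=BRUTE_MIN_FAILS):
    """Sources hammering a single account."""
    fails = Counter((src, user) for _, src, user, result in events if result == "FAIL")
    return [{"src": s, "user": u, "failures": n} for (s, u), n in fails.items() if n >= min_fails]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for a in detect_spray(evs):
        print(f"SPRAY  {a['src']} tried {a['accounts']} accounts between "
              f"{a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
    for a in detect_bruteforce(evs):
        print(f"BRUTE  {a['src']} -> {a['user']}: {a['failures']} failures")
```

The user who mistypes a password three times from 10.0.0.5 and then succeeds trips neither rule, which is the false positive a per-account lockout counter would not distinguish from the admin brute force. Against SOHO-router proxies, as the advisory describes, the source address changes per attempt and the per-source grouping weakens; grouping by target application and user-agent, or by ASN, is the usual fallback.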

  • Sanjay Katkar
    Co-Founder & Jt. MD Quick Heal Technologies | Ex CTO | Cybersecurity Expert | Entrepreneur | Technology speaker | Investor | Startup Mentor
    23,281 followers

    How the Pakistan-Based SideCopy APT is Evading Detection in 2025

    The Pakistan-linked SideCopy APT group has significantly upgraded its tactics since late December 2024, now targeting critical infrastructure, including railways, oil & gas, and ministries of external affairs. The group is becoming increasingly sophisticated and evasive.

    Key Developments:
    - Shift in Staging Mechanism: Transition from HTA files to MSI packages
    - Advanced Techniques: DLL side-loading, reflective loading, AES decryption via PowerShell

    New Toolset:
    > Customised Xeno RAT
    > Spark RAT
    > Debut of a new malware: CurlBack RAT

    Infrastructure: Use of compromised domains and fake websites for phishing and payload delivery

    Why it matters: SideCopy's evolving tactics are designed to bypass many traditional security controls, posing a serious risk to organisations that lack multi-layered defences.

    Our experts at Seqrite Labs have published a detailed technical analysis covering:
    ✅ Their new modus operandi
    🔒 Malicious domains and indicators you need to block immediately
    🎯 Targeted sectors and organisations
    🧩 Why current protections may be failing to detect this threat
    📄 Complete IOCs: Domains, IPs, Files, C2s, Windows/Linux artifacts

    👉 Read the full blog for actionable insights: https://lnkd.in/dRWNixTe

    #ThreatIntel #SideCopyAPT #CyberSecurity #SeqriteLabs #APTAnalysis #RATmalware #IOC #DefendBetter Quick Heal Seqrite
