APT41 Has Risen from the DUST
SANS Cyber Threat 2024
Chris Eastwood, Mandiant
Sebastian Demmer, Mandiant
Mandiant / Google Cloud, Proprietary & Confidential

Contents
01 Introductions
02 APT41 Overview
03 Edge Device Exploitation
04 Historical Campaigns
05 Rise from the DUST
06 Key Takeaways

Introductions

APT41 Overview
- APT41 is a Chinese state-sponsored group that conducts both espionage and cybercrime operations. This dual focus makes them unique compared to other threat actors.
- They utilize custom malware and tools, demonstrating a high level of sophistication and resources. Some of their known tools include DEADEYE, LOWKEY, MURKYTOP, and now DUSTTRAP.
- APT41 targets a wide range of industries, including healthcare, logistics, technology, and video games, for both intellectual property theft and financial gain.
- They have been observed exploiting vulnerabilities in popular software and services to gain initial access to target networks.
- APT41 has a history of targeting individuals of interest, even using malware to compromise their personal devices.

What is interesting about APT41?
- Duality of state-sponsored and independent cybercrime operations
- Consistent interest in targeting the video game industry
- Operations motivated simultaneously by intelligence gathering and financial gain
- Suite of custom, non-public malware
- Espionage operations activity matches China's "996" work schedule, but financial-gain operations (video game targets) occur overnight
- Some overlap with samples used for both targets

Victimology
Targeted countries: USA, United Kingdom, France, Italy, Turkey, Taiwan, Thailand, Japan

Historical Campaigns (not exhaustive)
- Cloudflare and Cloudflare Workers used for C2 and data exfiltration

Edge devices - Exploitation
- Increasingly popular target
- Lack of security monitoring on the device
- Exposed to the Internet by design
- Exploitation without user interaction
- Examples of other China-nexus attackers targeting edge devices:
  - UNC4841 using DEPTHCHARGE, a passive Python backdoor, against Barracuda's Email Security Gateway
  - BOLDMOVE backdoor used by UNC3886 against Fortinet devices: remained undetected for a longer period by disabling logging on the device
  - UNC3886 overcoming remediation efforts by using TABLEFLIP for network traffic redirection on FortiManager devices

Edge devices - Response
- Reduce attack surface and harden
  - Follow vendor guidance
  - Restrict access to known good sources if possible
- Patching might not be enough for already compromised devices
  - Threat actors might have grabbed credentials or placed malware
  - Follow vendor guidelines for full remediation
- Assume compromise and investigate
  - Use publicly available IOC scanners for edge devices
  - Search for abnormal logins or internal traffic from edge devices
  - Threat hunt for post-exploitation TTPs
- Additional reading: M-Trends 2024 Special Report

Rise from the DUST
- Mnemonic collaborated with FLARE on reversing DUSTTRAP
  - Identified through a tipoff from Microsoft
  - Suspected APT41 malware
- May 2024 Mandiant IR case with a logistics company involving DUSTTRAP
  - DUSTPAN also found, which is attributed to APT41
  - Initial intrusion in March 2023
- Collaboration with Google TAG, Mnemonic and others
  - Leading to 11 victim notifications
- Identified stolen code signing certificates from gaming companies
  - APT41 has historically targeted the gaming industry; one certificate was seen in a 2020 UNC3914 intrusion

Typical Attack Path
APT41 used a combination of ANTSWORD and BLUEBEAM web shells to execute DUSTPAN, which in turn executed the BEACON backdoor for command-and-control (C2) communication. Later in the intrusion, APT41 leveraged DUSTTRAP, which led to hands-on-keyboard activity. APT41 used the publicly available tools SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive.

Intrusion Timeline case study
Phases of the intrusion (14 months end to end):
- Initial Compromise & Foothold: web shells dropped, DUSTPAN installed, lateral movement begins, and initial reconnaissance conducted
- Persistence & Expansion: compromised credentials, DUSTTRAP deployed on multiple servers
- Further Lateral Movement: DUSTTRAP deployed on more servers, continued reconnaissance activities
- Data Exfiltration: exfiltration of Oracle database content using SQLULDR2 and PINEGROVE
Other markers on the timeline: Mandiant engaged, Unsuccessful Eradication, LSASS dump and more reconnaissance, Mandiant engaged, Successful Eradication.

DUSTPAN and BEACON
- DUSTPAN is an in-memory dropper that decrypts and executes an embedded payload. It either injects the decrypted payload into another process or creates a new thread and executes it within its own process space.
- Previously used by APT41 in several 2021 and 2022 breaches
- In this intrusion, disguised as Windows binaries such as c:\windows\w3wp.exe, c:\windows\system32\conn.exe or C:\Windows\System32\PrintWorkflowUserSvc.dll
- Persistence through Windows services named Windows_Defend or PrintWorkflowUserSvc
- Dropped payload was Cobalt Strike BEACON
- BEACON C2 communications used either self-managed infrastructure hosted behind Cloudflare, or Cloudflare Workers

DUSTTRAP
- Multi-stage execution: DUSTTRAP uses a four-stage process to infect systems, decrypt its components, and execute its malicious payload.
- Plugin-based framework: DUSTTRAP employs a modular architecture with various plugins responsible for different malicious activities, making it highly adaptable and extensible.
- In-memory execution and DLL trojanizing: it operates primarily in memory and trojanizes legitimate DLLs to hide its malicious code and bypass security tools.
- Anti-analysis techniques: DUSTTRAP uses encryption, process hollowing, and DLL search order hijacking to make analysis and detection more difficult.

Data Theft
SQLULDR2
- C/C++ command line utility
- Extracts contents of a remote Oracle database
- Observed command line (values redacted): C:\ProgramData\luldr\luldr\sqluldr.exe user=:1521/ charset=utf8 safe=yes head=yes text=csv rows=50000000 batch=yes query= file=.csv
PINEGROVE
- Go command-line utility
- Collects and uploads files to OneDrive via the OneDrive API
- Observed command line (values redacted): C:\Programdata\One.exe -c C:\ProgramData\auth.json -s

Stolen Code Signing Certificates
- DUSTTRAP was signed
- Presumably with stolen code signing certificates
- Certificates related to companies operating in the gaming industry
- APT41 has a historic record of abusing stolen certificates (20+)

Stolen Code Signing Certificates (continued)
- Different DUSTTRAP sample on VirusTotal
- Signed with a certificate of a KR gaming company
- Same certificate as an UNC3914 intrusion in 2020
- Interesting Reddit discussion on potential intrusions

Key Takeaways
- Threat actors are increasingly targeting edge devices: pay attention to your external attack surface and edge devices
- APTs develop complex custom malware: understand your threat profile and who will be targeting you with which TTPs
- Remediation is difficult: be diligent with remediation of vulnerable devices or intrusions

Thank you
2024 Google LLC. All rights reserved. Mandiant and Google are trademarks of Google LLC. All other trademarks are owned by their respective owners.
24、ntGoogle CloudProprietary&ConfidentialKey Takeaways18Threat actors are increasingly targeting edge devicesPay attention to your external attack surface and edge devicesAPTs develop complex custom malwareUnderstand your threat profile and who will be targeting you with which TTPsRemediation is difficultBe diligent with remediation of vulnerable devices or intrusionsThank you 2024 Google LLC.All rights reserved.Mandiant and Google are trademarks of Google LLC.All other trademarks are owned by their respective owners.Thank you