Weekly Comments

4 - 11 December 2018

While some APT groups have moved away from custom malware and adopted off-the-shelf tools to reduce suspicion and hinder attribution, prominent groups still invest heavily in developing and refining custom backdoors, as well as in hunting for zero-days.

The APT group responsible for the attack on one of the polyclinics of the Presidential Administration of Russia is a case in point. The attackers exploited a previously unknown and unpatched vulnerability in Adobe Flash (CVE-2018-15982) to deliver a customised backdoor with self-destruction capabilities. In addition, the MuddyWater APT group has been developing new variants of its customised backdoor dubbed POWERSTATS and using them alongside open-source tools such as LaZagne and Crackmapexec.

The use of customised malware and zero-days may not be the most effective way to compromise victims, but the flexibility to incorporate unique capabilities that threat actors envision and the potential delay in detecting and patching zero-days are alluring factors. The average time between the initial private discovery and public disclosure of a zero-day is around 6.9 years, according to RAND research. This extensive period gives threat actors prolonged time to perform highly targeted and strategic espionage attacks to maximise theft of valuable data and funds.

References:
[1] Operation Poison Needles - APT Group Attacked the Polyclinic of the Presidential Administration of Russia, Exploiting a Zero-day
[2] Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
[3] RAND Study Examines 200 Real-World 'Zero-Day' Software Vulnerabilities