Fidelis’ Threat Research Team (TRT) currently monitors various spaces for new and developing threats, and how they may impact a large group of our customers. However, in addition to staying current with new threat campaigns and techniques, our intelligence team feels it’s also imperative to ensure we don’t lose focus on previously identified and existing threats. We are proponents of this approach because we are keenly aware, not only from external observations but also through our customer telemetry and data, that threat actors continue to leverage older and pre-existing exploits and vulnerabilities.
The TRT maintains this visibility into pre-existing threats and trends through workflows established between the intelligence team, our crimeware and nation-state malware research teams, and our countermeasures team. We identify new variants and builds of common remote access trojans (RATs; often referred to as “remote administration tools” by their authors, a clichéd attempt at plausible deniability) and exploit kits (EKs) that have been around for several years but may have been refreshed or had new capabilities added, and we use these findings to drive content and detection development for our customers.
By keeping tabs on new patterns and tactics while maintaining visibility and situational awareness of older threats, we ensure our threat intelligence operations adhere to the core intelligence fundamentals of being timely and relevant.
Based on observed telemetry data as well as external sources, Fidelis TRT Intelligence assesses with moderate confidence that while threat actors and campaigns will adapt and adjust to newly discovered attack vectors and vulnerabilities, they will continue to leverage popular existing tools, exploits, and older vulnerabilities to compromise their targets. As a result, we recommend that security operations personnel, in addition to existing measures, establish terrain-based threat modeling (e.g., identifying key assets, systems, and personnel) and prioritize patching and remediation against widely publicized and targeted vulnerabilities, especially those that may impact important business assets and functions.
Fidelis Q1 2019 Statistics and Intelligence Support to Telemetry Observations
In reviewing our quarterly statistics and trends research, one of the key findings we identified was that over 27% of the alerts in Q1 2019 were related to exploits, vulnerabilities, or malware that came out in 2017 or earlier. Among these, we observed that many consisted of old tools and malware families including Conficker, PlugX, H-W0rm, and njRAT. We believe njRAT has been extremely popular since it is customizable, and observations on deep web forums even suggest a possible collaboration and cooperation between the developers of njRAT and H-W0rm (hence the large number of events for both).
In addition to older tools and kits observed, Fidelis TRT also observed multiple vulnerability compromise attempts and alerts, many from 2017 or earlier. For Q1 2019, the top five (5) vulnerabilities observed to be targeted were:
Going back to our reference on relevance and timeliness, telemetry data allows us to pivot off of events we see in client environments and focus on tracking down threat activity promoting, leveraging, or weaponizing the observed older and pre-existing exploits and vulnerabilities. This ultimately can allow more focused content and use-case creation and detection to serve and support an organization’s security posture.
Dark Web and External Observations
To further supplement our assessment, we turned to indications and observations from external spaces and sources to confirm our assessment that threat actors are keenly aware of tried-and-true exploits, which will continue to be effective against the vulnerabilities of yesteryear.
According to Recorded Future’s annual report of the top vulnerabilities exploited by kits and tools used by cyber-criminals, seven of the 10 most commonly exploited vulnerabilities are from 2017 or earlier. By comparison, four of the five top vulnerabilities observed in Fidelis’ Q1 2019 statistics are from 2017 or earlier, two of which also appeared on Recorded Future’s 2018 Top 10 list (CVE-2017-8570 and CVE-2017-11882).
Deep and dark web observations* also showed a continued interest by threat actors and vendors in offering services, tools, or exploits that target popular “older” vulnerabilities. In November 2018, a reputable Chinese-speaking actor on an underground forum was observed offering a lease for the RIG EK. Capabilities included the targeting of 13 vulnerabilities, 11 of which were pre-2017. In February 2019, Fidelis TRT Intelligence observed, via our cyber-intelligence partner, a Russian-speaking actor selling re-written and refreshed code for a DirtyCow (CVE-2016-5195) exploit. These were among several examples showing that threat actors and campaigns are not only able to adjust to current trends and update capabilities, but also maintain a continued focus on pre-existing vulnerabilities and recurring tactics to carry out their campaigns and activity.
Filtering Noise and Potential Distractions from Relevant Issues
Another key issue related to ensuring relevant and timely threat intelligence operations is separating pertinent issues and trends from the distractions and noise that often emanate from media outlets and other sources. In our case, “noise” refers to announcements or events that oftentimes may be uncorroborated, do not suggest any practical solutions, or discuss threats or vulnerabilities whose complexity and barrier to entry do not justify losing focus in order to chase after the newest trend, which in my military deployments was jokingly referred to as “the flavor of the week”. These distractions can be further amplified by a lack of terrain visibility and asset inventory.
Recent examples of this type of media “hype” include the 2018 Supermicro espionage controversy, in which media reporting suggested motherboards produced by Supermicro and delivered to major US technology companies like Apple and Amazon were embedded with malicious hardware for espionage, a claim that was neither confirmed nor corroborated following the release of the report. Another example of this type of potential distraction and hype came in the form of a “social experiment” in January 2018, which emerged with a posting on a website announcing two vulnerabilities dubbed “Skyfall” and “Solace”, following the announcement of the Meltdown and Spectre speculative-execution CPU vulnerabilities. Although this was exposed as not credible within days, for a short while it demonstrated how such releases can cause distractions in day-to-day operations and potentially take time away from providing relevant support and solutions for customers. During both events, I remember being called or receiving multiple messages from both leadership and customers to discuss these reports and what we were doing to respond to these “threats”.
Focusing on threats or activity that may impact a specific organization or vertical starts with terrain visibility and asset inventory. A core component of a mature defensive strategy, which in turn can influence proactive and counter-threat operations, is being familiar with your own capabilities and gaps, which was discussed in a previous article. This, coupled with an intelligence-based preparation of the battlespace, can allow an organization to prioritize which threats or actors pose the highest or critical risks versus those that are of interest. An organization can use this assessment to identify and prioritize whether Magecart or a newly discovered Iran-nexus threat group poses a bigger threat, and respond and act accordingly.
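One way to turn the recommendation above (asset inventory plus prioritized patching of widely targeted vulnerabilities) into a repeatable check. This is an added example, not Fidelis code: the hosts, alerts, criticality scale and the 2x weighting are constructed assumptions, and the CVE list contains only the three CVEs named in this post.

```python
import re
from collections import defaultdict

# CVEs this post names as widely targeted.
WIDELY_TARGETED = {"CVE-2017-8570", "CVE-2017-11882", "CVE-2016-5195"}

# Constructed asset inventory: host -> (business function, criticality 1-5).
ASSETS = {
    "fin-db-01": ("payment database", 5),
    "hr-ws-17": ("HR workstation", 3),
    "lab-vm-04": ("test VM", 1),
}

# Constructed alert telemetry: (host, CVE id).
ALERTS = [
    ("fin-db-01", "CVE-2016-5195"),
    ("hr-ws-17", "CVE-2017-11882"),
    ("hr-ws-17", "CVE-2017-8570"),
    ("lab-vm-04", "CVE-2017-11882"),
    ("lab-vm-04", "CVE-2019-0000"),   # placeholder id standing in for a newer CVE
    ("unknown-9", "CVE-2017-8570"),   # host missing from the inventory
]

CVE_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")

def cve_year(cve_id):
    """Year embedded in the CVE id (assignment year, used here as an age proxy)."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1))

def older_share(alerts, cutoff=2017):
    """Fraction of alerts tied to CVEs from the cutoff year or earlier."""
    return sum(cve_year(c) <= cutoff for _, c in alerts) / len(alerts)

def patch_queue(alerts, assets, targeted):
    """Rank (host, CVE) pairs by asset criticality, doubled for widely targeted CVEs."""
    scores, unknown = defaultdict(int), set()
    for host, cve in alerts:
        if host not in assets:        # inventory gap: cannot be prioritized, only reported
            unknown.add(host)
            continue
        scores[(host, cve)] += assets[host][1] * (2 if cve in targeted else 1)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, sorted(unknown)

if __name__ == "__main__":
    print(f"older-CVE share: {older_share(ALERTS):.0%}")
    print(patch_queue(ALERTS, ASSETS, WIDELY_TARGETED))
```

Hosts that appear in alerts but not in the inventory are returned separately, since they cannot be ranked until the inventory gap is closed.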
In Part 2 of this blog, we will discuss identifying and assessing threat actor risks, potential metrics to measure these risks, and predicting future threat activity.
*Part of Fidelis’ TRT deep/dark web intelligence effort leverages information collected by our partners at Intel471.