The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems.
The alert notes that DHS’ National Cybersecurity and Communications Integration Center “has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including information technology, energy, healthcare and public health, communications and critical manufacturing.”
Mac McMillan, president of the security consulting firm CynergisTek, says the threat is serious. “These attacks could lead to full network compromise, long-term undetected attacks, and compromise/exploitation of systems and data, essentially putting both operations and patient safety at risk,” he says.
The April 27 alert, which was updated on May 2, says preliminary analysis has found that threat actors appear to be leveraging stolen administrative credentials – local and domain – and certificates.
“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” the alert notes. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”
DHS says the activity is still under investigation. “The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures,” according to the alert. “The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates.”
Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement, the alert notes.
“Command and control primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity.”
In addition to leveraging user impersonation via compromised credentials, the attackers are using malware implants left behind on key relay and staging machines, the alert states. “In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and RedLeaves.”
The attackers have modified the malware to “improve effectiveness and avoid detection by existing signatures,” the alert notes.
DHS warns that a successful network intrusion involving these attacks could result in temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.
The DHS alert follows a blog posted in early April by researchers at BAE Systems and PwC about the firms’ investigation into a campaign of intrusions against several major managed services providers.
“These attacks can be attributed to the actor known as APT10 – a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM,” the blog states. “Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organizations.”
APT10 is a Chinese cyber espionage group that the security firm FireEye has been tracking since 2009.
The blog from BAE and PwC notes that the current campaign linked to APT10 can be split into two sets of activity: attacks targeting MSPs, engineering and other sectors with common as well as custom malware, and attacks targeting Japanese organizations with the ‘ChChes’ malware.
The attacks linked to APT10 targeting managed services providers use a custom dropper for their various implants, the researchers note. “This dropper makes use of dynamic-link library side-loading to execute the main payload.” The researchers write that their analysis shows the attackers have used several payloads, including:
- PlugX, a well-known espionage tool in use by several threat actors;
- RedLeaves, a newly developed, fully-featured backdoor, first used by APT10 in recent months.
“Whilst these attackers have skill, persistence, some new tools and infrastructure – there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers,” the blog says.
DHS in its alert notes: “All organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place. Active monitoring of network traffic for the indicators of compromise … as well as behavior analysis for similar activity, should be conducted to identify command and control traffic.”
In addition, DHS notes, “Frequency analysis should be conducted at the lowest level possible to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration. Both management and client systems should be evaluated for host indicators provided.”
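The two detection ideas in the alert quoted above, behavior analysis of port 443 traffic to dynamic-DNS domains that imitate Windows Update hosts, and frequency analysis of per-host egress volume to catch exfiltration spikes, can be sketched as a small log-review script. The following is an added example written for this article, not code from DHS, NCCIC, BAE Systems or PwC; the proxy log format, the `.example` dynamic-DNS suffixes, the sample hostnames and the thresholds are all constructed assumptions to be replaced with an organization's own data and threat intelligence, and none of the hostnames are indicators from the alert.

```python
"""Sketch of two checks suggested by the DHS alert: lookalike/dynamic-DNS C2 over
443, and per-host hourly egress spikes. All inputs below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
import re

# ASSUMPTION: placeholder dynamic-DNS suffixes; populate from your own intel feed.
DYNAMIC_DNS_SUFFIXES = ("ddns.example", "dyn.example", "hopto.example")
# Parent domains under which genuine Windows Update hosts are expected to sit.
LEGIT_UPDATE_PARENTS = ("microsoft.com", "windowsupdate.com")

# Constructed proxy log: timestamp host src_ip dst_host dst_port bytes_out
SAMPLE_LOG = """\
2017-04-28T09:00:11Z WS01 10.1.1.5 download.windowsupdate.com 443 1200
2017-04-28T09:05:42Z WS01 10.1.1.5 windowsupdate-cdn.ddns.example 443 900
2017-04-28T09:30:03Z WS02 10.1.1.6 mail.example.org 443 4000
2017-04-28T10:00:11Z WS01 10.1.1.5 update.microsoft.com 443 1500
2017-04-28T10:15:09Z WS02 10.1.1.6 www.example.org 443 3500
2017-04-28T11:00:07Z WS02 10.1.1.6 www.example.org 443 4200
2017-04-28T12:00:44Z WS02 10.1.1.6 files.hopto.example 443 48000000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    host: str
    src_ip: str
    dst_host: str
    dst_port: int
    bytes_out: int


def parse_log(text):
    """Parse whitespace-separated proxy records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src_ip, dst_host, port, nbytes = line.split()
        flows.append(Flow(ts, host, src_ip, dst_host.lower(), int(port), int(nbytes)))
    return flows


def _under(domain, parents):
    """True if domain equals or is a subdomain of any parent."""
    return any(domain == p or domain.endswith("." + p) for p in parents)


def suspicious_c2_hosts(flows):
    """Map dst_host -> sorted reasons for 443 flows to dynamic-DNS or
    Windows-Update-lookalike hosts (the C2 pattern described in the alert)."""
    findings = {}
    for f in flows:
        if f.dst_port != 443:
            continue
        reasons = []
        if _under(f.dst_host, DYNAMIC_DNS_SUFFIXES):
            reasons.append("dynamic-dns")
        if (re.search(r"windowsupdate|microsoft", f.dst_host)
                and not _under(f.dst_host, LEGIT_UPDATE_PARENTS)):
            reasons.append("update-lookalike")
        if reasons:
            findings.setdefault(f.dst_host, set()).update(reasons)
    return {h: sorted(r) for h, r in findings.items()}


def hourly_egress(flows):
    """Sum bytes_out per (host, hour) bucket; hour is 'YYYY-MM-DDTHH'."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f.host, f.ts[:13])] += f.bytes_out
    return buckets


def egress_spikes(flows, ratio=10, min_buckets=3, floor=10_000_000):
    """Frequency analysis at host granularity: flag an hourly bucket whose
    egress exceeds both an absolute floor and `ratio` times the host's median
    hourly egress. Median is used so a single spike cannot mask itself by
    inflating a mean-based baseline. Returns (host, hour, bytes, baseline)."""
    per_host = defaultdict(dict)
    for (host, hour), nbytes in hourly_egress(flows).items():
        per_host[host][hour] = nbytes
    spikes = []
    for host, hours in per_host.items():
        if len(hours) < min_buckets:  # too little history for a baseline
            continue
        baseline = median(hours.values())
        for hour, nbytes in sorted(hours.items()):
            if nbytes > max(floor, ratio * baseline):
                spikes.append((host, hour, nbytes, baseline))
    return spikes


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for host, reasons in suspicious_c2_hosts(flows).items():
        print(f"possible C2 host {host}: {', '.join(reasons)}")
    for host, hour, nbytes, baseline in egress_spikes(flows):
        print(f"egress spike on {host} at {hour}: {nbytes} bytes (median {baseline})")
```

Both checks are deliberately independent of the malware family: they look at where port 443 traffic goes and how much leaves each host per hour, which is what the alert recommends when signatures lag behind modified implants. Tune `ratio` and `floor` against a real baseline, and feed the flagged hosts into the host-indicator review the alert also calls for.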
McMillan suggests that healthcare entities take steps to prevent falling victim to these attacks.
“Healthcare organizations should ensure that their service provider is actually looking for the indicators,” he says. “Within their own network they should be assessing for the presence of the detailed indicators in the NCCIC report. If an indicator of compromise is detected they should take appropriate action to remediate and reach out to NCCIC for assistance and further details. Secondarily, they should be reviewing the service provider contracts to ensure the vendor is monitoring actively.”
About the Author:
Marianne Kolbasuk McGee
Executive Editor, HealthcareInfoSecurity
Marianne Kolbasuk McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek’s healthcare IT media site.