One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1017733
Publication date 2019-01-31 17:24:00 (viewed: 2019-01-31 22:04:18)
Title APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs
Text
Threat Actors That Don’t Discriminate
When it comes to threat actors and the malware variants they use, let’s talk dating — or rather, the way people date — because one could argue there are marked similarities between the two. You see, there are criminal groups who have a “type,” i.e. using malware that targets specific industries or even organizations — say, financial services (ever-popular and oh-so debonair) or perhaps critical infrastructure (spicy and daring!), or even healthcare for those who prefer staid and demure. Yet other groups are the free lovin’ types who go after multiple sectors using many different malware variants and approaches to accomplish their goal — no discriminating with this bunch. Let’s look at one such example, APT10 / Cloud Hopper, which is likely the group behind a long-running, sophisticated campaign that uses multiple malware variants to target many different sectors in many different countries. You can check out some of the pulses relating to APT10 / Cloud Hopper on the Open Threat Exchange (OTX). The U.S. National Cybersecurity and Communications Integration Center (NCCIC) reports the campaign started in May 2016, and NCCIC last updated its alert in December 2018 — so it’s not going away yet. The group known as APT10 / Cloud Hopper has hit quite a few victims over the last few years in many different sectors, such as: information technology, energy, healthcare and public health, communications, and critical manufacturing. However, their “date of choice” seems to be MSSPs, because credential compromises within those networks could potentially be leveraged to access customer environments. From OTX pulse “Operation Cloud Hopper”: The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSSPs and their clients globally.
This indirect approach of reaching many through only a few targets demonstrates a new level of maturity in cyber espionage – so it’s more important than ever to have a comprehensive view of all the threats your organization might be exposed to, either directly or through your supply chain. As any clever serial dater would do, APT10 / Cloud Hopper doesn’t use just one approach. The NCCIC reports they have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures — for example, PLUGX / SOGU and REDLEAVES. And although the observed malware is based on existing malware code, APT10 / Cloud Hopper modifies it to improve effectiveness and avoid detection by existing signatures.
How Can APT10 Group Impact You?
If these free lovin’ bad guys decide to come after you, they’re likely looking for your data (perhaps to steal intellectual property). At a high level, they’re accomplishing this by leveraging stolen administrative credentials (local and domain) and certificates to place sophisticated malware implants (such as PlugX and Redleaves) on critical systems. Depending on the defensive mitigations in place, they then gain full access to networks and data in a way that appears legitimate to your existing monitoring tools. Voila! They’ve gone from first date to a home run! Wired Maga
Sent Yes
Tags Malware Vulnerability Threat
Stories APT 10
The article does not appear to have been picked up after its publication.


The article does not appear to repeat an earlier one.