BlackBerry, the company once known for ultra-secure email on phones with superior keyboards, was overtaken in the handset market by Apple and Android, but in a remarkable turnaround it rebuilt itself as a solid cybersecurity organization. It provides intelligent security software and services to enterprises and governments around the world and secures more than 500M endpoints, including 150M cars on the road today.
It has just released new research examining how five related Advanced Persistent Threat (APT) groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade.
The report, titled Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android, provides further insight into pervasive economic espionage operations targeting intellectual property, a subject the Department of Justice recently said is the focus of more than 1,000 open investigations across all 56 FBI field offices.
The cross-platform aspect of the attacks is also of particular concern in light of security challenges posed by the sudden increase in remote workers. The tools identified in these ongoing attack campaigns are already in place to take advantage of work-from-home mandates, and the diminished number of personnel onsite to maintain security of these critical systems compounds the risks. While the majority of the workforce has left the office as part of containment efforts in response to the COVID-19 outbreak, intellectual property remains in enterprise data centers, most of which run on Linux.
Linux runs nearly all of the top 1 million websites online, 75% of all web servers, 98% of the world’s supercomputers and 75% of major cloud service providers (Netcraft, 2019, Linux Foundation, 2020). Most large organizations rely on Linux to run websites, proxy network traffic and store valuable data. The BlackBerry report examines how APTs have leveraged the “always on, always available” nature of Linux servers to establish a “beachhead for operations” across a wide swath of targets.
“Linux is not typically user-facing, and most security companies focus their engineering and marketing attention on products designed for the front office instead of the server rack, so coverage for Linux is sparse,” said Eric Cornelius, Chief Product Architect at BlackBerry. “These APT groups have zeroed in on that gap in security and leveraged it for their strategic advantage to steal intellectual property from targeted sectors for years without anyone noticing.”
Other key findings in the report include:
- The APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts.
- The APT groups have traditionally pursued different objectives and focused on a wide array of targets; however, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned.
- The research identifies two new examples of Android malware, continuing a trend seen in a previous report from BlackBerry researchers, titled Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform, which examined how APT groups have been leveraging mobile malware in combination with traditional desktop malware in ongoing cross-platform surveillance and espionage campaigns.
- The report also delves into the curious case of a mobile remote access trojan (RAT) that was developed by an APT group nearly two years prior to the commercial availability of a popular remote administration penetration testing tool that has strikingly similar code structure and characteristics, raising questions about the origins of each.
- The report examines several new variants of well-known Windows® malware that get past network defenders by being signed with code-signing certificates stolen from adware vendors, a tactic the attackers hope will raise infection rates because any AV red flags are dismissed as just another blip in the constant stream of adware alerts.
- The research also highlights a shift by attackers toward using legitimate cloud service providers for command-and-control (C2) and data exfiltration, so that the malicious communications appear to be trusted network traffic.
“This research paints a picture of an espionage effort targeting the very backbone of large organizations’ network infrastructure that is more systemic than has been previously acknowledged,” says John McClurg, Chief Information Security Officer at BlackBerry. “This report opens another chapter in the Chinese IP theft story, providing us with new lessons to learn.”
More details of the report include:
Strategic Intelligence Assessments:
• Targeting Linux: Adversaries assessed to be acting in the interests of the Chinese government have strategically targeted Linux servers for years precisely because the Linux operating system is not typically a primary focus of security solutions. Defensive coverage within Linux environments is immature at best, and robust endpoint protection (EPP) and endpoint detection and response (EDR) products are often inadequately deployed or lack the capabilities needed to defend them. It was assessed that the groups examined in this report are using Linux servers as a “network beachhead” for other operations, that is, as a highly available attack vector that is always on and poorly defended.
• APT Groups Coordinating: Persistent threats rarely operate in a single domain, and the five groups assessed to be related to the APT originally identified as WINNTI GROUP in previously published research are no exception. Many of the techniques used in one operating environment have been readily translated for use in others. Cross-platform and open-source tools are more readily available now than ever, and the APT groups examined in this report have already exploited this fact.
• Objective Blending and Overlap: BlackBerry researchers observed the continued blending of financially motivated and targeted espionage activity by the five groups under examination in this report. The more traditional criminal approaches to network exploitation are equally effective in their intelligence gathering as they are in generating revenue. Attacks that look like dragnet, “spray and pray” efforts can also yield targeted reconnaissance intelligence for other operations, and strategic platform and supply-chain compromises are becoming increasingly commonplace.
• Attackers for Hire: It is assessed with high confidence that the APT groups examined in this report are likely comprised of civilian contractors working in the interest of the Chinese government who readily share tools, techniques, infrastructure, and targeting information with one another and their government counterparts. This reflects a highly agile government/contractor ecosystem with few of the bureaucratic or legal hurdles that can be observed in Western nations with similar capabilities and provides a level of plausible deniability for the Chinese government.
Tactical Intelligence Assessments:
• The WINNTI Approach: Five APT groups acting in the interest of the Chinese government and assessed to be employing WINNTI-style tooling have taken strategic aim at Linux servers that serve a critical role in enterprise network environments, and have done so while remaining relatively undetected for nearly a decade. These groups systematically target Red Hat Enterprise Linux, CentOS and Ubuntu environments across a wide array of industry verticals for the purposes of espionage and intellectual property theft. The APT groups examined include the original WINNTI GROUP, PASSCV, BRONZE UNION, CASPER (LEAD), and a newly identified group BlackBerry researchers are tracking as WLNXSPLINTER. All five groups are assessed to be related given the distinct similarities in the tactics, techniques and procedures (TTPs) they employ, referred to in this report as the WINNTI approach.
• The Linux Connection: The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets. However, a significant degree of coordination between these groups was observed, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux deployment should not assume it is outside the target set of any of these groups.
• The XOR DDoS Botnet Connection: It was also observed that the malware used by WINNTI GROUP very closely resembles that used in the massive Linux XOR DDoS botnet first identified in September 2014, to the extent that BlackBerry researchers have judged the botnet to have been a tool developed by this group.
• Code Similarities: A PASSCV Android implant examined in this report very closely resembles code marketed as the penetration testing tool NetWire for Android, yet the malware is shown to have been compiled nearly two years before the commercial NetWire tool was first made available for purchase.
• Hiding in Plain Sight: The APT groups examined in this report have shifted from signing malware with certificates stolen from video game companies to signing it with certificates stolen from adware vendors, resulting in very low detection rates. It is assessed that this is done to bypass network defenders by hiding malware within the high volume of innocuous adware alerts large organizations typically receive in any given day.
• Cloud Migration: It has been observed that there has been a shift in infrastructure hosting towards the more frequent adoption of established, legitimate cloud services, presenting a challenge to defenders’ assumptions regarding the monitoring of trusted network traffic within their organizations’ networks.
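The cloud-hosted C2 and exfiltration finding above points to a practical check: traffic to well-known cloud services should still be subjected to behavioural analysis rather than exempted as trusted. The following is an added example, not code from the BlackBerry report, that looks for beacon-like regularity in web-proxy log lines grouped by source and destination. The log lines, IP addresses, hostnames and the TRUSTED_CLOUD_SUFFIXES list are all constructed for illustration.

```python
"""Flag beacon-like periodic requests to cloud services in proxy logs.

Added example, not part of the BlackBerry report. All hosts, addresses and
log lines below are constructed sample data.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format per line: ISO timestamp, source IP,
# destination host, response bytes. Host 10.1.2.15 polls the storage service
# roughly every 60 s (beacon); 10.1.2.22 uses it irregularly (normal user);
# 10.1.2.30 is regular but has too few requests to score.
SAMPLE_LOG = """\
2020-04-07T09:00:00 10.1.2.15 files.cloud-storage.example 512
2020-04-07T09:00:05 10.1.2.22 files.cloud-storage.example 20481
2020-04-07T09:00:20 10.1.2.22 files.cloud-storage.example 1833
2020-04-07T09:01:01 10.1.2.15 files.cloud-storage.example 498
2020-04-07T09:02:00 10.1.2.15 files.cloud-storage.example 505
2020-04-07T09:02:59 10.1.2.15 files.cloud-storage.example 511
2020-04-07T09:03:40 10.1.2.22 files.cloud-storage.example 73301
2020-04-07T09:04:01 10.1.2.15 files.cloud-storage.example 500
2020-04-07T09:04:10 10.1.2.22 files.cloud-storage.example 4096
2020-04-07T09:05:00 10.1.2.15 files.cloud-storage.example 509
2020-04-07T09:06:01 10.1.2.15 files.cloud-storage.example 497
2020-04-07T09:07:00 10.1.2.15 files.cloud-storage.example 503
2020-04-07T09:19:10 10.1.2.22 files.cloud-storage.example 1200
2020-04-07T09:19:15 10.1.2.22 files.cloud-storage.example 91022
2020-04-07T09:25:00 10.1.2.22 files.cloud-storage.example 640
2020-04-07T09:30:00 10.1.2.30 api.cloud-platform.example 300
2020-04-07T09:31:00 10.1.2.30 api.cloud-platform.example 300
2020-04-07T09:32:00 10.1.2.30 api.cloud-platform.example 300
"""

# Hypothetical suffixes an organisation treats as "trusted cloud" and is
# tempted to exempt from inspection. Used here only to label findings, so
# the analyst sees that trusted destinations are scored like any other.
TRUSTED_CLOUD_SUFFIXES = (".cloud-storage.example", ".cloud-platform.example")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return (src, dst) pairs whose inter-request gaps are suspiciously even.

    A pair is reported when it has at least `min_hits` requests and the
    coefficient of variation (stdev / mean) of the gaps is <= `max_cv`.
    Results are sorted with the most regular pair first.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) < 2:
            continue  # stdev needs at least two gaps
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "hits": len(events),
                "mean_interval_s": mean,
                "interval_cv": cv,
                "mean_bytes": statistics.mean(b for _, b in events),
                "trusted_destination": dst.endswith(TRUSTED_CLOUD_SUFFIXES),
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the sample, only 10.1.2.15 is reported (about 60 s between requests, very low variance, small uniform response sizes), even though its destination is on the trusted list; the irregular user on the same service is not. Real implants jitter their sleep, so in practice the threshold and the minimum hit count need tuning against your own baseline, and periodicity is one signal to combine with others (new destination for the host, uniform payload sizes, off-hours activity), not a verdict on its own.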