Attackers using computer operating systems to install malware
A satellite communications operator and a defence contractor are among the targets of a cyber-security breach identified by Symantec.
Symantec a cyber-security organisation have exposed what they believe is cyber espionage activities by a group called Thrip, located in mainland China.
The breaches were identified by Symantec’s AI based Target Attack Analytics (TAA) software. It was the TAA that highlighted oddities last January in a large telecommunication operator in Southeast Asia.
Outlining the results of their investigation in a blog post, Symantec shed light on how the TAA runs through “Symantec’s data lake of telemetry in order to spot patterns associated with targeted attacks. Its advanced AI automates what previously would have taken thousands of hours of analyst time.”
The TAA spotted an attacker using PsExec to move laterally through computers within the telecommunication operator’s company network.
“PsExec is a Microsoft Sysinternals tool for executing processes on other systems and is one of the most frequently seen legitimate pieces of software used by attackers attempting to live off the land,” noted Symantec.
Living off the Land refers to the practice of attackers using a computers’ own operating systems to compromise computers with malware.
Speaking to Computer Business Review Scott Walker, Senior Solutions Engineer at Bomgar told us: “In this attack the hackers needed two things, insecure access and a privileged account that let them move laterally in their systems.”
“It’s common for businesses to have antivirus and intrusion detection tools in place to protect their networks, and these state-sponsored attacks take note of what solutions businesses typically employ and use them to identify the vulnerabilities in an organisations’ defence.”
In their investigation Symantec found an updated version of Trojan.Rikamanu malware. This particular malware is associated with Thrip, a group Symantec have been monitoring since 2013.
Not only did the TAA flag the malicious use of the PsExec, it also informed Symantec that the attackers were attempting to remotely install the above Trojan.
Upon further investigation they uncovered a new piece of malware called Infostealer.Catchamas which is designed to syphon off information from a compromised computer.
Four Targets Discovered
Starting with the telecommunication company, Symantec have gone on to identify three more targets of Thrip, these are an organisation involved in geospatial imaging and mapping, a defence contractor and a satellite communications operator.
Symantec believe that the attack on the satellite communications operator was aimed at the operational side of the organisation and that the attackers were: “looking for and infecting computers running software that monitors and controls satellites.” This could mean that the greater intention was not just to monitor information, but was aimed at disruption as well, stated Symantec.
“We’d be naïve to say that these types of attacks aren’t going to happen,” Scott Walker told Computer Business Review.
When your organisation is under attack it is about reducing how much access and ground the attackers can take: “employing a tool that can rotate privileged credentials en-masse in the event of a breach can shut down any further access or lateral movement from a threat actor.”
“With cybercriminals already understanding that access and identity management is a weakness in today’s organisations, it’s time for businesses to prioritise defending against these methods of attacks.”