Protecting Chicagoland Organizations From Cybercrime and Ransomware Together
Source: Federal Bureau of Investigation, Cyber Division
Targeted victims in these 9 market segments:
· education
· computer hardware
· software, including video gaming
· government
· healthcare
· hospitality
· social networking
· non-governmental organizations
· telecommunication
Capabilities:
The group uses a wide range of tactics in order to gain Initial Access [TA0001]. Spear phishing emails with malicious files [T1566.001] are a common tactic for the actors.
Spear phishing themes frequently target HR departments with malicious archive files masqueraded [T1036.002] as applicant resumes.
The group historically used Microsoft Compiled HTML Help (CHM) [T1218.001] files within their spear phishing messages. In addition, the group conducted supply chain compromises resulting in the victimization of third-party customers throughout the world [T1195.002].
These actors typically obtain means of identification, such as login credentials belonging to individuals with administrative access to victim computer networks, to expand their unauthorized access.
Additionally, the actors may deploy legitimate third-party VPN software such as SoftEther on victim networks to facilitate follow-on access to the victim network.
The group has also deployed “Skeleton Key” malware to create a master password that will work for any account in the domain. During early 2020, the group conducted a massive campaign to rapidly exploit publicly identified security vulnerabilities.
This technique allowed the group to gain access into victim accounts using publicly available exploit code against VPN services [T1133] or public facing applications [T1190] – without using their own distinctive or identifying malware – so long as the group acted before victim companies updated their systems.
This campaign targeted organizations that did not yet patch against security vulnerabilities such as CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189.
These compromises typically resulted in the installation of widely available remote access tools like Cobalt Strike.
Throughout this campaign, the exploit code used by the group was typically several months old.
Tactics:
Tactics, techniques, and procedures (TTPs) associated with the group can be mapped to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for Enterprise framework, Version 7.0.
The group has used the following malware: gh0st, 9002, Zxshell, HK Door, XSLCMD, PlugX/Sogu, Derusbi, HiKit, Crosswalk/ProxIP, Winnti/Pasteboy/Stone/Treadstone, Azazel, PoisonPlug/Barlaiy/ShadowPad, metasploit-meterpreter, and Cobalt Strike.
The group also uses numerous webshells including China Chopper.
One common persistence technique the group has used is DLL side-loading [T1574.002].
The group frequently implanted malware as “%WINDIR%\Windows\System32\wbem\loadperf.dll” to hijack loading of the legitimate “loadperf.dll” file located in the “%WINDIR%\Windows\System32\” directory.
This abuse of the loadperf DLL used the “WMI Performance Adapter Service” (wmiAPSrv).
A similar technique is used with “winmm.dll”: a malicious copy is placed somewhere other than its legitimate location, “%WINDIR%\System32\winmm.dll”.
This technique has been used to launch HK Door, Crosswalk, and other malware.
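As an added example (not part of the advisory), the following Python hunt looks for the side-loading layout just described: a loadperf.dll planted in System32\wbem is hashed against the legitimate System32 copy, and any winmm.dll outside its expected directories is reported. The set of directories treated as legitimate for winmm.dll (System32, SysWOW64, WinSxS) is my assumption, not something the advisory states.

```python
"""Added example: hunt for the DLL side-loading layout described in the advisory above
(loadperf.dll planted in System32\\wbem beside wmiApSrv, winmm.dll outside System32)."""
import hashlib
import os
from pathlib import Path

# Hijack location, the legitimate file it shadows (both relative to %WINDIR%) and the
# abused host service, all as named in the advisory.
SIDELOAD_PAIRS = [
    ("System32/wbem/loadperf.dll", "System32/loadperf.dll", "wmiApSrv"),
]

def sha256_of(path: Path) -> str:
    """Hash in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def winmm_is_legitimate(dll: Path, windir: Path) -> bool:
    """Assumption (not from the advisory): winmm.dll belongs only in System32, SysWOW64
    (the 32-bit copy) or the WinSxS component store; any other copy is suspicious."""
    if dll.parent in (windir / "System32", windir / "SysWOW64"):
        return True
    return (windir / "WinSxS") in dll.parents

def find_sideload_candidates(windir: Path) -> list[dict]:
    """Return one finding per file matching the side-loading pattern under windir."""
    findings = []
    for hijack_rel, legit_rel, host in SIDELOAD_PAIRS:
        hijack, legit = windir / hijack_rel, windir / legit_rel
        if not hijack.is_file():
            continue  # nothing planted at the hijack location
        legit_hash = sha256_of(legit) if legit.is_file() else None
        findings.append({
            "path": str(hijack), "host": host,
            # Same hash as the real DLL is a stray copy; a different one is a planted DLL.
            "differs_from_legit": sha256_of(hijack) != legit_hash,
        })
    for dll in windir.rglob("winmm.dll"):
        if not winmm_is_legitimate(dll, windir):
            findings.append({"path": str(dll), "host": "any process importing winmm.dll",
                             "differs_from_legit": True})
    return findings

if __name__ == "__main__":
    for finding in find_sideload_candidates(Path(os.environ.get("WINDIR", r"C:\Windows"))):
        print(finding)
```

Run it from an elevated prompt so the wbem directory is readable; a hit with `differs_from_legit: True` is the case worth pulling the file for analysis.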
Defense:
Patch and Vulnerability Management:
· Install vendor-provided and verified patches to all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers for known vulnerabilities and software processing Internet data, such as web browsers, browser plugins, and document readers.
· Ensure proper mitigating steps or compensating controls are implemented for vulnerabilities that cannot be patched in a timely manner.
· Maintain up-to-date antivirus signatures and engines.
· Recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.
Protect Credentials:
· Strengthen credential requirements and implement multi-factor authentication to protect individual accounts, particularly for webmail and VPN access and for accounts that access critical systems. Regularly change passwords and do not reuse passwords for multiple accounts.
· Audit all remote authentications from trusted networks or service providers.
· Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems.
· Log use of system administrator commands, such as net, ipconfig, and ping.
· Audit logs for suspicious behavior.
· Enforce principle of least privilege.
Network Hygiene and Monitoring:
· Actively scan and monitor internet-accessible applications for unauthorized access, modification, and anomalous activities.
· Actively monitor server disk use and audit for significant changes.
· Log DNS queries and consider blocking all outbound DNS requests that do not originate from approved DNS servers. Monitor DNS queries for C2 over DNS.
· Develop and monitor the network and system baselines to allow for the identification of anomalous activity. Identify and suspend access of users exhibiting unusual activity.
· Use whitelist or baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system.
· Leverage multi-sourced threat-reputation services for files, DNS, URLs, IPs, and email addresses.
· Network device management interfaces, such as Telnet, SSH, Winbox, and HTTP, should be turned off for WAN interfaces and secured with strong passwords and encryption when enabled.
· When possible, segment critical information on air-gapped systems. Use strict access control measures for critical data.
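The baseline-comparison recommendation above (detecting a user who maps a privileged administrative share) as an added example, not code from the advisory: Windows Security event 5140 records are compared against a constructed baseline of accounts and source addresses that are expected to map ADMIN$ or drive shares, and everything else is summarised per actor. The JSON export format, the baseline entries and the sample events are all constructed for this example.

```python
"""Added example: baseline comparison over exported Windows Security events (ID 5140) to
detect users mapping privileged administrative shares such as ADMIN$ or C$."""
import json
import re
from collections import defaultdict

# ADMIN$ and drive-letter shares expose the host's whole file system; IPC$ is excluded as noise.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)

# Baseline of (account, source IP) pairs expected to map admin shares, e.g. the patch
# management server. Constructed for this example; derive yours from observed history.
BASELINE = {("svc_patchmgmt", "10.0.5.20")}

def is_admin_share_access(event: dict) -> bool:
    """5140 = 'A network share object was accessed'; keep only privileged shares."""
    return event.get("EventID") == 5140 and bool(ADMIN_SHARE.match(event.get("ShareName", "")))

def detect_admin_share_mappings(lines, baseline=BASELINE) -> list[dict]:
    """One summary per (user, source IP) outside the baseline; many hosts from one account
    and source is the fan-out shape of lateral movement."""
    known = {(user.lower(), ip) for user, ip in baseline}
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_admin_share_access(event):
            continue
        actor = (event["SubjectUserName"].lower(), event["IpAddress"])
        if actor not in known:
            targets[actor].add((event["Computer"], event["ShareName"]))
    return [{"user": user, "source_ip": ip, "targets": sorted(hit),
             "host_count": len({host for host, _ in hit})}
            for (user, ip), hit in targets.items()]

# Constructed sample, one JSON object per line using the EventData field names Windows
# emits (SubjectUserName, IpAddress, ShareName); the raw string preserves backslashes.
SAMPLE_EVENTS = r"""
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "svc_patchmgmt", "IpAddress": "10.0.5.20", "ShareName": "\\\\*\\ADMIN$"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\Finance"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\C$"}
{"EventID": 5140, "Computer": "HR02", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\ADMIN$"}
{"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77", "ShareName": "\\\\*\\IPC$"}
{"EventID": 4624, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.9.77"}
"""

if __name__ == "__main__":
    for alert in detect_admin_share_mappings(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample, the patch-management account is suppressed by the baseline and jdoe is reported once with two distinct hosts; the Finance and IPC$ accesses never count.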