Resources | Picus Security

PICUS LABS MONTHLY #March 2021

Written by Picus Labs | Mar 24, 2021 10:36:00 AM

MARCH'S THREAT: HAFNIUM THREAT GROUP

The Rise of State-Sponsored Threat Groups

HAFNIUM is a state-sponsored group that primarily targets entities in the United States across many industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

 

You can test the effectiveness of your security controls against the HAFNIUM threat group with '719575 HAFNIUM Threat Group Exchange Server Post-Exploitation Scenario" in Picus Threat Library. You can also validate your defenses against malware samples used by HAFNIUM with Picus ThreatID 3719270 and webshell samples with Picus ThreatIDs 510920 and 349535 in Picus Threat Library.

 

     In this article, we analyzed Tactics, Techniques, and Procedures (TTPs) utilized by the HAFNIUM threat actor to understand their attack methods and the impact of this breach.

MARCH'S THREAT ACTORS

HAFNIUM

  • Picus Threat ID: 719575, 3719270, 349535, 510920
  • Target Regions: North America
  • Target Industries: Government, Education, Healthcare

MuddyWater

  • Picus Threat ID: 396146, 843253, 752295
  • Aliases: Seedworm, TEMP.Zagros
  • Target Regions: Europe, Middle East, North America
  • Target Industries: Government, Education, Healthcare
  • Malware: PassDump, RemoteUtilities trojan dropper , RemoteUtilities trojan
     Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Earth Vetala attack campaign of the MuddyWater. For more information, check the blog post Earth Vetala Campaign of MuddyWater APT Group

Mustang Panda

  • Picus Threat ID: 680904, 312114, 408602, 232031
  • Aliases: Bronze President, TEMP.Hex, HoneyMyte, and Red Lich
  • Target Regions: Asia, Europe, and North America
  • Target Industries: Telecom., aviation, government, NGOs, and think tanks.

Our world-class red team analyzed 500.000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

Atomic Attacks

Windows Kernel Win32k Elevation of Privilege Scenario

  • Picus Threat ID: 671282
  • CVE: CVE-2021-1732
  • ATT&CK Technique: T1134 Access Token Manipulation
  • ATT&CK Tactics: Defense Evasion, Privilege Escalation

Shellcode Execution via EnumChildWindows Callback Function

  • Picus Threat ID: 222204
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactic: Defense Evasion, Privilege Escalation

Watch our webinar, we dig down into T1055 Process Injection as the no. 1 technique in the Picus 10 Critical MITRE ATT&CK Techniques list.

 



Credential Dumping via RtlReportSilentProcessExit API Call

  • Picus Threat ID: 611239
  • ATT&CK Technique: T1003 OS Credential Dumping
  • ATT&CK Tactic: Credential Access

For more information on MITRE ATT&CK T1003 Credential Dumping, here is the blog post you can read:
    MITRE ATT&CK T1003 Credential Dumping

 

MALICIOUS CODE

HAFNIUM

  • Picus Threat ID: 372862, 260828, 701507
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: Logistics, Entertainment, Real Estate, Media

HelloKitty Ransomware

  • Picus Threat ID: 282623
  • Signature ATT&CK Technique: T1486 Data Encrypted for Impact
  • Target Regions: ALL
  • Target Industries: ALL

DEWMODE Dropper used by UNC2546 Threat Group 

  • Picus Threat ID: 728133, 238722, 208936
  • Target Regions: North America
  • Target Industries: Telecommunication

 

WEB APPLICATION ATTACKS

Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-1

  • Picus Threat ID: 520680
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-26855
  • Affected Product: Microsoft Exchange

VMware View Planner Remote Code Execution Vulnerability Variant-1

  • Picus Threat ID: 395919
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-21978
  • Affected Product: VMware

GitLab Path Traversal Vulnerability

  • Picus Threat ID: 673135
  • OWASP Top 10: A5 - Broken Access Control
  • CVSS 3 Base Score: 5.5 Medium
  • CVE: CVE-2020-10977
  • Affected Product: GitLab

VULNERABILITY EXPLOITATIONS

Microsoft Appx Deployment Service Elevation of Privilege Vulnerability

  • Picus Threat ID: 619884
  • CVE: CVE-2019-0841
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Appx Deployment Service

Win32k Denial of Service Vulnerability .EXE File Download Variant-5

  • Picus Threat ID: 859973
  • CVE: CVE-2021-1732
  • CVSS 3.1 Base Score: 7.8 High
  • Affected Product: Win32k Graphics Service

Windows Installer Service Privilege Escalation Vulnerability

  • Picus Threat ID: 740070
  • CVE: CVE-2021-1727 CVSS 3.1
  • Base Score: 7.8 High
  • Affected Product: Windows Installer Service

SIGMA RULES

Credential Dumping From Keepass Database

  • Picus Sigma ID: 3985
  • Technique: T1055.005 Process Injection: Thread Local Storage
  • Tactic: Defense Evasion, Privilege Escalation
Our research has found that Process Injection was the most prevalent MITRE ATT&CK technique used by adversaries in their malware. For more information on MITRE ATT&CK T1055 Process Injection, here is the blog post you can check.

Data Collection with 7z.exe via Commandline

  • Picus Sigma ID: 5178
  • Technique: T1560.001 Archive Collected Data: Archive via Utility
  • Tactic: Collection

Credential Dumping via Procdump

  • Picus Sigma ID: 3929
  • Technique: T1003.001 OS Credential Dumping: LSASS Memory
  • Tactic: Credential Access
View full post