Beginning the morning after the presidential election, a series of spear-phishing emails hit a number of government and political targets while evading detection by antimalware tools.
Security firm Volexity LLC, based in Reston, Va., said the Russian hacker group thought to be involved in the Democratic National Committee hack and known by various names -- APT29, Cozy Bear, The Dukes and others -- launched five waves of spear-phishing attacks. The targets were individuals working on national security, defense, international affairs, public policy, and European and Asian studies at U.S.-based think tanks and nongovernmental organizations (NGOs).
Volexity said in a blog post that The Dukes have a history of sending highly realistic spear-phishing emails that fool victims and evade detection by antivirus and antimalware products.
"The Dukes are known for launching their attacks by sending links to zip files that contain malicious executables, hosted on legitimate compromised web servers. However, each of the email messages from the August attacks contained a Microsoft Office Word or Excel attachment," Volexity wrote. "These attachments, when viewed, contained legitimate report content from each of the organizations they appeared to have been sent from. However, the attackers inserted macros into the documents designed to install a malware downloader on the system."
Igor Volovich, CEO at ROMAD Cyber Systems, based in Herndon, Va., said these attacks weren't a surprise because "nearly every major newsworthy event has generated phishing activity."
"History shows that these types of attacks are highly opportunistic, with little regard for the underlying event, which is simply a vehicle for spreading the threat via social channels, hoping for viral human-driven distribution. The exploit vector here is the human -- the weak link in the security chain," Volovich told SearchSecurity via email. "The targeting of specific entities is a variant of that approach, but neither a particularly inventive nor surprising development."
Ryan Vela, regional vice president for Fidelis Cybersecurity, based in Bethesda, Md., said the bigger surprise is the attacks have been perpetrated by The Dukes.
"If the motivation of The Dukes is to target NGOs, think tanks and universities, then this would be a shift in their motivations from what we know of their previous operations," Vela told SearchSecurity. "If the motivations are there, whether the motivations be financial, activism or just plain mayhem, then there is no deterrence that has been effective in stopping groups such as The Dukes. They will continue until someone finds their infrastructure and shuts their root capability or their [command-and-control server] down."
Better malware detection
Volexity said this Russian advanced persistent threat (APT) group's approach is "quite novel," because its "anti-[virtual machine] macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command-and-control infrastructure."
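The three traits in that description (an auto-execute entry point, checks that make the macro bail out inside a sandbox or VM, and a PowerShell downloader) can be triaged statically, which matters precisely because the anti-VM checks are what leave a detonation sandbox with nothing to report. The script below is an added example and is not Volexity's or The Dukes' code. It assumes the VBA source has already been extracted from the Office file (oletools' olevba does that); the indicator categories are this example's own heuristics, not Volexity's published findings, and both sample macros are constructed for the demonstration and inert (no URL, no payload).

```python
"""Static triage of extracted VBA macro source for three dropper traits:
auto-execute entry point, sandbox/VM evasion checks, PowerShell downloader.

Added example, not Volexity's or The Dukes' code. Assumes the macro text has
already been extracted (e.g. with oletools' olevba). Both samples below are
constructed for this demonstration and are inert.
"""
import re

# Heuristic categories chosen for this example, not a published ruleset.
INDICATORS = {
    "autoexec": [r"\bAuto_?Open\b", r"\bDocument_Open\b", r"\bWorkbook_Open\b"],
    "sandbox_evasion": [
        r"Win32_ComputerSystem", r"NumberOfProcessors", r"TotalPhysicalMemory",
        r"GetTickCount", r"Application\.MouseAvailable", r"RecentFiles\.Count",
    ],
    "downloader": [
        r"\bpowershell\b", r"DownloadFile|DownloadString", r"WScript\.Shell",
        r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden",
    ],
}

# Constructed sample: refuses to run on small VMs or fresh user profiles,
# then hands an (undefined) stage2 string to a hidden PowerShell.
SAMPLE_MALICIOUS = r'''
Sub AutoOpen()
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each sys In wmi.ExecQuery("SELECT * FROM Win32_ComputerSystem")
        If sys.NumberOfProcessors < 2 Or sys.TotalPhysicalMemory < 2000000000 Then Exit Sub
    Next
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set sh = CreateObject("WScript.Shell")
    sh.Run "powershell -w hidden -enc " & stage2, 0
End Sub
'''

# Constructed benign sample: auto-exec alone is common in legitimate documents.
SAMPLE_BENIGN = r'''
Sub AutoOpen()
    ActiveDocument.Content.Font.Name = "Calibri"
End Sub
'''


def triage(vba_source):
    """Return {category: sorted matched strings} for every category that hit."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = set()
        for pat in patterns:
            for m in re.finditer(pat, vba_source, re.IGNORECASE):
                found.add(m.group(0))
        if found:
            hits[category] = sorted(found)
    return hits


def verdict(hits):
    """Auto-exec plus downloader is the classic dropper shape; evasion alone
    still deserves analyst attention because it blinds a detonation sandbox."""
    if "autoexec" in hits and "downloader" in hits:
        return "likely-malicious"
    if "downloader" in hits or "sandbox_evasion" in hits:
        return "suspicious"
    return "low"


if __name__ == "__main__":
    for name, src in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        found = triage(src)
        print(name, verdict(found), found)
```

Run it on olevba output rather than on the raw document: VBA source inside vbaProject.bin is stored compressed, so grepping the file bytes directly will miss most of these strings. The verdict is a triage aid for the mail gateway or analyst queue, not a replacement for detonation; the point is that a macro engineered to stay quiet in a sandbox still has to carry its evasion logic in plain source.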
Travis Rosiek, CTO at Tychon, said adversaries have become skilled at taking advantage of "cyber laws or lack of laws in countries where certain domains are hosted" when setting up command-and-control infrastructure.
"Adversaries can embed their C&C [command-and-control] traffic inside of normal web application traffic that has high volumes and is normally accepted as good," Rosiek told SearchSecurity. "Implementing best practices, good network hygiene, consolidating views of security and IT across organizations, as well as continually investing in emerging and dynamic technologies are some ways to better enable an organization's success in gaining visibility and limiting impact of these advanced threat actors."
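Command-and-control traffic that hides inside ordinary web requests is hard to catch by destination or content alone, but an implant that polls its server on a timer still leaves a statistical fingerprint in proxy logs: near-constant inter-request intervals from one source to one host. The script below is an added example, not from the article or any vendor quoted in it; the proxy log format and every log line are constructed for the demonstration, the hosts are reserved example names, and the thresholds are illustrative.

```python
"""Spot beacon-like regularity in outbound web requests.

Added example, not from the article or any vendor quoted in it. The proxy
log format and every log line below are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed format: "<UTC timestamp> <src_ip> <method> <host> <path> <status> <bytes>"
SAMPLE_LOG = [
    # 10.0.0.5 -> cdn-sync.example.com roughly every 60 s is the beacon;
    # its other traffic is ordinary browsing to www.example.com.
    "2016-11-09T10:00:00Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 412",
    "2016-11-09T10:00:03Z 10.0.0.5 GET www.example.com / 200 18214",
    "2016-11-09T10:00:05Z 10.0.0.5 GET www.example.com /css/site.css 200 3021",
    "2016-11-09T10:00:06Z 10.0.0.5 GET www.example.com /js/app.js 200 88120",
    "2016-11-09T10:01:01Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 409",
    "2016-11-09T10:01:59Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 415",
    "2016-11-09T10:02:40Z 10.0.0.5 GET www.example.com /news 200 22310",
    "2016-11-09T10:02:41Z 10.0.0.5 GET www.example.com /img/hero.png 200 140233",
    "2016-11-09T10:03:02Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 410",
    "2016-11-09T10:04:00Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 413",
    "2016-11-09T10:04:58Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 408",
    "2016-11-09T10:05:10Z 10.0.0.5 GET www.example.com /about 200 9120",
    "2016-11-09T10:05:30Z 10.0.0.9 GET updates.example.net /manifest 200 1200",
    "2016-11-09T10:06:01Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 411",
    "2016-11-09T10:06:30Z 10.0.0.5 GET www.example.com /contact 200 7780",
    "2016-11-09T10:07:00Z 10.0.0.5 POST cdn-sync.example.com /api/v1/sync 200 414",
]


def parse_line(line):
    """Pull the fields this analysis needs out of one constructed log line."""
    ts, src, _method, host, _path, _status, _nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, host


def beacon_candidates(lines, min_events=6, max_cv=0.15):
    """Return (src, host, mean_gap_s, cv, count) for (src, host) pairs whose
    request intervals are regular, i.e. coefficient of variation <= max_cv."""
    stamps = defaultdict(list)
    for line in lines:
        when, src, host = parse_line(line)
        stamps[(src, host)].append(when)
    out = []
    for (src, host), times in stamps.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # jitter relative to the interval itself
        if cv <= max_cv:
            out.append((src, host, round(avg, 1), round(cv, 3), len(times)))
    return out


if __name__ == "__main__":
    for row in beacon_candidates(SAMPLE_LOG):
        print("beacon candidate:", row)
```

On the constructed sample the sync host is flagged (eight requests, 60-second mean interval, a few percent of jitter) while the browsing host is not, because human-driven requests cluster in bursts. In practice this check belongs on a rolling window of hours, the jitter threshold needs tuning because well-written implants randomise their sleep, and software updaters and monitoring agents will also surface and need an allowlist; the value is visibility into who talks to whom on a timer, which is exactly the behaviour that content-based inspection of "normally accepted" web traffic misses.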
Also concerning were Volexity's findings that these spear-phishing campaigns "have had tremendous success evading antivirus and antimalware solutions at both the desktop and mail gateway levels." Experts said this was proof that enterprises need a more diverse defensive posture and should not depend solely on antivirus (AV) or malware detection.
Michael Covington, vice president of product at Wandera Inc., based in San Francisco, said enterprises should not rely on signature-dependent AV or malware detection, though these tools still serve a purpose in an overall security toolkit.
"Attacks that evade detection by widespread security solutions are incredibly dangerous. Not only are those security solutions providing a false sense of security, but the payload that is making it into the enterprise is just the beginning," Covington said. "Once the attacker has found a way past the defenses, it's only a matter of time before they are able to pivot and find an information-rich target. Once they have the information, it's relatively trivial to exfiltrate it beyond the defenses that are most likely looking out, rather than looking in."
Scott Petry, CEO and co-founder of Authentic8 Inc., based in Mountain View, Calif., said AV and malware detection "are an important layer in network security."
"We think what's missing is isolation of code. The web is designed around the concept of downloading code and executing it locally -- whether a webpage or an attached PDF file," Petry told SearchSecurity via email. "Secure, virtual browsers allow access to this information, but at arm's length. All execution can be done off site, delivering only display data to the user."
Rosiek suggested enterprises should design their networks "to better withstand the increased cyberthreat activity globally and employ a robust defense in depth strategy," including AV and malware detection capabilities.
"There is no silver bullet, and only incorporating capabilities that meet compliance requirements has been shown to not be effective in keeping sophisticated adversaries out of networks, as adversaries can adapt faster than compliance requirements," Rosiek said. "Organizations should also invest in capabilities that allow you to achieve real-time visibility about software and activity on your network, as well as have capabilities to rapidly enable attack diagnosis and root-cause analysis and have tight integration with other capabilities in your enterprise for employing a robust response strategy."
Volovich said "traditional AV is dead," and malware detection was surprisingly easy to evade, "given the largely static nature of most antivirus and antimalware solutions out on the market, which are still rooted in file analysis instead of immutable behavioral characteristics of malware threats."
"Sandboxing has only created another aspect in the constant arms race of offensive and defensive tradecraft. Malware creators simply find ways to detect sandboxing and, voila, another successful evasion and compromise," Volovich said. "We've been locked in an endless reactive cycle with our opponents, who outnumber and outwit us at every turn through the sheer volume of threats. It's time to think of our security portfolios in terms of outcomes -- not features or even capabilities -- the more evolved perspective. What can a product or solution deliver to my business in terms of solid results?"