MITRE ATT&CK™ and the North Korean Regime-Backed Programmer
September 13, 2018
On 6th September the US Department of Justice (DOJ) unsealed an indictment against a North Korean regime-backed programmer who is a suspect in many significant network intrusions. It is assessed as likely that this programmer is a part of a larger organization, typically referred to as the Lazarus Group. Many attacks are described in detail in the 179-page indictment, including the Sony Pictures Entertainment (SPE) attack, the Bangladesh bank heist and the WannaCry outbreak. You can listen to our podcast from last week on this topic but, for the purposes of this blog, we will dive into the intrusions using the MITRE ATT&CK™ framework and leave WannaCry aside for the time being.
The attackers targeted a wide-range of different types of organizations, including:
- Sony Pictures Entertainment (SPE)
- Lockheed Martin (although it appears they were unsuccessful in this attack)
- Bangladesh Central Bank
- Vietnam Central Bank
- One U.S. university
- U.S. academic researchers
- U.S. energy companies
- Virtual currency exchanges
The indictment also states that “Other evidence indicates that the subjects conducted significant internet reconnaissance for employees of United States and South Korean military entities, including for employees of specific fleets and divisions within each”.
Stage #0: Reconnaissance
- People Information Gathering
- Acquire OSINT data sets and information
- Organizational Information Gathering
- Acquire OSINT data sets and information
- Organizational Weakness Identification
- Analyze business processes
- Analyze organizational skillsets and deficiencies
- People Weakness Identification
- Analyze organizational skillsets and deficiencies
- Analyze social and business relationships, interests, and affiliations
- Assess targeting options
According to the indictment, the attackers spent a considerable amount of time on reconnaissance and “that online reconnaissance included research relating to the victim company or entity that the subjects were targeting, as well as relating to individual employees of the victim company. The subjects have also used the services of websites that specialize in locating email accounts associated with specific domains and companies, and the subjects have registered for business records search services that offer career postings, business searches, and marketing services”. As we will see later in the blog, the attackers relied heavily on spearphishing, which was driven by this reconnaissance phase. In the attack against SPE “one of the pieces of malware contained the names of approximately 10,000 individual SPE hostnames (i.e., the names of specific computer workstations) “hard coded” into the malware”. This implies that the attackers conducted extensive work both inside and outside of the network for them to discover their targets.
The attackers also performed reconnaissance against the third-party services used by their targets. Before the SPE attack, the attackers had signed up to the WatchDox secure collaboration service used by SPE, presumably to identify how the system works and how SPE used it.
For the spearphishing pretexts, the attackers sometimes used names and addresses of legitimate companies and the names of employees who worked at those legitimate companies to make their social engineering attacks more convincing. In some cases, the attackers would reference the personal interests of employees in their spearphishing emails. For targeting some organizations, the attackers would not only attempt to find their employees, but also the generic email and social presence, for example, inboxes or accounts used for general enquiries from the public or prospects, of the organizations in question to use as spearphishing targets. Information was gathered on multiple targets of differing types in order to maximize the success of their operation.
In addition to technical and personal information, the attackers gathered organizational information that would help them in their attacks. For example, “The user of the account also researched the time zone of a correspondent bank that the subjects intended and attempted to use for a fraudulent transfer from a victim bank in 2016, days before the cyber-heist there” and “[t]he user of the account also visited a SWIFT online user guide” as well as BIC (Bank Identifier Code) numbers for the target and destination banks they were planning to use for fraudulent transactions.
PRE-ATT&CK TTP: Compromise 3rd party infrastructure to support delivery
One of the notable TTPs from the indictment was the use of a worm, named Brambul, for gathering credentials from SMB servers. This worm has been in existence since at least 2009 and conducts bruteforce attacks against SMB servers to gain access. Once access had been gained, the worm emailed the credentials and server information back to the attackers, who would then use the compromised servers for hop points and other activities. The worm would then self-replicate and look for additional SMB servers to bruteforce. Having a long-running and autonomous system in place to discover fresh servers to use as deniable operational infrastructure meant that the attackers had a constant supply of infrastructure for future attacks and campaigns.
PRE-ATT&CK TTP: Acquire and/or use 3rd party infrastructure services
In addition to the Brambul-infected servers, the attackers also made use of proxy services to obscure their true originating IP addresses. With only 1,024 IP addresses directly assigned to North Korea, obfuscating the origin of their traffic was a key requirement of the attackers.
PRE-ATT&CK TTP: Dynamic DNS
So that the malware was able to connect back to the attacker-controlled command and control (C2) service, the attackers made use of dynamic DNS services where they could easily control which IP address was returned for a particular DNS hostname. One interesting trick performed was that the IP address that was returned by the Dynamic DNS service was not the IP address used by the malware to connect to the C2 server. The malware transformed the returned IP address with a hard-coded key to produce the correct IP address. This obfuscation technique meant that even if the Dynamic DNS hostname was discovered, the defenders would be unable to derive the actual IP address without the hard-coded key.
PRE-ATT&CK TTP: Map network topology
The indictment states that “one of the pieces of malware contained the names of approximately 10,000 individual SPE hostnames (i.e., the names of specific computer workstations) “hard coded” into the malware. In other words, the subject or subjects who wrote the malware’s code had learned and then written into the malware the names of individual SPE computers”. This indicates that the attackers spent a considerable amount of time learning about the internals of the SPE network. This could have been performed through a preliminary intrusion, a third-party breach or some other unknown method.
DS mitigation advice: much of the information gathered by the attackers was required to be publicly available. However, an OPSEC program, that is, a structured assessment of the risk to an organization of publicly available data, can be useful for understanding the risk profile of an organization. Inform employees that their social media profiles may be of interest to adversaries and provide advice on how to lock down profiles if requested. Ensure that network services are patched and running supported versions of software. Credentials, especially for admin accounts, should use strong passwords and two-factor authentication (2FA) should be enabled wherever possible.
Stage #1: Initial Access
As with many other intrusion groups, the attackers relied heavily on spearphishing as their go-to technique for achieving that initial access into a target environment. One technique used by the attackers was to post links created with a URL shortener to social media that masqueraded as a downloadable screen saver. The link would redirect the target to an executable that would function ostensibly as a screen saver, while dropping a set of malicious files in the background. The attackers used a similar technique of a URL shortener to hide a malicious executable when spearphishing targets via email. The attackers often “will give their malware files names that distract from the fact that the file is an executable file, i.e., a file with an .exe ending that will install a new program on the computer”.
In addition to malicious links, the attackers also sent malware to targets via attachments to spearphishing emails. The attachments were sent as Microsoft Office documents, e.g., .ppsx PowerPoint slideshow files as well as compressed zip files.
The attackers preferred to use well-known webmail providers such as Google’s Gmail and Microsoft’s outlook.com service to send their emails rather than running their own email infrastructure for phishing.
DS mitigation advice: an email filtering service is crucial for mitigating the impact of spearphishing with both malicious attachments and links. Certain file types, such as archives, should be blocked unless there is an explicit business reason to allow them. Risky file types, such as Microsoft Office documents, can be transformed by an email filtering service into file types like PDF that do not contain active content such as macros. Public-facing employees may require dedicated tools to open potentially malicious attachments safely, such as sandboxes or cloud services.
ATT&CK TTP: Drive-by Compromise
In January 2017 the attackers compromised the website of the Polish Financial Supervision Authority (KNF) to target Polish financial institutions. As the KNF was a trusted institution with a website regularly visited by the employees of Polish financial institutions, it made for a compelling target. The attackers had compiled a whitelist of IP addresses that would be served malware, specifically the NESTEGG implant. If an IP address on the whitelist connected to the infected website, it would be redirected away from the legitimate, but infected, website to a compromised site under the attacker’s control that would serve up the malware.
DS mitigation advice: application whitelisting can be used to limit which binaries are executed in an environment. Browser sandboxing solutions can be used to ensure that malware only executes in a low privilege environment without any further access to an organization’s assets. Hardening browsers and operating systems to prevent script execution and reduce the number of plugins and/or extensions can further serve to mitigate this risk.
Stage #2: Execution
ATT&CK TTP: User Execution
The attackers used a variety of pretexts to convince targets to click on the link in their phishing emails, for example, masquerading as Facebook or Google official notification emails. An example from the indictment is shown below:
Figure 1 – Facebook phishing email (page 22 of the indictment)
One specific technique the attackers used was to impersonate security-related emails from Google and Facebook, e.g., the detection of malicious account activity. These emails were likely successful in part because they took advantage of a situation where the target would be concerned about a potential security incident. The victim would be unlikely to pay close enough attention to the email as their priority would be to remediate the security issue.
Impersonation of people seeking employment and recruiters offering jobs was another impersonation tactic regularly used by the attackers. They approached their targets not only by email but also by social media sites such as LinkedIn. They provided a link to their supposed resume or job description, which would be a piece of malware. An example phish taken from the indictment can be seen below:
Figure 2 – Spearphish impersonating a prospective employee
On occasion the attackers also created impersonation accounts for recruiters and high-level employees at certain companies, and used these impersonation accounts to spearphish employees at competitor companies. The attackers often used impersonation accounts that mimicked themes that were contextually relevant to their targets; for example, phishes sent to movie companies had attachments called “MovieShow.zip”. The attackers also made some of these spearphishes very personal. In one example from the indictment, the attackers used a hobby from the target’s publicly available social media profile to create a contextually relevant lure. As the employee mentioned they were interested in art, the attackers sent a fake screensaver to the target that allegedly contained the sender’s own art work.
The attackers also used malicious URLs on social media posts related to actors in the film “The Interview”, which the attackers were attempting to suppress. The URLs impersonated a piece of screensaver software supposedly with nude models that was, in fact, a piece of malware. The ultimate destination of the malicious URL was obfuscated by the attackers through the usage of a URL shortening service.
One technique the attackers used to trick targets into believing that the payload was innocuous was to use the name of established pieces of software, e.g., Adobe Flash, in the file name. An example from the indictment was “[REDACTED NAME OF BUSINESS] Advertising Video Clips (Adobe Flash).exe”. The purpose of this deception is to disguise the true nature of the file, namely, that it is an executable, from the target.
The attackers also used the persona of a journalist from a known TV network to deceive targets into installing malware. The lure was the soliciting of opinion for a TV show, which would be a common task for certain professionals.
DS mitigation advice: specifically educating users about the dangers of URL shorteners alongside general security awareness training may help with mitigating this common technique. Providing avenues for users to report attempting phishing attacks and to seek guidance and support is useful for early detection of phishing campaigns. Specific types of employees who regularly deal with the public and have a business requirement to open attachments from unknown senders may require additional training to educate them about the specific risks that they face.
Stage #5: Defense Evasion
ATT&CK TTP: Deobfuscate/Decode Files or Information
In one attack, the attackers asked the target to “to open an attachment containing a screensaver with the sender’s drawings. The screensaver was password protected, and the sender stated the password was simply ‘1.’”. The purpose of the password protection was to prevent security appliances from having visibility into the contents of the zip file.
DS mitigation advice: some email filtering technologies provide the capability to block password-protected zip files. Where there is no business requirement to allow such attachments, they should be blocked. In other cases, it may be prudent to alert the recipient that a particular attachment type is risky, and that the email has originated from outside of the organization.
ATT&CK TTP: Exploitation for Defense Evasion
Once the attackers had reached their target machine, in the case of the Bangladesh bank heist, “the subjects were able to impersonate bank employees who were authorized to create and transmit messages through the SWIFT system on behalf of that bank, making those messages falsely appear as if they were authorized by employees of the bank” and “the subjects also took measures to conceal their activities and cover their tracks”. The indictment does not go into the details of how this was achieved; however, additional open source reporting from BAE Systems shows that the attackers patched the liboradb.dll file used by the Oracle database server component of SWIFT’s Alliance software suite.
DS mitigation advice: advanced EDR (Endpoint Detection and Response) systems should be deployed to detect in-memory patching attacks being used by malware to manipulate existing code. In general, code should not be attempting to interfere with other processes and this behavior can be considered as suspicious.
ATT&CK TTP: Masquerading
In the attack against the Vietnamese bank, the attackers took a different approach to covering their tracks. The SWIFT system in that bank would create PDF receipts that the employees would review to ensure that the transfers were correct. The indictment states: “The end result was that documents that contained records of the fraudulent SWIFT messages sent by the subjects would be modified so that the bank employee viewing the record would remain unaware of the fraudulent message”. Additional open source reporting from McAfee states that “The malware installs itself in the original Foxit installation directory and renames the original file to FoxltReader.exe”. It appears from the indictment that the malware would check each PDF for certain criteria to see if the PDF was referring to a fraudulent transaction carried out by the attackers. If it was, “the malware would first make certain modifications to the document, then instruct the legitimate FoxIt Reader software to open the modified document so that the user would be unaware that anything unusual had occurred”.
DS mitigation advice: application whitelisting can be used to restrict which code can execute inside an environment. This can be used to detect the attempted installation of malware by an adversary and prevent the execution of this malware.
Stage #8: Lateral Movement
ATT&CK TTP: Windows Admin Shares
The indictment states that “Once a spear-phishing message had been successful and the subjects had gained access to the bank’s computer network, they moved through the bank’s network in order to access one or more computers that the bank used to send or receive messages via the SWIFT communication system”. The indictment does not provide any additional details about how exactly this lateral movement was performed; nevertheless, additional open source reporting from Kaspersky indicates that the attackers abused legitimate admin credentials to create a scheduled task to spawn their malware on a remote host. This process allowed the attackers to spread throughout a compromised environment.
DS mitigation advice: applying the principle of least privilege and restricting admin account access as much as possible can increase the difficultly of attackers in gaining admin privileges in the first place. Once an attacker has admin privileges, detection can be used to uncover malicious behavior. Windows event logs register the creation, updating and removal of scheduled tasks. Application whitelisting can be used to restrict the execution of certain file types in an environment.
Stage #9: Collection
ATT&CK TTP: Automated Collection, Data from Local System
The main target for the Bangladesh bank heist was the SWIFTLIVE system; “That system was the core component of Bangladesh Bank’s SWIFT processing environment. It used the SWIFT Alliance Access application, which was a customer-managed gateway to the SWIFT network that transmitted and received messages from other banks that create and confirm financial transactions“. As part of the Bangladesh bank heist, the attackers “used malware that interfered with each of those processes at the victim banks (presumably to avoid alerting the victims of the subjects’ activities)”. One of these processes was the use of “an Oracle database to retain a record of messages sent using SWIFT”. The data collected by the malware from the Oracle database was then used to delete the record of the fraudulent transactions, thereby assisting the attackers in covering their tracks.
DS mitigation advice: security reviews of log files of critical systems, such as payment systems, is important to detect malicious activity. Specifically, anomalous behavior such as log deletion should warrant closer inspections.
Stage #11: Command and Control
ATT&CK TTP: Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Encoding, Multi-hop Proxy, Remote File Copy
The attackers routinely used a Command and Control (C2) system referred to as FakeTLS in the indictment. This protocol communicated outbound on TCP port 443 to appear like SSL/TLS traffic. However, the indictment states that “The “FakeTLS” signature that is referenced is a protocol that mimics authentic encrypted TLS traffic, but actually uses a different encryption method”. The hypothesis in the indictment is that the attackers used this approach because many security technologies will assume that they cannot decrypt the encrypted communications and will allow the outbound traffic to egress the network. The attackers used a range of leased and/or hacked servers as their C2 servers and in some cases used multiple hops to further obscure their identity.
DS mitigation advice: in certain circumstances, SSL inspection can be used to have visibility into encrypted communications. If SSL inspection is deployed, traffic that cannot be inspected should not be able to egress the network unless explicitly whitelisted.
The intrusions described in the indictment are significant due to their scale and the high-profile nature of the targets. The attackers were motivated, persistent, and used a wide-variety of well-known and reliable techniques to gain initial access in target environments. Once inside, the attackers demonstrated a deep understanding of the business processes in place in the specific environments and used several techniques that were heavily customized for their targets. They were able to not only achieve their goals but also deploy several defense evasion techniques to mask their activities. Organizations should pay close attention to the TTPs used by the adversaries as they are the hallmarks of successful attacks.
To listen to more of our insights on this DoJ complaint, check out our recent podcast: https://soundcloud.com/digitalshadows/episode-40-doj-complaint-charges-north-korean-actor-for-sony-attacks-wannacry-and-more