Ransomware, insider threats, phishing, and various other security concerns have long been recognized and documented. However, a new challenger has emerged in the realm of cyber threats – software vulnerabilities. To truly understand these evolving risks, it becomes crucial to shift our focus from the end result – getting one’s data encrypted – to the underlying causes that allow such incidents to happen. After all, in order for a ransomware to start doing harm, it needs to get on the device first, which requires some sort of compromise. A compromise that usually abuses a recently published vulnerability.
According to a comprehensive survey conducted by Bitdefender, involving over 400 IT and security professionals, a staggering 53% of respondents were most concerned about software vulnerabilities. And their fears are based on real threats.
The problem with known vulnerabilities
Researchers at Bitdefender recently reported a highly sophisticated campaign targetting critical infrastructure in Europe, United States and Middle-east. In one of their most recent campaigns, hackers infiltrated devices in Austria, Italy, Israel, Turkey, and India. Bitdefender attributed this campaign to APT35 (also known as Mint Sandstorm/Charming Kitten), a group believed to be associated with Iranian Revolutionary Guard.
The Charming Kitten hacker group specializes in abusing known vulnerabilities and tries to implement an exploit as soon as a vulnerability is published. Sure, most devices get patched quicker than the hackers can implement the exploit at scale, but there are always some devices that are left unprotected. But how does this group operate?
Modus operandi
Charming Kitten first has to choose a new vulnerability that allows them to perform remote code execution attacks. The bigger the impact, the better, so they are focusing on the most popular technologies from Apache, Microsoft, VMware, and the like.
After everything is ready, they start looking for vulnerable systems using automated scanners. The moment a vulnerable device is detected, it is automatically compromised, enabling the deployment of a malicious payload for remote administration access. After that, this group of hackers performs manual actions to determine how valuable their latest catch is.
Most of the time, a significant amount of time elapses before any manual intervention occurs. Reasons for this vary, but the most probable ones are that the hackers are only doing it to gain access – which they then sell, so they are waiting for a buyer, or they simply compromised more devices than they can handle at the moment.
Not your ordinary spray-and-pray
Charming Kitten's notoriety stems not only from the fact that they are efficient at implementing exploits and infecting many victims, but that they are capable of using personalized payloads for every single target. This personalized approach significantly enhances their chances of both compromising the device and evading detection. Some of the personalized information they include serve the purpose of enabling communication with their Command-and-Control (C&C) infrastructure.
Their newly identified malware used in this campaign, dubbed BellaCiao, introduces an innovative technique that blends C&C communication with legitimate traffic using fake DNS responses. The attacker's DNS server awaits a domain query that is specific for each victim to identify it. The hackers devised a system where they encode the commands into a string that looks exactly like valid IP addresses. Anyone who looks at the response sees something that, at first glance, looks valid, but in reality is a command from the C&C server.
DNS comes to save the day
Fortunately, the hackers heavily rely on DNS requests for their malicious endeavors, and this is where our expertise lies. In today’s ever-changing world, you have to implement the Defense in Depth concept. The more security layers you get, the more secure you are – at least in theory. In practice, this means that where one security solution is blind, the next one spots the threat and acts accordingly.
You cannot solely rely on traditional security measures to address all threats, just as you cannot expect all your devices to be patched the moment a vulnerability is published. There are always exceptions to the rule, and that is where an additional layer of protection comes into play. Luckily, Whalebone is here to help.
