Virtualization Technology News and Information
Article
Search:
RSS
Follow VMblog.com:
Improve end user experience in VDI, DaaS and physical endpoint environments
GhostEmperor APT targets high-profile victims using unknown rootkit

Today Kaspersky announced its discovery of a unique, long-running operation, called GhostEmperor. The campaign used Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and bore no similarity to any known threat actor. The findings are part of Kaspersky's APT Trends Q2 2021 report.

GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named "Cheat Engine." This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.

"As detection and protection techniques evolve, so do APT actors," said David Emm, security expert at Kaspersky. "They typically refresh and update their toolsets. GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers."

In addition to the growth of attacks against Microsoft Exchange servers, Kaspersky experts also highlighted the following trends in the APT landscape in Q2:

  • There has been a rise in APT threat actors leveraging exploits to gain an initial foothold in attacked networks. This included the zero-days developed by the exploit developer "Moses" and those used in the PuzzleMaker, Pulse Secure attacks, and the Microsoft Exchange server vulnerabilities.
  • APT threat actors continued to invest in refreshing their toolsets: this included not only the inclusion of new platforms but also the use of additional languages, as seen by WildPressure's macOS-supported Python malware.
  • While some of the supply-chain attacks were major and have attracted worldwide attention, Kaspersky experts also observed equally successful low-tech attacks, such as BountyGlad, CoughingDown, and the attack targeting Codecov, which signaled that low-key campaigns still represent a significant threat to security.

To learn more about GhostEmperor and other significant discoveries of the quarter, read the APT trends report Q2 2021 on Securelist. The report summarizes the findings of Kaspersky's subscriber-only threat intelligence reports, which also include Indicators of Compromise (IoC) data and YARA rules to assist in forensics and malware hunting. For more information, please contact: intelreports@kaspersky.com

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years. Free access to its curated features, allowing users to check files, URLs, and IP addresses, is available here
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
  • For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
  • Since many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team - for example, through the Kaspersky Automated Security Awareness Platform
Published Thursday, July 29, 2021 8:32 AM by David Marshall
Filed under:
Get This Featured White Paper: Solution Brief: Redefining the Enterprise Endpoint for the Cloud Era with IGEL and Island
You may also be interested in this white paper: Leveraging the Combined Power of Liquit and Microsoft Intune
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Customer Connect
Global Digital
DTX
DTW-NA
innovatrix
GISEC
global-digital-cx
vExpert
Calendar
<July 2021>
SuMoTuWeThFrSa
27282930123
45678910
11121314151617
18192021222324
25262728293031
1234567