Today Kaspersky announced its discovery of a
unique, long-running operation, called GhostEmperor. The campaign used Microsoft Exchange
vulnerabilities to target high-profile victims with an advanced toolset and
bore no similarity to any known threat actor. The findings are part of
Kaspersky's APT
Trends Q2 2021 report.
GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a previously unknown Windows kernel-mode rootkit. A kernel-mode rootkit runs with the highest privilege on the compromised server, giving the operator persistent control of it while hiding the intrusion's processes, files and network activity from investigators and security solutions. Windows Driver Signature Enforcement (DSE) is meant to stop such code from loading: the kernel refuses drivers that do not carry a valid signature. GhostEmperor sidesteps it with a loading scheme built around a component of the open-source project Cheat Engine, so that the unsigned rootkit can still be brought into the kernel. Kaspersky researchers see no similarity between this toolset and those of already known threat actors, and surmise that it has been in use since at least July 2020.
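Against a rootkit that reaches the kernel through a third-party driver component, the first thing a responder wants is an inventory of what is actually loaded and who signed it. The following PowerShell script is an added example and is not part of the Kaspersky report or of the GhostEmperor toolset. It lists running kernel drivers whose Authenticode signature is invalid or whose signer is outside an allow-list (the names in $TrustedPublishers are an assumption to tune for your own estate), and reports whether test-signing or nointegritychecks has been switched on in the boot configuration, either of which makes DSE moot.

```powershell
# Added example, not code from the Kaspersky report. Inventories running kernel drivers,
# flags those not validly signed by an allow-listed publisher, and reports DSE-relevant
# boot settings. The allow-list below is an assumption; extend it with your vendors.
$TrustedPublishers = @(
    'Microsoft Windows',
    'Microsoft Corporation',
    'Microsoft Windows Hardware Compatibility Publisher'
)

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms; normalise to a file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                    # strip "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # expand "\SystemRoot"
    $p = $p -replace '^System32', "$env:SystemRoot\System32"    # relative "System32\..."
    return $p
}

function Get-UnexpectedDrivers {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'") {
        $path = Resolve-DriverPath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver whose image cannot be found on disk is itself suspicious.
            [pscustomobject]@{ Name = $drv.Name; Path = $drv.PathName; Status = 'FILE_MISSING'; Signer = $null }
            continue
        }
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $cn      = if ($subject -match 'CN=([^,]+)') { $Matches[1] } else { $subject }
        $trusted = $TrustedPublishers -contains $cn
        if ($sig.Status -ne 'Valid' -or -not $trusted) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = $sig.Status; Signer = $cn }
        }
    }
}

function Get-DseState {
    # testsigning or nointegritychecks set to Yes means the kernel will load unsigned drivers.
    $bcd = bcdedit /enum '{current}' 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning 'bcdedit failed (run from an elevated session); DSE state unknown'
        return $null
    }
    [pscustomobject]@{
        TestSigning       = [bool]($bcd -match '^testsigning\s+Yes')
        NoIntegrityChecks = [bool]($bcd -match '^nointegritychecks\s+Yes')
    }
}

Get-DseState
Get-UnexpectedDrivers | Sort-Object Signer, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session (bcdedit needs administrator rights; Get-AuthenticodeSignature does not). Inbox Windows drivers are usually catalog-signed rather than carrying an embedded signature; on current Windows versions Get-AuthenticodeSignature resolves catalog signatures too, so those report as Valid with signer "Microsoft Windows". Treat the output as a triage list rather than a verdict: a legitimately signed third-party driver is exactly what a DSE-bypassing loading scheme abuses, so anything outside the allow-list deserves a look at its vendor, version and reason for being on the host.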
"As detection and protection techniques evolve, so do
APT actors," said David Emm, security expert at Kaspersky. "They typically refresh and update their toolsets. GhostEmperor is a clear example
of how cybercriminals look for new techniques to use and new vulnerabilities to
exploit. Using a previously unknown, sophisticated rootkit, they brought new
problems to the already well-established trend of attacks against Microsoft
Exchange servers."
In addition to the growth of attacks against Microsoft
Exchange servers, Kaspersky experts also highlighted the following trends in
the APT landscape in Q2:
- There has been a rise in APT threat actors leveraging exploits to gain an initial foothold in targeted networks. This included the zero-days developed by the exploit developer "Moses", those used in the PuzzleMaker and Pulse Secure attacks, and the Microsoft Exchange server vulnerabilities.
- APT threat actors continued to invest in refreshing their toolsets, adding not only new platforms but also additional languages, as seen in WildPressure's Python malware with macOS support.
- While some supply-chain attacks were major and attracted worldwide attention, Kaspersky experts also observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov, which signaled that low-key campaigns still represent a significant threat to security.
To learn more about GhostEmperor and other significant discoveries
of the quarter, read the APT trends report Q2 2021 on Securelist. The
report summarizes the findings of Kaspersky's subscriber-only threat
intelligence reports, which also include Indicators of Compromise (IoC) data
and YARA rules to assist in forensics and malware hunting. For more
information, please contact: intelreports@kaspersky.com
In order to avoid falling victim to a targeted attack by a known or
unknown threat actor, Kaspersky researchers recommend implementing the
following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features, which let users check files, URLs and IP addresses, is available.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- Since many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team, for example through the Kaspersky Automated Security Awareness Platform.