Trickle-Treat: How Threat Actors Benefit From the Trickle-Down of Capabilities

As in many walks of life, cyber threat actors learn from the best. This means that the toolsets nation states and elite cybercriminals use to compromise high-profile victims are increasingly being dispersed and then used by an army of low-level criminal threat actors, who are much less selective in their targeting. The impact of this trickle-down effect in cyber capabilities is serious for the majority of companies, who now face a high volume of sophisticated attacks, often with basic objectives such as ransomware and cryptocurrency mining.

On 7 May, a new ransomware variant dubbed RobbinHood hit local government offices in the US city of Baltimore. Later that month, the New York Times published claims – disputed by the NSA – that RobbinHood used EternalBlue; an exploit that targets the SMB (Server Message Block) protocol to spread laterally across a network. EternalBlue was developed by the US National Security Agency (NSA), though, in April 2017, was leaked by a group known as The Shadow Brokers as part of a wider cache of tools. The history of the exploit, from nation-state operations to standard malware campaigns is therefore illustrative of the way that TTPs (tactics, techniques and procedures) and tools typically filter down from more sophisticated threat actors to those that are less capable.

Although the debate regarding this potential application of EternalBlue continues, there are many other recent examples of the exploit’s use in mundane cybercriminal activities – evidence, even, that its popularity may be rising still.[1] In April, for example, we reported on its use in a cryptocurrency mining campaign. The broader cybercriminal interest in EternalBlue is further illustrated in the screenshot below – taken from a Russian-language deep web forum – in which the poster explains how fellow users can exploit the Metasploit modules for EternalBlue and DoublePulsar.

The trickle-down of TTPs is not restricted to a flow from nation-state to cybercriminal, however. It is also true that capabilities filter between state actors of varying sophistication. EternalBlue, for example, is most famous for its use in North Korea’s May 2017 WannaCry ransomware attacks which famously cost the NHS an estimated £92 million.

Nor can this trickle-down effect only be illustrated by EternalBlue. DoublePulsar, for instance, was another NSA tool published in The Shadow Broker’s cache. Yet this May, reporting emerged suggesting that a threat actor working on behalf of the Chinese state was using it at least a year before it publicly leaked.[2]

Although this Chinese state group may have been provided with the exploit by a third party, a more likely explanation is that it reversed engineered the exploit, having initially been targeted with it. While China deservedly earns its reputation as a top-tier actor in terms of its offensive cyber capabilities, it is not quite on the same level as the likes of the US or Israel. The Chinese use of its own version of DoublePulsar therefore represents a further example of this trickle-down of capabilities.

Another good example of advanced exploits originally developed and used by sophisticated nation states being deployed in large-scale criminal operations is the increasing use of advanced kernel mode memory attacks by financially motivated criminals. Kernel mode and DLL side-loading, both of which were traditionally hallmarks of advanced nation-state activity, are now becoming commonplace in ordinary cybercriminal campaigns. PowerGhost, for instance, is a cryptocurrency miner which exploits CVE-2018-8120, a vulnerability in Windows’ kernel driver. Gh0st RAT, meanwhile, is an example of malware that uses side-loading, which can enable a threat actor to load malicious code via a trusted executable. Although Gh0st RAT was previously associated with Chinese state activity, its source code is now public, enabling less capable actors to use it in their own operations.

The image below shows a criminal in a Russian language forum selling access to a kernel memory mode exploit for CVE-2018-8120, which could enable an attack that is highly sophisticated, difficult to defend against and, once successful, very hard to mitigate. The use of such attack methods for relatively mundane criminal enterprises makes them a serious issue for most companies.

The threat from criminals exploiting sophisticated and powerful kernel mode memory attacks to deploy ransomware is exemplified by GandCrab. In September last year, we identified that the developer of GandCrab, a ransomware-as-a-service (RaaS) offering sold on cybercriminal forums, had released the latest version of their tool. Version 5 has a few small changes, and also includes an exploit for the aforementioned CVE-2018-8120. By exploiting it, an attacker could locally escalate their privileges, which GandCrab’s developer mentions via dark web forum posts (see below).

As we detail in the rest of this blog, the trickle-down of capabilities can range from precise tactical imitation, involving the reuse of particular tools and exploits, to broader targeting of specific vulnerabilities, to, in the broadest sense, imitating general techniques. Capabilities, as we have alluded to, can also filter between various types of threat actors: from state to state, from states to cybercriminals or from criminals to other, less sophisticated criminals.

Two Streams: How capabilities trickle-down via tools and vulnerabilities

As demonstrated by the examples of EternalBlue and DoublePulsar, capabilities, in the narrowest of senses, can filter down in the form of specific tools and exploits. This was further illustrated in January, when reporting emerged suggesting that former NSA contractors working on behalf of the UAE were using Karma, an NSA-developed spyware variant. Many less sophisticated nation states seek to purchase their capabilities from commercial spyware providers – such as the NSO Group – rather than develop their own. Karma, however, is a rarer instance of a government seemingly obtaining its capabilities from another state.

Capabilities can also trickle-down in the form of broader vulnerabilities. While a tool like DoublePulsar exploits a vulnerability in a particular way, other exploits offer more flexibility in how they are applied. Typically a nation-state or a sophisticated cybercriminal group will initially target a vulnerability shortly after it is publicly disclosed or, in rarer cases, when it is a zero-day, lacking any sort of defensive patch. Once a proof-of-concept for the exploit is publicly available, ordinary cybercriminals will begin exploiting the vulnerability in their own operations.

An example of this is CVE-2018-0802, a vulnerability in Microsoft Office’s Equation Editor which, in early 2018, was being exploited in North Korean state operations. After disclosure of this operation, and the subsequent emergence of proof-of-concept vulnerability code on GitHub (see above), the CVE was by July 2018, among the exploits included in ThreadKit, a cybercriminal service for automatically generating exploit-laden Office documents. As the post below shows, ThreadKit is offered on a Russian language cybercriminal forum, with its seller emphasising its custom functionality and the process by which it operates.

CVE-2019-0604, a remote code execution vulnerability in Microsoft Sharepoint, may yet see a similar journey. Sophisticated cybercriminal groups such as FIN7 appear to be currently targeting this vulnerability, suggesting that once exploit code is publicly available, less capable threat actors may attempt to adopt it into their own operations.

The Trickle Becomes a Downpour: how broader techniques can even become accessible for unsophisticated adversaries

In the broadest of senses, capabilities can also filter down in the form of wider techniques, not tied to particular tools or vulnerabilities. Here is the greatest potential for trickle-down: while ordinary cybercriminals may lack the sophistication to leverage specific exploits or malware variants, broader techniques are typically less restrictive in their technical demands.

This is true for supply chain compromises, which entail compromising an organisation via a trusted supplier or third-party. While traditionally associated with sophisticated state actors, such as China, who often use it to infiltrate hardened targets in the technology sector, ordinary cybercriminals are increasingly using the technique in their own campaigns, as indicated in the graph below, which highlights the increasing number of reports from our database in which supply chain compromise has been flagged as an infection vector.

In February, for example, pro-Palestinian cyber activists compromised a web accessibility plugin to simultaneously infect hundreds of Israeli websites. The fact that supply chain compromise does not require significant technical sophistication was illustrated by the perpetrators’ shortcomings: while they aimed to infect web visitors with ransomware, they instead merely presented them with defaced webpages.

Another broader technique filtering down is “living off the land” through the misuse of native applications and processes. In an atmosphere of increased political fallout following attribution, including public indictments, nation-state actors are increasingly using this technique to avoid detection and identification. Yet cybercriminals, likely seeing how the technique aids evasion and can save costs on developing or purchasing malware, are following suit. The Astaroth trojan, for example, as we reported on in February, is exploiting legitimate Windows features such as WMI (Windows Management Instrumentation) and BTSAdmin.

Conclusion: Locating the Leak at its Source

The trickle-down of TTPs, at all levels, serves to blur the distinction between nation-state and cybercriminal actors, when both are using the same tools, vulnerabilities and techniques. Furthermore, this process illustrates the importance of detecting and analysing new TTPs as they emerge.

While a technique or an exploit may initially seem niche, deployed in a limited fashion against select targets, it can eventually, as we have argued, filter down into the hands of ordinary cybercriminals, thereby becoming a much broader threat to a wider range of companies and organisations. Awareness of these developments can therefore help to pre-empt tomorrow’s threats.

[1] Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak, Symantec

[2] EternalBlue reaching new heights since WannaCryptor outbreak, WeLiveSecurity