2023-06-30

Revealing Behaviors: The Key to Foiling Stealthy Threat Actors

Unveiling the unseen pathways of elusive threat actors

Threat monitoring in a vast cyber landscape poses difficult challenges as malicious actors, driven by various motives, continuously seek to exploit vulnerabilities and infiltrate systems while remaining undetected. However, beneath their cloak of anonymity, there exists a crucial opportunity for defenders. A window of opportunity opens when a threat actor’s stealthy maneuvers are closely monitored and analyzed, enabling us to uncover their behaviors, tactics, techniques, and procedures (TTPs). In recent days, the Chinese cyberespionage group “Volt Typhoon” (aka BRONZE SILHOUETTE) has been uncovered as a significant threat, targeting critical infrastructure organizations in the United States and Guam for intelligence collection and potential service disruption. Initial reports from US defense agencies and Microsoft highlighted the operators’ ability to achieve stealth and rely heavily on living-off-the-land binaries (LOLBins) to evade system defenses. Whilst Volt Typhoon poses a challenge for security monitoring capabilities, further analysis of their operational behaviors reveals repetition and patterns for threat detection to hone in on.

Lighting the Path

Using detailed community intelligence, we can identify behavioral patterns associated with Volt Typhoon to develop sequenced-based alerting based on their TTPs. The insights offered by Secureworks Counter Threat Unit (CTU) during their IR engagements attributed to Volt Typhoon in June 2021, September 2021, and June 2022 were notable due to similar patterns of behaviors. Although there were discrepancies with initial access, Volt Typhoon operators demonstrated a pattern of initial reconnaissance, credential access frequently through the export of active directory services, and ending with data collection. As described by Secureworks, "CTU analysis of the direct observations from BRONZE SILHOUETTE intrusions reveals a threat group that favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives. For example, the June 2021 IR engagement determined that the threat actors were inside the compromised network for only 90 minutes before obtaining the ntds.dit AD database."

The earliest reported intrusion from SecureWorks occurred in June 2021, as threat actors obtained initial access with Citrix using compromised credentials that were not reinforced with multi-factor authentication (MFA). With a foothold on the network, these attackers dropped a Java-based web shell and ran reconnaissance commands from CMD, queryings users and groups within the environment. Certutil was used to decode another ASPX web shell bolstering the threat actor’s arsenal and persistence on the network. From there, the threat actors created a replica of the Active Directory (AD) database, ntds.dit, and stored the database within a password-protected zip archive. The export of active directory services like NTDS and LDAP is one of the recurring themes/patterns within their intrusions.

In another Secureworks IR engagement in September 2021, the activity was slightly briefer. This time the attackers exploited a public-facing application to obtain initial access. Secureworks surmised that it was likely to have been an exploitation of CVE-2021-40539 against a ManageEngine ADSelfService Plus server. Like the previous campaign, Volt Typhoon used a web shell to run native Windows reconnaissance commands. Whilst we can attribute this reconnaissance activity to be a vital step for any attacker and system administrator, the subsequent behavior is a standout with another attempt to copy AD objects. This time, the threat actors used a renamed executable of the Windows csvde.exe command-line tool to complete the task. Once exported, they ran the ‘makecab’ command to archive and compress the data.

This pattern persisted in the last two intrusions: reconnaissance activity with a native scripting interpreter, export of AD service objects, and data archive. In June 2022, the threat actors again exploited a public-facing application leading to a web shell being dropped. The attackers acquired credentials by leveraging WMI to create a volume shadow copy and, from the shadow copy, extract both the ntds.dit AD database and the SYSTEM registry hive. The collected data of interest was archived with 7-zip. Secureworks noted the attackers returned several days later and pivoted to a ManageEngine ADSelfService Plus server where they ran additional discovery commands.

Unlocking the Pattern

*Anvilogic Threat Scenario: Recon/Share Access for Decoding/Service Export & Data CollectionType image caption here (optional)*

Through the use of this intelligence, we now have a better understanding of the threat actor behaviors. As a result, we can build a threat scenario that reconstructs the attack chain into a sequenced-based alert. Reconnaissance commands, although typically noisy, can be chained with other threat identifiers based on the MITRE ATT&CK matrix, Cyber Kill Chain, or other methodologies to help create a high-fidelity alert. Although variances exist in the methods the attackers used to carry out their tasks, the behaviors leading to the completion of the actions on objectives remained consistent. Our sequenced-based alert is flexible to accommodate variances, and it is reliable since it’s based on attack techniques and backed by cyber intelligence.

By closely monitoring and analyzing threat actor behaviors, organizations and cybersecurity professionals gain invaluable insights into their methods of operation. Whilst singular attack techniques are noisy and difficult to discern from malicious activity, assembling attacker’s activity in sequence helps us produce high-fidelity detections. The study of threat actor behaviors and utilizing them for our defense will allow us to close the gap between detection and response. An attacker’s arsenal is broad; however, our armory for defense is ample enough to counter them. How we use our defensive options will make the difference in how we guard against those threats.

About the Forge Author

Kevin Lo is a threat researcher for the Anvilogic Forge team based in Albany, NY, where he is responsible for threat research and intelligence.

Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.

Happy to connect with you on LinkedIn!

References: