{"id":7413,"date":"2022-04-14T12:38:15","date_gmt":"2022-04-14T19:38:15","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7413"},"modified":"2023-04-05T12:33:57","modified_gmt":"2023-04-05T19:33:57","slug":"prevent-falling-victim-to-apt-groups-using-securins-ai-based-vulnerability-and-threat-intelligence","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/prevent-falling-victim-to-apt-groups-using-securins-ai-based-vulnerability-and-threat-intelligence\/","title":{"rendered":"Securin\u2019s AI-Based Insights into APT Groups and Their Arsenal"},"content":{"rendered":"

The only way for organizations to stay safe from today\u2019s state-of-the-art threats is to secure the exposures in their attack surfaces. Securin\u2019s predictive warnings, combined with years of threat research experience, can help identify and address possible attack vectors, before they can be exploited.\u00a0<\/strong><\/p>\n

 <\/p>\n

The last couple of years have seen heightened activity in terms of cyber attacks, website hacks and network outages. This has also brought to the forefront a variety of threat actors who are constantly scouting for exposures to exploit; their intentions varying from disinformation, propaganda, espionage, to destructive cyber attacks. This blog calls attention to a specific category of threat actors, the Advanced Persistent (APT) Groups.<\/p>\n

 <\/p>\n

Advanced Persistent Groups can be nation-state or state-sponsored threat actors, or actors who attack with motives like identity theft or financial gain, stealthily invading networks and causing cumulative damage over extended periods. As they do not demand ransoms or claim attack victims on leak sites, they usually remain undetected for prolonged periods, thus compounding the damage – a classic example being the Elephant Beetle group<\/a>. This makes it all the more critical to ward off such threats by proactively monitoring the exposures in organizational attack surfaces and addressing the ones that could give rise to network compromises.<\/p>\n

 <\/p>\n

In this blog, we probe deeper into the findings from Securin\u2019s continued research on APT groups and the vulnerabilities they are after.<\/strong><\/p>\n

 <\/p>\n

\n

Our research has identified 117 distinct APT groups with vulnerability associations, cumulatively using 235 vulnerabilities to invade victim networks.<\/p>\n<\/blockquote>\n

\"\"<\/p>\n

 <\/p>\n

State-Sponsored APT Groups<\/h2>\n

Of the APT groups identified, 89 groups are backed by 18 nation states. State-sponsored groups are known to target intellectual property and critical industry sectors in order to establish a competitive advantage over the target nation. China, Russia and Iran are linked to the most number of threat groups, with the former two nations together accounting for almost 63% of all known groups.<\/p>\n

 <\/p>\n

<\/p>\n

Most Dangerous APT groups<\/h2>\n

We analyzed the top APT groups by the number of vulnerabilities associated. Unsurprisingly, the top position goes to the Russia-based Nobelium<\/a>, or the APT 28 group, best known for the Solarwinds incident<\/a> that brought a whole new dimension to supply chain attacks.<\/p>\n

 <\/p>\n

Interestingly, a North Korean group, APT 37 (Kimsuky, InkySquid, Reaper and ScarCruft) bags the 3rd spot, with 20 vulnerabilities in its arsenal. The group\u2019s primary targets are China, Hong Kong, India, Japan, Kuwait, Nepal, Romania, Russia, South Korea, UK, USA, Vietnam and the Middle East. APT37 is also known to have waged attacks against the Ministry of Unification, Sejong Institute, Korea Institute for Defense Analyses, and Republic of Korea\/South Korea. APT37 was highly active in the latter half of 2021, with many small campaigns across multiple industries.<\/p>\n

 <\/p>\n\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n
\n

APT Group<\/p>\n<\/th>\n

\n

Popular Aliases<\/p>\n<\/th>\n

\n

Origin Country<\/p>\n<\/th>\n

\n

Year of Origin<\/p>\n<\/th>\n

\n

Count of Vulnerabilities<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

APT29<\/p>\n<\/td>\n

\n

Yttrium, Nobelium, Dukes, APT 28, APT 29, Fancy Bear<\/p>\n<\/td>\n

\n

Russia<\/p>\n<\/td>\n

\n

2008<\/p>\n<\/td>\n

\n

53<\/p>\n<\/td>\n<\/tr>\n

\n

Winnti Group<\/p>\n<\/td>\n

\n

Earth Baku,\u00a0 APT 41, APT 22<\/p>\n<\/td>\n

\n

China<\/p>\n<\/td>\n

\n

2010<\/p>\n<\/td>\n

\n

25<\/p>\n<\/td>\n<\/tr>\n

\n

Kimsuky<\/p>\n<\/td>\n

\n

APT 37, Thallium, Operation Daybreak, TA406, ScarCruft, InkySquid<\/p>\n<\/td>\n

\n

North Korea<\/p>\n<\/td>\n

\n

2012<\/p>\n<\/td>\n

\n

20<\/p>\n<\/td>\n<\/tr>\n

\n

Threat Group-3390<\/p>\n<\/td>\n

\n

APT 27, Iron Tiger<\/p>\n<\/td>\n

\n

China<\/p>\n<\/td>\n

\n

2010<\/p>\n<\/td>\n

\n

17<\/p>\n<\/td>\n<\/tr>\n

\n

PittyTiger<\/p>\n<\/td>\n

\n

Keyhole Panda, APT24, APT 12, APT 5<\/p>\n<\/td>\n

\n

China<\/p>\n<\/td>\n

\n

2011<\/p>\n<\/td>\n

\n

16<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/p>\n

Going by the age of threat actors, Turla, the oldest APT group, was first identified in 1996. The last decade between 2011 and 2020 observed 80 new threat groups in operation, including popular groups such as Wizard Spider, FIN7, FoxKitten, Kimsuky and Mustang Panda. Hafnium (China), Chamel Gang, DEV-0322<\/a> (China) and Lone Wolf are the latest groups to have joined the fray, in the year 2021.<\/p>\n

 <\/p>\n

APT Groups Deploying Ransomware<\/h2>\n

Time and again, APT Groups have been noted for deploying a variety of sophisticated tools and techniques as part of their weaponry. Most popular among these are Cobalt Strike, Beacon, Sogu, BazarLoader, and many remote access trojans. Furthermore, 29 APT groups also favor the use of ransomware in order to amplify the intensity of their attacks.<\/p>\n

 <\/p>\n

\n

A noteworthy observation is the continued adoption of new trojans, and amp-up of old malware capabilities, in order to wage devastating attacks on unsuspecting establishments; MuddyWater<\/a>, Kimsuky<\/a>, Molerats<\/a>, Sandworm<\/a> groups- to name a few.<\/p>\n<\/blockquote>\n

 <\/p>\n

Maze ransomware is the most in demand, with links to five different APT groups, including the recently active APT41<\/a> group which was involved in campaigns against the airline industry and US state governments<\/a>. The TA505 group and Sandworm groups from Russia, and China-based DEV-0401 utilize ten, seven and four ransomware codes respectively in their attacks. The new Exotic Lily joins the ranks of Wizard Spider, the player behind the ravenous Conti<\/a> and Ryuk<\/a> ransomware, with the addition of Conti and Diavol to its arsenal.<\/p>\n

 <\/p>\n

Most Used Vulnerabilities by APT Groups<\/h2>\n

As part of our analysis, we also researched the 235 vulnerabilities used by APT groups and identified the ones that were most in demand amongst threat actors.<\/p>\n

 <\/p>\n\n\n\n\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n\n
\n

Vulnerabilities<\/p>\n<\/th>\n

\n

Vendor<\/p>\n<\/th>\n

\n

Product<\/p>\n<\/th>\n

\n

CVSS Severity<\/p>\n<\/th>\n

\n

Exploit Type<\/p>\n<\/th>\n

\n

Count of APT Groups using the vulnerability<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

CVE-2017-11882<\/p>\n<\/td>\n

\n

Microsoft<\/p>\n<\/td>\n

\n

Microsoft Office<\/p>\n<\/td>\n

\n

High<\/p>\n<\/td>\n

\n

RCE<\/p>\n<\/td>\n

\n

22<\/p>\n<\/td>\n<\/tr>\n

\n

CVE-2012-0158<\/p>\n<\/td>\n

\n

Microsoft<\/p>\n<\/td>\n

\n

MSCOMCTL.OCX<\/p>\n<\/td>\n

\n

Critical<\/p>\n<\/td>\n

\n

RCE<\/p>\n<\/td>\n

\n

20<\/p>\n<\/td>\n<\/tr>\n

\n

CVE-2017-0199<\/p>\n<\/td>\n

\n

Microsoft<\/p>\n<\/td>\n

\n

Windows, Windows Server, Microsoft Office<\/p>\n<\/td>\n

\n

High<\/p>\n<\/td>\n

\n

RCE, WebApp<\/p>\n<\/td>\n

\n

18<\/p>\n<\/td>\n<\/tr>\n

\n

CVE-2018-0802<\/p>\n<\/td>\n

\n

Microsoft<\/p>\n<\/td>\n

\n

Microsoft Office<\/p>\n<\/td>\n

\n

High<\/p>\n<\/td>\n

\n

NA<\/p>\n<\/td>\n

\n

13<\/p>\n<\/td>\n<\/tr>\n

\n

CVE-2021-26855<\/p>\n<\/td>\n

\n

Microsoft<\/p>\n<\/td>\n

\n

Microsoft Exchange Server<\/p>\n<\/td>\n

\n

Critical<\/p>\n<\/td>\n

\n

RCE, WebApp<\/p>\n<\/td>\n

\n

11<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

Securin\u2019s Prediction of High Exploitability of the APT Vulnerabilities<\/h2>\n

 <\/p>\n

Securin\u2019s experts continuously analyze trending threats and would-be exposures based on hacker chatter, dark web activity and exploitation trends. Backed by this, our researchers classify 92.7% of these vulnerabilities as having maximum likelihood of exploitation, and warn users to patch these 218 APT vulnerabilities, or upgrade to the latest product versions, without delay.<\/p>\n

 <\/p>\n

Securin has called out 73% vulnerabilities in its blogs, reports and patchwatch sections. Our research also shows that 43% of the APT vulnerabilities are also being used by ransomware groups, and were warned about in our yearly Ransomware Spotlight Reports<\/a> and its quarterly updates.<\/p>\n

 <\/p>\n

Interestingly, 56% of the APT vulnerabilities also feature in CISA\u2019s recently released directive<\/a> that mandates federal agencies and public sector organizations to patch a list of Known Exploited vulnerabilities. The repeated warnings are a definite indication for organizations that have not yet addressed these vulnerabilities to sit up and take immediate notice.<\/p>\n

 <\/p>\n

Recent Spurt of APT activity<\/h2>\n

 <\/p>\n

The role played by APT groups has become increasingly evident in the recent past. Long standing APT campaigns, and shorter unsuccessful attempts are in the news every other week. Here is a look into some of the APT campaigns that have come to light in early 2022.<\/p>\n