ICIT Fellow: 'Fake News' is 'Old News' for advanced cyber threats
(NOTE:The Institute for Critical Infrastructure Technology is a non-profit next-generation cybersecurity think tank that brings together the private sector, federal agencies and lawmakers to exchange ideas in support of protecting the country's vital IT infrastructure. This piece originally appeared on the ICIT Blog on Jan.4. Reprinted here with the author's permission. - Editor)
By James Scott
Senior Fellow ICIT
Regardless of your partisan persuasion, your opinion of mainstream media or your opinion of the ‘alt-right,’ one thing is for certain, ‘fake news’ is ‘old news’ when it comes to the weaponization of information by nation states and cyber mercenaries. Cyber adversaries tailor spear phishing and malvertising lures to stimulate cyber-hygienically inept users’ insatiable need to ‘click’ on everything and anything that momentarily ensnares their attention. Lures range in complexity from precise, error-free custom tailored spear-phishing emails that leverage the target’s LinkedIn profile, to typo-filled mass-spam; however, the focus of every social engineering campaign is to entice a target demographic of users to share information, to open an email, to download an attachment, to visit a watering-hole site, etc. For cyber adversaries, social engineering campaigns are low risk, high probability of success, low investment, and high reward. Since the attacker only needs one user, out of hundreds or thousands of potential targets within an organization, to respond to the lure, social engineering remains the dominant attack vector used by sophisticated and unsophisticated cyber adversaries alike. In this manner, a single click can deliver a devastating malicious payload that will haunt an organization for years to come.
Advanced Persistent Threat (APT) groups are sophisticated adversaries with access to significant resources that are capable of launching sustained dedicated attack campaigns. APTs have been a prevalent category of cyber-adversary since at least the early 2000s; however, the widespread analysis of APTs did not become prevalent until around 2014, and mainstream media did not discuss APTs until after the late 2014 hack of Sony Pictures .
Social engineering campaigns require interaction with the victim and depend on tempting the target to neglect cyber-hygiene best practices. These attack vectors, which include spear-phishing emails, watering-hole sites, malvertising, etc., aim for the target to either communicate sensitive information via interaction with the adversary or their malware, or via the download and execution of a malicious payload that installs malware on the victim system and establishes a beachhead that the adversary can leverage to laterally move throughout the organizational network and thereby compromise additional systems. Adversaries prefer social engineering campaigns that require the lowest investment of time, attention, and other resources; as a result, attack vectors that utilize un-cyber-hygienic user activities to automatically install malware onto victim systems are typically favored over attack vectors that require the constant attention of the attackers. APTs, cybercriminals, and other cyber threat actors (such as the sample described below) often bait their social engineering lures with news and fake news, which is tailored to their target demographic because news and current events articles are relevant to the widest victim pool across the most sectors. Further, a lure based around real or fake news has a significant chance of undermining targets’ mental defenses and cyber-hygiene training.
Victims are Predisposed to Interact with News Lures
Victims interact with news lures for several reasons, which include a drive to be “up-to-date” or current; a sense of urgency; socio-political polarization; curiosity; or fear. The most effective lures either incorporate a real news article as an attachment, as a malicious link to a compromised site, or as a tantalizing banner bordering an article tailored to the potential victims.
High-Profile Lures Entice Global Victim Pools
News was the most common social engineering lure in 2014. Cyber-adversaries capitalized on high-profile natural disasters, global events, celebrity gossip, and buzz-worthy headlines. The Sochi Olympics, the World Cup, the death of Robin Williams, the leak of celebrities’ private photos from the iCloud, and other stories were used by APTs and cybercriminals to spread malware to victim systems via email, watering-hole sites, and malicious advertisements . For instance, in 2014 the APT known as Naikon or APT 30, beguiled victims with a spear phishing email titled with topics relevant to both the Malaysian Airlines flight 370 and MH17 crash. The emails contained articles loaded with malicious droppers or with a fake video attachment that installed a remote access Trojan (RAT) onto victim systems .
The Naikon group is one of the most active APT groups in Asia. Since 2010, it has launched spear phishing campaigns into organizations surrounding the South China Sea, intent on harvesting geo-political intelligence from civilian and military government organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, Nepal, Thailand, Laos, and China. The actors speak native Chinese. Based on the choice of targets, the operating language, and the sophistication of the toolkit, there is a distinct possibility that Naikon is a Chinese state sponsored threat group .
Naikon’s Microsoft Word email attachments leveraged “a CVE-2012-0158 exploit, an executable with a double extension, or an executable with an RTLO filename”. Upon opening/ execution, the malicious payload, an 8kb encrypted file and configuration data, was injected into the browser memory where it decrypted the ports and paths to the C2C server, a user agent string, filenames and paths to relevant components, and hash sums of the user API functions. The malicious code downloaded the main malware from the C2C server over an SSL connection, and then it loaded independently of the operating system functions without saving to the hard drive, by assuming control of the XS02 function and then handling the installation in memory .
The Naikon platform focused around the RARSTONE backdoor (BKDR_RARSTONE.A), which obfuscated itself by “decrypting and loading a backdoor ‘executable file’ directly into memory without the need to drop the actual ‘executable file.’” The backdoor installed like a Plug X backdoor, injecting code into hidden instances of internet explorer. The module established a connection to the C2C server to receive and execute any of an estimated 48 commands from the adversary on the host. These commands were capable of profiling the system, uploading and downloading data, executing arbitrary code, installing other modules, or executing commands via the command line. The backdoor routine also granted adversaries the ability to get installer properties from Uninstall Registry key entries, which allow them to silently uninstall applications that interfered with the malware. The espionage malware collected email messages, monitored victims’ keystrokes and screens in real time, and monitored network traffic .
Naikon’s command and control infrastructure were minimalistic and organized according to locations of victims and targets. Communication protocol varied according to the target. Some systems connected directly to the C&C servers while other systems were routed through dedicated proxy servers. The proxy servers were victim hosts running the XSControl software, which accepted incoming connections and routed them to relevant C&C servers. The proxy server application also offered a GUI administration utility, logged client and operator activity, and transmitted logs to an FTP server. The operator logs contained an XML database of downloaded files (including a timestamp, the remote path, and the local path), a database of filenames and victim registry keys, and a history of executed commands .
Real News may be Weaponized
Individuals feel compelled to pay attention to prolific headlines, trending stories, and major outlets. Interest is increased when the news coverage features stories that are alarming or tragic. By either compromising a legitimate news outlet and transforming it into a watering-hole site or by purchasing banner space on the site and directing the users who click to malicious sites, cyber adversaries can capitalize on society’s natural proclivity to follow media coverage of major events . Legitimate news sites may have been some of the earliest targets of APT campaigns, and legitimate news articles may have been some of the earliest lures used to spread malware.
From November 2008 until summer 2010 the PinchDuke APT targeted political organizations in Georgia, Turkey, Uganda, and the United States. The political nature of the targets suggests that the campaigns may have been state-sponsored. The selection of targets closely mirrors those of the later APT 28/ Sofacy campaigns, which is widely believed to be a Russian state-sponsored threat actor. The PinchDuke malware was delivered via phishing emails containing spoofed news articles from the BBC website or articles concerning NATO. The malware consists of multiple loaders and an information stealer trojan. The trojan is based around the source code of the information stealing malware, LdPinch, which has been available on underground forums since the early 2000s. PinchDuke’s information stealer targets system configuration files, user credentials, and user files that were created within a predefined timeframe or whose file extension corresponds to a predefined list. PinchDuke communicated with its C&C servers through HTTP(s). In early 2010, PinchDuke campaigns decreased as other Duke campaigns began. Afterwards, PinchDuke or its components were absorbed into other campaigns. Notably, its loaders were later associated with CosmicDuke and occasionally the newer malware would install PinchDuke in its entirety on a victim system as a redundancy infection .
The Syrian Electronic Army (SEA) has also attacked media sites as part of its campaigns. It has compromised the websites and/or social media accounts of: “60 Minutes,” Al-Jazeera, Associated Press, BBC News, CBC News, CNN, The Daily Telegraph, Financial Times, The Guardian, The Onion, National Public Radio, The New York Times, Reuters, Time, and The Washington Post. Once it has control, The SEA posted fake stories or news and collected any confidential information that could be useful in future attacks, such as contact names. SEA attacks begin with phishing through spam or spear-phishing using detailed information obtained from previous campaigns. The SEA attempt to gain user credentials, which it then uses to seize control of the websites and social media accounts of prominent organizations. When phishing attempts fail, SEA may resort to malware, website defacement through web exploits, or denial of service attacks leveraging botnets. If no attack vector succeeds, then the SEA resorts to bombarding the social media accounts of its target with pro-Syria messages. The SEA is a public online political group that emerged in 2011 to support Syrian President Bashar al-Assad and his regime. The SEA conducts attacks to garner global attention rather than to steal data or financial information. The SEA primarily targets media outlets and journalists, political groups that oppose al-Assad’s regime, human rights groups, and Western organizations. Most SEA attacks target the websites and social media accounts of United States news organizations because it argues that the outlets spread anti-Syria propaganda. The SEA uses malware and phishing campaigns to actively monitor Syrian rebels and members of Human Rights groups. Most attacks amount to a banner ad or redirection to a site that supports al-Assad; however, the attacks can have tangible impacts. When the SEA hacked the Associated Press Twitter account in 2013, they posted a message that the White House had been bombed and that President Obama was injured. The post resulted in a noticeable impact on the DOW Jones and the S&P 500 Index (~$136.5 billion). In their attack on the New York Times, the SEA demonstrated the ability to breach a major domain registrar, Melbourne IT, using stolen credentials and redirect internet traffic or seize ownership of domains, such as Twitter .
Most recently, the Dropping Elephant APT has been infecting victims through geo-political news lures. Dropping Elephant infected at least 2,500 victims in the seven months prior to its discovery in December 2015. Evidence suggests that the group has been active since at least 2014. Patchwork targets government, energy, and other related organizations present in Asia and the South China Sea. Rather than develop their own malware or toolset, the APT uses copy-paste source code from GitHub and hacking forums. Patchwork could be state-sponsored; however, its lack of dedicated resources and its reliance on open source code, suggests that it may be a criminal organization. The group spreads the hijacked malware through either malicious PowerPoint attachments which exploit Sandworm’s exploit (CVE-2014-4114) or CVE-201406352, through malicious Word attachments that exploit CVE-2012-0158, or through watering-hole sites that are disguised as political news portals focusing on Chinese affairs in the South China Sea. The group uses an assortment of various copy-pasted code from malware and malware kits such as Powersploit, Meterpreter, Autolt, and UACME and then uses Meterpreter to carry out a reverse shell attack to gain total device access. In some attacks, an UPX packed AutoIT executable is dropped, which in turn downloads additional components to facilitate data exfiltration .
Even News of Cyber Threats may be Weaponized
Immediately following the 2013 release of Mandiant’s report “APT1: Exposing One of China’s Cyber Espionage Units,” Symantec discovered a social engineering lure that distributed a version of the report loaded with Trojan.Pidief that exploited the CVE-2013-0641 in Adobe Reader and Acrobat and dropped Trojan.Swaylib or Trojan.Dropper and then dropped the Downloader malware . The incident demonstrated how rapidly adversaries adapted to cybersecurity response. At the time of disclosure, Symantec believed that the campaign may have been launched by APT1 in retaliation for the publishing of the report .
Social Media Platforms are Weaponized Against Cyber-Hygiene
Many Millennials do not frequent news sites, read newspapers, or watch televised news as much as their elders. Adults aged 18-34 predominantly receive daily news via one or more social media platforms that are accessed via mobile devices. Studies indicate that many Millennials actively pay attention to news feeds on a daily basis and are civically interested in current events. Rather than seek or curate news, most Millennials incidentally and passively, absorb and attend to the coverage of societal, economic, and political events that populate their social media feeds . Social media, by its nature, categorizes users according to their preferences and interests; consequently, cyber threat actors can leverage the publicly available information about Millennial sub-populations when crafting news and fake news social engineering lures. Consequently, the hyper-tailored lures are significantly more effective, are virally propagated by the victims within social circles, and enable the adversary the ability to influence large portions of an entire generation of the workforce. One notable Facebook and Twitter campaign exploited popular hashtags to lure users to posts that featured malicious links that allegedly offered celebrity videos and pictures disclosed in the aforementioned iCloud hack. Victims were redirected to a download page for a “video converter,” which as actually the ADW_BRANTALL malware. The malware could install backdoors or additional droppers on victim systems and some variants spammed victim social media pages with malicious links .
Many social media users self-impose a mental disconnect from cyber-hygiene when they access social media, and many polarized users are willing to open news or fake news articles that they disagree with, solely for the purpose of assessing opposing viewpoints or arguing in the comments sections. These behaviors increase the adversary’s victim pool because the lure is accessed both when the target agrees or disagrees with the content of the lure. The victim pool available by developing lures around polarized topics, such as politics, are thereby enormous. Adversaries, who may be ambivalent towards the actual topic, act quickly to capitalize on current events in order to infect the greatest number of systems, while targets are focusing on their own polarized opinions or on expressing their viewpoints in heated arguments. For example, in as little as six hours after the conclusion of the 2016 Presidential election, APT 28 and APT29 allegedly launched social engineering campaigns using fake news lures. One attack vector was an email campaign that proceeded in five waves of attacks that targeted individuals focusing on national security, defense, international affairs, public policy, and European and Asian studies, at U.S.-based think tanks and non-governmental organizations (NGOs). Some of the emails were from either spoofed or compromised accounts from organizations like Harvard’s Faculty of Arts and Sciences (FAS), the Clinton Foundation, the International Institute for Strategic Studies (IISS), the Council on Foreign Relations, and others. The content of the lures varied between infected legitimate content and spoofed content. The email attachments were most often infected with macros that installed a malware downloader onto the victim system. The lure emails contained malicious Microsoft Word attachments or malicious links to PDFs, with topics such as:
- “The “Shocking” Truth About Election Rigging”
- “Elections Outcome Could Be Revised [Facts of Elections Fraud]”
- “Why American Elections Are Flawed”
- “Clinton Foundation FYI #1”
- “Clinton Foundation FYI #2”
The adversary likely designed the lures so that regardless of the outcome, the lures could be distributed to a substantial number of targets .
APT 28 is believed to be a Russian state-sponsored group that has been active since 2007. APT 28 is known for gathering geopolitical information specifically relevant to Russia interests, and it uses the information to leverage future attacks. APT 28 relies on spear-phishing campaigns, sophisticated malware, and zero-day exploits to infiltrate systems belonging to European governments, NATO affiliates, militaries, security organizations, and media organizations with the intent of exfiltrating state information that could be used to influence policy decisions, public opinion, or geopolitical issues .
APT28 spear phishing emails often originate from a typo-squatted mail server, and they typically contain either a decoy document relevant to the target or the link to a typo-squatted malicious domain. Decoy documents are tailored to the target often contain a user specific title, to entice the user to open the attachment, or confidential information, likely obtained through previous breaches, to lend credibility to the document. The group often uses the Sednit platform, which consists of the SOURFACE/ CORESHELL downloader, the EVILTOSS backdoor, and the CHOPSTICK modular implant. SOURFACE (also known as Sofacy) or CORESHELL performs runtime checks and reverse engineering counter operations before verifying that the infected machine matches the system profile of the target. If the target is verified, then the SOURFACE/CORESHELL dropper obtains a second stage backdoor from the C2 server and installs it on the victim’s system. The backdoor, EVILTOSS, is used to steal credentials and execute shellcode. EVILTOSS uploads an RSA public key and encrypts the stolen data. Then the data is sent via email as an attachment. EVILTOSS then delivers CHOPSTICK to the victim’s system and installs it. CHOPSTICK is comprised of custom implants and tools that are tailored to the target system. CHOPSTICK actively monitors the victim’s system by logging keystrokes, taking screenshots, and monitoring network traffic .
APT29 targets government organizations in an attempt to collect geopolitical data that could be of interest to Russia; however, it remains unclear whether APT29 is a cyber-mercenary or nation-state sponsored threat actor. APT29 employs anti-forensic techniques, monitor analysis and remediation efforts, and rely upon compromised C2C infrastructure. Apt29 embeds the Hammertoss commands into images using steganography. APT29 programs Hammertoss to blend into normal target network traffic and normal target network traffic patterns. The group preconfigures Hammertoss to activate after a predetermined date and only communicates during specified hours. The group may also be affiliated with the Duke APT family .
There are two variants of Hammertoss, Uploader and tDiscoverer. Both variants receive their instructions from an embedded image. Uploader goes to a hard-coded C2C server address and downloads an image of a specific file size. tDiscoverer generates and visits a new Twitter handle every day from a preconfigured algorithm. It attempts to visit that page. If the actor has registered the handle, then it visits the page and looks for a tweet with a URL that indicates the location of its instructions and a hashtag that specifies the minimum size of the image file. After the number of bytes, the hashtag may also contain a string that the malware adds to its encryption key so that it can decrypt the data. If the actor has not registered the handle, then the malware waits until the next day and repeats the process with the next handle generated by the algorithm. The malware fetches the image from the URL. Uploader or tDiscoverer, decrypts the data hidden in the image, and processes the attackers’ command. Commands include conducting reconnaissance on the victim system, executing commands via PowerShell, or uploading stolen data to a cloud storage service .
Cyber-Terrorists are beginning to Leverage News and Fake News Lures
The Moonlight APT (also known as the Gaza cyber-gang) is believed to have ties to Hamas and has begun utilizing news and social media lures to spread malware to spread the H-Worm malware as of June 2016. H-Worm is a backdoor Trojan that is used to further compromise victim networks and to spread the njRAT Remote Access Trojan. Most victims are individual users who are located in Palestine, Egypt, the United States, Jordan, Libya, Iran, Israel, and China. The group lacks much of the technical expertise observed in other cyber-espionage groups, such as the use of zero-day exploits. Instead, the threat actor spreads malware solely through socio-political lures (websites and malicious attachments) with titles related to political affairs in the Middle East .
This extremely brief introduction to the reality of the adversarial usage of news and “fake news” in social engineering campaigns is intended to stimulate the reader to delve deeper into this aspect of the hyper-evolving cyber threat landscape. Cybersecurity is a non-partisan issue and the current attribution disputes and attempts to assign blame, between the mainstream media, the “Alt Right” and other parties, distracts from the reality that cyber threat actors are actively and aggressively weaponizing information in order to deliver malicious payloads that parasitically infest networks and that lead: to the theft of Intellectual Property, to nation state surveillance on critical infrastructure, and to the exfiltration of PII, etc. The cyber adversaries within this space, that are adopting this methodology range from nation state and mercenary APTs, to self-radicalized cyber lone wolves, to cyber-criminal gangs, to hacktivists, and to countless other varieties.
The evolution and progression of these adversaries are not hindered by unproductive and distracting retroactive feuds over blame and attribution. Make no mistake, cyber adversaries will continue to utilize news and fake news lures in their social engineering campaigns. As an increasing number of adversaries begin to capitalize on news and fake news, the lures will continue to become more sophisticated and more convincing, the malicious payloads attached to them will become more multifunctional and complex, and the impact on individuals and critical infrastructure systems will increase in frequency and severity. The Information Security community, the media, legislative partners, and critical infrastructure sectors cannot afford to divert their already limited resources to partisan theater instead of taking immediate actions to mitigate the onslaught of emerging cyber threats.
 “5 advanced persistent threat trends to expect in 2016,” in F-Secure, Business Security Insider by F-Secure, 2016. [Online]. Available: https://business.f-secure.com/5-advanced-persistent-threat-trends-to-expect-in-2016/. Accessed: Jan. 2, 2017.
 The Most Popular Social Engineering Lures Used in 2014,” in Trend Micro USA, 2015. [Online]. Available: http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-most-popular-social-engineering-lures-used-in-2014. Accessed: Jan. 2, 2017.
 K. Baumgartner and M. Golovkin, “The Naikon APT,” in Securelist, 2015. [Online]. Available: https://securelist.com/analysis/publications/69953/the-naikon-apt/. Accessed: Jan. 3, 2017.
 “The Dukes: 7 Years of Russian Cyberespionage,” in F-Secure. [Online]. Available: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf. Accessed: Jan. 3, 2017.
 A. Greenberg, “How the Syrian electronic army hacked us: A detailed Timeline,” in Forbes, Forbes, 2014. [Online]. Available: http://www.forbes.com/sites/andygreenberg/2014/02/20/how-the-syrian-electronic-army-hacked-us-a-detailed-timeline/#5b8cfadb52f9. Accessed: Jan. 3, 2017.
 T. Spring, M. Mimoso, and A. Saita, “Dropping elephant APT targets old windows flaws,” Threatpost | The first stop for security news, 2016. [Online]. Available: https://threatpost.com/dropping-elephant-apt-targets-old-windows-flaws/119123/. Accessed: Jan. 3, 2017.
 J. Hamada, “Malicious Mandiant report in circulation,” Symantec Security Response, 2013. [Online]. Available: https://www.symantec.com/connect/blogs/malicious-mandiant-report-circulation. Accessed: Jan. 3, 2017.
 “How Millennials Get News: Inside the habits of America’s First digital generation,” mediainsight, 2014. [Online]. Available: http://mediainsight.org/Pages/how-millennials-get-news-inside-the-habits-of-americas-first-digital-generation.aspx. Accessed: Jan. 3, 2017.
 “iCloud hacking leak now being used as social engineering lure,” in Trend Micro, TrendLabs Security Intelligence Blog, 2014. [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/icloud-hacking-leak-now-being-used-as-social-engineering-lure/. Accessed: Jan. 3, 2017.
 S. Adair, “PowerDuke: Widespread post-election Spear Phishing campaigns targeting think tanks and NGOs,” 2016. [Online]. Available: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/. Accessed: Jan. 3, 2017.
 “APT28: A Window into Russia’s Cyber Espionage Operations?,” in FireEye, FireEye, 2014. [Online]. Available: https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html. Accessed: Jan. 3, 2017.
 “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group,” in FireEye. [Online]. Available: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf. Accessed: Jan. 3, 2017.
 C. Doman, “Moonlight – targeted attacks in the middle east,” 2016. [Online]. Available: http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks. Accessed: Jan. 3, 2017.