As we start 2022, it’s time to take a good look back at the year we’re leaving behind us. At Sygnia, we’ve always been dedicated to the cyber security community, uncovering intelligence and then sharing the information with other organizations, bringing real-time insights to our clients on how to hunt down threats, and publishing our expertise on how to defend complex environments.
So, join us as we take a journey back through the year, and provide an overview of what we’ve learned from 5 major attacks that took place in 2021 as well as 2 new threat actors that were identified by Sygnia.
May 2021: Revisiting the Golden SAML Method
Supply chain attacks have been big news in recent years, and the ripples from the SolarWinds disclosure keep on coming. One attack technique that has been put in the spotlight is Golden SAML, an ADFS bypass. Once the attackers have gained admin rights to the ADFS server, they can steal the token-signing private key and certificate, which lets them forge SAML responses and reroute ADFS requests. With these credentials, attackers have full and persistent access, and keep it until the ADFS private key is replaced. While ADFS servers are usually well protected, going after the Managed Service Provider is a smart move by the attackers, since the MSP holds highly privileged access to the customer environment.
We covered 4 detection techniques for Golden SAML on-premises, and provided these, alongside advice for detecting SAML attacks in cloud and hybrid architectures, in the full write-up.
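The core of the on-premises detection idea, as an added example that is not taken from Sygnia's write-up: a SAML token presented to a cloud service should correspond to a token-issuance event on the ADFS farm, and should carry a lifetime consistent with ADFS policy. A token minted offline with a stolen signing key fails one or both checks. The script below correlates constructed sample records; the field names, the five-minute matching window and the one-hour policy value are assumptions to adjust to your own logs.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the Sygnia write-up. Field names are
# simplified assumptions: real ADFS audit events and cloud sign-in logs
# carry many more attributes.
ADFS_TOKEN_ISSUED = [
    {"time": "2021-05-10T08:00:05Z", "user": "alice@corp.example"},
    {"time": "2021-05-10T08:15:30Z", "user": "bob@corp.example"},
]

CLOUD_FEDERATED_SIGNINS = [
    {"time": "2021-05-10T08:00:09Z", "user": "alice@corp.example",
     "token_not_before": "2021-05-10T08:00:05Z", "token_not_after": "2021-05-10T09:00:05Z"},
    {"time": "2021-05-10T08:15:33Z", "user": "bob@corp.example",
     "token_not_before": "2021-05-10T08:15:30Z", "token_not_after": "2021-05-10T09:15:30Z"},
    # A sign-in the ADFS farm never logged issuing a token for, carrying a
    # 30-day lifetime: the shape a token minted with a stolen signing key takes.
    {"time": "2021-05-10T11:02:00Z", "user": "svc-backup@corp.example",
     "token_not_before": "2021-05-10T11:00:00Z", "token_not_after": "2021-06-09T11:00:00Z"},
]

ISSUANCE_WINDOW = timedelta(minutes=5)      # assumed: a token is used shortly after issuance
MAX_TOKEN_LIFETIME = timedelta(hours=1)     # assumed ADFS token lifetime policy


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_signins(signins, issued, window=ISSUANCE_WINDOW,
                            max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (signin, reasons) pairs for federated sign-ins that do not line up
    with an on-premises issuance event or that exceed the token lifetime policy."""
    issued_by_user = {}
    for ev in issued:
        issued_by_user.setdefault(ev["user"], []).append(parse_ts(ev["time"]))

    findings = []
    for s in signins:
        reasons = []
        used_at = parse_ts(s["time"])
        # Rule 1: an ADFS issuance for this user must precede the sign-in within the window.
        candidates = issued_by_user.get(s["user"], [])
        if not any(timedelta(0) <= used_at - t <= window for t in candidates):
            reasons.append("no matching ADFS token-issuance event")
        # Rule 2: ADFS only issues tokens with the policy lifetime; longer ones were not made by it.
        lifetime = parse_ts(s["token_not_after"]) - parse_ts(s["token_not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    for signin, reasons in find_suspicious_signins(CLOUD_FEDERATED_SIGNINS, ADFS_TOKEN_ISSUED):
        print(signin["user"], signin["time"], "->", "; ".join(reasons))
```

One caveat before trusting rule 1: an ADFS farm with auditing disabled or with gaps in event forwarding produces exactly the same "no issuance event" result for legitimate sign-ins, so confirm audit coverage across every ADFS node before treating a miss as a forged token.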
July 2021: Kaseya 'Supplied' Us With Plenty to Talk About
On the topic of supply chain attacks, Kaseya hit the headlines in July as their customers began reporting a widespread ransomware attack delivered through a vulnerability in Kaseya’s endpoint monitoring software. Kaseya shut down its SaaS servers as a precaution, and told customers to shut down on-premises VSA servers. In the end, around 60 customers were affected by the ransomware, with a continuing impact downstream on around 1,500 businesses in total – a warning to all of us to be aware of the supply chain impact and how connected we are to third-party vendors and customers.
At Sygnia, we shared the known Indicators of Compromise and provided focused hunting recommendations for anyone who felt they may be impacted by this attack.
June 2021: PrintNightmare Vulnerability is a Dream for Attackers
If you thought a paper jam or an unreliable WiFi connection was your biggest printer-related problem, then June’s critical Windows Print Spooler vulnerability probably changed your mind for good.
Dubbed “PrintNightmare”, what was first assumed to be a minor vulnerability was upgraded two weeks later to the status of Remote Code Execution. In fact, the print service allowed attackers to add printers and related drivers, which meant any attacker could run code with SYSTEM privileges as long as they had the credentials of any authenticated user. By July 6th, Microsoft had released an out-of-band security patch, but given the complexity and legacy nature of the print spooler, gaps in the “fix” were uncovered immediately. Our general recommendation is to apply all security patches immediately, but even with this patch deployed there is still reason to be cautious.
You can use the Windows Event Log or your own Endpoint Detection and Response technology to find signs of PrintNightmare exploitation, or you can try some of the advanced hunting techniques that we published at the time.
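To make the event-log route concrete, here is an added example (not Sygnia's published hunting content) that runs two commonly cited checks over constructed records in the style of the Windows PrintService logs: event 316 (a printer driver was added or updated) where a driver file sits on a UNC path or outside the driver store, and event 808 (the spooler failed to load a plug-in module). The record layout, the message wording and the driver store path are assumptions to adjust against your own exported events.

```python
import re

# Constructed sample records in the style of the Windows PrintService logs.
# The dict layout and message wording are simplified assumptions; real events
# are XML and should be parsed from an export (e.g. wevtutil / Get-WinEvent).
SAMPLE_EVENTS = [
    {"id": 316, "message": "Printer driver HP Universal Printing PCL 6 for Windows x64 "
                           "Version-3 was added or updated. Files:- hpcu.dll, hpcui.dll. "
                           "No user action is required."},
    {"id": 316, "message": "Printer driver Generic Driver for Windows x64 Version-3 was "
                           "added or updated. Files:- UNIDRV.DLL, \\\\10.0.0.5\\share\\loader.dll, "
                           "kernelbase.dll. No user action is required."},
    {"id": 808, "message": "The print spooler failed to load a plug-in module "
                           "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\new\\loader.dll, "
                           "error code 0x45A. See the event user data for context information."},
    {"id": 307, "message": "Document 12, Print Document owned by alice was printed on HP LaserJet."},
]

DRIVER_STORE = r"c:\windows\system32\spool\drivers"   # assumed default location


def driver_files(message):
    """Extract the 'Files:-' list from an event 316 message."""
    m = re.search(r"Files:-\s*(.*?)\.\s*No user action", message)
    return [f.strip() for f in m.group(1).split(",")] if m else []


def is_unexpected_location(path):
    """A driver file should be a bare name staged by the spooler, or live in the driver store."""
    p = path.strip().lower()
    if p.startswith("\\\\"):                  # UNC path: driver fetched from a remote share
        return True
    if re.match(r"^[a-z]:\\", p):            # absolute local path: must be inside the store
        return not p.startswith(DRIVER_STORE)
    return False


def hunt_print_spooler_events(events):
    """Return (event_id, detail) findings worth an analyst's attention."""
    findings = []
    for ev in events:
        if ev["id"] == 316:
            bad = [f for f in driver_files(ev["message"]) if is_unexpected_location(f)]
            if bad:
                findings.append((316, f"driver added with files from unexpected location: {bad}"))
        elif ev["id"] == 808:
            # Any failed plug-in load is rare on a healthy print server and worth a look.
            m = re.search(r"plug-in module (.+?), error", ev["message"])
            findings.append((808, f"spooler failed to load plug-in: {m.group(1) if m else ev['message']}"))
    return findings


if __name__ == "__main__":
    for event_id, detail in hunt_print_spooler_events(SAMPLE_EVENTS):
        print(event_id, detail)
```

The first 316 record (a vendor driver with bare file names) is left alone; the second is flagged because a driver file points at a remote share. Baseline the 316 volume on your print servers first, since legitimate driver roll-outs also generate these events.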
August 2021: Systematic Detection Evasion from the Lazarus Group
In August, we published new research that highlights a previously undocumented variant of the MATA malware, an earlier version of which had been reported by Kaspersky and Netlab. This MATA variant, however, was used to distribute and execute the TFlower ransomware. As a result, there is reason to believe there is a connection between the Lazarus Group and TFlower. In fact, over 95% of the functions in the .DLL loader used during TFlower’s malware execution match functions in the MATA malware framework. There’s either a definite connection, or TFlower would like us to think there’s one.
Our recommendations, as well as current Indicators of Compromise can be found in the original report, here.
October 2021: Sygnia Uncovers Targeted High-Profile Attacks by Praying Mantis
In October, we uncovered an advanced and persistent threat actor we dubbed Praying Mantis, or TG1021.
The attackers targeted Windows internet-facing servers to load custom malware for Windows IIS, and could then use this access to perform additional tasks, anything from making lateral moves across the network, to credential harvesting and reconnaissance. Rather than take a broad sweep, Praying Mantis seems to target specific high-profile commercial entities, probably for financial gain. In addition, the attack can interfere with logging and reporting, making it much harder to detect and mitigate.
You can read more about what we discovered about Praying Mantis, and also follow our guidelines on defending against this in-memory threat in the full report.
December 2021: Log4Shell Puts Millions of Devices at Risk
Many organizations are still reeling from the Log4Shell RCE vulnerability, found in the Apache Log4j Java logging library and announced last month. Attackers can use this vulnerability to gain control over affected servers, which means they could entirely compromise a business environment, leveraging this foothold to launch ransomware, engage in crypto-mining, and steal sensitive customer data. While an initial patch was provided quickly, a second vulnerability was published for the patched version of Log4j.
The severity of this vulnerability comes from the sheer number of Java applications that use the library, from iCloud and Twitter to enterprise security solutions and even physical IoT devices such as CCTV cameras. It can also be exploited using just a single HTTP request. In order to patch successfully, organizations need to know how to identify all vulnerable locations without business disruption, a process that may take weeks or months. We therefore recommended a phased approach to mitigation, while quickly reducing exposure as far as possible.
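As an added example of the “identify all vulnerable locations” step (written for this post, not Sygnia's tooling): a scanner that walks a deployment directory, opens every jar, war, ear or zip, recurses into archives nested inside them (the case that simple file-name searches miss), and reports each log4j-core copy with its manifest version. The safe-version threshold is an assumption to check against the current Apache advisories, and the archives it scans in demo() are constructed stand-ins built in a temporary directory.

```python
import io
import os
import re
import tempfile
import zipfile

# Assumed threshold for the 2.x line; check the current Apache Log4j security
# advisories rather than relying on this constant.
MIN_SAFE_VERSION = (2, 17, 1)
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_archive(data, location, findings):
    """Inspect one archive held in memory, then recurse into archives nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        # log4j-core ships the JndiLookup class; a jar from which it was removed
        # (a documented mitigation) is deliberately not reported.
        if any(n.endswith("log4j/core/lookup/JndiLookup.class") for n in names):
            version = manifest_version(zf)
            needs_upgrade = version is None or parse_version(version) < MIN_SAFE_VERSION
            findings.append({"location": location, "version": version,
                             "needs_upgrade": needs_upgrade})
        for n in names:
            if n.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(n), f"{location}!{n}", findings)


def scan_tree(root):
    """Walk a directory and report every log4j-core found, including nested copies."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def _fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar: manifest plus an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"")
    return buf.getvalue()


def demo():
    """Build a constructed deployment tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1"))
    war = io.BytesIO()                      # a web app bundling its own, patched copy
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1"))
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because the scanner keys on the JndiLookup class rather than on the jar's file name, a renamed or shaded copy is still reported, and a copy whose JndiLookup class was deleted as a mitigation drops out of the report. Run it against the application and container image directories of every Java host in the inventory, not only the ones known to use Log4j directly.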
December 2021: Elephant Beetle in Search of a Payout
Finally, just when you may have thought we could call 2021 a wrap, Sygnia uncovered a LATAM-focused organized threat group operating against the financial and eCommerce sectors. Primarily targeting legacy Java applications on Linux machines to gain a foothold, the threat group uses a robust assortment of more than 80 tools and scripts to make lateral moves and expand its visibility and control. Once the group has an understanding of the financial systems, fraudulent transactions are injected amongst regular activity, each too small to raise alarm, but over time amounting to millions of dollars.
You can learn how to hunt and defend against Elephant Beetle in the full report.
Is that a wrap from Sygnia for 2021?
We can’t leave the year behind us without giving a shout out to our people! At Sygnia, we’re surrounded each day by experts in their field, who take on the highest level of research, and provide the most detailed analysis to show results every single time. We’re proud to have you all as part of our team!
If you’re looking to proactively build your cyber-resilience for 2022, let's schedule a call.
Sygnia is a Team8 and Temasek company, part of the ISTARI Collective. Sygnia provides incident response and cyber security consulting services, helping organizations worldwide to quickly contain and remediate attacks and proactively enhance their cyber resilience. The proven track record, commitment, and discretion have earned Sygnia the trust of security teams, senior executives, and management boards at leading organizations worldwide including many of the Fortune 500 companies.