The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina, was also targeted.
The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘Dark Pink.’ This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher.
Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly.
Regarding the attack, Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealers: TelePowerBot, KamiKakaBot, Cucky, and Ctealer."
These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks.
Group-IB discovered one of the spear-phishing emails that Dark Pink used to obtain initial access. In this case, the threat actor posed as a candidate for a PR and communications intern position. The email states that the sender found the position on a jobseeker website, which suggests the threat actor scanned job boards and used that information to construct highly relevant phishing emails.
This highlights how carefully these phishing emails are crafted, which is precisely what makes them so dangerous.
Reportedly, Dark Pink is able to abuse USB devices connected to compromised systems. Moreover, Dark Pink can also access the messaging applications installed on infected computers.
The Dark Pink APT group remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the campaign and estimating its size.
The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack."
The target could be a government agency or a business, and the stolen information could be used to cause additional harm. When attempting to penetrate a high-value target, an APT may first be launched against the systems of a related entity. APTs have been reported to be carried out by both state actors and private criminals.
Several organizations closely monitor the threat actor groups behind these APTs. CrowdStrike, a security company that tracks over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive intrusion attempts between 2020 and 2021. Nation-state espionage is now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.
An APT typically unfolds in three main stages:
Since the threat is designed both to evade detection and to acquire sensitive information, each of these stages may entail several steps and be patiently carried out over an extended period of time.
Successful breaches may operate covertly for years; however, some actions, such as pivoting from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be completed very rapidly.
APTs are known for using deception to frustrate attribution. An APT from one country may incorporate language from another country into its code to confuse investigators.
Investigating teams may also have close relationships with state intelligence agencies, leading some to question the objectivity of their findings.
Amid this, the tactics, techniques, and procedures (TTPs) of APTs are constantly updated in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence.
List of key threats
New APTs built on advanced techniques, by their nature, generally operate undetected. In addition, highly challenging attacks continue to be carried out against organizations long after they were first detected (for instance, SolarWinds).
Moreover, new common trends and patterns are constantly being identified and replicated until a means is found to render them ineffective. Listed below are some of the major trends in APTs, identified by the Russian internet security firm ‘Kaspersky’:
• The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities.
• Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs.
• More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds.
• Continued exploitation of work-from-home (WFH): With the WFH arrangements that emerged in 2020, hacker groups will continue targeting employees’ remote systems until those systems are hardened enough to resist exploitation.
• Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, especially in Africa: With the deteriorating geopolitical situation worldwide, espionage is emerging rapidly in areas where systems and communications are the most vulnerable.
APT Identification and Management Practices:
Since APTs are designed to be covert, are well resourced, are backed by constant development, and draw on the illicit trade in zero-day exploits, they are intrinsically challenging to detect. Attacks, however, frequently follow a pattern, going for predictable targets such as admin credentials and privileged data repositories that represent important company assets.
Following are five recommendations for preventing and identifying APT intrusions:
1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.”
2. Stay alert: Follow the work of security analysts and security-community publications that track APT groups. They look for indications of threat-group or activity-group actions, as well as activity that points to a potential intrusion or ongoing cyber campaign.
3. Baseline: It is crucial to understand your own environment and establish a baseline of normal behavior in order to identify anomalous activity and, consequently, spot the tell-tale signs of an APT's presence. Odd traffic patterns and unusual behavior are easier to identify against such a baseline.
4. Use your tools: Existing security tools such as endpoint protection, network intrusion prevention systems, firewalls, and email protection can also be used to identify APTs.
5. Threat intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it may signify for the target organization. These technologies can help a management team identify potential attackers and determine their likely objectives.
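Recommendations 3 and 5 above (establish a behavioral baseline, then correlate threat-feed indicators with your own telemetry) can be combined in a small detection script. The following is an added example written for this page, not code from Group-IB or any vendor mentioned here. It assumes a simplified outbound-connection log format ("timestamp host process dest_ip dest_port") and uses constructed sample lines and placeholder indicators drawn from the reserved TEST-NET address ranges; the log layout, the baseline keys, and the feed structure are all assumptions for illustration.

```python
"""Baseline anomaly detection plus threat-feed correlation over sample log lines.

Added example (not part of the original article). The log format, the
(host, process) baseline keys and the feed layout are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed "known-good" outbound connections from a learning period.
# Format: timestamp host process dest_ip dest_port  (TEST-NET addresses).
BASELINE_LOGS = """\
2022-11-01T09:00:00 ws01 outlook.exe 203.0.113.10 443
2022-11-01T09:01:00 ws01 outlook.exe 203.0.113.11 443
2022-11-01T09:02:00 ws01 chrome.exe 203.0.113.20 443
2022-11-01T09:03:00 ws01 chrome.exe 203.0.113.21 80
2022-11-01T09:04:00 srv01 sqlservr.exe 203.0.113.30 1433
2022-11-01T09:05:00 srv01 w3wp.exe 203.0.113.31 443
"""

# Constructed observation window to be checked against the baseline.
NEW_LOGS = """\
2022-12-05T10:00:00 ws01 outlook.exe 203.0.113.10 443
2022-12-05T10:01:00 ws01 powershell.exe 198.51.100.77 443
2022-12-05T10:02:00 ws01 chrome.exe 203.0.113.22 4444
2022-12-05T10:03:00 srv01 w3wp.exe 198.51.100.5 443
"""

# Constructed threat feed. These are placeholder indicators, not real IoCs.
IOC_FEED = {
    "ips": {"198.51.100.77"},
    "cidrs": [ip_network("198.51.100.0/24")],
}


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # edge case: truncated or garbled line
        ts, host, process, dest, port = fields
        try:
            events.append({"ts": ts, "host": host, "process": process,
                           "dest": str(ip_address(dest)), "port": int(port)})
        except ValueError:
            continue  # edge case: non-numeric port or invalid address
    return events


def build_baseline(events):
    """Record, per (host, process), the destination ports and IPs seen as normal."""
    baseline = defaultdict(lambda: {"ports": set(), "dests": set()})
    for ev in events:
        entry = baseline[(ev["host"], ev["process"])]
        entry["ports"].add(ev["port"])
        entry["dests"].add(ev["dest"])
    return dict(baseline)


def match_ioc(dest, feed):
    """Return 'ip' for an exact indicator hit, 'cidr' for a range hit, else None."""
    if dest in feed["ips"]:
        return "ip"
    addr = ip_address(dest)
    if any(addr in net for net in feed["cidrs"]):
        return "cidr"
    return None


def evaluate(events, baseline, feed):
    """Flag events that deviate from the baseline or touch a threat-feed indicator."""
    findings = []
    for ev in events:
        reasons = []
        key = (ev["host"], ev["process"])
        if key not in baseline:
            reasons.append("new process on host")
        elif ev["port"] not in baseline[key]["ports"]:
            reasons.append("new destination port for process")
        hit = match_ioc(ev["dest"], feed)
        if hit:
            reasons.append(f"threat feed match ({hit})")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOGS))
    for f in evaluate(parse_log(NEW_LOGS), baseline, IOC_FEED):
        print(f"{f['ts']} {f['host']} {f['process']} -> {f['dest']}:{f['port']}: "
              + "; ".join(f["reasons"]))
```

The point of keying the baseline on (host, process) rather than on destination alone is that a first-seen process making outbound connections, or a known process using an unfamiliar port, is flagged even when the destination is not yet on any feed; the feed match then adds context rather than being the only trigger. In practice the baseline would be learned over a representative window and refreshed as the environment changes.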
Check Point researchers recently revealed the full extent of Domestic Kitten's broad surveillance operation against Iranian residents who could pose a threat to the stability of the Iranian regime. The operation is linked to the Iranian government and executed by APT-C-50. Started in 2017, it comprised 10 unique campaigns, targeted more than 1,200 people, and resulted in more than 600 successful infections. It includes 4 currently active campaigns, the latest of which started in November 2020. In these campaigns, victims are tricked into installing a malicious application through various vectors, including an Iranian blog website, Telegram channels, and even SMS messages containing a link to the malicious application.
Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty.
Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world, including the United States and Europe. The targeted industries include engineering, automotive, managed service providers, and pharmaceuticals.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.