<p>The NTT Group has a long-established tradition of leadership in the cybersecurity space.  A key component of this is through the activities of NTT-CERT, which was established in 2004 with the goal of acting as NTT’s Computer Security Incident Response Team.  The activities of NTT-CERT however go way beyond purely providing incident response, with a significant component of its work being focused on research and development.</p>
<p>Being part of NTT’s Social Informatics Laboratories, a major portion of NTT-CERT’s work is comprised of research which aims to build a body of knowledge which can be used to prevent breaches, more rapidly detect threats which do manage to circumvent controls and aid in performing incident response where this is required. The unparalleled access to security telemetry and malware samples available for analysis as a result of the scale of the NTT Group places NTT-CERT in a unique position in terms of its access to the data required for detailed analysis of the activities of threat actors around the entire globe. The incredibly diverse security requirements of the NTT Group also place NTT-CERT in a privileged position through its work in evaluating the latest security technologies and tools for use in the NTT Group.</p>
<p>In its latest Cybersecurity Report, NTT-CERT provides a window into its research, developments in the cybersecurity space and its own efforts in protecting the security of the NTT Group.  This report is set against a backdrop of growing international tension and conflict.  Conflicts such as the war in Ukraine are increasingly becoming hybrid conflicts where cyber attacks play a significant role.  In a similar way the tensions between the US and China, which are deepening as a result of sanctions on Chinese companies, have also spilled into the cyber domain.  At the same time, technologies such as generative AI are increasingly being used both to perpetrate cyber attacks and to defend against them.</p>
<p>It is against this backdrop that chapter 2 of the report focuses on cybersecurity incidents which occurred over the reporting period, referring to articles, reports and information related to specific incidents.  Special areas of focus include an analysis of the ransomware ecosystem and discussion of software supply chain issues, with specific emphasis on concerns relating to the open source ecosystem and especially risks related to source code hosted in GitHub.  </p>
<p>Chapter 3 of the report focuses on the incident response activities of NTT-CERT, providing an analysis of selected incidents and their resolution. A notable highlight is a review of the cybersecurity services provided for the G7 Hiroshima summit by NTT West.</p>
<p>Chapter 4 rounds up by discussing some of the key trends which are developing in the security space.  This discussion starts with a view of the bleed over into the cyber arena from Russia’s invasion of Ukraine.  Focusing more on technology, chapter 4 analyzes attack methods using Microsoft OneNote and the rapidly developing exploitation of generative AI in cyber attacks.</p>
<p>To secure your own detailed window into the work of NTT-CERT, download your copy of the 2023 Cyber Security Report now.</p>


NTT-CERT's 2023 Annual Cyber Security Report

<p><em>Bad actors are using more aggressive and unscrupulous tactics to acquire personal data and extort ransoms</em></p>
<p>Ransomware and extortion incidents surged by 67% in 2023, according to NTT Security Holdings recently released 2024 Global Threat Intelligence Report.</p>
<p>Created by NTT Security Holdings Global Threat Intelligence Center, the report examines cybersecurity trends, provides insights on the threat landscape, and offers recommendations to help organizations better protect against cyberattacks.</p>
<p>After a down year in 2022, ransomware and extortion incidents increased in 2023. More than 5,000 ransomware victims were detected or posted across multiple social channels up from approximately 3,000 in 2022. These findings are based on NTT Security Holdings Global Threat Intelligence Center’s internal research and by compiling listings on extortion sites, Telegram channels, and public reporting and disclosures. The number of victims is likely higher because the research does not reflect incidents where ransoms were paid before the listing was made public.</p>
<p>“Our 2023 report highlighted the increase in cyberthreats affecting day to day life, economic conditions, and privacy,” said Jeremy Nichols, NTT Security Holdings’ Global Threat Intelligence Center director. “We expect this to soar in 2024 as threat actors create more sophisticated attacks using artificial intelligence to exploit growing attack surfaces and take advantage of limited cyber budgets and staff shortages.”</p>
<img src="/img/blog/GTIR-Press-Release.jpg" class="img-responsive" alt="GTIR 2024 stats" title="GTIR 2024 stats" width="999" height="523" />

<h2 id="key-insights-from-the-2024-report">Key Insights From the 2024 Report:</h2>
<p>Critical infrastructure, supply chain, and financial services face the most risk. The top sectors threat actors are attacking require near perfect uptime because service disruptions can affect lives, making them more likely to pay a ransom to restore access to their vital systems and data. Manufacturing topped the list of attack sectors in 2023 at 25.66% and had the most ransomware victims posted on social channels with 27.75%.</p>
<p>Ransomware operators and affiliates are using less moral and ethical tactics to obtain payments. They are targeting sectors previously considered off limits, including healthcare, non-profits, and energy companies. They have threatened to release sensitive medical photos or patient records if ransoms are not paid.</p>
<p>Small and medium-sized enterprises face the largest challenge combating cyberthreats. More than 50% of ransomware victims had less than 200 employees while 66% had less than 500 employees, according to the research.</p>
<p>Threat actors continue to exploit vulnerabilities and zero days in the most popular software programs. The list of corporate software options and new vulnerabilities continues to increase while malicious software simultaneously evolves, using generative AI to quickly integrate and exploit high and critical severity vulnerabilities. </p>
<p>Humans remain the weakest link in cybersecurity, and it is getting worse. Hybrid cloud environments, bring your own device, and third-party integrations have expanded the attack surface for most organizations. Cybersecurity roles and responsibilities are expanding, cyber budgets are getting slashed, and there are more tools to complete these responsibilities, increasing staff fatigue and burnout.</p>
<p>“Organizations are struggling to defend against routine exploitation, malware, and ransom or extortion threats,” added Nichols. “The predictions and recommendations in our report offer business and technical leaders a roadmap to make quicker and informed decisions to improve their security posture as these threats exponentially escalate.”</p>
<h2 id="access-the-full-report">Access the Full Report</h2>
<p>For a comprehensive understanding of the most frequent cyberattacks, predictions for future attacks, and recommendations for safeguarding organizations against evolving threats, download the complete 2024 Global Threat Intelligence Report at <a href="/global-threat-intelligence-report-2024?utm_source=nttshblog&utm_medium=gtir2024&utm_campaign=gtir2024">https://www.security.ntt/global-threat-intelligence-report-2024</a>.</p>
<h2 id="about-ntt-security-holdings">About NTT Security Holdings</h2>
<p><a href="/global-threat-intelligence-report-2024?utm_source=nttshblog&utm_medium=gtir2024&utm_campaign=gtir2024">NTT Security Holdings</a>, a Group company, provides proactive cyber defense and services that make use of gathered human resources and intelligence to protect our customers and society. For more than 20 years, our company has helped clients protect their digital businesses by predicting, detecting, and responding to cyberthreats, while supporting business innovation and managing risk. Our SOC, R&amp;D centers and security experts deliver unsurpassed threat intelligence and handle hundreds of thousands of security incidents annually. Together, we secure the connected future.</p>
<p><strong>MEDIA INQUIRIES</strong></p>
<p>Contact:<br/>
Jeremy Nichols<br/>
Director, Global Threat Intelligence Center<br/>
NTT Security Holdings<br/>
T: +1 (402) 361-3053<br/>
E: <a href="mailto:jeremy.nichols@global.ntt">jeremy.nichols@global.ntt</a></p>


Ransomware and extortion incidents surged by 67% in 2023, according to NTT Security Holdings 2024 Global Threat Intelligence Report

<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="thursday-09-february-2023">Thursday 09 February 2023</h3>
<h4 id="1000-am--330-pm">10:00 am – 3:30 pm</h4>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="/virtual-tour/index.htm" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Location</strong><br>NTT Security<br>Krokslätts Fabriker 30<br>Mölndal – Göteborg<br>Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence.</p>
<p><strong>Agenda</strong></p>
<ul>
<li>Registration and coffee</li>
<li>Welcome and introduction to NTT Security services</li>
<li>Threat detection: Threat Intelligence, advanced analytics, machine learning</li>
<li>2022 Global Threat Intelligence Report</li>
<li>SOC Operations: How the services are delivered 24/7</li>
<li>Lunch</li>
<li>Live demonstration of an attack: the SOC detects, reports and responds</li>
<li>Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visiting the SOC. Will be attached to the confirmation email.</p>


SOC Open House

<div class="iframe-container">
<iframe width="560" height="315" src="https://www.youtube.com/embed/KD2bNmFWtYo" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe></div>

<p>Watch the webinar hosted at our security operation center in Gothenburg. Virtually meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can preview the SOC here: <a href="https://www.security.ntt/virtual-tour/index.htm" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Webinar Recording Agenda</strong></p>
<ul>
<li>Welcome and introduction to NTT Security services</li>
<li>Threat detection - Threat Intelligence, advanced analytics, machine learning</li>
<li>SOC Operations - How the services are delivered 24/7</li>
<li>Live demonstration of an attack and how the SOC detects, reports and responds to it</li>
</ul>
<p>73% of all validated security incidents sent to clients last year were initially detected with tools and methods developed by NTT, while the remaining were alerts from security technology such as firewalls, IPS and EDR. For any questions or to request more info on our services please <a href="/contact">contact us</a>. </p>


Webinar SOC Open House

<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="wednesday-31-may-2023">Wednesday 31 May 2023</h3>
<h4 id="1000-am--330-pm">10:00 am – 3:30 pm</h4>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="/virtual-tour/index.htm" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Location</strong><br>NTT Security<br>Krokslätts Fabriker 30<br>Mölndal – Göteborg<br>Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence.</p>
<p><strong>Agenda</strong></p>
<ul>
<li>Registration and coffee</li>
<li>Welcome and introduction to NTT Security services</li>
<li>Threat detection: Threat Intelligence, advanced analytics, machine learning</li>
<li>2022 Global Threat Intelligence Report</li>
<li>SOC Operations: How the services are delivered 24/7</li>
<li>Lunch</li>
<li>Live demonstration of an attack: the SOC detects, reports and responds</li>
<li>Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visiting the SOC. Will be attached to the confirmation email.</p>


<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="thursday-24-november-2022">Thursday 24 November 2022</h3>
<h4 id="1000-am--330-pm">10:00 am – 3:30 pm</h4>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="/virtual-tour/index.htm" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Location</strong><br>NTT Security<br>Krokslätts Fabriker 30<br>Mölndal – Göteborg<br>Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence.</p>
<p><strong>Agenda</strong></p>
<ul>
<li>Registration and coffee</li>
<li>Welcome and introduction to NTT Security services</li>
<li>Threat detection: Threat Intelligence, advanced analytics, machine learning</li>
<li>2022 Global Threat Intelligence Report</li>
<li>SOC Operations: How the services are delivered 24/7</li>
<li>Lunch</li>
<li>Live demonstration of an attack: the SOC detects, reports and responds</li>
<li>Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visiting the SOC. Will be attached to the confirmation email.</p>


<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="tuesday-26-april">Tuesday 26 April</h3>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="https://ntt.l8h.eu/">https://ntt.l8h.eu/</a></p>
<p><strong>Location</strong>
NTT Security Krokslätts Fabriker 30 Mölndal – Göteborg Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence</p>
<p><strong>Agenda</strong></p>
<ul>
<li>10:00   Registration and coffee</li>
<li>10:15   Welcome and introduction to
  NTT Security services </li>
<li>10:45 Threat detection - Threat
  Intelligence, advanced
  analytics, machine learning </li>
<li>11:30 SOC Operations - How the
  services are delivered 24/7 </li>
<li>12:00 Lunch</li>
<li>13:00   SOC Guided Tour</li>
<li>13:30   Live demonstration of an
  attack and how the SOC detect, report and respond to an incident</li>
<li>15:00   Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visit the SOC. Will be attached to the confirmation</p>


<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="tuesday-14-june-2022">Tuesday 14 June 2022</h3>
<h4 id="1000-am---300-pm">10:00 am - 3:00 pm</h4>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="https://ntt.l8h.eu/" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Location</strong><br>NTT Security<br>Krokslätts Fabriker 30<br>Mölndal – Göteborg<br>Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence.</p>
<p><strong>Agenda</strong></p>
<ul>
<li>10:00 Registration and coffee</li>
<li>10:15 Welcome and introduction to
  NTT Security services </li>
<li>10:45 Threat detection - Threat
  Intelligence, advanced
  analytics, machine learning </li>
<li>11:30 SOC Operations - How the
  services are delivered 24/7 </li>
<li>12:00 Lunch</li>
<li>13:00 SOC Guided Tour</li>
<li>13:30 Live demonstration of an
  attack and how the SOC detect, report and respond to an incident</li>
<li>15:00 Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visit the SOC. Will be attached to the confirmation</p>


<h2 id="soc-open-house">SOC Open House</h2>
<h3 id="tuesday-06-september-2022">Tuesday 06 September 2022</h3>
<h4 id="1000-am---300-pm">10:00 am - 3:00 pm</h4>
<p><strong>Welcome</strong> to our security operation center. Meet our security analysts and get to know how NTT detects and responds to advanced persistent threats. You can take a preview of the SOC here: <a href="https://ntt.l8h.eu/" target="_blank" rel="noopener">Virtual SOC Tour</a></p>
<p><strong>Location</strong><br>NTT Security<br>Krokslätts Fabriker 30<br>Mölndal – Göteborg<br>Sweden</p>
<p>For signup and questions, please contact <a href="marcus.silwer@global.ntt">mailto:marcus.silwer@global.ntt</a></p>
<p>Limited number of seats The event is free of charge Travel arrangements at own expence.</p>
<p><strong>Agenda</strong></p>
<ul>
<li>10:00 Registration and coffee</li>
<li>10:15 Welcome and introduction to
  NTT Security services </li>
<li>10:45 Threat detection - Threat
  Intelligence, advanced
  analytics, machine learning </li>
<li>11:30 SOC Operations - How the
  services are delivered 24/7 </li>
<li>12:00 Lunch</li>
<li>13:00 SOC Guided Tour</li>
<li>13:30 Live demonstration of an
  attack and how the SOC detect, report and respond to an incident</li>
<li>15:00 Coffee and Q&amp;A</li>
</ul>
<p>All visitors needs to sign a Non- Disclosure Agreement (NDA) before visit the SOC. Will be attached to the confirmation</p>


Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020

<p>Emotet is a threat known to use large amounts of command and control servers (C2s) in parallel in order to ensure uptime and bypass blocking.
This first layer of C2s, also called Tier 1 C2s, will in part forward their received traffic to Tier 2 servers. This relationship has previously been observed by Centurylink1.</p>
<p>NTT Ltd. Threat Detection decided to explore the malware infrastructure of Emotet deeper, with multiple goals in mind:</p>
<ul>
<li>ensure our long-term detection capabilities for Emotet traffic in our customer environments</li>
<li>explore the underlying Emotet infrastructure and track the setup and longevity of the Tier 2 servers</li>
<li>collaborate with CERTs and notify ISPs of malicious activity</li>
</ul>
<p>We own and operates one of the world&#39;s largest tier-1 IP backbones, giving insight into a significant portion of the global internet traffic. We’re also consistently ranked among the top five network providers in the world. In the fall of 2018, our security division added botnet infrastructure detection capabilities to our Managed Security Services (MSS) Threat Detection services. This unique capability was use during this project in order to explore and monitor the Emotet network infrastructure.</p>
<h2 id="starting-the-journey">Starting the journey</h2>
<p>The assumptions of behaviour of the Tier 1 C2s were reduced to the expectation that they forward their traffic towards a Tier 2 C2. We initially monitored Tier 1 C2 traffic en masse. We extracted Tier 1 C2 lists from Emotet samples and applied these IOCs in our netflow monitoring in NTT Ltd.’s global internet infrastructure, where one potential Tier 2 C2 was found:</p>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_1.jpeg" alt="Tier 1 and Teir 2 C2s" title="Tier 1 and Teir 2 C2s" width="740" height="555" />

<p>The Emotet botnet is divided into separate Epochs, Epoch 1, 2 and 3, which all have their own separate Tier 1 C2 infrastructure 2. The Tier 1 C2s in the picture above belong to Epoch 2.</p>
<p>A Shodan lookup of the services of the Tier 2 C2 shows the following setup of HTTP services:</p>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_2.jpeg" alt="services of the Tier 2 C2" title="services of the Tier 2 C2" width="740" height="555" />

<p>At this point in the investigation we assumed that the above was the standard setup for all Tier 2 C2s and automated the analysis of outgoing traffic from Tier 1 C2s to find new Tier 2 C2s. We found new ones by selecting traffic where:</p>
<ul>
<li>the source IP is an Emotet Tier 1 C2</li>
<li>the destination port is TCP/80 and is running a NGINX service, with the error message “HTTP 404 Not found”</li>
<li>the destination IP is also running an Apache service which gives “HTTP 200 OK” status message over port TCP/8080</li>
</ul>
<h2 id="observed-backends">Observed backends</h2>
<p>With our new workflow established we’ve observed 16 Tier 2 C2 servers with incoming Tier 1 C2 traffic of their respective associated Epoch:</p>
<ul>
<li>eight Tier 2 C2s belong to Epoch 1</li>
<li>five Tier 2 C2s belong to Epoch 2</li>
<li>three Tier 2 C2s belong to Epoch 3</li>
</ul>
<p>With the following hosting providers used:</p>
<ul>
<li>seven using Serverius Holding</li>
<li>five using GloboTech</li>
<li>two using Worldstream</li>
<li>one using PnS Hostings</li>
<li>one using RealHosters</li>
</ul>
<p>The graphs below show the timelines for when each Tier 2 C2 is receiving connections from Tier 1 C2s grouped by each Epoch. The Y-axis is the number of connecting Tier 1 C2s and the X-axis is the timeline. The coloured lines each represent a Tier 2 C2.</p>
<h3 id="epoch-1">Epoch 1:</h3>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_3.jpeg" alt="Epoch 1" title="Epoch 1" width="740" height="555" />

<h3 id="comment">Comment:</h3>
<p>Based on the synchronization in time when old Tier 2 C2s disappear and new Tier 2 C2s appears there are two separate Tier 2 C2 infrastructures for Epoch 1 in use at the same time: <strong>37.252.15.50 -&gt; 185.180.223.70 and 72.10.162.83 -&gt; 72.10.162.84-&gt; 72.10.162.85-&gt; 72.10.162.86</strong>.</p>
<h3 id="epoch-2">Epoch 2:</h3>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_4.jpeg" alt="Epoch 2" title="Epoch 2" width="740" height="555" />

<h3 id="comment-1">Comment:</h3>
<p>The new Tier 2 C2s appear at the same time or a little before the old one goes down. The overlap with two Tier 2 C2 active at the same time is noteworthy.</p>
<h3 id="epoch-3">Epoch 3;</h3>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_5.jpeg" alt="Epoch 3" title="Epoch 3" width="740" height="555" />

<h3 id="comment-2">Comment:</h3>
<p>The IP 134.119.194.179 has for a very long time been utilized as a Tier 2. The IP 37.252.14.29 has a low utilization of connecting Tier 1 C2s.</p>
<p>From the analysis above the following Tier 2 IPs were excluded due to their short time-span and low amount of connecting Tier 1 C2s indicating them to possibly be inactive:</p>
<ul>
<li>37.252.15.52</li>
<li>37.252.14.109</li>
<li>185.180.223.114</li>
</ul>
<h2 id="theories-on-administration">Theories on administration</h2>
<p>Our analysts have three main theories on how the actor behind Emotet administers the Tier 2 C2 servers:</p>
<h3 id="theory-1--apache-tcp8080">Theory 1 – Apache TCP/8080</h3>
<p>An administration panel and/or API access exposed over Apache TCP/8080 which the actor connects to. No network traffic in the NTT Global internet infrastructure supporting this theory has been seen.</p>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_6.jpeg" alt="Apache TCP8080" title="Apache TCP8080" width="740" height="555" />

<h3 id="theory-2--nginx-tcp80">Theory 2 – NGINX TCP/80</h3>
<p>The hosting of an administration panel and/or API access over the same port that they receive C2 traffic. This would make it easier for the actor to hide their tracks by possibly tunnelling their traffic through Tier 1 C2s towards Tier 2 C2s.</p>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_7.jpeg" alt="NGINX TCP80" title="NGINX TCP80" width="740" height="555"/>

<h3 id="theory-3---a-tier-3-c2">Theory 3 - A Tier 3 C2</h3>
<p>Tier 2 C2s forwarding their traffic towards a central Tier3 C2 which has data for all three Epochs. No outgoing traffic from Tier 2 C2s inside of NTT Global internet infrastructure has been observed supporting this and it’s seen as very unlikely.</p>
<img src="/img/blog/behind-the-scenes-of-the-emotet-infrastructure/In_Text_8.jpeg" alt="A Tier 3 C2" title="A Tier 3 C2" width="740" height="555" />

<h2 id="closing-thought-on-theories">Closing thought on theories</h2>
<p>The overlaps observed in the Tier 2 C2 infrastructure with multiple Tier 2 C2s being active at the same time indicates an additional complexity. Based on netflow monitoring of our global internet infrastructure, theory 2 is found to be most likely, but forensics of Tier 2 C2s would be needed in order to confirm this theory.</p>
<h3 id="conclustion">Conclustion</h3>
<p>NTT Ltd.’s Threat Detection has reliably been able to follow the changes in the use of Tier 2 servers in the Emotet network infrastructure. It’s noteworthy how one of the largest threat actors today can largely operate undisturbed with Tier 2 servers having uptime of multiple months. This research is of use when planning takedown actions, but also in understanding threat actors&#39; operations and improving the detection capabilities that NTT Ltd. Threat Detection has in customer environments.</p>
<p>In the recently released 2020 Global Threat Intelligence Report, our researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Threat actors are innovating and evolving their tradecraft’. Read more about how automation, multi-stage-payloads and custom targeted malware are changing the threat landscape here.</p>
<h3 id="references">References</h3>
<p>1 <a href="https://blog.centurylink.com/emotet-illuminated-mapping-a-tiered-botnet-using-global-network-forensics/">https://blog.centurylink.com/emotet-illuminated-mapping-a-tiered-botnet-using-global-network-forensics/</a></p>
<p>2 <a href="https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/">https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/</a></p>


Behind the scenes of the Emotet Infrastructure

<p>One of the great challenges of cybersecurity is the need to learn continuously.  Just as our adversaries adapt and change all the time, we need to remain one step ahead of them.  This is especially true of the analysts in our SOC, who never stop learning.  The SOC is the front-line where analysts are exposed to all the latest exploits developed by threat actors.  That exposure, on its own, isn&#39;t enough, however.  That is why our analysts are on a continuous quest to learn from their peers and from the industry.</p>
<p>One exciting and rewarding way for our analysts to test themselves and learn from their peers is by participating in cybersecurity competitions.  These are highly competitive events where analysts get to pit themselves against peers from other organizations in events which test both their skill and their resolve to overcome adversaries in high-pressure situations. In some cases, analysts even get the chance to take on the role of the attacker, which helps them to better understand the tactics and strategies used by their adversaries.</p>
<p>Our SOC teams have participated in a number of cybersecurity competitions and have achieved top results in competition against other highly skilled teams. The list below lists some of our achievements in recent years.</p>
<ul>
<li>9th (1st onsite) Security Fest CTF 2018 (among 400 teams)</li>
<li>1st and 2nd  Splunk Boss of the SOC Helsinki 2019 (among 14 teams)</li>
<li>2nd  Splunk Boss of the SOC Nordic 2020 (among 43 teams)</li>
<li>6th  Splunk Boss of the SOC v6.conf21 2021(among 425 teams)</li>
<li>17th Cyber Apocalypse CTF 2022 (among 7024 teams)</li>
<li>17th  Hack the Box Business CTF Dirty Money 2022 (among 657 teams)</li>
</ul>
<p>Capture the flag (CTF) competition has become increasingly popular among cybersecurity professionals, providing a fun and engaging way to test and improve skills. To succeed in a CTF competition, participants must have a strong understanding of a wide range of security concepts and techniques. These may include cryptography, web security, reverse engineering, forensics, exploit development, and programming.  Participants must use their expertise and problem-solving abilities to complete these challenges and earn points or capture the flag.</p>
<p>The NTT SOC team has had the opportunity to compete against several of the most respected security firms in the industry at the &quot;Hack the Box Business CTF 2022&quot; event. In order to successfully complete the exploitation challenge known as &quot;Midenios&quot; which has a difficulty of “Hard”, the participant must create a custom JavaScript payload to exploit the discovered vulnerability. The NTT analyst that was able to solve this challenge wrote a detailed blog post about it which can be found <a href="https://insight-jp.nttsecurity.com/post/102htp3/hack-the-box-business-ctf-2022-pwn-firefox" target="_blank" rel="noopener">here</a>.</p>
<p>Another analyst who successfully solved a malware analysis related challenge offered some great feedback on the real world value of a challenge they encountered in the same competition: “We received an email with a suspicious document attached. The document contained a malicious VBA script that attempted to download malware when the user opened it. We were able to obtain the malware and reverse engineer it to find the flag that was hidden within it.” This technique has been observed in multiple malware families, including Emotet, IceID, and Dridex.</p>
<p>Another popular cybersecurity competition is Boss of the SOC (BOTS) arranged by Splunk. BOTS is a cybersecurity competition that involves participants attempting to detect and respond to simulated security threats in a SOC environment. The participants are typically presented with a set of simulated network environments and are asked to detect and respond to security threats in real-time. These threats may include malware, network intrusions, and other types of cyber-attacks.</p>
<p>One of our team members who participated in BOTS describes “BOTS puts our threat hunting skills to the test. We got to make use of different logs, statistics, geolocation, and more to hunt for everything from APT groups to kidnapped toads.&quot; Another member added “BOTS pushed my problem-solving skills to the limit and taught me new strategies that have been useful in my role as an analyst.”</p>
<p>Overall, CTF and BOTS competitions provide a unique and exciting opportunity for security professionals to test and improve their skills. These competitions are challenging and engaging and can help participants to stay sharp and up-to-date on the latest security technologies and techniques. Whether you are a seasoned veteran or a newcomer to the field of security, participating in a CTF or BOTS competition can be a rewarding and valuable experience.</p>
<p>Cybersecurity competitions provide a competitive proving ground where our analysts can hone their skills. The experience they build from the perspective of both the defender and the attacker provides them with an invaluable edge. NTT’s Samurai Managed Detection and Response service relies on the continuous learning that our analysts undertake so that we can keep ahead of threat actors as we defend our clients.</p>
<p>To find out more about Samurai Managed detection and Response, <a href="/contact">reach out to our experts today</a>.</p>


Competing in Cyber Security

<p><strong>In the fall of 2018, We added botnet infrastructure detection capabilities to our Managed Security Services (MSS) and threat detection services.</strong>
In the initial press release, there were limited details released on how our machine learning system leverages our access to our global network infrastructure. We own and operate one of the world&#39;s largest tier-1 IP backbones, having insight into a significant portion of the global internet traffic and we are consistently ranked among the top five network providers in the world.</p>
<p>In this blog post, we’ll explain how our threat detection analysts used netflow data captured from our global internet infrastructure to uncover the previously unstudied layered network approach the operators of Dridex use, and its unexpected overlap with the Emotet infrastructure.</p>
<h2 id="once-upon-a-time-when-analyzing-emotet-traffic">Once upon a time when analyzing Emotet traffic</h2>
<p>It was observed by threat detection analysts that an Emotet C2 server was repeatedly communicating with the IP 179.43.147.77 over port TCP/38400. This was an abnormality in the Emotet network infrastructure behavior we’d seen so far.</p>
<p>In response to this abnormality, our threat detection team opened an investigation in an attempt to identify the purpose and behavior of 179.43.147.77.</p>
<p>During long term monitoring and analysis of netflow gathered from our global internet infrastructure we observed multiple malware families communicating with the IP over the same port, TCP/38400. The below image summarizes our observations:</p>
<img src="/img/blog/dridex-and-emotet-infrastructure-overlaps/In_Text_1_740x555.jpeg" alt="malware communicating with IP" title="malware communicating with IP" width="740" height="555" />

<p>In numbers, we observed the following to speak with 179.43.147.77 over TCP/38400:</p>
<ul>
<li>10 Emotet epoch 2 C2s</li>
<li>4 Emotet epoch 3 C2s</li>
<li>7 Dridex C2s</li>
</ul>
<p>Analysis of available open-source intelligence (OSINT) shows that 179.43.147.77 has been used by the group TA505 at 2019-06-20 to distribute the malware FlawedAmmyy1 2. The hosting company that the IP belongs to, Private Layer Inc, is an offshore hosting company which has been observed to be utilized by threat actors in the past.</p>
<p>The questions start stacking up, what is the purpose of 179.43.147.77? And is it still managed by TA505?</p>
<p><strong>Exploring the connection to TA505</strong></p>
<p>Given that FlawedAmmyy was distributed from 179.43.147.77 at 2019-06-20 it was investigated if TA505 still manages this server. The currently used SSH key was set in the timeframe 2019-06-20 - 2019-07-20 based on historical scanning data as Shodan performs internet wide scans at least once a month3:</p>
<img src="/img/blog/dridex-and-emotet-infrastructure-overlaps/In_Text_2_740x555.png" alt="malware communicating with IP" title="malware communicating with IP" width="740" height="555" />

<p>If it was the case that the new SSH key was set at 2019-06-20 it indicates that the same operator which distributed the TA505 tied FlawedAmmy sample is also operating the administration of command and control servers connecting over port 38400.</p>
<p>Dridex has been distributed and used by TA505&lt;sup4&lt;&gt;, which strengthens the connection.&lt;/sup4&lt;&gt;</p>
<p>Going against this theory is that TA505 has no known ties to the Emotet group, which begs the question why they would manage Emotet C2 servers.</p>
<p>Furthermore, no malware families which TA505 is known to use besides Dridex have been seen to communicate with 179.43.147.77 making the connection even weaker.</p>
<p>Based on these observations, it’s believed that the operator of 179.43.147.77 changed after the distribution of FlawedAmmy.</p>
<p><strong>The use case of 179.43.147.77</strong></p>
<p>Central to the use case behind 179.43.147.77 is knowing when the connecting servers are becoming active C2 servers. If they initially connect to 179.43.147.77 for a duration of time, then stop communicating and become active C2 nodes instead, it could indicate that the operator of 179.43.147.77 handover or sale of access to those servers.</p>
<p>On the other hand, if communication between the servers and 179.43.147.77 is ongoing while the servers are active C2s, it implies that 179.43.147.77 has a closer tie to the groups behind Emotet and Dridex.</p>
<p>We don’t believe that the operator behind 179.43.147.77 has coincidently hacked the same servers as the groups behind Emotet and Dridex, as the incoming connections towards 179.43.147.77 are almost exclusively Emotet and Dridex C2-servers, i.e. indicating non-randomness in controlled servers.</p>
<p><strong>Dridex C2s activity timeline</strong></p>
<p>Below is a timeline visualizing when it was observed that the Dridex C2s speak with 179.43.147.77 and also when they were included as C2s in Dridex binaries.</p>
<img src="/img/blog/dridex-and-emotet-infrastructure-overlaps/In_Text_3_740x555.png" alt="malware communicating with IP" title="malware communicating with IP" width="740" height="555"/>

<p>The timeline shows that the majority of the IPs are acting as C2s while they communicate with 179.43.147.77, which lowers the likelihood of the operator 179.43.147.77 to only handover access of the managed servers to other actors.</p>
<p><strong>Emotet epoch 2 activity timeline</strong></p>
<p>Doing the same analysis with the Emotet epoch 2 C2s shows somewhat inconclusive behavior:</p>
<img src="/img/blog/dridex-and-emotet-infrastructure-overlaps/In_Text_4_740x555.png" alt="malware communicating with IP" title="malware communicating with IP" width="740" height="555" />

<p>It seems that they actively start speaking with 179.43.147.77 after or at the same time they became Emotet C2s. Five C2s with spotty monitoring coverage were excluded from the graph due to too little available netflow capture for timeline analysis.</p>
<p><strong>Conclusion</strong></p>
<p>Our threat detection analysts make the conclusion that the operator of 179.43.147.77 has strong ties to one of the current groups using the Dridex malware from late December 2019 and is continuing to this day. Threat actors face takedowns of their infrastructure and see a need for persistence and centralized control, as seems to be the case here.</p>
<p>The result of this discovery was used by the team to update the threat detection services coverage to monitor for command and control servers in customer environments before they are, if ever, publicly known. The team continuously monitors the underlying network infrastructure behind the operations of threat actors in order to improve our detection capabilities and uncover previously unknown relations.</p>
<p>In the recently released 2020 Global Threat Intelligence Report, our researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Threat actors are innovating and evolving their tradecraft’. Read more about how automation, multi stage payloads and custom targeted malware are changing the threat landscape here.</p>
<p><strong>References</strong></p>
<ul>
<li>[1] <a href="https://urlhaus.abuse.ch/url/210523/">https://urlhaus.abuse.ch/url/210523/</a></li>
<li>[2] <a href="https://securitynews.sonicwall.com/xmlpost/malicious-office-files-are-seen-distributing-flawedammy-rat/">https://securitynews.sonicwall.com/xmlpost/malicious-office-files-are-seen-distributing-flawedammy-rat/</a></li>
<li>[3] <a href="https://www.us-cert.gov/ncas/alerts/aa19-339a">https://www.us-cert.gov/ncas/alerts/aa19-339a</a></li>
<li>[4] <a href="https://help.shodan.io/the-basics/on-demand-scanning">https://help.shodan.io/the-basics/on-demand-scanning</a></li>
</ul>


Dridex and Emotet infrastructure overlaps

<p>Digital optimism despite increased cyber threats and cross-border collaboration were two of the main themes of the Aspen Digital Global Cyber Security Group workshop in Madrid, Spain, in which NTT Security Holding’s CEO Shinichi Yokohama participated. The event was organized by Aspen Digital and aims to address significant technology and security challenges, and explore solutions for international cybersecurity collaboration across the public and private sectors. </p>
<p>The workshop brought together representatives from various backgrounds, sectors and nationalities to foster a rich dialogue about pressing matters. We had the opportunity to catch up with Shinichi to discuss the key takeaways from the workshop and his perspective on global cyber security collaboration. </p>
<h2 id="shinichi-what-was-the-overall-atmosphere-at-the-aspen-digital-global-cyber-security-group-workshop">Shinichi, what was the overall atmosphere at the Aspen Digital Global Cyber Security Group workshop?</h2>
<p>The atmosphere was quite optimistic despite the challenging nature of our discussions. One of the main things I observed was the underlying optimism from all sectors and nationalities about the future of a digital society. There was a shared belief among us delegates that while cyber threats are a byproduct of digitalization, the benefits of digital progress outweigh the risks. </p>
<p>Despite the growing threat landscape, we shared a belief that collaboration, between sectors and nations, is paramount for the protection of critical infrastructure under the current &quot;new norm&quot;. This &quot;new norm&quot; refers to the increasingly complex and persistent cyber threat environment that Chief Information Security Officers (CISOs) in the private and public sector must navigate.</p>
<h2 id="how-is-the-balance-of-responsibility-between-the-public-and-private-sectors-progressing-in-terms-of-cyber-security">How is the balance of responsibility between the public and private sectors progressing in terms of cyber security?</h2>
<p>The balance is shifting. Historically, national security was primarily the government&#39;s responsibility. However, in the realm of cyber security, the private sector plays an equally crucial role. I once made an analysis which showed that in Japan, over 90 percent of IT and data assets are owned and handled by private companies. This is likely true for many other countries as well. Therefore, ensuring national cyber security cannot be achieved by the government alone. Private companies, the government, including public sector operations, and citizens must all be proactive in their cyber security measures. This collaboration between the public and private sectors is vital.</p>
<h2 id="can-you-elaborate-on-the-different-roles-that-the-government-and-private-sector-play-in-cyber-security">Can you elaborate on the different roles that the government and private sector play in cyber security?</h2>
<p>There are specific functions that only governments can perform, such as law enforcement and international cooperation in arresting cyber criminals. Governments can also lead proactive cyber defense measures, where private companies are limited, which are essential for preventing attacks before they happen. The private sector not only owns and operates most of the infrastructure that needs protection, but it also possesses the most advanced competence and technology within cyber security. They are expected to implement robust cyber security practices and share threat intelligence with the government to create a broad cyber defense strategy.</p>
<h2 id="are-there-any-examples-of-successful-collaborations-between-public-and-private-in-cyber-security">Are there any examples of successful collaborations between public and private in cyber security?</h2>
<p>Ukraine is a noteworthy example. Before the full-scale Russian invasion in February 2022, there was significant collaboration between the Ukrainian government and critical infrastructure companies, such as those in the transport, telecommunications, and power sectors. This proactive defense strategy has helped to mitigate the impact of cyber attacks during the war. This is an excellent example of the importance of collaboration between the public and private sectors.</p>
<h2 id="what-gives-you-optimism-that-we-will-manage-the-huge-cyber-challenges-we-face">What gives you optimism that we will manage the huge cyber challenges we face?</h2>
<p>History shows that humanity is capable of minimizing damage while maximizing the benefits of new technologies. Whether it was the start of automobiles or electricity, we have always found ways to use technology for good while mitigating its risks. I believe the same will happen with digital technologies. Our discussions at the Aspen Digital Global Cyber Security Group reaffirmed my belief in the power of human cleverness and collaboration to overcome these challenges.</p>
<p>The next meeting of the Aspen Digital Global Cyber Security Group is set for the fall. This upcoming event promises to build on the progress made in Madrid and continue the important yet encouraging discussions around global cyber security collaboration.
To learn more about the <a href="https://www.aspeninstitute.org/" target="_blank" rel="noopener nofollow">Aspen Institute</a> and <a href="https://www.aspendigital.org/" target="_blank" rel="noopener nofollow">Aspen Digital</a>, please visit their website.</p>


NTT Security Holding’s CEO Shinichi Yokohama: Ensuring global cyber security requires public-private collaboration

<p><strong>Report contains global attack data collected and analyzed from January 1, 2022, to December 31, 2022.</strong></p>
<p><strong>Tokyo, JP – 30 May 2023 –</strong> From the disruption of fuel distribution to the interruption of emergency healthcare services, cyberattacks are no longer confined to cyberspace.</p>
<p>The recently released 2023 Global Threat Intelligence Report by NTT Security Holdings highlights the growing convergence of cyberthreats and their physical implications. This timely report sheds light on the most prevalent attacks of the past year and provides crucial recommendations to safeguard businesses from evolving threats.</p>
<p>“In 2022, NTT Security Holdings observed continued attacks against organizations in the critical infrastructure and supply chain sectors. Impact on day to day life from nation-state and organized cybercriminals behind these threats increased significantly,” said Gregory Garten CTO, NTT Security Holdings. “The continued success of phishing and exploitation of older vulnerabilities highlight the skills shortage in cybersecurity and lack of proper attack surface management, underscoring the need for a mature and cohesive cyber defense solution.”</p>
<h2 id="key-insights-from-the-2023-report">Key Insights from the 2023 Report</h2>
<ul>
<li>The integration of technology into infrastructure and supply chains made sectors like Technology, Manufacturing, and Transport/Distribution particularly vulnerable.</li>
<li>Attacks targeting cloud and Software-as-a-Service (SaaS) platforms continued to increase. In fact, web-based and desktop application threats accounted for a staggering 70% of attacks.</li>
<li>WordPress emerged as the most attacked Content Management System (CMS) software in the Americas, APAC (Asia Pacific), and EMEA (Europe, the Middle East, and Africa).</li>
<li>Banking Trojans experienced a slight decline from the previous year, but Cryptominers saw a resurgence despite the fluctuating value of many cryptocurrencies.</li>
<li>Attackers focused on high-impact vulnerabilities, with nearly 75% of them having critical- or high-severity CVSSv3 scores.</li>
</ul>
<p>Despite significant efforts to disrupt and dismantle attacks, cyberthreats continue to evolve at a rapid pace. “Organizations around the globe must ensure that their cybersecurity measures keep pace to protect their digital assets and infrastructure,” added Garten. “Our hope is that business and technical leaders leverage this report’s insights to plan and execute their security strategies.”</p>
<h2 id="how-to-access-the-full-report">How to Access the Full Report</h2>
<p>For a comprehensive understanding of the latest cyberthreat landscape, you can download the complete <a href="/global-threat-intelligence-report-2023">2023 Global Threat Intelligence Report</a></p>
<h3 id="about-ntt-security-holdings">About NTT Security Holdings</h3>
<p>NTT Security Holdings, a Group company, provides proactive cyber defense and services that make use of gathered human resources and intelligence to protect our customers and society. For more than 20 years, our company has helped clients protect their digital businesses by predicting, detecting, and responding to cyberthreats, while supporting business innovation and managing risk. Our SOC, R&amp;D centers and security experts deliver unsurpassed threat intelligence and handle hundreds of thousands of security incidents annually. Together, we secure the connected future.</p>
<h3 id="media-enquiries">Media Enquiries:</h3>
<p>Jeremy Nichols</p>
<p>Director, Global Threat Intelligence Center</p>
<p>NTT Security Holdings</p>
<p>T:  +1 (402) 361-3053</p>
<p>E:  <a href="mailto:&#x6a;&#x65;&#114;&#101;&#x6d;&#x79;&#46;&#110;&#105;&#99;&#104;&#x6f;&#108;&#x73;&#x40;&#103;&#108;&#x6f;&#98;&#x61;&#x6c;&#46;&#110;&#116;&#116;">&#x6a;&#x65;&#114;&#101;&#x6d;&#x79;&#46;&#110;&#105;&#99;&#104;&#x6f;&#108;&#x73;&#x40;&#103;&#108;&#x6f;&#98;&#x61;&#x6c;&#46;&#110;&#116;&#116;</a></p>


NTT Security Holdings 2023 Global Threat Intelligence Report

Watch the NTT Security Holdings Global Threat Intelligence Report Webinar

<p>Today, every business or organization – no matter the size – is at risk of a ransomware attack. Governments, private sector businesses and even tech companies (companies you think would know how to protect themselves) have faced debilitating cyberattacks in recent months. The cost of these attacks is staggering. In 2021 alone, ransomware victims <a href="https://therecord.media/ransomware-victims-paid-more-than-600-million-to-cybercriminals-in-2021/" target="_blank" rel="noopener">paid more than $600 million to cybercriminals</a>. To put that number into perspective, the <a href="https://www.cybersecuritydive.com/news/ransomware-attacks-payouts-2021/622784/#:~:text=Ransomware%20hit%2066%25%20of%20mid,with%20%24170%2C000%20the%20prior%20year." target="_blank" rel="noopener">average of these payments</a> reached $812,000 – up from an average payment of $170,000 in 2020.  </p>
<h2 id="a-tech-giant-falls-victim">A Tech Giant Falls Victim</h2>
<p>Cisco ranks number 63 on the Fortune 100 with $49 billion in revenue. But on August 10, 2022, Cisco confirmed that its <a href="https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/" target="_blank" rel="noopener">corporate network had been breached</a> by the Yanluowang ransomware group in May of 2021. According to the threat actor, 2.75GB of data had been stolen, including everything from NDAs to engineering drawings.</p>
<p>How could a company like Cisco fall victim to this attack? All it took was one employee. The threat actors hijacked an employee’s personal Google account and found credentials synced from their browser. From there, the attacker tricked the employee into accepting a phony multi-factor authentication (MFA) push notification. That’s all it took for the threat actor to get its foot in the door of the company’s network and then into the company’s servers and domain controllers.</p>
<img src="/img/blog/protection-from-ransomware/ransomware-example.jpg" alt="Cisco incident email" width="739" height="452" loading="lazy">

<p>Eventually, Cisco detected the attackers and successfully evicted them from their digital environment. However, over the following weeks, the attackers continued to try to regain access to Cisco’s network.</p>
<h2 id="you-dont-have-to-be-big-to-get-hacked">You Don’t Have to Be Big to Get Hacked</h2>
<p>While it makes sense for threat actors to go after the big guys (the bigger the company, the bigger the potential ransom), mid-sized organizations face the same risks. In 2021, <a href="https://www.cybersecuritydive.com/news/ransomware-attacks-payouts-2021/622784/#:~:text=Ransomware%20hit%2066%25%20of%20mid,with%20%24170%2C000%20the%20prior%20year." target="_blank" rel="noopener">66% of mid-sized organizations worldwide</a> found their digital landscape had fallen victim to cyberattacks – an increase of 37% over 2020. Worse still, 46% of these breached companies paid a ransom. As mentioned above, the average payment reached $812,000 in 2021.</p>
<h2 id="entire-countries-face-risks">Entire Countries Face Risks</h2>
<p>Over the past two months, Costa Rica has been crippled by two major ransomware attacks. Declaring the attacks a <a href="https://www.wired.com/story/costa-rica-ransomware-conti/" target="_blank" rel="noopener">national emergency</a> (the first time that a country has ever called a cyberattack a “national emergency”),  the breaches have crippled many essential services, halted international trade and cost the country millions as the affected organizations have had to perform their work on paper instead of on computers. According to Costa Rica’s president Rodrigo Chaves, the first attack targeted 27 government bodies, while the second attack focused on the country’s healthcare system. </p>
<p>Allegedly perpetrated by the Conti hacking group, the attacker demanded a $10 million ransom payment, which later ballooned to $20 million when no ransomware payments were made. </p>
<h2 id="bounties-on-attackers">Bounties on Attackers</h2>
<p>In addition to targeting Costa Rica, Conti has also attacked hospitals and businesses around the world. Their estimated ransomware earnings totaled over $180 million last year alone. Conti has become so dangerous, that the US State Department announced <a href="https://www.wired.com/story/conti-group-ransomware-members-reward-target/" target="_blank" rel="noopener">bounties of up to $10 million</a> for anyone who provides useful information about individual members of Conti. </p>
<img src="/img/blog/protection-from-ransomware/ransomeware-example-2.jpg" alt="bounty hunt information" width="739" height="452" loading="lazy">

<h2 id="how-to-protect-your-business">How to Protect Your Business</h2>
<p>Cyberattacks can be devastating and costly to an organization – and the threats are continuing to evolve and become more malicious. When it comes to protecting your digital environment, prevention is the best medicine. The United States Computer Emergency Readiness Team (US-CERT) recommends a number of measures to protect your networks from ransomware infection:</p>
<ul>
<li><strong>Establish a data backup and recovery plan.</strong> Make sure to have a plan for all critical information. By performing backups on a regular basis, you’ll limit the effects of data loss and help to expedite the recovery process. Also, since any backup connected to your network can still be at risk for ransomware, you’ll want to isolate your most important backups from the network. It is also important for backups to be immutable (they cannot be changed) to help in preventing a ransomware attacker from also attacking your backups. </li>
<li><strong>Install the latest patches.</strong> Many attacks target applications and operating systems. To protect against these attacks, make sure you keep your operating system and software up to date by installing the latest patches. </li>
<li>Use the latest <strong>endpoint protection software</strong> and make sure it’s up to date.</li>
<li><strong>Restrict privileges.</strong> Limit the ability of people within your organization to install software on their own. Restricting these privileges may help to stop malware from running or limit its ability to breach your network. Where users do require admin privileges, they should not always work with elevated privileges. Most operating systems now follow this approach, where you need to enter a password in order to use admin privileges.</li>
<li><strong>Safeguard emails.</strong> Make sure everyone in your organization knows to NOT click any links in emails or download attachments unless they trust the sender. This requires training. It is also worth considering less subtle measures, like inserting headers into external emails to make sure that users are aware of them.</li>
</ul>
<h2 id="to-pay-or-not-to-pay-a-ransom">To Pay or Not to Pay a Ransom?</h2>
<p>US-CERT discourages organizations from paying ransomware. The main reason is that paying the ransom doesn’t guarantee that the threat won’t be carried out. However, US-CERT also acknowledges that you may not be able to retain your data without paying a ransom if you fall victim to Cryptolocker, Cryptowall or other sophisticated ransomware. As always, the first step to defending your cyber landscape is a strong offense. Follow the tips above and always stay vigilant. It may not be easy but staying one step ahead of threat actors can help to protect your business from expensive ransomware attacks.</p>


Ransomware is everywhere

<p>Last year was an unpredictable year in the cybersecurity. A dynamic evolving threat landscape comprised of determined cyber adversaries, innovative tools and refined techniques are challenging the status quo. With pandemic and mounting supply-chain disruptions impacting business continuity, companies – now more than ever – are looking for cybersecurity partners to navigate this landscape. Join our webinar with Mark Thomas, Head of Threat Intelligence at NTT provide insights into the key findings of NTT 2022 Global Threat Intelligence Report.</p>
<p>We provide an exclusive look into:</p>
<ul>
<li>Shift into critical infrastructure and supply chains attacks</li>
<li>How cloud migration is changing global attacks</li>
<li>Most targeted industries</li>
<li>Most common malware types</li>
<li>Type of attacks that Incident Response teams spend most time on</li>
</ul>
<h2 id="webinar-august-17-2022">Webinar: August 17, 2022</h2>
<h3 id="1000am-1045am-cet">10:00am-10:45am (CET)</h3>
<p>Speaker - Mark Thomas</p>
<p>Head of Threat Intelligence, NTT</p>
<p>For the past 21 years, Mark has worked in the Cyber Security field establishing pragmatic, business-aligned risk minimization strategies and cyber defenses to reduce losses, protect brand reputation, and achieve return on investment. His broad knowledge and in-depth expertise are a result of working extensively with large enterprise. Mark has had senior leadership and technical management roles, driving mission-critical SOC operations in geographically dispersed matrix environments, enabling greater business resilience and security agility. He is known for assisting clients achieve early threat detection and rapid response in combating new waves of cyber-attacks through best-practice computer network defense.</p>
<p>Sign up here:</p>


NTT Global Threat Intelligence Report Webinar

<p>Cyberhoten blir alltmer sofistikerade, korrekt detektion och snabb respons är viktigare än någonsin tidigare. Samtidigt är av stor betydelse att företag, organisationer och myndigheter uppfyller kraven i Säkerhetsskyddslagen genom att hantera sin data på rätt sätt. Under webbinariet kommer vi att ge dig värdefulla insikter och strategier om hur du kan stärka cybersäkerheten och samtidigt hantera all data inom ditt egna nätverk.</p>
<p>Du kommer bland annat få ta del av:</p>
<ul>
<li>Aktuella hotbilder och trender inom cybersäkerhet - de viktigaste insikterna från vår senaste rapport.</li>
<li>Hur du säkerställer kontroll över din datahantering för att uppfylla kraven i Säkerhetsskyddslagen.</li>
<li>Strategier för att hantera data inom det egna nätverket och förhindra oavsiktlig dataexport.</li>
<li>Live demonstration av en hackerattack och hur vårt säkerhetscenter i Göteborg hanterar den.</li>
</ul>
<p>När: Onsdagen den 21 juni
Tid: Kl. 9:00-10:00</p>
<p>För frågor och anmälan, kontakta <a href="mailto:marcus.silwer@global.ntt">marcus.silwer@global.ntt</a></p>


Så stärker du cybersäkerheten – hantering av data inom det egna nätverket

<p>In the fall of 2018, the security division of NTT Ltd. added botnet infrastructure detection capabilities to its Managed Security Services (MSS) and threat detection services. In the initial press release, there were limited details released on how our machine learning system leverages our access to NTT Ltd.’s global network infrastructure. We own and operate one of the world&#39;s largest tier-1 IP backbone having insight into a significant portion of the global internet traffic and is consistently ranked among the top five network providers in the world.</p>
<p>In this blog post, we’ll explain how our threat detection analysts used netflow data captured from our global internet infrastructure to uncover overlaps of the Emotet command and control (C2) infrastructure with a previously unknown IRC botnet.</p>
<p><strong>Once upon analysing Emotet traffic</strong>
It was observed by threat detection analysts that 16 Emotet command and C2s speak with the IP 63.147.95.189 over port
TCP/65456:</p>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/Shellbot_emotet_traffic_image.jpeg" alt="Shellbot emotet traffic" title="Shellbot emotet traffic" width="624" height="452" />

<p>A correlation search on Open-Source Intelligence (OSINT) sources uncovered the following file hosted on the same IP:</p>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/OSINT_image.jpeg" alt="OSINT" title="OSINT" width="318" height="172" />

<p>Analysing foo.txt we came to the conclusion that it is an IRC Perl bot.</p>
<p>The settings are:
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/HTML_response_image.png" alt="PERL bot settings" title="PERL bot settings" width="994" height="76" /></p>
<p>Simplifying the code above one step, we can see how the C2 IP is set, which port is used, the room to join and a list of admins which can send commands:
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/Shellbot_Commands_image.png" alt="Simplified above code" title="Simplified above code" width="395" height="79" /></p>
<p>We connected to 63.147.95.189 with an IRC client in order to confirm the theory that there’s an IRC service running on port 65456:
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/In_Text_4.jpeg" alt="Connected to IP via IRC Client" title="Connected to IP via IRC Client" width="740" height="555" /></p>
<p>Unexpectedly the IRC server went down, and we laid the project to rest. However, in February 2020, it was once again online and, this time, with a lot of fever victims connected. One day, the admin connected and sent commands in the channel:
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/In_Text_4.jpeg" alt="Admin sends commands to IRC channel" title="Admin sends commands to IRC channel" width="740" height="555" /></p>
<p>As can be seen, the actor sent various commands which all involved the uninstallation of any victims still speaking with the C2. We’ll proceed with further analysis of the source code of the IRC bot.</p>
<p>Code similarities with Shellbot</p>
<p>Shellbot is an IRC bot which previously has been researched 1 2. The sample observed here stored in foo.txt has a subset of the functionalities of the Shellbot samples referenced by other researchers 3.</p>
<p>The bullet points over function name similarities and dissimilarities between foo.txt and the Shellbot sample 3 :</p>
<ul>
<li>26 functions with the same name</li>
<li>17 function names only seen in Shellbot sample 3</li>
<li>Five function names only seen foo.txt</li>
</ul>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/Shellbot_indicator_table_image.jpeg" alt="Shellbot indicator table" title="Shellbot indicator table" width="390" height="666" />
_Function name difference table, where green indicates that the function only exists in foo.txt and red shows it only exists in Shellbot sample 3 :_

<p>Throughout the code there are large code overlaps showing that the bot is built upon a similar code base but has been evolutionized by different actors over time.
Here’s an example of a code overlap where the only difference is that the function and variable names are in Portuguese and English:
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/HTML_code.jpeg" alt="Portugeuse vs English code overlap" title="Portugeuse vs English code overlap" width="1022" height="296" /></p>
<p>The function name and code segment overlaps are confirmation that foo.txt is a Shellbot variant. The large availability of samples makes any attribution of the actor behind this activity unlikely.</p>
<p><strong>Victimology</strong></p>
<p>In our backend, we’ve captured over 80 victims connecting over port 65456 to the C2. Based on OSINT data from Shodan on these victims, we attempted to find the common denominator for the likely original point of exploitation. We started by listing the used ports:</p>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/Shellbot_used_ports_image.jpeg" alt="Shellbot ports used" title="Shellbot ports used" width="740" height="555" />

<p>As can be seen, the most common ports show us no surprises, with port 22 used by 81%, indicating most victims to be *nix variants. Port 80 and 443 also occur on most of the victims, with a close to even distribution of NGINX and Apache, the ones classified as http or https are products unknown to Shodan:</p>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/pie_1.jpeg" alt="most common services" title="most common services" width="740" height="555" />

<p>We also tried to group by the number of victims affected by the same CVE, at most we only observed five victims were affected by the same CVE:</p>
<img src="/img/blog/shellbot-victim-overlap-with-emotet-network-infrastructure/Pie_2.jpeg" alt="most common services" title="most common services" width="740" height="555" />

<p>It might be that the actor is using scanners which exploits multiple known vulnerabilities and/or performs password bruteforce.</p>
<p><strong>Conclusion</strong></p>
<p>We consider the overlap of victims with Emotet C2s incidental. The massive amount of exploitation attempts which occur on the internet inevitably leads to multiple actors exploiting and operating on the same machines. Nevertheless, with this research we’ve been able to add detection for a previously unknown C2 server for the protection of our customers.</p>
<p>In the recently released 2020 Global Threat Intelligence Report, NTT Ltd. researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Attacks are focusing on web applications’. Read more about how attacks towards web applications and open-source software is changing the threat landscape here.</p>
<p><strong>Indicators of compromise</strong>
44f1bc205590b4f7f9436cf0321fb1c754611a6d7a3abf986a8e1511eb843e93
63.147.95.189</p>
<p><strong>References:</strong>
1 <a href="https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf">https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf</a>
2 <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/">https://blog.trendmicro.com/trendlabs-security-intelligence/perl-based-shellbot-looks-to-target-organizations-via-cc/</a>
3 Sample from [1] 331bafbf48e1ece5134bc42f4a9bd2be</p>


Shellbot victim overlap with Emotet network infrastructure

<p>NTT Security is closely following the evolution of the banking malware TrickBot which has been involved in multiple major incidents such as deployments of the now infamous ransomware Ryuk crippling global organizations and large cities.</p>
<p>In this blog post, we will first provide a description on the commonly observed way of distributing TrickBot and then go into detail on targeted activity where the Powershell backdoor PowerBrace was deployed through an active infection. The use of PowerBrace is noteworthy as there are only a few samples available in public and it has been attributed to other major threat actors, indicating previously unknown collaborations.</p>
<p>The research in this blog post is based on detected customer incidents through managed security services, incident response engagements and TrickBot infrastructure-mapping using the NTT Tier 1 internet backbone infrastructure. We have previously written about our research here.</p>
<h2 id="distribution-method">Distribution method</h2>
<p>NTT Security observes that the threat actor behind TrickBot mainly uses two distribution methods to deliver the malware. The first one is traditional email campaigns where the threat actor is behind the distribution themselves. From the victim’s view, it has the following workflow:</p>
<ol>
<li>User receives email with malicious attachment, for example a Word document with macro code</li>
<li>Attachment is opened and macro code is executed. The macro code downloads TrickBot from an external server</li>
<li>The TrickBot sample is executed and the client is infected</li>
</ol>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-19-35-066-5d275387989b6e151430daf7.png" alt="Trickbot infects client" title="Trickbot infects client" width="892" height="184" />

<p>The other increasingly popular way is to collaborate with external successful malware distributors such as the group behind Emotet. Emotet is a malware which is most commonly spread through email campaigns. Once a successful infection has taken place, it has been observed that additional malware, such as TrickBot, are fetched and installed.</p>
<h2 id="powerbrace-backdoor-deployment">PowerBrace backdoor deployment</h2>
<p>During May 2019, NTT Security’s Security Operation Center (SOC) observed the TrickBot threat actor deploying the Powershell backdoor PowerBrace towards a small subset of victims. We assess that the victims were manually singled out by the TrickBot actor due to their high profile/high impact.</p>
<p>The workflow for manually singled out victims is outlined below:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-20-19-405-5d2753b38cb62403f0943b19.png" alt="Workflow for singled out victims" title="Workflow for singled out victims" width="966" height="421" />

<p>The PowerShell command used to deploy PowerBrace was as follows:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-21-00-317-5d2753dc8cb62403f0943b35.png" alt="Powershell deployment" title="Powershell deployment" width="831" height="179" /> 

<p>As can be seen, the backdoor is downloaded from hxxp://util98[.]com/navleft.gif and have the C2 server provided as argument pp with domain qqcore[.]co and port 443.</p>
<p>The backdoor communicates over SSL and additionally all its traffic is bytewise XOR encoded.</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-21-13-850-5d2753e9989b6e151430db3e.png" alt="backdoor communications" title="Powershell deployment" width="1120" height="405" />

<p>Each time the backdoor is run, a 15-character long session key is generated and sent to the C2 server.</p>
<p>The session key is required each time the C2 server communicates with the client, otherwise, the commands will be ignored.</p>
<p>The backdoor supports multiple commands – a list of them below:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-21-49-523-5d27540d989b6e151430db59.png" alt="backdoor commands" title="backdoor commands" width="313" height="391" />

<p>There are also a few features which are not implemented:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-22-17-580-5d2754298cb62403f0943b71.png" alt="unimplemented backdoor commands" title="unimplemented backdoor commands" width="168" height="117" />

<p>To analyze the behavior of an active install, NTT Security created a basic server which mimics the C2 server behavior. </p>
<p>The initial client check-in looks like:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-22-51-416-5d27544b8cb62403f0943b88.png" alt="initial client check" title="initial client check" width="704" height="98" /> 

<p>Example of invoking the cmd directory listing command:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-23-19-533-5d2754678cb62403f0943b9b.png" alt="cmd directory listing" title="cmd directory listing" width="529" height="234" />

<p>The backdoor will delete itself at execution indicating it to be deployed only when needed and not to be used as a persistence mechanism:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-23-52-980-5d275488989b6e151430dbd2.png" alt="deployment only when needed" title="deployment only when needed" width="478" height="37" />

<p>Our working theory is that PowerBrace is used as a tool during intrusions in order to quickly perform tasks such as file transfers, command execution, additional payload deployments etc.</p>
<p>At the end of the blog post, an Indicators of Compromise (IOC) section is provided with a yara rule for the backdoor included.</p>
<h2 id="context-before-attribution">Context before attribution</h2>
<p>The attribution puzzle of PowerBrace largely revolves around the TrickBot actor, TA505 group and Lazarus group. For readers not acquainted to these threat actors, we will provide an introduction to both TA505 and Lazarus.</p>
<p>TA505 is a financially motivated actor known to perform a large span of activities such as being the creators of multiple ransomware families, most famously Locky. It is also the creator of the banking malware Dridex. Additionally, <a href="https://web.archive.org/web/20191212212511/https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank" rel="noopener">it makes use of email campaigns and is known to, among other threats, distribute TrickBot</a>.</p>
<p>Lazarus, also known as Hidden Cobra and Guardians of Peace is a threat actor connected to the North Korean government. It is known for multiple high-profile activities, such as being the creator of WannaCry and the Sony breach. It is also <a href="https://web.archive.org/web/20191212212511/https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/" target="_blank" rel="noopener">financially motivated with targets such as cryptocurrency exchanges and banks</a>.</p>
<h2 id="attribution">Attribution</h2>
<p>With the above introduction about the groups completed, we will go into the details of how the PowerBrace backdoor come into the picture with TA505 and Lazarus.</p>
<p>BAE Systems attributed the creation of PowerBrace to the Lazarus group during the Kaspersky Security Analyst Summit 2019.</p>
<p>Additionally, <a href="https://web.archive.org/web/20191212212511/https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap" target="_blank" rel="noopener">Norfolkinfosec found OSINT IOCs indicating an overlap of tools used between TA505 and Lazarus where PowerBrace was part of the toolset</a>.</p>
<p>The observations of Norfolkinfosec summarized:</p>
<p>The Vietnamese CERT published a <a href="https://web.archive.org/web/20191212212511/http://xml12.quangtri.gov.vn/xml_snnnt/VBDI/CV__110_12.02.2019.signed.signed.pdf" target="_blank" rel="noopener">report</a> on an APT attack towards financial organizations where a PowerBrace sample is listed as an IOC. Among the listed IOCs are also a <a href="https://web.archive.org/web/20191212212511/https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/" target="_blank" rel="noopener">hash for a file named HSMBalance.exe which is attributed to Lazarus group</a>.</p>
<p>In the same report, there are IOCs overlapping with activity by the financially motivated group named TA505 reported in a <a href="https://web.archive.org/web/20191212212511/https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en" target="_blank" rel="noopener">blog post from Threat Intelligence Center at 360</a>.</p>
<p>This highlights a possible collaboration between Lazarus and TA505.</p>
<p>BAE systems has commented on the possibility of a collaboration in connection to an <a href="https://web.archive.org/web/20191212212511/https://www.wired.com/story/atm-hacks-swift-network/" target="_blank" rel="noopener">article in Wired</a> about attacks on ATM networks. The article has the following quote highlighted it:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-24-28-192-5d2754ac989b6e151430dc07.png" alt="wired quote" title="wired quote" width="527" height="168" />

<p>This connection does not seem to have a very high certainty as the speaker of the related SAS2019 talk <a href="https://web.archive.org/web/20191212212511/https://twitter.com/KevinPerlow/status/1116124672343597056" target="_blank" rel="noopener">commented on a Twitter post</a>:</p>
<img src="/img/blog/trickbot-drops-powerbrace/2019-07-11-15-24-55-600-5d2754c7989b6e151430dc29.png" alt="twitter post from SAS2019" title="twitter post from SAS2019" width="607" height="128" />

<p>The interesting point to make here is that TrickBot has dropped PowerBrace, a backdoor which seems to be created either by Lazarus or TA505 group.</p>
<p>Does this indicate that the TrickBot group is collaborating with Lazarus? Or does the TrickBot group collaborate with TA505 which in turn collaborates with Lazarus? Can it be the case that the author of PowerBrace actually is TA505 and not Lazarus?</p>
<p>The uncertainties are many in how these groups relate to each other. We can however say with:</p>
<ul>
<li>High confidence – that PowerBrace has been deployed through TrickBot infections</li>
<li>Medium confidence – that the TrickBot group has a collaboration with an external criminal financial actor during targeted attacks.</li>
</ul>
<h2 id="summary">Summary</h2>
<p>The TrickBot group has created a resilient malware infrastructure which poses a serious threat to companies and their users. NTT Security helps its customers detect, prevent and remediate TrickBot and PowerBrace infections via its threat detection services delivered from multiple 24/7 SOCs around the world. </p>
<p><em>Acknowledgement</em></p>
<p>The NTT Security team would like to extend a thank you to Saher Naumaan and team for sharing context information during the creation of this blog post, and to Norfolkinfosec for analyzing and correlating OSINT information.</p>


Targeted TrickBot activity drops 'PowerBrace' backdoor

<p>We’ve seen a TrickBot variant exclusively communicating over DNS. This variant is used in a campaign named Anchor_DNS, and we’re seeing it deployed on targets in the financial sector as well as high impact servers such as AD controllers.</p>
<p>In this blog post, we’ll go through the workflow taken by the actors in order to reach an Anchor_DNS infection, technically analyse the sample, and provide recommendations for detection.</p>
<h2 id="trickbot-group-workflow">TrickBot Group workflow</h2>
<p>The deployment workflow of Anchor_DNS begins with the typical distribution methods of TrickBot, such as mail-spam and malware droppers. The TrickBot campaigns related to this activity are common ones like, tot548, ser501 etc. When an infection has taken place, the actors attempt to move laterally in the network using Trickbot&#39;s automated spreading modules or via manual actions.</p>
<p>Our theory is that the actor investigates the newly infected victims and classifies their importance. If the victim is of high importance, the TrickBot operator might decide to migrate this victim to the Anchor_DNS campaign.</p>
<p>If deemed not interesting, the main working group’s standard operating procedure will take place, which typically includes activities such as password stealing, bank session hijacking and ransomware encryption among others.</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_1.jpeg" alt="Trickbot group workflow" title="Trickbot group workflow" width="740" height="555" />

<h2 id="tactics-behind-the-actors-of-anchor_dns">Tactics behind the actors of Anchor_DNS</h2>
<p>The insight into the actors behind Anchor_DNS TTPs is limited due to the small subset of victims compared to normal TrickBot infections; however, we’ve observed certain activity.</p>
<p>The actor has deployed remote administration tools such as Metasploit Meterpreter and, through them, deployed selected malware. The malware type depends on the target, but from what we’ve seen, ransomware and POS-oriented ones are prevalent.</p>
<p>Based on the above, our theory is that the deployment of tools from the Anchor_DNS C2 is, at least partially, on-request by premium customers of the TrickBot group.</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_2.jpeg" alt="Trickbot tactics" title="Trickbot tactics" width="740" height="555" />

<h2 id="technical-analysis">Technical analysis</h2>
<p>The following analysis is based on the Virustotal submitted Anchor_DNS TrickBot sample f7278cd22070f0418ac75b599b8bcc524ee9d6adbda4103d149c9484cdaeb4f3 which has submission countries Arab Emirates and Germany:</p>
<img src="/img/blog/anchor-dns-trickbot/Intextimage740x55531.jpeg" alt="Trickbot technical analysis" title="Trickbot technical analysis" width="740" height="264" />

<p>Submission countries for an in-the-wild URL for the executable also has South Korea as a submitter:</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_4.jpeg" alt="South Korean submitter" title="South Korean submitter" width="740" height="555" />

<p>Both the South Korea and the United Arab Emirates submitters occur in the Hacking team database leak released by Wikileaks [1][2] indicating either that the submitters have experienced previous intrusions, or that they are part of a widespread products automated Virustotal submissions.</p>
<h2 id="installation">Installation</h2>
<p>Upon execution, the malware will perform a few steps in order to ensure persistence.</p>
<p>First, the malware copies itself to the first allowed location of:</p>
<ul>
<li>C:\Windows\SysWOW64\</li>
<li>C:\Windows\</li>
<li>C:\Users\AppData\Roaming\</li>
</ul>
<p>The destination filename is each time randomly generated; examples are:</p>
<ul>
<li>gsmpgyda.exe</li>
<li>pwpowcrn.exe</li>
<li>mntsbdyh.exe</li>
</ul>
<p>Once copied, the file at the original path is deleted.</p>
<p>The newly created file is executed with the -i flag which initiates the setup of a scheduled task named &quot;WinRAR autoupdate#83029&quot;, which executes the dropped sample with parameter –u every fifteen minutes.</p>
<p>The –u option will perform standard communication with the C2 server, utilizing subdomain names to send data and resolved IPs as receival of data.</p>
<h2 id="data-streams">Data streams</h2>
<p>Anchor_DNS stores key strings for the malware base64 encoded as data streams written to the malware file.</p>
<p>Those are:</p>
<ul>
<li><strong>$FILE:</strong> C:\Windows\SysWOW64\mntsbdyh.exe (malware-location)</li>
<li><strong>$GUID:</strong> /anchor_dns/DESKTOP-C7FF9D5_W629200.03FCAA33763A8FE5CF0BF6FD99F5D2C/</li>
<li><strong>$TASK:</strong> WinRAR autoupdate#83029</li>
</ul>
<p>The <strong>$GUID</strong> data will be used during the connection towards the C2 server, <strong>$TASK</strong> is, as previously mentioned, the task name used for the scheduled task and <strong>$FILE</strong> is the current location of the malware.</p>
<h2 id="communication-over-dns">Communication over DNS</h2>
<p>C2 communication is performed over DNS which has previously not been seen by TrickBot.</p>
<p>The malware has three communication types, each are assigned a number:</p>
<ul>
<li>Type 0 (Send data)</li>
<li>Type 1 (Prepare for receival of data)</li>
<li>Type 2 (Receive data)</li>
</ul>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_5.jpeg" alt="malware communication types" title="malware communication types" width="740" height="555" />

<h2 id="communication-base-structure">Communication base structure:</h2>
<p>The client sends data using subdomains while the server responds with resolved IPs as response.</p>
<p>Subdomains are XOR encoded, observed key is 0xb9:</p>
<img src="/img/blog/anchor-dns-trickbot/Intextimage740x55562.jpeg" alt="observed key for subdomain" title="observed key for subdomain" width="740" height="123" />

<p>The three phases of communication all follow a basic structure, which consists of the message type and a 16-byte generated UUID:</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_7.jpeg" alt="UUID breakdown" title="UUID breakdown" width="740" height="555" />

<p>The generated UUID is unique for each lookup and most likely used make sure that messages are only handled once.</p>
<p>In the following three sections, we’ll discuss the structure and function of each message type.</p>
<h2 id="sending-of-data-type-0">Sending of data (type 0):</h2>
<p>Message type 0 is the sending of data which is structured as follows:</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_8.jpeg" alt="type 0 breakdown" title="type 0 breakdown" width="740" height="555" />

<p>As can be seen, the structure is fairly similar to the URI structure of the normal TrickBot variant which communicates over HTTP, example from Malware Traffic analysis;</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_9.jpeg" alt="Malware traffic analysis" title="Malware traffic analysis" width="740" height="555" />

<p>Prepare for receival of data (type 1):</p>
<p>The message type 1 is used in connection of message type 2 in order to receive data:</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_10.jpeg" alt="Type 1 breakdown" title="Type 1 breakdown" width="740" height="555" />

<p>Receive data (type 2):</p>
<p>Message type 2 which is the receival of data looks like this:</p>
<img src="/img/blog/anchor-dns-trickbot/Intext_image_740x555_11.jpeg" alt="Type 2 breakdown" title="Type 2 breakdown" width="740" height="555" />

<p>The C2 sends its data through the resolved IP addresses which can be like this:</p>
<img src="/img/blog/anchor-dns-trickbot/Intextimage740x555121.jpeg" alt="C2 resolved IP address" title="C2 resolved IP address" width="740" height="278" />

<p>The type 2 message will loop over until all data is received and action is taken.</p>
<p>Then it’ll start over with a type 0 message.</p>
<p>The documentation of this protocol is not complete, and we encourage fellow researchers to analyse it in detail.</p>
<h2 id="why-communicate-over-dns">Why communicate over DNS?</h2>
<p>It’s questionable why one would want to have C2 traffic over DNS, when the organization already is successfully infected with the regular TrickBot variant. From the attackers’ point of view, we see the following potential motivations:</p>
<ul>
<li>Separate C2 infrastructure – if cleanup of the network is made with the help of network forensics, it’s possible that this previously undocumented variant remains undetected.</li>
<li>DNS monitoring is lacking in certain organizations.</li>
<li>Important systems such as AD controllers are often expected to perform DNS requests, but not HTTP(S) traffic to unknown destinations.</li>
</ul>
<h2 id="has-my-organization-been-infected">Has my organization been infected?</h2>
<p>Besides having an effective security posture, monitoring for any of the following may help uncover an Anchor_DNS infection:</p>
<ul>
<li>DNS lookups containing the string “anchor_dns” XOR encoded</li>
<li>DNS anomalies</li>
<li>Endpoint monitoring of among other things, scheduled tasks</li>
</ul>
<h2 id="summary">Summary</h2>
<p>We’re continuously monitoring the actions of the Trickbot authors and their innovations to stay hidden while infecting victims around the world. This new TrickBot variant has been publicly unknown until now.</p>
<p>We hope this documentation encourages researchers to further investigate and document its behavior, as well as for potentially targeted organizations to keep this research in mind.</p>
<p>We help customers detect, prevent and remediate TrickBot infections via our threat detection services delivered from multiple 24/7 SOCs around the world.</p>
<p>IOCS:</p>
<img src="/img/blog/anchor-dns-trickbot/intext14.jpeg" alt="IOCs" title="IOCs" width="497" height="168" />

<p><strong>References:</strong></p>
<ul>
<li>[1] <a href="https://wikileaks.org/hackingteam/emails/emailid/78668">https://wikileaks.org/hackingteam/emails/emailid/78668</a></li>
<li>[2] <a href="https://wikileaks.org/hackingteam/emails/emailid/1078610">https://wikileaks.org/hackingteam/emails/emailid/1078610</a></li>
</ul>


TrickBot variant “Anchor_DNS” communicating over DNS

<p>In <a href="https://www.verizon.com/business/resources/executivebriefs/2019-dbir-executive-brief.pdf" target="_blank" rel="">Verizon’s Data Breach Investigations Report</a>, research from 41,686 security incidents and 2,013 data breaches indicated that <strong>94% of all malware is delivered by email</strong>. Such an alarming statistic indicates that now might be an ideal time to review some of the best ways to secure your personal and professional emails from cyberattacks.</p>
<h2 id="1-use-a-password-manager">1. Use a Password Manager</h2>
<p>Trying to keep track of dozens of different passwords for email accounts, social media accounts, subscriptions and more can be a daunting task. Which is why most people use one password over and over again. This reuse of the same password, however, increases the chances that your email account will be hacked. </p>
<p>A password manager can help to alleviate this problem. With a password manager, you assign a master password that regulates your password database. According to CNET, here are some of the best password managers:</p>
<ul>
<li><a href="https://bitwarden.com/" target="_blank" rel="noopener">Bitwarden</a>: Best free password manager</li>
<li><a href="https://www.lastpass.com/" target="_blank" rel="noopener">LastPass</a>: Best paid password manager</li>
<li><a href="https://1password.com/" target="_blank" rel="noopener">1Password</a>: Best paid password manager for multiple platforms</li>
</ul>
<h2 id="2-check-for-two-factor-authentication">2. Check for Two-Factor Authentication</h2>
<p>Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) that improves access security by requiring two methods to verify your identity. When registering a new email account, make sure that your account comes with 2FA support. This additional layer of protection enhances your email’s security and decreases the likelihood of your email account being compromised.</p>
<p>Once your two-factor authentication has been activated, you will receive an alert (typically a text message or warning linked to your smartphone) if someone tries to log into your email account. The only way access will be granted to your email account is if you allow the sign-in.</p>
<h2 id="3-invest-in-endpoint-protection-software">3. Invest in Endpoint Protection Software</h2>
<p>EPP is the first line of defense for protecting against cyberattacks entering your network via email. With this preventative software, you’ll have a powerful scanning tool for detecting malicious software, including worms, trojans and ransomware.  </p>
<h2 id="4-recognize-phishing-emails">4. Recognize Phishing Emails</h2>
<p>Phishing is an online scam where criminals try to steal your personal information by impersonating legitimate organizations. The phishing scams can be hatched through email, texts or ads and typically include a link that takes you to a fake website. To spot a phishing scam, <a href="https://www.itgovernance.co.uk/blog/5-ways-to-detect-a-phishing-email" target="_blank" rel="noopener">itgovernance.co.uk</a> offers these clues:</p>
<ul>
<li><p>The message is sent from a public email domain.
The most obvious way to spot a bogus email is if the sender uses a public email domain, such as “@gmail.com.” Google doesn&#39;t even send business emails that end in “@gmail.com.” If you see an email from a company, but the domain name (the part after the @ symbol) doesn’t match the supposed sender, the email is in all likelihood a fake.</p>
</li>
<li><p>The domain name is misspelled.
Some threat actors will go even further to scam you by registering a domain that looks similar to an actual domain. Also known as “typosquatting” or “URL hijacking,” this tactic can add a layer of authenticity to a scam email. As an example, domains could look like these:</p>
<ul>
<li>Amzon.com (instead of amazon.com)</li>
<li>Chasse.com (instead of Credit Card, Mortgage, Banking, Auto | Chase Online | Chase.com )</li>
<li>Facebok.com (instead of Facebook - log in or sign up )</li>
<li>Linkdin.com (instead of LinkedIn: Log In or Sign Up )</li>
</ul>
<p>  Scammers can also misuse the top-level domain system, which is the last part of the domain, such as .com, .org, .net or .edu. For example:</p>
<ul>
<li>Aol.cm</li>
<li>OWH联盟外投</li>
<li>chase.cm</li>
<li>Costco.cm</li>
<li>Walmart.cm</li>
</ul>
</li>
<li><p>The email is poorly written.
Oftentimes, English is not the first language of the scammers, which can result in misspellings, bad grammar and oddly worded sentences. If the email you’re reading has an excessive number of typos, avoid clicking on any links. Instead, reach out to the supposed sender via their website or phone number.</p>
</li>
<li><p>The email contains infected attachments or suspicious links.
You may not know if an attachment is infected until you click on it. The best course of action is to NEVER open an attachment from a source you don’t know and trust. If you’re not sure about an attachment, contact the alleged sender to verify that they sent the attachment.</p>
<p>  When viewing links on a desktop, you can hover over the link and the destination address will appear in a bar along the bottom of the browser. If this destination email address doesn’t match the context of the rest of the email, it’s a malicious link. On your phone, you can hold down on the link and a pop-up will appear showing the destination address. As with attachments, the best rule to follow is to NEVER click on a link unless you’re 100% certain that the email is authentic.</p>
</li>
<li><p>The message has an unnecessary level of urgency.
Phishing emails almost always encourage you to act immediately – and often tell you what bad things will happen if you don&#39;t act right away. Instead of clicking on a link or attachment immediately, pause and verify the source. This small delay can save your entire organization from getting hacked.</p>
</li>
<li><p>The message claims to be from a government agency or financial institution.
Another important hint to watch out for is that a lot of organizations like banks and government agencies don’t send you emails with any information (like bank statements) in them. For instance, banks will usually send you a message telling you to log into your account to retrieve new information like a bank statement. For example, the Australian government, through its mygov portal will only email you a notification to tell you that you have a new message in your mygov inbox.</p>
<p>  Another important point is that because of phishing emails, organizations like banks and government agencies usually do not provide any links to their sites in communications with you. It is never safe to click on a link in an email that you did not expect. Rather manually type in the URL of the website. Only click on a link in an email if you were expecting to get that email, and you have checked the URL.</p>
</li>
</ul>
<h2 id="5-dont-use-public-wi-fi-when-signing-into-your-email">5. Don’t Use Public Wi-Fi When Signing into Your Email</h2>
<p>Free public Wi-Fi can be appealing, but only use your personal mobile data when signing into your email account. Additionally, avoid using public computers often available in hotel business centers. </p>
<h2 id="6-safeguard-your-wi-fi-network">6. Safeguard Your Wi-Fi Network</h2>
<p>Whether talking about your business or home network, you’ll want to follow a few basic guidelines:</p>
<ul>
<li>Be sure to keep the Wi-Fi name hidden from strangers.</li>
<li>Don’t share your Wi-Fi network’s credentials with anyone.*</li>
<li>Use a strong password.</li>
<li>Change your Wi-Fi network password every 2 to 3 months.</li>
</ul>
<p>*In reality, these things are not as easy as they sound, for the following reasons: smart devices like light bulbs need your WiFi password and they are not easy to update. Friends often need to use your WiFi.</p>
<p>A good solution to this is that a number of WiFi routers allow you to set up a guest account which has different credentials, and which can be easily changed. Some more advanced WiFi systems also prevent guest users from accessing resources on your local network.</p>
<h2 id="7-keep-your-systems-updated">7. Keep Your Systems Updated</h2>
<p>Operating system updates typically come with security upgrades. Be sure to keep your computer, smartphone and tablet updated with the latest operating system to provide the best line of defense against potential email breaches.</p>
<h2 id="8-weed-your-digital-landscape">8. Weed Your Digital Landscape</h2>
<p>If you have apps on your phone or browser extensions on your computer that you no longer use, delete them. Most of us skip reading any permissions when installing a new app or extension, so there’s always a possibility that these can be gateways to gaining access to your email. Better to delete them if you’re not using them.</p>
<h2 id="9-change-passwords">9. Change Passwords</h2>
<p>If you don’t want to use a password manager as mentioned above, be sure to change your passwords often. It can be tedious – but getting hacked is worse.</p>
<p>By following these tips, you’ll be well on your way to securing your personal and professional emails from cyberattacks.</p>


9 ways to protect your emails from cyberattacks

<p>Advanced persistent threats (APTs) stand out over other forms of cyber attacks.</p>
<p>Before we get into it, first, we need to address: <a href="https://en.wikipedia.org/wiki/Advanced_persistent_threat" target="_blank" rel="noopener">What is an APT?</a> APT refers to a class of threat actor who uses stealth to establish unauthorized access, usually remaining undetected for a period of time, waiting until they are ready to accomplish their objective (usually political or economic). Where APTs can be especially insidious is when their goals are data theft or espionage.</p>
<p>APTs can not only be incredibly damaging --- persisting over a considerable period of time --- but they are also organized efforts typically led by a group or groups of hackers. It&#39;s this powerful and orchestrated collective force that makes APTs a particularly difficult threat to take down. </p>
<p>Difficult, but not impossible.</p>
<h2 id="understanding-apts">Understanding APTs</h2>
<p>Let&#39;s get to know an APT&#39;s objectives before covering how to stop them. </p>
<p>The groups behind APTs invest significant time and resources in creating advanced and sophisticated mechanisms of surveillance and infiltration. Once an APT is inside their target, they generally spend as much time as they can harvesting information and eventually can cause total chaos.</p>
<p>If efforts aren&#39;t made to prevent APTs from operating, then their legacy can be hugely detrimental to their victim and those in a similar industry.</p>
<p>There are broadly four categories by which you can classify an APTs goals:</p>
<ul>
<li><p>Theft of intellectual property - stealing secret information</p>
</li>
<li><p>Financial crime and theft - stealing for monetary gain</p>
</li>
<li><p>Destruction - aimed at total devastation of an organization</p>
</li>
<li><p>Hacktivism - hacking with the intention of exposing organizations by hackers that label themselves as activists.</p>
</li>
</ul>
<p>Now you&#39;ve been introduced to APTs, let&#39;s look at how to identify and prevent their associated threats.</p>
<h2 id="the-three-stages-and-symptoms-of-an-advanced-persistent-threat-attack">The three stages and symptoms of an advanced persistent threat attack</h2>
<p><strong>1.  Infiltration</strong></p>
<p>There are usually up to three ways of infiltrating a target: authorized personnel, web assets, and/or network resources.</p>
<p>Phishing is well documented as a way of tricking an employee into giving away security details. Spear phishing is a more targeted version of this, whereby a threat actor will identify a person of high importance to a company and will seek to ascertain highly valuable information through deceptive means.</p>
<p>Malware and ransomware are commonly used to creep into a company&#39;s systems and exploit them. Distributed Denial of Service (DDoS) attacks are utilized to flood a network of devices with traffic and act as a smokescreen, hiding other activities. They will also inhibit ordinarily authorized users from accessing their network as they usually would.</p>
<p>When a hacker breaks through and penetrates the network perimeter, they will often deploy malware that allows access for other hackers --- what&#39;s known as a backdoor shell. This can take the form of Trojans that are disguised as regular software, to reduce the chances of detection.</p>
<p><strong>2.  Escalation and lateral movement</strong></p>
<p>Once the hackers have breached the network, they look to course through the arteries of the company and unearth anything that they deem of value. They&#39;ll locate staff that hold access to the most sensitive parts of the organization and specifically target them, prying open the door to more information.</p>
<p>With sensitive data now in the hands of the hackers, they are free to sell this to rival companies so that they gain a competitive advantage. Or, if disruption was the aim, the threat actors may delete key data in order to sabotage their target.</p>
<p>At NTT, we specialize in preventing lateral movement. Our systems are capable of unearthing suspicious activity thanks to data collated from an array of log sources.</p>
<p><strong>3.  Exfiltration</strong></p>
<p>While harvesting the desired information, the hackers require a place to store it. Usually, this is found somewhere within the very network that they are working in.</p>
<p>The final stage in this process is to extract the documents without being found, and so distraction tactics are needed. White noise strategies are implemented to draw the attention of a security team while the real work is carried out.</p>
<p>Botnets are a typical mechanism used to create white noise. NTT&#39;s T1 IP backbone helps provide data that is collected and then analyzed to spot the control and command systems that are used by botnets --- and, therefore, their threat can be mitigated. Even DNS tunneling can be screened for, which is usually much more challenging to locate. </p>
<h3 id="how-to-spot-an-apt-attack">How to spot an APT attack:</h3>
<ul>
<li><p>Abnormal usage on a network, for example, multiple logins at unusual times</p>
</li>
<li><p>A high prevalence of backdoor Trojans</p>
</li>
<li><p>An unaccounted stockpiling of data, as this may signal an impending data harvest from hackers</p>
</li>
<li><p>Atypical movements of data are a key signifier of suspicious activity, such as a large variation in inbound and outbound flows.</p>
</li>
</ul>
<h2 id="examples-of-apt-attacks">Examples of APT attacks</h2>
<p>The following APT attacks took place in August 2022. </p>
<ul>
<li><p>Andariel (an APT branch of Lazarus), <a href="https://itbrief.com.au/story/kaspersky-uncovers-new-attacks-by-advanced-persistent-threat-group" target="_blank" rel="noopener">used DTrack malware and newly created Maui ransomware</a> to target major companies in the USA and Japan. They used these means, also known as remote administration tools (RATs), to obtain user browser history and access user records that they freely manipulated.</p>
</li>
<li><p>The Luckymouse group has been shown to be <a href="https://www.infosecurity-magazine.com/news/chinese-hacker-compromised-mimi/" target="_blank" rel="noopener">utilizing a Trojan form of the MiMi messaging service to gain backdoor access</a> across commonly used devices such as macOS, Windows and Linux. The criminals were found to be targeting at least 13 companies across the Philippines and Taiwan.</p>
</li>
</ul>
<p>It has also recently been revealed that a Russian-backed group using the moniker, SEABORGIUM, has been <a href="https://www.scmagazine.com/brief/social-engineering/russian-apts-cyberespionage-operations-thwarted" target="_blank" rel="noopener">carrying out spying activities across Europe for at least five years</a>. SEABORGIUM has a track record of using phishing emails and infiltrating OneDrive, as well as LinkedIn, to target people&#39;s data.</p>
<h2 id="when-it-comes-to-apts-action-is-essential">When it comes to APTs, action is essential</h2>
<p>APTs have become so prevalent and powerful that the US Department of Justice has declared pursuing and stopping these threat actors an urgent concern. Although they also recognize that APTs form just a single branch of a multifaceted crime component, making them more challenging to address.</p>
<p>A <a href="https://www.justice.gov/dag/page/file/1520341/download" target="_blank" rel="noopener">July 2022 report from the DoJ</a> draws attention to the partnership between certain hacking groups and certain nation states, due to their common ground and political tendencies. The groups are not pursued by the authorities within these countries --- with this inaction looking more like advocacy of criminal behavior.</p>
<p>The most effective course of action seems to be raising awareness of these cybersecurity issues. The DoJ has called for cooperation throughout all parts of society in order to resist these threat actors, since we cannot rely on some nations to crack down on criminal activity.</p>
<h3 id="ntt-are-world-leaders-in-cybersecurity-and-stopping-apts">NTT are world-leaders in cybersecurity and stopping APTs</h3>
<p>NTT Group is committed to R&amp;D with a total budget of around $3.6 billion and cyber threat research is one of the many important facets of this research investment. Our investment in cyber security R&amp;D has also resulted in the registration of patents in that area by NTT.</p>
<p>Choose <a href="http://security.ntt">NTT</a> for protection that you won&#39;t find anywhere else.</p>


SOC Cyber Security Report

Latest Report: 2023.11

Topics Covered in Report 2023.11

Ransomware group files complaint against victim organization with the US Securities and Exchange Commission

A shortened URL created by an online service directs customers to a malicious site

Microsoft's VS Code tool could reveal passwords

Previous Reports

2023.01

2023.02

2023.03

2023.04

2023.05

2023.06

2023.07

2023.08

2023.09

2023.10