It has been revealed that a threat actor once best known for cyber bank robbery in Russia has made a move to espionage. The highly targeted attacks against government institutions in Eastern Europe, which took place during June 2019, employed the use of a Microsoft Windows zero-day exploit. In and of itself this isn’t unusual as there have been plenty of Windows zero-days discovered. However, this is the first time that researchers had seen the Buhtrap group using a zero-day attack, although the group has been involved in the cyber-spying business for some years now across Eastern Europe and Central Asia.
Anton Cherepanov, a senior malware researcher at security vendor ESET, explained how the zero-day exploit abused a local privilege escalation vulnerability in Microsoft Windows in order to run arbitrary code and install applications, and view or change data on the compromised systems. As soon as the researchers had properly analyzed the exploit, it was reported to the Microsoft Security Response Center, and a fix was included in the July 9 “Patch Tuesday” update.
The vulnerability itself only impacted older versions of Windows, specifically variations of Windows and Windows Server 2008. This is because, as Cherepanov explained, “since Windows 8 a user process is not allowed to map the NULL page. Microsoft back-ported this mitigation to Windows 7 for x64-based systems.” The advice, predictably, is to upgrade to a newer version of the operating system if possible. Especially as critical security updates will disappear soon when extended support for Windows 7 Service Pack 1 ends in January 2020. Gavin Millard, vice-president of intelligence at Tenable, warns users not to be complacent seeing as the vulnerability is “now being actively exploited in the wild,” advising that “patches should be deployed as soon as possible.”
I wondered why a group that had apparently seen quite some success while being a “pure” cybercrime operation might make the change to what would appear the more dangerous and less profitable business of espionage? It’s not the first time that Chris Doman, a security researcher at AT&T Alien Labs, has been surprised by such a move. “Previously the Game Over Zeus botnet, normally observed stealing banking credentials, was seen searching for files containing text such as “classified” when installed on machines in Ukraine,” Doman says.
Javvad Malik, security awareness advocate at KnowBe4, readily admits that attribution and motivation are two of the most challenging things to nail down with cyber groups. “In this case it could very well be possible that Buhtrap expanded their operations from cybercrime to include espionage because of the greater money-making opportunity or for political reasons,” Malik says, adding “another theory is that it could be that the original group has two separate streams where each part focuses on one of cybercrime or espionage, but still share the same tactics, techniques, and procedures.”
Boris Cipot, senior security engineer at Synopsys, agrees that the motivation is hard to pinpoint. “We could say it is financial,” Cipot says “however, we would still need to speculate whether the financial motivation comes as a criminal intent to sell the stolen information to the highest bidder on the dark web or that they are simply expanding into the business of offering espionage services as a cybersecurity company.” Cipot says that such services are known to have been used in many cyber-espionage cases.
Or, they could have become part of an espionage ring in order to avoid prison time. “This is also something we have seen in the past,” Cipot says “where cybercriminals, when caught, were used to either work for the government or other organizations to avoid sentences in prison.” Eoin Keary, CEO, and co-founder of edgescan, agrees it is likely “given their level of skill,” that they may have been convinced by a nation-state to “use their skill set in the realm of espionage and go legitimate.” Although Keary also points out that the world of corporate espionage is very lucrative, “with many nation states happily paying for intellectual property, energy information, blueprints, business plans and communiques between governments and business leaders.”
Interestingly, there could be an even more straightforward explanation according to Michael Hartmann, vice-president EMEA at OneLogin, who says that: “According to insiders some of Buhtrap group’s source code got leaked or intentionally published on the darknet, which may be a reason why other attacker groups are now using and customizing these attack vectors to target other organizations, which explains the perceived change in the Buhtrap attack strategy.”