Sunday, August 16, 2020

CERT Advisory for BEAR


  • Fancy Bear

Also known as APT28 (Mandiant), Pawn Storm (Trend Micro), Sofacy Group (Kaspersky), Sednit (ESET), Tsar Team (iSight Partners, later FireEye), STRONTIUM (Microsoft)

The hackers operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).


▶ Drovorub

August 13, 2020

The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) have released a cybersecurity advisory introducing previously undisclosed Russian malware. NSA and the FBI attributed the malware, dubbed Drovorub, to Russian advanced persistent threat (APT) actors.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the joint advisory (CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF, 45 pages) and employ its detection techniques and mitigations.

Drovorub components

* FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers (ZDNet)
Per the two agencies, Drovorub is a multi-component system made up of an implant (Drovorub-client), a kernel-module rootkit (Drovorub-kernel), an agent that handles file transfer and port forwarding (Drovorub-agent), and a command-and-control (C2) server (Drovorub-server).

"Drovorub is a 'swiss-army knife' of capabilities that allows the attacker to perform many different functions, such as stealing files and remote controlling the victim's computer,"

"In addition to Drovorub's multiple capabilities, it is designed for stealth by utilizing advanced 'rootkit' technologies that make detection difficult,"

To prevent attacks, the agencies recommend that US organizations update Linux systems to kernel version 3.7 or later, "in order to take full advantage of kernel signing enforcement," a feature that blocks unsigned kernel modules such as Drovorub's rootkit from loading. Note that a 3.7+ kernel only makes this possible: signature checking has to be switched on (CONFIG_MODULE_SIG_FORCE at build time or module.sig_enforce=1 at boot) for an unsigned module to be refused rather than merely tainting the kernel, and Secure Boot keeps an attacker with root from simply booting a kernel that does not enforce it.
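The following script is an added example, not code from the NSA/FBI advisory or from this post, showing how an administrator would verify the mitigation above on a host: it reads the kernel release, the module.sig_enforce parameter, the UEFI SecureBoot variable and the kernel taint flags from /proc and /sys. The file paths, the 3.7 threshold and the taint-bit meanings are those of mainline Linux; the two sample hosts ("hardened" and "legacy") are constructed fixtures so the script runs offline, and the function and variable names are this example's own.

```python
"""Audit a Linux host for kernel-module signature enforcement.

Added illustration, not part of the advisory. It reads the same pseudo-files
an admin would `cat` by hand, but takes a root prefix so it can also be run
against constructed fixtures (see demo()).
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Kernel module signing (CONFIG_MODULE_SIG) first shipped in Linux 3.7.
MIN_RELEASE = (3, 7)

# Bits of /proc/sys/kernel/tainted worth looking at when hunting rootkits.
TAINT_BITS = {
    0: "proprietary module loaded (P)",
    1: "module force-loaded (F)",
    12: "out-of-tree module loaded (O)",
    13: "unsigned module loaded (E)",
}

# efivarfs name of the SecureBoot variable (EFI global variable GUID).
EFI_SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"


def kernel_supports_sig_enforcement(release: str) -> bool:
    """True if a `uname -r` style string is 3.7 or newer."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2))) >= MIN_RELEASE


def decode_taint(value: int) -> List[str]:
    """Name the interesting taint flags set in the integer from /proc."""
    return [name for bit, name in TAINT_BITS.items() if value & (1 << bit)]


def secure_boot_enabled(efivar: bytes) -> bool:
    """efivarfs prefixes 4 attribute bytes; SecureBoot data is 1 byte, 1=on."""
    return len(efivar) >= 5 and efivar[4] == 1


def audit(root: Path) -> Dict[str, object]:
    """Run the checks for a host whose /proc and /sys live under `root`."""
    release = (root / "proc/sys/kernel/osrelease").read_text().strip()
    tainted = int((root / "proc/sys/kernel/tainted").read_text().strip())
    sig_file = root / "sys/module/module/parameters/sig_enforce"
    # The parameter only exists when the kernel was built with CONFIG_MODULE_SIG.
    sig_enforce = sig_file.exists() and sig_file.read_text().strip() == "Y"
    sb_file = root / "sys/firmware/efi/efivars" / EFI_SECUREBOOT_VAR
    # Missing variable means legacy BIOS boot or no efivarfs: treat as off.
    secure_boot = sb_file.exists() and secure_boot_enabled(sb_file.read_bytes())
    return {
        "release": release,
        "kernel_ok": kernel_supports_sig_enforcement(release),
        "sig_enforce": sig_enforce,          # unsigned modules are refused
        "secure_boot": secure_boot,
        "taints": decode_taint(tainted),     # 'E' or 'O' set: go look at lsmod
    }


def build_fixture(root: Path, *, release: str, tainted: int,
                  sig_enforce: Optional[str], secure_boot: Optional[int]) -> Path:
    """Write a constructed /proc and /sys tree (demo data, not a real host)."""
    (root / "proc/sys/kernel").mkdir(parents=True)
    (root / "proc/sys/kernel/osrelease").write_text(release + "\n")
    (root / "proc/sys/kernel/tainted").write_text(f"{tainted}\n")
    if sig_enforce is not None:
        d = root / "sys/module/module/parameters"
        d.mkdir(parents=True)
        (d / "sig_enforce").write_text(sig_enforce + "\n")
    if secure_boot is not None:
        d = root / "sys/firmware/efi/efivars"
        d.mkdir(parents=True)
        # 4 attribute bytes (BS|RT access = 0x06) followed by the value byte.
        (d / EFI_SECUREBOOT_VAR).write_bytes(b"\x06\x00\x00\x00" + bytes([secure_boot]))
    return root


def demo() -> Dict[str, Dict[str, object]]:
    """Audit two constructed hosts: one hardened, one old and already tainted."""
    base = Path(tempfile.mkdtemp())
    hardened = build_fixture(base / "hardened", release="5.4.0-42-generic",
                             tainted=0, sig_enforce="Y", secure_boot=1)
    legacy = build_fixture(base / "legacy", release="2.6.32-754.el6.x86_64",
                           tainted=(1 << 12) | (1 << 13),
                           sig_enforce=None, secure_boot=None)
    return {"hardened": audit(hardened), "legacy": audit(legacy)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On a live system call `audit(Path("/"))` as root. A kernel_ok of False means the host cannot enforce module signatures at all; sig_enforce False on a modern kernel means an unsigned module will still load and only set the 'E' taint bit, so the taint flags are the thing to watch on such hosts, bearing in mind that out-of-tree or proprietary drivers set 'O' and 'P' legitimately.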

✓ The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.

✓ The name comes from drovo [дрово], which translates to "firewood," or "wood" and rub [руб], which translates to "to fell," or "to chop."

✓ The FBI and NSA said they were able to link Drovorub to APT28 because the Russian hackers reused infrastructure across operations. For example, the two agencies report that Drovorub connected to a C2 server previously used in APT28 operations targeting IoT devices in the spring of 2019; that IP address had already been documented by Microsoft.

