Signature Techniques of Asian APT Groups Revealed

Cyber Security Threat Summary:
The Kaspersky Cyber Threat Intelligence team has published crucial insights into the tactics, techniques and procedures (TTPs) used by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky sets out the TTPs it observed while examining one hundred cybersecurity incidents from around the world.

The report describes the most common TTPs and the attack stages in which they are used, and offers recommendations for countering them. A key finding is that Asian APT groups show no regional bias: they use the same tactics against targets worldwide.

Security Officer Comments:
Notably, the attackers regularly combined two techniques, T1543.003 (Create or Modify System Process: Windows Service) and T1574.002 (Hijack Execution Flow: DLL Side-Loading), to escalate privileges and evade detection: a service is registered to launch a legitimate signed executable, which in turn loads the attacker's DLL. Asian APT groups focus primarily on cyber-espionage, gathering sensitive information and exfiltrating it through legitimate cloud services or other external channels. In some cases these groups also deployed ransomware.

Kaspersky says the industries most frequently targeted by these APT groups include government, industrial, healthcare, IT, agriculture and energy sectors.

Suggested Correction(s):
T1543.003: Create or Modify System Process: Windows Service

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

  • Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them.
  • On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system. On Windows 10 and 11, enable the Microsoft Vulnerable Driver Blocklist to harden against third-party-developed service drivers.
  • Enforce registration and execution of only legitimately signed service drivers where possible.
  • Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed.
  • Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.

T1574.002: Hijack Execution Flow: DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
  • When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.
  • Update software regularly to include patches that fix DLL side-loading vulnerabilities.
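The two techniques above are usually seen together: a new service (Service Control Manager Event ID 7045) whose ImagePath points at a legitimate executable copied into an attacker-controlled directory, where the executable will side-load a DLL planted next to it. The following detection sketch is an added example, not code from the Kaspersky report or from MITRE. It parses constructed, flattened 7045 records and flags services whose binary lives in a user-writable directory or whose executable name is a known binary running outside its expected install location. The user-writable prefix list and the expected-location map are assumptions for the example (the vendorapp.exe entry is a hypothetical vendor binary); populate both from your own software inventory.

```python
"""Flag newly installed Windows services that look like the T1543.003 +
T1574.002 combination (service pointing at a relocated legitimate binary).
Added example; sample events and lookup tables are constructed/assumed."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumed: directories in which a freshly installed service binary is suspicious.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\windows\\tasks\\",
    "c:\\temp\\",
)

# Assumed: lower-case executable name -> directory prefixes where it legitimately
# lives. A match on name but not on location is a side-loading host candidate.
EXPECTED_LOCATIONS = {
    "svchost.exe": ("c:\\windows\\system32\\",),
    "vendorapp.exe": ("c:\\program files\\vendorapp\\",),  # hypothetical vendor binary
}

# ImagePath may be quoted and may carry arguments; capture the .exe path only.
_IMAGE_RE = re.compile(r'^\s*"?([a-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)

# Constructed sample records in a flattened "key=value; key=value" form.
SAMPLE_EVENTS = [
    'EventID=7045; ServiceName=UpdaterSvc; ImagePath="C:\\ProgramData\\Update\\vendorapp.exe" -svc; '
    'ServiceType=user mode service; StartType=auto start; AccountName=LocalSystem',
    'EventID=7045; ServiceName=VendorApp Service; ImagePath="C:\\Program Files\\VendorApp\\vendorapp.exe"; '
    'ServiceType=user mode service; StartType=auto start; AccountName=LocalSystem',
    'EventID=7045; ServiceName=Spooler; ImagePath=C:\\Windows\\System32\\spoolsv.exe; '
    'ServiceType=user mode service; StartType=demand start; AccountName=LocalSystem',
    'EventID=7045; ServiceName=svc1; ImagePath=C:\\Users\\Public\\svchost.exe; '
    'ServiceType=user mode service; StartType=auto start; AccountName=LocalSystem',
]


def parse_7045(line: str) -> Dict[str, str]:
    """Split a flattened 7045 record into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def image_from_path(image_path: str) -> Optional[str]:
    """Extract the executable path from an ImagePath value, ignoring quotes and arguments."""
    match = _IMAGE_RE.match(image_path)
    return match.group(1) if match else None


def assess_service(fields: Dict[str, str]) -> List[str]:
    """Return the reasons a service installation is suspicious (empty list if none)."""
    reasons: List[str] = []
    image = image_from_path(fields.get("ImagePath", ""))
    if image is None:
        return ["unparseable ImagePath"]
    low = image.lower()
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("binary in user-writable directory")
    name = PureWindowsPath(low).name
    expected = EXPECTED_LOCATIONS.get(name)
    if expected and not low.startswith(expected):
        reasons.append(f"{name} outside expected location (side-loading host candidate)")
    # Auto-start only matters once something else is wrong: it turns a one-off into persistence.
    if reasons and fields.get("StartType", "").lower() == "auto start":
        reasons.append("auto-start persistence")
    return reasons


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each flagged ServiceName to its list of reasons; clean services are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in events:
        fields = parse_7045(line)
        if fields.get("EventID") != "7045":
            continue
        reasons = assess_service(fields)
        if reasons:
            findings[fields.get("ServiceName", "?")] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{service}: {', '.join(reasons)}")
```

The check is deliberately based only on the ImagePath from the 7045 event, so it can run over exported logs without host access; a follow-up on the host would confirm the side-load by listing DLLs in the service binary's directory and comparing their signatures with the executable's.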