Pitty Tiger APT exploits older version Office flaws

News by Doug Drinkwater

The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware prying on vulnerabilities in Microsoft Office.

In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit (formerly Cassidian CyberSecurity) detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of different malware, including some developed exclusively by the threat actor.

Instead of looking to exploit any zero-day vulnerability, the group relies “extensively” on spear phishing, malware and vulnerabilities existing on older versions of Microsoft Office as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide.

The campaign apparently starts with a phishing email, with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is “amateur” – with the attached Word file triggering CVE-2014-1761 to infect the computer with Troj/ReRol.A malware, while others relied on the older CVE-2012-0158 vulnerability, which affected MS Office versions 2003 through 2010, SQL Server and other popular enterprise software applications.

Researchers believe that the group have also sent spear-phishing emails.

“This could mean that the Pitty Tiger group is using stolen material as spear-phishing content, either to target other persons in the compromised company, or to target other persons in a competitor's company, or more generally to compromise another target,” reads the white paper.

The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite the RATs, tools (including a vulnerability scanner), binaries and language used pointing to China as the origin of the group.

“They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.”

“We have been able to leverage several attacker profiles, showing that the Pitty Tiger group is fairly small compared to other APT groups, which is probably why we saw them work on a very limited amount of targets in an unusual malware sample in June.”

The group uses an assortment of malware and tools during their APT operations in addition to the PittyTiger remote access Trojan (RAT). A variant of the infamous ‘Gh0st’ RAT (otherwise known as “Paladin”) has been used repeatedly by the group, together with some other RATs that appear to have been developed exclusively for the campaign (the MM RAT – aka Troj/Goldsun-B – and the Gh0st RAT variant “Leo”).

The Troj/ReRol.A malware is the most commonly used for this cyber-espionage campaign and is used to infect workstations, collect system information and to install even more malware. “It acts as first stage download and system data collector often used in the initial compromise of the Pitty Tiger campaigns, generally embedded in Microsoft Office documents.”
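Both infection paths described above (the holiday-themed Word lure exploiting CVE-2014-1761 and the older CVE-2012-0158 lures, and the Troj/ReRol.A first stage “generally embedded in Microsoft Office documents”) share one property a mail gateway can act on: the carrier is an RTF or binary (OLE2) Office file, whatever its file name says. The following script is an added example, not code from the Airbus white paper or from this article. It parses a constructed MIME message, identifies each attachment's real container format from its leading bytes, and returns a triage verdict so that legacy-format or misnamed documents can be routed to a sandbox rather than delivered. The sender addresses, file names and attachment bodies are constructed sample data (the RTF body is plain text, not an exploit).

```python
"""Triage inbound e-mail attachments for legacy Office/RTF containers.

Added example (hypothetical, not the project's or the article's code).
Verdicts: "sandbox" for RTF/OLE2 containers (the formats the Pitty Tiger
lures used) and for files whose extension does not match their content,
"scan" for everything else.
"""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of the container formats of interest.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx

# Extensions that legitimately carry each container format.
EXPECTED_EXTENSIONS = {
    "rtf": {"rtf"},
    "ole2": {"doc", "dot", "xls", "ppt"},
    "ooxml": {"docx", "docm", "dotx", "xlsx", "xlsm", "pptx", "pptm"},
}


def classify_attachment(data: bytes) -> str:
    """Label the container format from content, never from the file name."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def extension_mismatch(fmt: str, filename: str) -> bool:
    """True when a recognised container is disguised under another extension."""
    if fmt not in EXPECTED_EXTENSIONS:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXPECTED_EXTENSIONS[fmt]


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return one verdict per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):          # text/* parts decode to str
            data = data.encode("utf-8", "replace")
        fmt = classify_attachment(data)
        mismatch = extension_mismatch(fmt, name)
        if fmt in ("rtf", "ole2"):
            verdict, reason = "sandbox", "legacy RTF/OLE2 container"
        elif mismatch:
            verdict, reason = "sandbox", "extension does not match content"
        else:
            verdict, reason = "scan", "no legacy-container indicator"
        results.append({
            "filename": name,
            "format": fmt,
            "extension_mismatch": mismatch,
            "verdict": verdict,
            "reason": reason,
        })
    return results


def build_sample_message() -> bytes:
    """Constructed lure in the style described in the article (no exploit)."""
    msg = EmailMessage()
    msg["From"] = "travel-offers@example.invalid"   # constructed sender
    msg["To"] = "employee@example.invalid"          # constructed recipient
    msg["Subject"] = "Your holiday voucher"
    msg.set_content("Please open the attached document to claim your holiday.")
    # RTF content carrying a .doc name: the mismatch the classifier catches.
    msg.add_attachment(b"{\\rtf1\\ansi Holiday voucher\\par}",
                       maintype="application", subtype="msword",
                       filename="voucher.doc")
    # Benign-looking OOXML stub with a matching extension.
    msg.add_attachment(ZIP_MAGIC + b"\x00" * 20,
                       maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="agenda.docx")
    return bytes(msg)


if __name__ == "__main__":
    for row in triage_message(build_sample_message()):
        print(f"{row['filename']:<14} {row['format']:<6} "
              f"{row['verdict']:<8} {row['reason']}")
```

Routing on content rather than extension matters here because the article's lures arrived as “Word attachments”; a gateway that trusts the `.doc` name would wave through an RTF file that Word will happily open. A real deployment would feed the sandbox verdict into the mail quarantine rather than print it.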

Researchers were able to gain this insight because server misconfigurations enabled them to collect information from the three C&C servers used by this group of attackers from the end of 2013 to July 2014.

Intriguingly, the firm also reported that the cyber-criminals were able to successfully collect information on some of their targets by exploiting the Heartbleed bug – which allows information that would usually be protected by SSL/TLS encryption to be stolen. The Pitty Tiger group was able to get administrator credentials for at least one target in this way.

Brian Honan, the founder and consultant at BH Consulting, told SCMagazineUK.com that the APT is yet another sign that defences are not up to the required standard, as recently outlined in ISACA's report on advanced persistent threats.

“Many organisations still believe they will not be the victim of a targeted attack and therefore many rely on traditional lines of defence such as firewalls and anti-virus software,” said Honan by email.

“What Pitty Tiger and other attacks show is that determined attackers will bypass these simple lines of defence in order to get what they want. This means companies need to conduct proper risk assessments and threat analysis to determine not “if”, but rather “why” they would be a target for a determined adversary. Moving this mind-set from thinking something might happen to understanding why it would happen can help defenders better design their defences, as once you understand what it is you are trying to protect it is then easier to defend it.”

Honan added that businesses should look at awareness training, ‘proactive monitoring’ and patch management.

“In the case of Pitty Tiger effective patch management would have been an effective mitigation as it targets the CVE-2012-0158 vulnerability in Microsoft Office for which a patch was issued in 2012. We also need to remind ourselves that persistent threats require persistent defence.”

Jason Steer, EMEA director of technology strategy at APT defence firm FireEye, told SC that spear-phishing is the ‘primary method to deliver a targeted attack’ – mainly because traditional security layers cannot detect advanced payloads sent this way – and said that the use of the Heartbleed vulnerability is not a surprise with many firms still to patch the flaw.

“I suspect that this vulnerability will be with us for years to come as it continues to be discovered in many other products and hardware.”

Steer also pointed to FireEye research which indicated that defence, telco and energy sectors are the most targeted sectors – and said that the company has seen Chinese political rights activists spear-phished using the same Office CVE, albeit with a technique known as ‘DLL side-loading’.

He urged companies to patch their base OS and third-party software and said they must focus more on detection:

“Detection is key as it enables your business to begin responding and mitigate the risk quickly, and the faster you move the less risk of data loss, PII stolen and IP copied.”
