SilverFish Hacking Group Abused Enterprise Victims for Sandbox Tests
The victim networks used for testing out payloads as a new form of sandbox.
Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates. SilverFish is an extremely skilled threat group that has been responsible for intrusions at over 4,720 private and government organizations like Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.
The attacks appear to be aimed mostly at US and European entities, focusing especially on critical infrastructure and targets with a large market value.
SilverFish has been connected to the SolarWinds breach, being one of the many threat groups that took advantage of the situation.
How was SilverFish discovered?
After the disclosure of the SolarWinds breach, researchers at Prodaft received an analysis request from a client and built a fingerprint based on public Indicators of Compromise.
Within 12 hours of running IPv4 scans with that fingerprint, the researchers found new detections. Among the victims were a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and multiple banking institutions from the US and Europe.
How does SilverFish exploit data?
SilverFish's main focus appears to be network reconnaissance and data exfiltration, using a variety of software and scripts for both initial and post-exploitation activities.
These include readily available tools like Empire, Cobalt Strike, and Mimikatz, as well as bespoke tooling delivered as PowerShell, BAT, and HTA files.
SilverFish follows a particular behavioral pattern: it runs commands to list domain controllers and trusted domains and to display stored credentials and admin user accounts, and then launches its scripts for post-exploitation reconnaissance and data theft.
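That reconnaissance chain is a useful detection signal: any single enumeration command is ordinary admin work, but several distinct stages from one host in a short window are not. The following is an added example, not code from the article or from Prodaft; it correlates constructed process-creation log lines, and the mapping of each stage to the built-in Windows commands nltest, cmdkey and net group is the editor's assumption, since the article names the behaviors rather than the commands.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log lines (not real telemetry). WS-042 runs the
# full reconnaissance chain; SRV-07 and WS-099 show isolated or spread-out use.
SAMPLE_LOG = """\
2021-03-18T09:14:02 host=WS-042 user=CORP\\jdoe cmd=nltest /dclist:corp.local
2021-03-18T09:15:40 host=WS-042 user=CORP\\jdoe cmd=nltest /domain_trusts
2021-03-18T09:16:05 host=SRV-07 user=CORP\\backup cmd=notepad.exe C:\\notes.txt
2021-03-18T09:18:11 host=WS-042 user=CORP\\jdoe cmd=cmdkey /list
2021-03-18T09:21:57 host=WS-042 user=CORP\\jdoe cmd=net group "Domain Admins" /domain
2021-03-18T10:02:00 host=SRV-07 user=CORP\\adm1 cmd=nltest /dclist:corp.local
2021-03-18T11:00:00 host=WS-099 user=CORP\\kim cmd=nltest /domain_trusts
2021-03-18T14:30:00 host=WS-099 user=CORP\\kim cmd=cmdkey /list
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Each stage the article describes, mapped (editor's assumption) to a
# well-known built-in command that performs it.
RECON_STAGES = {
    "domain_controllers": re.compile(r"\bnltest\b.*/dclist", re.I),
    "trusted_domains":    re.compile(r"\bnltest\b.*/domain_trusts", re.I),
    "stored_credentials": re.compile(r"\bcmdkey\b.*/list", re.I),
    "admin_accounts":     re.compile(r"\bnet1?\b\s+group\b.*admins", re.I),
}

def parse_events(text):
    """Return (timestamp, host, stage) for every log line matching a recon stage."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for stage, pat in RECON_STAGES.items():
            if pat.search(m["cmd"]):
                events.append((datetime.fromisoformat(m["ts"]), m["host"], stage))
    return events

def find_recon_chains(text, window_minutes=30, min_stages=3):
    """Alert on hosts running >= min_stages distinct recon stages inside one window.
    A lone 'nltest /dclist' is normal admin work; the chain is the signal."""
    by_host = defaultdict(list)
    for ts, host, stage in parse_events(text):
        by_host[host].append((ts, stage))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort()
        best = set()
        for start, _ in evs:  # try each event as the start of the window
            seen = {s for t, s in evs if start <= t <= start + window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts.append({"host": host, "stages": sorted(best)})
    return alerts
```

Tune the window and stage threshold to the environment: a wider window catches slower operators at the cost of more alerts on legitimate administration.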
Perhaps the most interesting tactic, though, is the use of existing enterprise victims as a sandbox.
The SilverFish group has built an unprecedented malware detection sandbox out of actual enterprise victims: it lets the adversaries test their malicious payloads on victim servers running different enterprise AV and EDR solutions, further raising the already high success rate of SilverFish attacks.
Another interesting discovery concerned the group's panels. These list "Active teams" and account for multiple groups, such as Team 301, 302, 303, and 304, whose working hours fall between 8 am and 8 pm UTC with visibly less activity on weekends. Attacker teams seem to cycle between victims roughly every day, and whenever a new target is snared, the server is assigned to a particular working group for examination.
Will SilverFish remain a threat?
SilverFish-SolarWinds attacks started at the end of August 2020 and were conducted in three waves. The attacks ended with the seizure and sinkhole of a key domain.
SilverFish is still using relevant machines for the lateral movement stages of its campaigns. Unfortunately, despite being large critical infrastructure operators, most of its targets are unaware of the SilverFish group's presence on their networks.
SilverFish infrastructure revealed links to multiple IoCs that were previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus.