Next-Gen Nation-State Gangs Hit 40K High-Value Targets in 90 Days

KEY TAKEAWAYS

  • A report by Menlo Security identifies a surge in highly evasive, adaptive threat (HEAT) attacks by nation-state actors. These sophisticated attacks target web browsers and bypass traditional security measures.
  • LegalQloud, Eqooqp, and Boomer are state-sponsored cybercriminal groups using HEAT tactics. They target high-value organizations like governments, banks, and healthcare providers.
  • These new attacks can bypass multi-factor authentication (MFA), a previously reliable security measure. Adversary-in-the-Middle (AiTM) kits are used to hijack sessions.
  • Current "catch-the-bad-guy" tactics and traditional security tools are failing. The report suggests a shift towards a more comprehensive strategy to anticipate and mitigate evolving threats.

The recent Menlo Security report “Global Cyber Gangs” identified three new players in the cybercriminal global landscape aiming their guns at governments, big banks, and healthcare organizations.

These new groups not only appear to have the support of nation-states but also use the newly emerging Highly Evasive Adaptive Threat (HEAT) attack techniques.

HEAT is a class of cyber threats that leverages web browsers as the attack vector and employs various techniques to evade multiple layers of detection in current security stacks.

MenloLabs described the new groups as a “trifecta of sophisticated HEAT campaigns”. The groups — LegalQloud, Eqooqp, and Boomer — are targeting C-suite executives, major banking institutions, financial powerhouses, insurance giants, legal firms, government agencies, and healthcare providers.

After analyzing the operations of these groups, MenloLabs researchers concluded that their attacks represent an “alarming escalation in cyber warfare”, one which leaves organizations vulnerable and unprepared.

Who are the New Cybercriminal Gangs?

Of the three new threat groups, LegalQloud stands out for being hosted on Tencent Cloud — the largest Internet company in China. This group is impersonating legal firms and actively looking to steal Microsoft credentials.

The group targets governments and investment banks in North America. LegalQloud has attacked 500 enterprises in just 90 days. Its weapon of choice? Bypassing URL categorization and block lists.

In contrast, Eqooqp goes after logistics, finance, petroleum, manufacturing, higher education, research, and government. The group’s technology can defeat multifactor authentication (MFA). In recent months, Menlo Cloud shut down about 50,000 attacks linked to Eqooqp.

Thirdly, Boomer is a new type of phishing campaign that moves against government and healthcare. In Boomer attacks, threat actors employ advanced evasive techniques including dynamic phishing sites, custom HTTP headers, tracking cookies, bot detection countermeasures, encrypted code, and server-side generated phishing pages.

Nick Edwards, VP of Product Management at Menlo Security, spoke to Techopedia about the magnitude of attacks the world is experiencing.

“State-sponsored cyberattacks have evolved into a global cyber war, impacting an estimated one-third of Americans this year alone.
“Our report exposes the sophisticated, browser-based tactics that are rendering traditional defenses obsolete. A staggering 60% of malicious clicks are linked to phishing and fraud, and 25% of those attacks bypass legacy security filters.”

Andrew Harding, VP of Security Strategy at Menlo Security, warned in the Menlo report of the impact these groups are having.

“State-sponsored cyberattacks are a looming cloud over security leaders, and our research shows that they have been growing in both sophistication and scale.”
“One thing is clear: attackers are moving fast and refreshing their tactics to target the browser, and traditional security controls such as SSE or SWG are letting these attacks slip through the cracks.”

The Next Gen of Cybercriminal Technologies

Cyberattacks have significantly changed in the last few years. Now they are changing again, and fast. Menlo Security says that these groups, supported and sheltered by state sponsors, are getting smarter every day.

Groups like LegalQloud, Eqooqp, and Boomer are taking things to the next level by deploying large-scale credential phishing attacks, hitting governments in APAC and North America, and flying under the radar, thanks to new malware kits.

Without advanced phishing and anti-malware delivery technologies, organizations, businesses, and individuals stand little chance against these attacks that leverage sophisticated software engineering.

Attackers are using the same tools and processes that engineers who build cloud-based applications use. They are also using the security controls that companies use to defend themselves.

Menlo Security explained in the report how attackers have reinvented attack techniques.

“The common element in these new tactics is that attackers gain initial access through browsers, not through vulnerable remote access systems or other public-facing servers.
“Network infrastructure security controls and cloud network services do not stop these attacks. They have created the successor to Advanced Persistent Threats (APT): Highly Evasive Adaptive Threats (HEAT).”

Edwards from Menlo Security told Techopedia:

“The message is clear: if you are not prioritizing the browser on your cybersecurity roadmap, you are not doing enough to protect your organization.”

Edwards said that the cybersecurity landscape has reached a critical inflection point as state-sponsored actors escalate their tactics. They employ highly evasive and adaptive threat (HEAT) attack techniques to bypass traditional defenses like secure web gateways, multi-factor authentication, and other network security tools.

Adam Maruyama, Field CTO at Garrison Technology, a company specializing in advanced browser security for enterprises, spoke to Techopedia about the changes in attacks.

“After 15 years of well-publicized nation-state attacks that only seem to be growing in prevalence, those concerned about preventing such attacks need to ask whether they need to be doing something fundamentally different to address the risk of vulnerable software.”

Maruyama explained that shifting browser risk from the endpoint to the cloud via cloud-hosted browser isolation services doesn’t effectively remove that risk — rather, it sets up another software-based hurdle for adversaries to address.

“Just as adversaries learned to test against and circumvent endpoint protection products, they’re almost certain to find ways to circumvent the code re-rendering algorithms and containerization software used by such services,” Maruyama said.

“A more fundamental shift away from software and toward verifiable, hardware-enforced security is necessary to break the ‘cat and mouse’ cycle of browser security.”

New Adversary-in-the-Middle Malware Kits Empower New Attackers

As mentioned, Menlo reported that new AiTM malware kits, sold on the dark web, are facilitating these attacks. Adversary-in-the-Middle (AiTM) kits target the web browser and can evade and breach multi-factor authentication (MFA) checks: by hijacking the authenticated session, they circumvent the additional factors MFA provides, such as one-time passwords, digital tokens, or biometric authentication, and gain unauthorized access to sensitive data and systems.

Attackers also leverage single sign-on (SSO) impersonation, potentially exploiting SSO systems to gain unauthorized access to multiple related services.
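The session-hijack pattern described above, in which a session that has already passed MFA is then replayed from the attacker's own host, leaves a trace in identity-provider logs: the client fingerprint bound to the session changes after the MFA step. The following detection is an added example, not code from the Menlo report or from Techopedia. It assumes a JSON-lines authentication log with the fields `ts`, `event`, `user`, `session`, `ip` and `ua` (an assumed schema, with constructed sample lines embedded) and flags every session whose token is used from a client other than the one that completed MFA.

```python
"""Flag MFA-authenticated sessions reused from a different client fingerprint.

Added example; the log schema (ts, event, user, session, ip, ua) and the sample
lines are constructed assumptions, not a real product's format.
"""
import json
from dataclasses import dataclass

# Constructed sample log, one event per line. Addresses are from documentation ranges.
SAMPLE_LOG = """\
{"ts": 1700000000, "event": "login", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": 1700000005, "event": "mfa_success", "user": "alice", "session": "s1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts": 1700000300, "event": "api_request", "user": "alice", "session": "s1", "ip": "198.51.100.7", "ua": "python-requests/2.31"}
{"ts": 1700000400, "event": "login", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (X11; Linux) Firefox/125"}
{"ts": 1700000404, "event": "mfa_success", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (X11; Linux) Firefox/125"}
{"ts": 1700000900, "event": "api_request", "user": "bob", "session": "s2", "ip": "192.0.2.5", "ua": "Mozilla/5.0 (X11; Linux) Firefox/125"}
{"ts": 1700001000, "event": "login", "user": "carol", "session": "s3", "ip": "192.0.2.77", "ua": "Mozilla/5.0 (iPhone) Safari/17"}
{"ts": 1700001003, "event": "mfa_success", "user": "carol", "session": "s3", "ip": "192.0.2.77", "ua": "Mozilla/5.0 (iPhone) Safari/17"}
{"ts": 1700001500, "event": "api_request", "user": "carol", "session": "s3", "ip": "192.0.2.90", "ua": "Mozilla/5.0 (iPhone) Safari/17"}
"""


@dataclass(frozen=True)
class Finding:
    user: str
    session: str
    severity: str          # "high": IP and user agent both changed; "medium": only one changed
    mfa_client: tuple      # (ip, ua) that completed the MFA step
    seen_client: tuple     # (ip, ua) that later reused the session token
    seconds_after_mfa: int


def parse_events(text):
    """Parse JSON lines into dicts sorted by timestamp, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort the whole scan
    return sorted(events, key=lambda e: e["ts"])


def find_session_reuse(events, window_seconds=3600):
    """Return a Finding for each session used from a client other than the MFA client.

    In an AiTM flow the identity provider sees the phishing proxy as the client
    for login and MFA; the captured cookie is then replayed from the attacker's
    own host, so the (ip, ua) pair attached to the session changes. Only events
    within window_seconds of the MFA step are considered.
    """
    mfa_client = {}  # session id -> (ts, ip, ua) recorded at mfa_success
    findings = []
    for e in events:
        sid = e["session"]
        if e["event"] == "mfa_success":
            mfa_client[sid] = (e["ts"], e["ip"], e["ua"])
            continue
        if sid not in mfa_client:
            continue  # pre-MFA events (the login itself) carry no bound fingerprint yet
        ts0, ip0, ua0 = mfa_client[sid]
        if e["ts"] - ts0 > window_seconds:
            continue
        ip_changed, ua_changed = e["ip"] != ip0, e["ua"] != ua0
        if not (ip_changed or ua_changed):
            continue
        severity = "high" if (ip_changed and ua_changed) else "medium"
        findings.append(Finding(e["user"], sid, severity, (ip0, ua0),
                                (e["ip"], e["ua"]), e["ts"] - ts0))
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(f"{f.severity.upper()}: user={f.user} session={f.session} "
              f"mfa_client={f.mfa_client} seen={f.seen_client} +{f.seconds_after_mfa}s")
```

An IP change on its own happens legitimately (mobile carriers re-address clients, which is the `carol` case), so it is rated medium; an IP change combined with a user-agent change, as in the `alice` case where a browser session continues from a scripting client, is the stronger AiTM indicator and rated high. The result is a heuristic to triage, not proof of compromise.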

Wes Kussmaul, CEO at The Authenticity Institute and President at The Authenticity Alliance, an organization working to establish a highly secure online infrastructure for developing countries, told Techopedia that accountability is the basis of security.

Kussmaul said that there is an abundance of catch-the-bad-guys (CTBG) security technologies that are not working.

“Companies and individuals are becoming more and more aware of the fact that security technology is not working. And if you think about it, the reason is obvious.”
“Instead of catch-the-bad-guys security, consider the ABE approach. That is, replace CTBG commando outposts with Accountability Based Environments (ABE).”

ABE focuses on creating a secure online environment where even if an attacker gains access to a system, they cannot do significant harm.

This could involve implementing stronger authentication methods, following secure coding practices to make applications less vulnerable, and using decentralized architectures to make it harder for attackers to take control of entire systems. However, ABE is a new concept, and more research is needed to determine how it can be implemented effectively.

The Bottom Line

Cyberattacks are becoming more prevalent and increasingly sophisticated. Nation-state actors are at the forefront of this development, actively creating and refining these advanced threats. Traditional security measures are proving less and less effective in the face of such innovation.

Perhaps the most alarming aspect of these evasive techniques is their ability to bypass even multi-factor authentication (MFA), a security measure previously considered quite secure.

Hackers are employing Adversary in the Middle (AiTM) kits to hijack sessions, highlighting the need for a new approach to cybersecurity. Traditional “catch-the-bad-guy” reactive security tactics and traditional security tools are no longer sufficient.

The public and private sectors must now move towards a more comprehensive strategy that anticipates and mitigates these evolving threats and understands the modern tools at play.
