Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | During Operation CuckooBees, the threat actors renamed a malicious executable to |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | During Operation CuckooBees, the threat actors modified the |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.[1] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | During Operation CuckooBees, the threat actors used the legitimate Windows services |
| Enterprise | T1547.006 | Boot or Logon Autostart Execution: Kernel Modules and Extensions | During Operation CuckooBees, the threat actors used a signed kernel rootkit to establish additional persistence.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | During Operation CuckooBees, the threat actors used batch scripts to perform reconnaissance.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | During Operation CuckooBees, the threat actors executed an encoded VBScript file using |
| Enterprise | T1120 | Peripheral Device Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1133 | External Remote Services | During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: |
| Enterprise | T1201 | Password Policy Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | During Operation CuckooBees, the threat actors used the Makecab utility to compress stolen data and a version of WinRAR to create password-protected archives of it prior to exfiltration.[1] |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used the following commands: |
| Enterprise | T1083 | File and Directory Discovery | During Operation CuckooBees, the threat actors used |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | During Operation CuckooBees, the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.[1] |
| Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | During Operation CuckooBees, the threat actors executed an encoded VBScript file.[1] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | During Operation CuckooBees, the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs.[1] |
| Enterprise | T1082 | System Information Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1033 | System Owner/User Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1124 | System Time Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1007 | System Service Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1049 | System Network Connections Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1016 | System Network Configuration Discovery | During Operation CuckooBees, the threat actors used |
| Enterprise | T1135 | Network Share Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For Operation CuckooBees, the threat actors obtained publicly available JSP code that was used to deploy a web shell onto a compromised server.[1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1087.002 | Account Discovery: Domain Account | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1057 | Process Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1018 | Remote System Discovery | During Operation CuckooBees, the threat actors used the |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | During Operation CuckooBees, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: |
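Several rows in the table describe behaviour that is cheap to hunt for in process-creation telemetry: the Makecab and password-protected WinRAR staging (T1560.001), WinRM being switched on from a shell (T1133), scheduled tasks created on remote hosts to run batch scripts (T1053.005), and the cluster of discovery rows (T1087, T1069, T1049, T1016, T1057, T1082) that a reconnaissance batch script produces as a burst of LOLBin executions. The following is an added example, not code from the ATT&CK page or from the Cybereason report it cites. It runs four such rules over constructed Sysmon Event ID 1 style events; the hostnames, timestamps, paths, password and command lines are invented, and because this page elides the actors' actual commands, the strings the rules key on (`net`, `ipconfig`, `winrm quickconfig`, `schtasks /s`, `-hp`) are assumptions about what these techniques normally look like rather than indicators from the campaign.

```python
"""Hunt rules for CuckooBees-style behaviours over constructed process-creation events."""
import ntpath  # Windows paths must be split with ntpath, even when this runs on Linux
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field layout mimics Sysmon EID 1 (Image, CommandLine);
# every host, time, path, password and command here is invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T10:00:01", "host": "WS01", "image": r"C:\Windows\System32\net.exe", "cmd": "net user /domain"},
    {"ts": "2022-05-01T10:00:03", "host": "WS01", "image": r"C:\Windows\System32\net.exe", "cmd": "net localgroup administrators"},
    {"ts": "2022-05-01T10:00:05", "host": "WS01", "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"ts": "2022-05-01T10:00:07", "host": "WS01", "image": r"C:\Windows\System32\netstat.exe", "cmd": "netstat -ano"},
    {"ts": "2022-05-01T10:00:09", "host": "WS01", "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist /v"},
    {"ts": "2022-05-01T10:05:00", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd /c winrm quickconfig -q && winrm set winrm/config/service @{AllowUnencrypted="true"}'},
    {"ts": "2022-05-01T10:06:00", "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /s FS02 /tn update /tr C:\Windows\Temp\u.bat /sc once /st 10:10 /ru SYSTEM"},
    {"ts": "2022-05-01T10:07:00", "host": "WS01", "image": r"C:\Windows\System32\makecab.exe",
     "cmd": r"makecab C:\Users\Public\docs\plans.pdf C:\Users\Public\1.cab"},
    {"ts": "2022-05-01T10:08:00", "host": "WS01", "image": r"C:\Users\Public\rar.exe",
     "cmd": r"rar.exe a -hpS3cret -m5 C:\Users\Public\out.rar C:\Users\Public\1.cab"},
    {"ts": "2022-05-01T11:30:00", "host": "WS02", "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},  # lone lookup, benign
]

# Built-in discovery binaries (assumed; the page does not show the commands the actors ran).
DISCOVERY_BINARIES = {"net.exe", "net1.exe", "ipconfig.exe", "netstat.exe", "tasklist.exe", "systeminfo.exe",
                      "whoami.exe", "nltest.exe", "sc.exe", "query.exe", "quser.exe"}
BURST_WINDOW = timedelta(minutes=2)
BURST_THRESHOLD = 4  # distinct discovery binaries on one host inside the window

# WinRAR password switches: -p<pw> encrypts file data, -hp<pw> also encrypts the headers.
RAR_PASSWORD_RE = re.compile(r"(?i)(?:^|\s)-hp\S*|(?:^|\s)-p\S+")
# Commands that enable WinRM or add its HTTP/HTTPS listeners from cmd or PowerShell.
WINRM_ENABLE_RE = re.compile(
    r"(?i)winrm\s+(?:quickconfig|qc|set\s+winrm/config|create\s+winrm/config/listener)"
    r"|Enable-PSRemoting|Set-WSManQuickConfig")


def _exe(ev):
    return ntpath.basename(ev["image"]).lower()


def check_archive_staging(ev):
    """T1560.001: makecab compression, or WinRAR invoked with a password switch."""
    exe = _exe(ev)
    if exe == "makecab.exe":
        return "archive_staging:makecab"
    if exe in {"rar.exe", "winrar.exe"} and RAR_PASSWORD_RE.search(ev["cmd"]):
        return "archive_staging:rar_password_protected"
    return None


def check_winrm_enable(ev):
    """T1133: WinRM switched on or reconfigured from a shell."""
    return "winrm_enabled" if WINRM_ENABLE_RE.search(ev["cmd"]) else None


def check_remote_schtask_batch(ev):
    """T1053.005: schtasks /create aimed at a remote host (/s) whose action is a .bat/.cmd."""
    if _exe(ev) != "schtasks.exe":
        return None
    cmd = ev["cmd"].lower()
    if ("/create" in cmd and re.search(r"\s/s\s+\S+", cmd)          # /s <host>, not /sc or /st
            and re.search(r"/tr\s+\S*\.(?:bat|cmd)\b", cmd)):       # unquoted path; quoted paths need more parsing
        return "remote_scheduled_task_batch"
    return None


def check_discovery_bursts(events):
    """Flag a host that runs >= BURST_THRESHOLD distinct discovery binaries within BURST_WINDOW."""
    by_host = defaultdict(list)
    for ev in events:
        if _exe(ev) in DISCOVERY_BINARIES:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), _exe(ev), ev))
    findings = []
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, ev0) in enumerate(rows):
            seen = {name for t, name, _ in rows[i:] if t - t0 <= BURST_WINDOW}
            if len(seen) >= BURST_THRESHOLD:
                findings.append(("discovery_burst", host, ev0["ts"], ", ".join(sorted(seen))))
                break  # one finding per host is enough for triage
    return findings


def run_rules(events):
    """Return (rule, host, timestamp, detail) tuples for every hit across all rules."""
    findings = []
    for ev in events:
        for check in (check_archive_staging, check_winrm_enable, check_remote_schtask_batch):
            hit = check(ev)
            if hit:
                findings.append((hit, ev["host"], ev["ts"], ev["cmd"]))
    findings.extend(check_discovery_bursts(events))
    return findings


if __name__ == "__main__":
    for rule, host, ts, detail in run_rules(SAMPLE_EVENTS):
        print(f"{ts} {host:<5} {rule:<40} {detail}")
```

On the constructed input this yields five findings, all on WS01, and nothing for WS02's lone `ipconfig`. Of the four rules, the Makecab one is the noisiest in environments that package updates or drivers with it, and is best scored rather than alerted on its own; the burst rule is the one worth tuning per fleet, since its window and threshold decide whether a scripted recon sweep stands out from an administrator's manual checks. None of these rules match the campaign's literal commands, because this page does not reproduce them; they match the techniques.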