Makers of popular antivirus and digital security software ESET have discovered the attackers who exploited a recent Windows OS zero-day vulnerability. The hacking group behind the attack is believed to be conducting cyber-espionage. Interestingly, this is not a typical target or methodology of the group that goes by the name ‘Buhtrap’, and hence the exploit strongly indicates the group may have pivoted.
Slovak antivirus maker ESET has confirmed that a hacker group known as Buhtrap is behind a recent Windows OS zero-day vulnerability that was exploited in the wild. The discovery is rather interesting and concerning because the group’s activities were severely curtailed a few years back when its core software code-base was leaked online. The attack used a just-fixed Windows OS zero-day vulnerability reportedly to conduct cyber-espionage. This is certainly a concerning new development primarily because Buhtrap never showed interest in extracting information. The group’s primary activities involved stealing money. Back when it was highly active, Buhtrap’s primary targets were financial institutions and their servers. The group used its own software and codes to compromise the security of banks or its customers to steal money.
Incidentally, Microsoft has just issued a patch to block the zero-day Windows OS vulnerability. The company had identified the bug and tagged it CVE-2019-1132. The patch was part of July 2019 Patch Tuesday package.
Buhtrap Pivots To Cyber-Espionage:
The developers of ESET have confirmed the involvement of Buhtrap. Moreover, the antivirus maker has even added the group was involved in conducting cyber-espionage. This goes completely against Buhtrap’s any previous exploits. Incidentally, ESET is aware of the group’s latest activities, but haven’t divulged the group’s targets.
Interestingly, several security agencies have repeatedly indicated that Buhtrap isn’t a regular state-sponsored hacker outfit. Security researchers are confident that the group operates mainly from Russia. It is often compared with other focused hacking groups like Turla, Fancy Bears, APT33, and the Equation Group. However, there’s one crucial difference between Buhtrap and others. The group rarely surfaces or takes responsibility for its attacks openly. Moreover, its primary targets have always been financial institutions and the group went after money instead of information.
Buhtrap group uses zero‑day in latest espionage campaigns: ESET research reveals notorious crime group also conducting espionage campaigns for the past five years The post Buhtrap group uses zero‑day in latest espionage campaigns appeared first on… https://t.co/mvCyy424cg pic.twitter.com/9OJ6nXZ1sT
— Shah Sheikh (@shah_sheikh) July 11, 2019
Buhtrap first surfaced back in 2014. The group became known after it went after many Russian businesses. These businesses were quite small in size and hence the heists did not offer many lucrative returns. Still, garnering success, the group started targeting larger financial institutions. Buhtrap began going after relatively well-guarded and digitally secured Russian banks. A report from Group-IB indicates the Buhtrap group managed to get away with more than $25 million. In all, the group successfully raided about 13 Russian banks, claimed security-company Symantec. Interestingly, most of the digital heists were successfully executed between August 2015 and February 2016. In other words, Buhtrap managed to exploit about two Russian banks per month.
The Buhtrap group’s activities suddenly ceased after their own Buhtrap backdoor, an ingeniously developed combination of software tools surfaced online. Reports indicate a few members of the group itself might have leaked the software. While the group’s activities came to an abrupt halt, access to the powerful set of software tools, allowed several minor hacking groups to flourish. Using the already perfected software, many small groups started conducting their attacks. The major disadvantage was the sheer number of attacks that took place using the Buhtrap backdoor.
Since the leak of the Buhtrap backdoor, the group actively pivoted to conducting cyber-attacks with a completely different intention. However, ESET researchers claim they’ve seen the group shift tactics since way back in December 2015. Apparently, the group started targeting government agencies and institutions, noted ESET, “It is always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in targets occurred before the source code leak, we assess with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in targeting governmental institutions.”
Buhtrap sure has a weird evolution…. from stealing $25M from Russian banks… to carrying out cyber-espionage operations. Is this the bogachev effect? pic.twitter.com/nuQ7ZKPU1Y
— Catalin Cimpanu (@campuscodi) July 11, 2019
ESET researchers were able to claim the Buhtrap’s hand in these attacks because they were able to identify patterns and discovered several similarities in the way attacks were conducted. “Although new tools have been added to their arsenal and updates applied to older ones, the Tactics, Techniques, and Procedures (TTP) used in the different Buhtrap campaigns have not changed dramatically over all these years.”
Buhtrap Use A Windows OS Zero-Day Vulnerability That Could Be Bought On The Dark Web?
It is interesting to note the Buhtrap group used vulnerability within the Windows operating system that was quite fresh. In other words, the group deployed a security flaw that is usually tagged “zero-day”. These flaws are usually unpatched and not easily available. Incidentally, the group has used security vulnerabilities in the Windows OS before. However, they have typically relied on other hacker groups. Moreover, most of the exploits had patches which were issued by Microsoft. It is quite likely that group ran searches looking for unpatched Windows machines to infiltrate.
This is the first known instance wherein Buhtrap operators used an unpatched vulnerability. In other words, the group used true zero-day vulnerability within Windows OS. Since the group obviously lacked the necessary skillset to discover the security flaws, researchers strongly believe the group may have bought the same. Costin Raiu, who heads the Global Research and Analysis Team at Kaspersky, believes the zero-day vulnerability is essentially an “elevation of privilege” flaw sold by an exploit broker known as Volodya. This group has a history selling zero-day exploits to both cybercrime and nation-state groups.
— marc ochsenmeier (@ochsenmeier) July 11, 2019
There are rumors that claim Buhtrap’s pivot to cyber-espionage could have been managed by Russian intelligence. Although unsubstantiated, the theory could be accurate. It might be possible that the Russian intelligence service recruited Buhtrap to spy for them. The pivot could be part of a deal to forgive the group’s past transgressions in lieu of sensitive corporate or government data. Russia’s intelligence department has been believed to have orchestrated such large-scale through third-party hacking groups in the past. Security researchers have claimed that Russia regularly but informally recruits talented individuals to try and penetrate the security of other countries.
Interestingly, back in 2015, Buhtrap was believed to have been involved in cyber-espionage operations against governments. Governments of Eastern Europe and Central Asia countries have routinely claimed that Russian hackers have attempted to penetrate their security on several occasions.