This week we interviewed Bradford Regeski, a Cyber Threat Intelligence analyst at H-ISAC, about the top threats the healthcare industry is seeing. He shared a number of excellent resources on threat actors, told us a little more about H-ISAC, and dove deeper into Deep Panda. As usual, we took this Cyber Threat Intelligence about Deep Panda to create an adversary emulation plan, this time targeting Linux systems, showed you how to emulate the adversary, and discussed defending against threat actors targeting the healthcare industry. As a reminder, SCYTHE has an open offer for healthcare organizations to use our platform, for free, until the end of the year. It is our way of giving back to a community we have all relied on this year.
Cyber Threat Intelligence
This week we learned about H-ISAC and received some great Cyber Threat Intelligence based on their primary focus: sharing timely, actionable, and relevant information with each other including intelligence on threats, incidents and vulnerabilities.
Brad referenced an excellent resource from the Health Sector CyberSecurity Coordination Center (HC3) that is TLP:White, meaning we can share it publicly. Within this document we can obtain more information about Deep Panda, which, like Orangeworm, has a number of TTPs attributed to its behavior as well as several malware families:
This week, we will focus on emulating malware in Linux and have chosen Derusbi to be the example. Here is the Threat Profile for Deep Panda using Derusbi:
Adversary Emulation Plan
This is the first #ThreatThursday where we emulate Linux malware, so let’s walk through the steps. Creating a Linux campaign is very similar to the Windows campaigns we have done:
- Select New Campaign under the Campaign Manager dropdown menu on the left.
- Give the campaign a name.
- Select Linux as the Target operating system.
- Add a start date and end date (optional).
- Select the communication module. In this case, we will use HTTPS.
- Select the parameters or upload a profile.
- Click Next.
On the Automate Campaign screen we will import our existing threat that was created by our Sales Engineer, Sean Sun:
- Click Existing Threats under the Compound Actions menu.
- Select an existing threat, in this case Derusbi.
- Click Add Steps.
Deep Panda, like Sandworm, lives off the land, which means you will be able to execute most of these commands manually from a console without the SCYTHE automation. However, SCYTHE does have the uploader and downloader module, which allows you to move files to and from the Virtual File System. This is very convenient for an operator. All the steps can be extracted from the JSON file hosted in our community threats repository.
Defend against Deep Panda
Like many other malware families, defense against Deep Panda should first be centered on detection of unexpected behaviors. As demonstrated above, Deep Panda uses its access to create files; this is an important early touchpoint at which a defender can be alerted if files are created in an unexpected manner on a Linux system (an unexpected location, writer process, or file type). Monitoring for unexpected file system changes, or package installation, is even more critical on systems with no standardized Antivirus or EDR deployment, which is often the case for Linux endpoints. Finally, it is worth reiterating that a robust permissions model, including implementing and tuning tools such as SELinux, can be critical in protecting vital Linux-based infrastructure.
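To make the file-creation touchpoint concrete, here is an added example (not part of the original post or the SCYTHE platform) that correlates Linux auditd SYSCALL and PATH records by event serial and flags file creations in a handful of watched directories. The audit rules, the watched directories, the expected-writer allowlist, and the sample audit lines are all assumptions constructed for this example; package-manager writes are reported at "info" severity so that a reviewer can confirm a change was scheduled, while writes by any other process to sensitive directories, or hidden/executable drops in /tmp, are raised as alerts.

```python
"""Flag unexpected file creation on Linux from auditd records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed auditd rules that would produce the records below (example, not from the post):
#   -w /tmp -p w -k tt_file_create
#   -w /usr/local/bin -p w -k tt_file_create
#   -w /etc/cron.d -p w -k tt_file_create
WATCHED_DIRS = ("/tmp", "/usr/local/bin", "/etc/cron.d")
PACKAGE_MANAGERS = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt-get"}
# Processes expected to write into each directory (assumption for this example).
EXPECTED_WRITERS = {
    "/usr/local/bin": PACKAGE_MANAGERS | {"/usr/bin/make"},
    "/etc/cron.d": PACKAGE_MANAGERS,
}

# Constructed sample audit lines (not real telemetry); layout follows auditd's key=value format.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1605100000.101:201): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 comm="dpkg" exe="/usr/bin/dpkg" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.101:201): item=1 name="/etc/cron.d/apt-compat" mode=0100644 ouid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1605100000.102:202): arch=c000003e syscall=257 success=yes exit=4 uid=1001 auid=1001 comm="bash" exe="/bin/bash" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.102:202): item=1 name="/tmp/.x" mode=0100644 ouid=1001 nametype=CREATE',
    'type=SYSCALL msg=audit(1605100000.103:203): arch=c000003e syscall=257 success=yes exit=5 uid=0 auid=1001 comm="wget" exe="/usr/bin/wget" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.103:203): item=1 name="/usr/local/bin/updater" mode=0100755 ouid=0 nametype=CREATE',
    'type=SYSCALL msg=audit(1605100000.104:204): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="make" exe="/usr/bin/make" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.104:204): item=1 name="/usr/local/bin/myapp" mode=0100755 ouid=1000 nametype=CREATE',
    'type=SYSCALL msg=audit(1605100000.105:205): arch=c000003e syscall=257 success=no exit=-13 uid=1001 auid=1001 comm="curl" exe="/usr/bin/curl" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.105:205): item=1 name="/etc/cron.d/job" mode=0100644 ouid=1001 nametype=CREATE',
    'type=SYSCALL msg=audit(1605100000.106:206): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="vim" exe="/usr/bin/vim" key="tt_file_create"',
    'type=PATH msg=audit(1605100000.106:206): item=1 name="/tmp/notes.txt" mode=0100644 ouid=1000 nametype=CREATE',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")


@dataclass
class Finding:
    serial: int
    severity: str  # "info" or "alert"
    path: str
    exe: str
    uid: str
    reason: str


def parse_record(line):
    """Turn one audit record into a dict of fields plus its event serial."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_serial"] = int(m.group("serial"))
    return fields


def group_events(lines):
    """Correlate SYSCALL and CREATE-type PATH records that share an event serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH" and rec.get("nametype") == "CREATE":
            ev["paths"].append(rec)
    return events


def watched_dir_for(path):
    return next((d for d in WATCHED_DIRS if path.startswith(d + "/")), None)


def evaluate(events):
    """Apply the allowlist policy to every successful file creation in a watched directory."""
    findings = []
    for serial, ev in sorted(events.items()):
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue  # denied or incomplete events did not create a file
        exe, uid = sc.get("exe", "?"), sc.get("uid", "?")
        for p in ev["paths"]:
            path = p["name"]
            d = watched_dir_for(path)
            if d is None:
                continue
            mode = int(p.get("mode", "0"), 8)
            hidden = path.rsplit("/", 1)[-1].startswith(".")
            if exe in PACKAGE_MANAGERS:
                findings.append(Finding(serial, "info", path, exe, uid, "package manager wrote a file; confirm the change was scheduled"))
            elif d == "/tmp":
                if hidden or mode & 0o111:
                    findings.append(Finding(serial, "alert", path, exe, uid, "hidden or executable file dropped in /tmp"))
            elif exe not in EXPECTED_WRITERS[d]:
                findings.append(Finding(serial, "alert", path, exe, uid, f"unexpected writer to {d}"))
    return findings


def analyze(lines):
    return evaluate(group_events(lines))


def analyze_sample():
    return analyze(SAMPLE_AUDIT_LINES)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"[{f.severity}] event {f.serial}: {f.exe} (uid {f.uid}) created {f.path}: {f.reason}")
```

On the constructed input this reports the dpkg write to /etc/cron.d as informational, alerts on the hidden file in /tmp and on wget writing into /usr/local/bin, and stays quiet on the make-built binary, the ordinary /tmp text file, and the denied cron.d write. The same SYSCALL/PATH correlation is what any auditd-based pipeline (ausearch, auditbeat, a SIEM parser) has to do before a per-directory policy can be applied; the policy itself should be tuned to the host's actual build and deployment tooling.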
This week we learned about H-ISAC and the work they are doing to collaborate with the Healthcare sector. We want to thank Brad for spending some time with us and talking about Deep Panda. We consumed Cyber Threat Intelligence from various sources and created a Linux variant of Derusbi. We learned how to create and run a Linux campaign, as well as some manual commands that can be executed if you do not have SCYTHE yet. Lastly, we covered how to defend against Linux malware. We hope you enjoyed our #ThreatThursday, and thanks again to Brad for coming on the show.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email firstname.lastname@example.org, visit https://scythe.io, or follow on Twitter @scythe_io.
H-ISAC is a trusted global community of critical infrastructure owners and operators within the Healthcare and Public Health sector (HPH). The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, incidents and vulnerabilities. Shared data can include indicators of compromise, tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur via machine to machine or human to human. H-ISAC also fosters the building of relationships and networking through a number of educational events in order to facilitate trust. Working groups and committees focus on topics and activities of importance to the sector. Shared Services offer enhanced services to leverage the H-ISAC community for the benefit of all.