The National Computer Emergency Team (NCERT) issued an advisory regarding a cybercrime campaign targeting high-profile offices and government organizations. The campaign, believed to be linked to the Sidewinder APT group, uses phishing tactics to infiltrate systems and steal sensitive data.
How the Hacker Group Works
According to the NCERT, the campaign employs various tactics and techniques, including spear phishing links via clickable URLs in phishing PDF documents. Exploitation techniques for client execution are used through compromised client applications. Defense evasion strategies include masquerading, hiding artifacts, and creating files inside user directories to conceal malicious activity. Credential access is achieved through OS credential dumping and stealing web session cookies.
The campaign also involves gathering system and software information through registry queries and system information discovery. Sensitive data is acquired by searching for files of interest on local systems. For command and control, application layer protocols and encrypted channels are utilized. The impact disrupts system availability and network resources through data destruction.
What to Do?
The advisory recommends several actions to mitigate the risks posed by this cyber campaign. According to the NCERT, government organizations, and offices should deploy advanced email filtering solutions to detect and quarantine suspicious attachments and URLs. Email authentication mechanisms like SPF, DKIM, and DMARC should be utilized to verify the authenticity of incoming emails and prevent domain spoofing.
Document security policies should restrict the execution of macros and scripts within office documents to mitigate the risk of malware embedded within attachments. Sandboxing and static analysis tools should be used to analyze suspicious documents in a controlled environment, identifying and mitigating potential malware threats before they reach end-users. The advisory asks to implement PDF security features such as digital signatures and document encryption to prevent unauthorized tampering and modification.
The NCERT also recommends deploying endpoint detection and response (EDR) solutions to detect and block malicious activities at the endpoint level, including file-less malware execution and credential theft attempts. According to the advisory, application control measures should be implemented to restrict the execution of untrusted binaries and scripts on endpoints, reducing the attack surface for adversaries.
Integrating threat intelligence feeds into security monitoring systems can proactively identify indicators of compromise associated with known APT groups and emerging cyber threats. Leveraging threat intelligence platforms to correlate IOCs with historical attack data can help identify patterns indicative of ongoing or impending cyber campaigns.
NCERT has urged government organizations, ministries, and divisions to remain vigilant and take necessary security measures to protect against cyber threats.
