On Wednesday Microsoft released a report on a Private Sector Offensive Actor (PSOA) using Windows and Adobe 0-day attacks. PSOAs are companies that offer surveillance and intrusion, usually to governments or business interests, as a form of espionage-as-a-service. Microsoft calls this latest group KNOTWEED, and has identified them as an Austria-based company called DSIRF. Most notably, KNOTWEED has been deploying a malware toolkit called Subzero, which operates via an attack chain involving Adobe Remote Code Execution (RCE) exploits and the recently patched Windows privilege escalation exploit CVE-2022-22047. This is very similar to previous attack chains that have been leveraged to deploy Subzero in 2021, which included a malicious DLL signed with DSIRF’s code-signing certificate.
The use of 0-day exploits may prove challenging for detection, but once an attacker has achieved the initial intrusion, their Tactics, Techniques, and Procedures (TTPs) are often much easier to detect. For example, KNOTWEED’s TTPs post-compromise included making changes to the registry to enable plaintext passwords, using Curl to download tools, and running PowerShell scripts directly from GitHub. Companies can therefore detect similar techniques by monitoring the use of the reg and curl commands and PowerShell making remote network connections. In general, establishing a baseline of normal process and command line behavior can be extremely beneficial for identifying unusual activity that requires investigation.
Companies should also ensure that they are deploying updates as soon as possible in their environments, following proper change control procedures. This will minimize the amount of time corporate systems are exposed to 0-day exploits. Companies should also implement Multi-Factor Authentication (MFA), which will help protect against password-stealing attempts and be careful to close legacy or backup avenues of access that do not require MFA.