SandCat: The previously identified Uzbekistan hacking group named SandCat is being exposed by Kaspersky. According to Kaspersky, they have been tracking the group since their discovery in 2018 and due to bad operational security by the group, Kaspersky has been able to receive samples of malware before the group fully developed it, leading them to multiple zero-day vulnerabilities purchased by SandCat from third-parties. SandCat downloaded Kaspersky anti-virus software onto the development machines they were using for malware, allowing Kaspersky to collect samples that triggered their anti-virus before it was fully developed. They were also able to embed a screenshot of the developers’ machines in a test file, exposing the attack platform as it was in development. These faults by SandCat inadvertently supplied researchers with four different zero-days. Furthermore, these mistakes by SandCat also affected Saudi Arabian hacking groups as well as those in the UAE. When zero-days or malware are purchased from third party vendors, there are two options–either a premium price is paid for exclusive rights to that zero-day, or for a lower price, the group can have access to it, but it is not exclusive to the particular attacker. Since both groups purchased the same zero-days, once one group exposed it, it became less valuable for all of the buyers because patches can be issued by the affected vendor and then customers can patch their systems to remediate the vulnerability. Kaspersky plans on unveiling their findings at the Virus Bulletin conference in London.
Analyst Notes
This group has been around for some time, yet the group has predominately flown under the radar. With Kaspersky revealing their findings today and calling out the bad operational security of SandCat, it is likely the group will change tactics. We will likely see the group stop testing their malware in development on machines running an antivirus. It is important to quickly evaluate, test and apply appropriate patches to software to remediate known vulnerabilities. Customers of Anti-Virus products should also be aware that the Anti-Virus (AV) vendor necessarily has access to any files flagged as malicious on any system that AV software is installed on. Therefore, it is important to install AV products only from well-known and trustworthy vendors.
