
ESET Research uncovers latest version of Gelsemium: Cyberespionage against government and other targets in Asia

BRATISLAVA, MONTREAL – Since mid-2020, ESET Research has been analyzing multiple campaigns, later attributed to the Gelsemium cyberespionage group, and has tracked down the earliest version of their main malware, Gelsevirine, to 2014. During the investigation, ESET researchers found a new version of Gelsevirine, a backdoor that is both complex and modular. Victims of its campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities. At present, the group has managed to remain mostly under the radar. This research was exclusively previewed at the annual ESET World conference this week.

Gelsemium is very targeted – with only a few victims, according to ESET telemetry – and considering its capabilities, this points to the conclusion that the group is involved in cyberespionage. The group has a vast number of adaptable components. “Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand,” explains ESET researcher Thomas Dupuy, co-author of the Gelsemium research analysis.

Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine.

ESET researchers believe that Gelsemium is behind the supply-chain attack against BigNox that was previously reported as Operation NightScout. This was a supply-chain attack, reported by ESET, that compromised the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range, with over 150 million users worldwide. The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by that supply-chain attack were later being compromised by Gelsemine. Among the different variants examined, “variant 2” from the article shows similarities with Gelsemium malware.

For more technical details about Gelsemium, read the blogpost “Gelsemium: when threat actors go gardening” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.


Five Key Takeaways from the U.S. Executive Order to Bolster Nation’s Cybersecurity

It’s no secret that nation-state attackers are targeting US government agencies and organizations. As seen in the SolarWinds breach and the more recent Colonial Pipeline ransomware attack, cybercriminals are more motivated than ever to harm US government agencies and their infrastructure.

With the United States facing persistent and increasingly sophisticated cyberattacks, President Joe Biden signed an executive order (EO) on May 12 to improve the cybersecurity of the United States. The order seeks to strengthen efforts to detect and respond to attacks and threat actors across the cyber-espionage landscape.

This executive order outlines the Biden administration’s first step in preventing future cyberattacks that could exploit and weaken federal agencies and supply-chain technologies. The order is proof of an increasing effort to modernize the US government’s cybersecurity practices. Some would describe it as a playbook for how federal agencies should respond to security incidents and how to improve the sharing of information about exploited systems after a data breach.

Additionally, this executive order presents the idea that the US government will play a significant role as a purchaser of different cybersecurity solutions and services to ensure its security and provide investment in the private sector.

As the executive order runs to close to 8,000 words, we don’t expect you to have the free time to read it thoroughly. To help, here are the five key takeaways you need to know:

Improving Software Supply Chain Security

One of the most glaring and important takeaways from this executive order is its effort to improve the security of software. To accomplish this, the US government is setting a baseline of security standards for the development of software sold to government agencies. This requires every vendor to provide and maintain more comprehensive visibility into its software and to be held to the security data it makes publicly available.

Through this order, NIST will issue supply-chain security guidance for government bodies. Each agency must comply with the guidance and use it in software procurement contracts. The guidance must cover secure development environments (with proper authentication and encryption), automated tools to validate trusted source-code supply chains, vulnerability checks in those secure environments, and more.

All government agencies must comply with this guidance. If an agency is using any security solution that does not comply, the solution must be removed. With this guidance in place, agencies will be able to quickly determine whether software was developed securely, based on government standards.

Incident Reporting Requirements for IT & OT Security

The executive order strives to reform how information about threats and incidents is shared by removing contractual “barriers.” The federal government works with IT and operational technology (OT) service providers that have proven valuable by providing insight into cyber threat and incident information on federal information systems. Until now, however, there have been major contractual restrictions limiting the sharing of such threat data with the government agencies investigating cyber incidents.

The executive order is designed to surmount this hurdle by requiring government officials to review the current security needs and requirements of IT and OT service providers. This will allow the government to recommend updates guaranteeing that service providers collect and share their incident-reporting data with every agency they work with.

Enhancing Detection of Cybersecurity Vulnerabilities

Another major takeaway from the executive order is the effort to improve the ability to detect malicious activity on federal networks. The United States Office of Management and Budget will publish a set of requirements for federal civilian agencies to deploy cybersecurity solutions that support the detection of possible vulnerabilities.

By enabling detection and response systems, government agencies will gain improved information-sharing capabilities within the federal government. If agencies adopt cybersecurity solutions and practices slowly and inconsistently, cybercriminals will have the opportunity to exploit and expose them. With active cyber threat hunting, remediation best practices and incident response services, agencies will be better equipped to address incoming cyberattacks.

By adopting this new approach to detecting cybersecurity risks, the US government should become a leader in cybersecurity adoption, with strong threat detection and incident response integrated with a concrete intra-governmental data-sharing system.

Modernizing Federal Government Security

Another key takeaway from the executive order is the strong emphasis on modernizing government agencies’ cybersecurity by implementing security best practices. As stated in the order, within 180 days all government agencies are required to adopt multi-factor authentication and encryption “to the maximum extent consistent with federal records laws and other applicable laws.”

Additionally, the executive order is also pushing government bodies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure”. This modernization of agency security comes in the wake of the ongoing efforts by the US government as it grapples with cybersecurity issues.

Establishing a Cybersecurity Safety Review Board

The executive order will establish a Cybersecurity Safety Review Board consisting of government and private-sector leads. The board will be modeled after the National Transportation Board (NTB), which investigates events in the transportation sector. The board will convene in the event of a major cybersecurity event to investigate and analyze how it occurred, report its findings, and advise on security recommendations for improving cybersecurity. It will report to DHS on how the government can improve its response practices. This review process will ensure that lessons learned from each major security event are not forgotten.

Like the private sector, government agencies have recognized a major gap in standards for incident response. The typical organizational response is to handle incident response on its own terms and, too often, to assign a severity based only on the information known at the time of the attack. This leads to incorrect severity ratings, since the severity will most likely change over time as more information about the security event comes out. To improve incident response protocols and the understanding of true severity, the executive order recognizes the importance of establishing a standard incident response “playbook” that will help agencies respond to cyberattacks with a more concrete plan.

Moving Forward

While the executive order is still fresh, we will see how the federal government embarks on the major organizational changes and initiatives needed to accomplish its goals. As cyber threats continue to increase in impact and size, it will be interesting to see how NIST and other agencies define the requirements for federal agencies in the federal supply-chain space.

Here at SCADAfence, we are committed to working closely with our agency customers, as well as the technical partners whose integrations our customers rely on. We will continue to work together to help achieve the goals of the executive order and strengthen OT security posture.


About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

Do you already know what Active Directory is and how to use it with Pandora FMS?

What is Active Directory and how to use it with Pandora FMS?

As you may already know, in this blog, we’re so into answering the big questions. After answering in previous episodes what the meaning of our existence is or explaining everything you need to know about Office 365 Monitoring, in today’s episode we are going to discuss what Active Directory is. I hope you are very comfortable sitting in your respective gamer chairs or in your two-seater sofas, because here we go!

What is Active Directory?

Active Directory is a tool that provides directory services, which brings many benefits in the business sector. Many companies have a large number of employees who each need a connected device to do their work, and that is where Active Directory comes in: with it we can build a network of devices for those users or employees.

How to collect information on user and service monitoring with Active Directory?

We already know that obtaining information is a very important part of monitoring. All these data can be very useful to see the status of something, find a possible problem or simply improve a certain system. Active Directory is a service through which information can be collected while managing everything in a very simple way. We will be able to see what we need from a single computer, which makes the task much easier, since we will not have to act on each of the devices. In this article, we are going to give you the guidelines to configure Active Directory monitoring and be able to use it.

What are the benefits of using Active Directory?

  • It is focused on professional and business use. It allows you to manage everything easily and without having to intervene on each user’s computer, which saves a lot of time.
  • It stores data in real time, including data related to users and their authentication.
  • User authentication. If everything’s OK, the user’s information will reach the computer. This means that if one computer breaks down, you will be able to access it from another after authenticating.
  • Easily manage all servers and applications, ensuring that everything runs at peak performance.
  • Prevention of replication errors. To verify that all replications are being performed optimally, Active Directory monitoring is essential, since it will give you accurate information about them.
  • Obtaining information from remote sites and much more…

And here Pandora FMS comes into play

It is our standard: one of the principles of Pandora FMS is its flexibility. It is highly configurable and, by using plugins, you will be able to do almost anything in terms of monitoring. Making use of Active Directory in Pandora FMS is quite simple. You can use a specific plugin with which to collect different types of data, such as the number of connected or inactive users, to be able to see them from the console. The data you obtain is easily configurable from a simple .txt file, which will be the configuration file. The plugin can be found at the following link: https://pandorafms.com/library/active-directory/ Once downloaded, install it on the console. This short and simple process, which will offer you great advantages, is explained below.

What is needed for the plugin to work?

  1. PowerShell v3.0 or higher.
  2. Active Directory PowerShell module.
  3. Repadmin.

The plugin needs a configuration file, called “adparams.txt”, that is divided into the following blocks:

  • user: choose whether to see the full list of all users or one in particular.
  • unused: a list of users that have not been used for at least two months. 1 to enable it and 0 to disable it.
  • spn: shows the SPN suffixes. 1 to enable and 0 to disable, as in the previous point.
  • upn: shows the UPN suffixes. 1 to enable and 0 to disable.
  • tests: optional block that retrieves the information from the AD diagnostic tests that the dcdiag tool returns. 1 to enable and 0 to disable. Example:

#tests
Tests = 0

Then, to run it:

  1. Run the plugin manually from the PowerShell terminal, calling the executable with the configuration file as its argument: [path_plugin]\active_directory.exe [path_conf]\adparams.txt
  2. It is recommended to save the file in pandora_agent/util.
  3. In the remote configuration of the agent that we have installed, add the following:
  4. When the interval goes by, the modules will be obtained: the Active Directory users, the connectivity, the status of the services and the SPN and UPN suffixes.
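To show how the configuration blocks drive what the plugin reports, here is an added PowerShell example (not the Pandora FMS plugin’s own code) that reads an adparams.txt-style file and emits a subset of the plugin’s modules in the XML format that Pandora FMS software agents accept from agent plugins. It assumes the block-and-switch layout implied by the “#tests / Tests = 0” example, the ActiveDirectory module cmdlets, and the repadmin and dcdiag tools named above.

```powershell
# Added example, not the Pandora FMS plugin's own code. Assumed config format, taken from the
# "#tests / Tests = 0" example: "#name" opens a block and "Name = 1|0" inside it is its switch.
param([string]$ConfPath = "$PSScriptRoot\adparams.txt")
Import-Module ActiveDirectory   # needs a domain controller or RSAT with the AD module

# Parse adparams.txt into @{ block = @{ key = value } }, with block and key names lower-cased.
function Read-AdParams([string]$Path) {
    $conf = @{ global = @{} }; $block = 'global'
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line.StartsWith('#')) {                      # "#unused" opens the block "unused"
            $block = $line.Substring(1).Trim().ToLower(); $conf[$block] = @{}; continue
        }
        $kv = $line -split '=', 2                          # "Unused = 1" -> unused = 1
        if ($kv.Count -eq 2) { $conf[$block][$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    return $conf
}
# A block is enabled when it exists and its own key (e.g. "Tests" under "#tests") is 1.
function Test-BlockEnabled($Conf, [string]$Block) {
    return ($Conf.ContainsKey($Block) -and $Conf[$Block][$Block] -eq '1')
}
# One module in the XML that Pandora FMS software agents accept from agent plugins.
function New-PandoraModule([string]$Name, [string]$Type, $Data) {
    "<module>`n<name><![CDATA[$Name]]></name>`n<type>$Type</type>`n<data><![CDATA[$Data]]></data>`n</module>"
}
$conf   = Read-AdParams -Path $ConfPath
$forest = Get-ADForest
# Forest facts are cheap to read, so they are always reported.
New-PandoraModule 'AD Root Domain'    'generic_data_string' $forest.RootDomain
New-PandoraModule 'AD Forest Domains' 'generic_data_string' ($forest.Domains -join ',')
if (Test-BlockEnabled $conf 'spn') { New-PandoraModule 'AD SPN suffixes' 'generic_data_string' ($forest.SPNSuffixes -join ',') }
if (Test-BlockEnabled $conf 'upn') { New-PandoraModule 'AD UPN suffixes' 'generic_data_string' ($forest.UPNSuffixes -join ',') }

if (Test-BlockEnabled $conf 'user') {
    $users = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate)
    New-PandoraModule 'AD Users' 'generic_data' $users.Count
    if (Test-BlockEnabled $conf 'unused') {
        # Stale enabled accounts are a standing risk: no logon in two months. Accounts that
        # never logged on (null LastLogonDate) are counted as unused too.
        $cutoff = (Get-Date).AddMonths(-2)
        $stale  = @($users | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })
        New-PandoraModule 'Unused AD User' 'generic_data' $stale.Count
    }
}

# Core DC services: generic_proc reports 1 when running, 0 when stopped or missing.
$services = @{ DNS = 'DNS'; DFSR = 'DFS Replication'; Kdc = 'Kerberos Key Distribution Center'
               NTDS = 'Active Directory Domain Services'; Netlogon = 'NetLogon'; IsmServ = 'Intersite Messaging' }
foreach ($svc in $services.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    New-PandoraModule "Service $($services[$svc]) status" 'generic_proc' ([int]($s -and $s.Status -eq 'Running'))
}
# Replication summary via repadmin; a zero exit code means it ran cleanly.
& repadmin /replsummary | Out-Null
New-PandoraModule 'Replication admin' 'generic_proc' ([int]($LASTEXITCODE -eq 0))

# dcdiag tests only when the "#tests" block is enabled; a passing test prints "passed test".
if (Test-BlockEnabled $conf 'tests') {
    foreach ($t in 'Advertising', 'Services', 'SystemLog') {
        $passed = @(dcdiag "/test:$t" | Select-String -SimpleMatch 'passed test').Count -gt 0
        New-PandoraModule "Test $t status" 'generic_proc' ([int]$passed)
    }
}
```

Run it from an agent plugin entry the same way the page runs active_directory.exe, passing the path to adparams.txt; the agent forwards the printed XML modules to the server.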

Execution from the web console

To be able to run it from the console, the plugin is distributed through collections. In Configuration -> Collections, create a collection named “Active Directory plugin” with the short name “Ad_plugin”; in the following image you can see the process.

Go to files after creating the collection :

Click on “Upload Files”:

And upload the plugin executable and the configuration file that we created previously, then return to the previous menu, click “Create a file again” and later “Update”. In the agent where you want to use the plugin, go to the collections section and add it:

Next, go to “Agent plugins” and add the path for the plugin execution. In this case, as it is done by means of collections, the files will be created in the software agent installation path.

The default path would be the one shown in image (2).

Modules generated by the plugin

These will be the modules returned by a standard run.

Monitoring:

  • AD Users
  • Unused AD User
  • AD Schema Master
  • AD Root Domain
  • AD Forest Domains
  • AD Computer DNS Host Name
  • AD Global Catalogs
  • AD SPN suffixes
  • AD UPN suffixes
  • Connectivity
  • Replication admin
  • Service DNS status
  • Service DFS Replication status
  • Service Kerberos Key Distribution Center status
  • Service Active Directory Domain Services status
  • Test Advertising status
  • Test FrsEvent status
  • Test SysVolCheck status
  • Test KccEvent status
  • Test KnowsOfRoleHolders status
  • Test MachineAccount status
  • Test NCSecDesc status
  • Test Netlogons status
  • Test ObjectsReplicated status
  • Test Replication status
  • Test RidManager status
  • Test Services status
  • Test SystemLog status
  • Test VerifyReferences status
  • Service NetLogon status
  • Service Intersite Messaging status

And this is how they would look in the created agent:

And that is everything required to make the plugin work. It was easy, huh? I hope for many things in this life, but above all I hope this article was useful, especially to help you better understand Active Directory and how to use it in such a simple way in Pandora FMS. I will not take any more of your time; indeed, I say goodbye, but not before, of course, encouraging you to read other articles on the blog that may be to your liking and taste.


About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.