Severity
High
Analysis Summary
Cybersecurity researchers have recently uncovered a SideWinder campaign by identifying 37 new domains used by the advanced persistent threat (APT) group.
“Threat Actors often leverage domain-based infrastructure to host and facilitate malicious operations,” reads the report. “When actors deploy these new domains, they often leave patterns that can be used to signature the infrastructure and link it to past known activity.”
The SideWinder APT is a skilled cyber espionage group active since at least 2012. The group is thought to be based in India and has targeted government bodies, military organizations, and financial institutions in South Asia and the Middle East. It is known for executing its attacks with a variety of intricate strategies and tactics, including social engineering, spear-phishing, and zero-day exploits to infiltrate target networks.
Government agencies and Pakistan are recurrent themes across the discovered domains, and references to updates, servers, downloads, and services point to a recurring IT-support theme. The domains also share similar registration dates, naming conventions, and IP infrastructure, which links them to one another.
Several 2023 reports on SideWinder activity helped link the discovered domains to the group: SideWinder mainly targets the South Asian countries bordering India, impersonates government and military entities, and gains initial access through weaponized documents with government themes.
SideWinder has previously exploited a remote template injection flaw tracked as CVE-2017-0199 to download a remote file containing hidden JavaScript code. The report also shows another SideWinder document with Pakistani-government motifs and a polished overall appearance. The researchers found similar documents being downloaded from the domains they discovered in the analysis.
Across the remaining domains, the researchers could not find further weaponized documents using CVE-2017-0199. They did, however, observe a change in delivery: PDFs linking to password-protected .zip files. This signals a shift in specific techniques while the general strategy of using documents as weapons remains.
Organizations should be on the lookout for SideWinder APT group attacks and take preventative action to safeguard their networks due to the group's extensive history of successful attacks and sophisticated tactics. This includes putting strong cybersecurity safeguards in place, carrying out routine security audits, and giving staff members continual training to assist them in recognizing and avoiding phishing and social engineering scams.
Impact
- Cyber Espionage
- Unauthorized Access
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- nitb-update-services.top
- services-pk-users.top
- mofa-services-server.top
- goverment-pk-update.top
- documents-server-pk.top
- cabinet-download-server.top
- cnsa-gov.com
- dgps-govpk.co
- dgps-govpk.com
- ep-gov-pk.christmas
- ep-gov-pk.icu
- gov-govpk.info
- govt-pk.com
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
- Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
- Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
- Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
- Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
- Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before attackers exploit them.
- Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the SideWinder APT group and other threat actors.
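The IOC search recommended above, and the naming pattern the analysis describes (government or Pakistan references combined with IT-support words such as update, server, services and download), can both be applied to DNS query logs. The Python script below is an added example, not code from the advisory or the researchers: it matches queried names against the advisory's domain list, including subdomains of those domains, and separately flags names whose second-level label mixes a theme token with a support token. The token sets, the log line format and the sample log lines are constructed assumptions; the heuristic produces candidates for analyst review, not blocking decisions.

```python
import re
from typing import Dict, List

# Domains copied from the advisory's indicator list.
IOC_DOMAINS = {
    "nitb-update-services.top",
    "services-pk-users.top",
    "mofa-services-server.top",
    "goverment-pk-update.top",
    "documents-server-pk.top",
    "cabinet-download-server.top",
    "cnsa-gov.com",
    "dgps-govpk.co",
    "dgps-govpk.com",
    "ep-gov-pk.christmas",
    "ep-gov-pk.icu",
    "gov-govpk.info",
    "govt-pk.com",
}

# Token sets are an assumption derived from the advisory's description of the
# naming convention; tune them before use. They only flag review candidates.
THEME_TOKENS = {"gov", "govt", "govpk", "goverment", "pk", "mofa",
                "cabinet", "nitb", "dgps"}
SUPPORT_TOKENS = {"update", "updates", "server", "services", "service",
                  "download", "downloads", "documents"}

# Constructed log format, one query per line: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def registrable(hostname: str) -> str:
    """Last two labels of a hostname (simplified: no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(hostname: str) -> str:
    """'ioc' for an exact or subdomain match on the IOC list, 'suspicious' when
    the second-level label mixes a theme token with a support token, else 'clean'."""
    base = registrable(hostname)
    if base in IOC_DOMAINS:
        return "ioc"
    tokens = set(base.split(".")[0].split("-"))
    if tokens & THEME_TOKENS and tokens & SUPPORT_TOKENS:
        return "suspicious"
    return "clean"


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose queried name is not clean.
    Lines that do not match the expected format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict != "clean":
            findings.append({"ts": m["ts"], "client": m["client"],
                             "qname": m["qname"], "verdict": verdict})
    return findings


# Constructed sample DNS log (fictional clients, timestamps and lookalike name).
SAMPLE_LOG = [
    "2024-05-28T09:12:01Z 10.0.4.17 query updates.goverment-pk-update.top",
    "2024-05-28T09:12:03Z 10.0.4.17 query www.example.com",
    "2024-05-28T09:13:10Z 10.0.5.22 query mail-pk-services-update.top",
    "2024-05-28T09:14:00Z 10.0.5.22 query gov.uk",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_LOG):
        print(f"{f['verdict']:<10} {f['client']:<12} {f['qname']}  ({f['ts']})")
```

The two-label registrable-domain shortcut is deliberate for brevity; on real logs use a public suffix list so that names under multi-label suffixes are split correctly, and pair an "ioc" hit with the client IP to start host triage rather than relying on the DNS record alone.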