LONGLEASH: A New Tool for Network Expansion
A sophisticated threat actor, tracked by cybersecurity researchers as UAT-7810 and believed to be operating out of China, has developed a new piece of malware dubbed LONGLEASH. This malware is specifically designed to compromise internet-facing networking devices, with a current focus on unpatched Ruckus routers. The primary objective of LONGLEASH is to expand the actor's existing Operational Relay Box (ORB) network, a complex infrastructure of compromised devices used for malicious activities.
The ORB network, as described by researchers, functions as a distributed network of compromised devices that the attackers can leverage for various purposes. These purposes can include masking the origin of further attacks, conducting espionage, or facilitating the exfiltration of sensitive data. By continually expanding and maintaining this network, UAT-7810 enhances its operational security and its ability to operate undetected for extended periods.
LONGLEASH represents an evolution in the group's tactics, techniques, and procedures (TTPs). Previous operations by UAT-7810 have been observed utilizing different malware families. The development of LONGLEASH suggests a deliberate effort to create more specialized tools tailored to their current campaign objectives, particularly the large-scale compromise of network infrastructure.
Targeting Network Infrastructure
The choice of targeting internet-facing networking devices is strategic. These devices, often overlooked by organizations in their security hardening efforts, provide a persistent and often powerful foothold into a network. Routers, in particular, sit at the gateway of network traffic, making them ideal pivot points for attackers. By compromising these devices, UAT-7810 gains the ability to monitor, redirect, or block traffic, and to use these devices as launching pads for attacks against other internal systems or external targets.
Ruckus routers appear to be a primary target in this campaign. While the specific vulnerabilities being exploited are not detailed in public reports, the emphasis on unpatched devices indicates that known vulnerabilities are likely being leveraged. This underscores a common theme in cyberattacks: the persistent exploitation of known security flaws that organizations have failed to remediate. The attackers are not necessarily discovering zero-day vulnerabilities but are efficiently exploiting the low-hanging fruit present in the vast number of unpatched devices globally.
The expansion of the ORB network through devices like Ruckus routers provides UAT-7810 with increased bandwidth and a wider geographical distribution for their malicious operations. A larger network of compromised devices makes it more difficult for security professionals to identify and block malicious traffic, as it can be dispersed across numerous IP addresses and geographic locations. This distributed nature also offers resilience; if one compromised device is discovered and removed, the network can continue to function using the remaining nodes.
LONGLEASH Functionality and Evolution
While the specifics of LONGLEASH's internal workings are still under analysis, its purpose is clear: to establish and maintain control over compromised devices for the ORB network. This likely involves capabilities such as establishing persistent backdoors, downloading and executing additional payloads, and potentially using the compromised device to scan for and exploit other vulnerable systems within the same network or on the broader internet.
The development of new malware like LONGLEASH signifies the ongoing innovation within advanced persistent threat (APT) groups. These groups are not static; they continuously adapt their toolkits and methodologies to overcome defenses and achieve their objectives. For UAT-7810, this means refining their approach to network compromise and operational infrastructure management. The malware's name, LONGLEASH, might allude to the control and reach the attackers aim to maintain over the compromised devices, essentially keeping them on a 'long leash' for extended use.
The threat actor's focus on network devices rather than traditional endpoints like servers or workstations suggests a shift in strategic targeting. Compromising network infrastructure offers a more systemic level of control and a broader attack surface. It's less about breaching a single machine and more about gaining control over the arteries of an organization's digital communication.
Implications for Network Security
The emergence of LONGLEASH and its role in expanding the ORB network presents a significant challenge for network security professionals. Organizations using Ruckus routers, particularly those with internet-facing deployments, must prioritize patching these devices immediately. Beyond Ruckus, this incident serves as a stark reminder that any internet-connected networking equipment is a potential target. A comprehensive inventory of all network devices, coupled with a rigorous patch management program, is essential.
Furthermore, network segmentation and traffic monitoring become even more critical. By segmenting networks, organizations can limit the lateral movement of attackers even if a perimeter device is compromised. Robust monitoring can help detect anomalous traffic patterns originating from or passing through network devices, which might indicate compromise or exploitation attempts.
The sustained effort by UAT-7810 to build and maintain its ORB network highlights the persistent nature of nation-state-backed cyber operations. These groups are well-resourced and patient, constantly seeking new avenues to establish persistent access and conduct their operations. The LONGLEASH malware is another tool in their evolving arsenal, underscoring the need for continuous vigilance and proactive security measures across all layers of network infrastructure.
The Unanswered Question of Scope
What remains unclear is the full extent of the ORB network's current size and its global distribution. While the focus on Ruckus routers is noted, it is plausible that UAT-7810 targets other brands and types of networking equipment. The potential for this malware to be adapted for other devices means that the threat landscape could be far wider than currently understood, impacting organizations that may not even be aware they are running vulnerable equipment.
