In a pioneering cooperative effort, several industry security leaders, including Tenable, have been working on a project led by Novetta Solutions to investigate, report on, and take action against the major threat actor group dubbed “Axiom.” According to Novetta, over the past six years, Axiom’s intelligence-gathering activities have impacted international private organizations primarily in the fields of telecommunications, security, and integrated circuits, and government agencies focusing on aerospace, humanitarian and environmental issues.
The cybersecurity coalition includes companies such as Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, Tenable, ThreatConnect, ThreatTrack Security, and Volexity. The team coordinated months of remediation efforts against the malware and is now sharing detection and removal guidance. To date, the team has removed Axiom malware from over 43,000 customer systems, 180 of which included HiKit, the actor’s data exfiltration tool.
This coalition is the first of its kind to bring industry leaders together in a new paradigm of sharing technical information and taking proactive measures against a major security threat. The coalition collected and made available a very large sample set of Axiom malware. Tenable’s work with the coalition focused on examining the samples for the detection of remote network backdoors.
The Operation SMN: Axiom Threat Actor Group Report details the coalition’s key findings and guidance for the detection and remediation of the malware.
Tenable’s Nessus vulnerability scanner already detects most of the families of malware used by Axiom. Nessus can also help customers detect Axiom attacks with the following plugins:
- Remote detection of the HiKit backdoor client (plugin 78429)
- Remote detection of the Poison Ivy client (plugin 69320)
- Remote detection of the ZXShell client and C&C server (plugin 78430)