- CyberSpy -

Last update 09.10.2017 12:36:27


Recently discovered RANCOR cyber espionage group behind attacks in South East Asia
27.6.2018 securityaffairs CyberSpy

Security researchers at Palo Alto Networks have uncovered a new cyber espionage group tracked as RANCOR that has been targeting entities in South East Asia.
According to the experts, the RANCOR APT group has been targeting political entities in Singapore, Cambodia, and Thailand, and likely in other countries, using two previously unknown strains of malware, tracked as DDKONG and PLAINTEE.

The hackers leverage spear phishing messages using weaponized documents containing details taken from public news articles on political news and events. These decoy documents are hosted on legitimate websites, such as the website of the Cambodia Government, and Facebook.

“Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan.” reads the analysis published by Palo Alto Networks.

“Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.”

The recent campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked APT group tracked as DragonOK, an actor whose toolset has included malware families such as NetTraveler (TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT.

The KHRAT RAT provides attackers with the typical set of RAT features, including remote access to the victim system, keylogging, and remote shell access.

One of the IP addresses that the domains associated with the KHRAT backdoor resolved to led the researchers to websites mimicking popular technology companies (e.g. facebook-apps[.]com). The experts linked two samples to that domain, a loader and PLAINTEE; in total they were able to analyze only six samples, associated with two separate infrastructure clusters.


Palo Alto researchers discovered that both clusters were involved in the campaigns that targeted organizations in South East Asia.

Experts found at least one attack against a company that leveraged a Microsoft Office Excel document with an embedded macro to execute the malware. The malicious code itself was not kept in the macro but in a metadata (EXIF) property of the document, from which the macro read it back at runtime. The Russia-linked APT group Sofacy used the same technique last year.
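
The metadata trick described above is easy to check for on the defender's side. The following Python is an added example written for this page, not Unit 42's code or a RANCOR sample: it opens an OOXML package, reads every property in docProps/core.xml and docProps/app.xml, and flags values that are too long, Base64-like or high-entropy to be a real title or comment. The sample workbook and the stashed Base64 string are constructed here for the demonstration.

```python
import base64
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

# docProps parts of an OOXML package (.docx/.xlsx/.pptx) that hold document properties.
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")
# A long run of Base64 alphabet characters inside a property value is unusual for real metadata.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def shannon_entropy(text):
    """Bits per character; prose sits near 4, encoded or packed data climbs above 5."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def metadata_fields(ooxml_bytes):
    """Yield (part, property name, value) for every text-bearing element in docProps."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as package:
        for part in METADATA_PARTS:
            if part not in package.namelist():
                continue
            root = ET.fromstring(package.read(part))
            for elem in root.iter():
                if elem.text and elem.text.strip():
                    yield part, elem.tag.split("}")[-1], elem.text.strip()


def scan_metadata(ooxml_bytes, max_len=256):
    """Flag properties that look like stashed code or data rather than descriptive metadata.

    A value is reported when it is longer than any sane title/author/comment, contains a
    Base64-like run, or has high entropy; each finding records why it was flagged."""
    findings = []
    for part, name, value in metadata_fields(ooxml_bytes):
        reasons = []
        if len(value) > max_len:
            reasons.append("length %d" % len(value))
        if BASE64_RUN.search(value):
            reasons.append("base64-like run")
        entropy = shannon_entropy(value)
        if entropy > 5.0:
            reasons.append("entropy %.2f" % entropy)
        if reasons:
            findings.append({"part": part, "field": name, "reasons": reasons, "sample": value[:60]})
    return findings


def build_sample_workbook(comments_value):
    """Constructed test input: a minimal OOXML package whose Comments property
    (dc:description) carries the given string. Not a real RANCOR document."""
    core = (
        '<cp:coreProperties '
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        '<dc:title>Regional election briefing</dc:title>'
        '<dc:creator>analyst</dc:creator>'
        '<dc:description>' + comments_value + '</dc:description>'
        '</cp:coreProperties>'
    )
    app = (
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
        '<Application>Microsoft Excel</Application><Company>Example Org</Company></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("docProps/core.xml", core)
        package.writestr("docProps/app.xml", app)
    return buf.getvalue()


# Stand-in for a stashed payload: Base64 of a harmless hypothetical command, repeated to
# reach a realistic size. A real sample would hold the macro's second-stage code here.
STASHED_PAYLOAD = base64.b64encode(b"hypothetical stage two: cmd /c echo test\n" * 6).decode()

if __name__ == "__main__":
    for finding in scan_metadata(build_sample_workbook(STASHED_PAYLOAD)):
        print(finding["part"], finding["field"], finding["reasons"])
    print(scan_metadata(build_sample_workbook("Quarterly figures, draft 2")))
```

Real documents hide the payload in whichever property the macro reads back (Comments and Company are typical), so scanning all of docProps rather than one named field keeps the check independent of that choice. Legacy binary .doc/.xls files store their properties in OLE streams instead and need a different parser.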

Researchers uncovered another attack leveraging an HTML Application file (.hta), and a series of attacks that used DLL loaders.

“We identified three unique DLL loaders during this analysis. The loaders are extremely simple with a single exported function and are responsible for executing a single command.” continues the analysis.

DDKONG was first detected in February 2017 and has also been used by other attackers in the wild, whereas PLAINTEE appears to be used exclusively by the RANCOR group.

An interesting feature of the PLAINTEE malware is its use of a custom UDP protocol for network communications.

“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families.” Palo Alto concludes. “These families made use of custom network communication to load and execute various plugins hosted by the attackers,”

RANCOR Cyber Espionage Group Uncovered
26.6.2018 securityweek  CyberSpy

A cyber espionage group that has remained undetected until recently, has been targeting South East Asia with two previously unknown malware families, according to Palo Alto Networks.

The group, referred to as RANCOR, has been targeting political entities in Singapore, Cambodia, and Thailand, but might have hit targets in other countries as well. The group mainly uses two malware families, DDKONG and PLAINTEE, the latter apparently being a new addition to its arsenal.

According to Palo Alto's researchers, the attacks likely begin with spear phishing emails and use decoy documents containing details taken from public news articles on political news and events. These documents are hosted on legitimate websites, including a website belonging to the Cambodia Government, and Facebook.

The newly discovered campaign appears related to the KHRAT Trojan, a backdoor associated with the China-linked cyber espionage group known as DragonOK.

One of the IPs the KHRAT associated domains started resolving to in February 2018 led the researchers to websites mimicking popular technology companies, including one named facebook-apps[.]com. The researchers connected two malware samples to the domain, namely a loader and PLAINTEE.

Only six samples of the malware were found, and the researchers managed to link them to two infrastructure clusters that do not appear to overlap. Both clusters, however, were involved in attacks targeting organizations in South East Asia, and the malware was observed using the same file paths in each cluster.

At least one of the attacks used a Microsoft Office Excel document with an embedded macro to launch the payload. The main malicious code was embedded in an EXIF metadata property of the document. In another attack, an HTML Application file (.hta) was used, while other attacks used DLL loaders.

One of the DLLs downloaded a decoy from a government website that was previously used in a KHRAT attack and two DLLs (out of three) were found hosted on this same compromised website (the domain was likely hacked again in early 2018).

First observed in February 2017, the DDKONG malware might be used by multiple threat actors.

First observed in October 2017, PLAINTEE appears to be exclusively used by the RANCOR attackers. The malware uses a custom UDP protocol for its network communications, can add persistence on the victim machine, ensures only a single instance is running, and then starts collecting general system information.

The malware also beacons to the command and control (C&C) server and attempts to decode a configuration blob. After the server responds, the malware spawns several new threads to load and execute a new plugin that is to be received from the C&C in the form of a DLL with an export function of either ‘shell’ or ‘file’.

The researchers believe the attackers were sending commands to the malware manually, because of the long delays between consecutive commands (automated tooling would issue them far faster).
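
The custom UDP protocol and the regular beaconing are what a network hunter can look for without knowing PLAINTEE's message format. The Python below is an added example, not Palo Alto's code and not based on captured PLAINTEE traffic: it groups UDP flow records by talker pair, measures how regular the inter-arrival times are, and reports pairs that beacon with low jitter on a port that is not periodic by nature. The flow records are constructed inline; the record layout and the thresholds are assumptions to be tuned to your own sensor.

```python
from collections import defaultdict
from statistics import mean, pstdev

# UDP ports whose traffic is legitimately periodic (DNS, DHCP, NTP, NetBIOS, SNMP, IKE); skipped.
EXPECTED_PERIODIC_PORTS = {53, 67, 68, 123, 137, 138, 161, 162, 500, 4500}

BASE = 1_700_000_000  # constructed epoch origin for the sample records


def _records(src, dst, dport, proto, offsets):
    return [(src, dst, dport, proto, BASE + o) for o in offsets]


# Constructed flow records (src, dst, dport, proto, start time): not real PLAINTEE traffic.
# 10.0.0.5 talks to one external host on a high UDP port about once a minute with little jitter;
# the remaining records are irregular DNS, a bursty application flow and some TCP noise.
SAMPLE_FLOWS = (
    _records("10.0.0.5", "203.0.113.7", 40000, "udp",
             [60 * i + j for i, j in enumerate([0, 1, -1, 2, 0, 1, -2, 0, 1, 0, -1, 1])])
    + _records("10.0.0.5", "10.0.0.53", 53, "udp", [5, 17, 130, 131, 400, 900, 905, 1500])
    + _records("10.0.0.9", "198.51.100.4", 5000, "udp", [10, 25, 400, 401, 402, 1000, 1700])
    + _records("10.0.0.9", "198.51.100.4", 443, "tcp", [3, 63, 123, 183, 243, 303])
)


def find_udp_beacons(flows, min_events=6, max_cv=0.15):
    """Return the (src, dst, dport) pairs whose UDP flows recur at a near-constant interval.

    For each pair the inter-arrival gaps are computed and their coefficient of variation
    (stdev / mean) is used as the jitter measure: machine-driven beacons have a low CV,
    human-driven traffic does not. Ports that are periodic by nature are skipped."""
    by_pair = defaultdict(list)
    for src, dst, dport, proto, ts in flows:
        if proto.lower() == "udp" and dport not in EXPECTED_PERIODIC_PORTS:
            by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                            "period_s": round(period, 1), "jitter_cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_udp_beacons(SAMPLE_FLOWS):
        print(beacon)
```

On real data the records would come from Zeek conn logs or NetFlow; a beacon whose period is a clean multiple of a minute and whose jitter is small is worth correlating with the process that opened the socket, and a previously quiet pair that suddenly shows a burst of traffic is where the operator's manual commands, noted above, would be visible.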

“The RANCOR campaign represents a continued trend of targeted attacks against entities within the South East Asia region. In a number of instances, politically motivated lures were used to entice victims into opening and subsequently loading previously undocumented malware families. These families made use of custom network communication to load and execute various plugins hosted by the attackers,” Palo Alto concludes.

FireEye Denies Hacking Back Against Chinese Cyberspies
26.6.2018 securityweek  CyberSpy

In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.

Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.

In his book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” Sanger describes how he was allowed to watch Mandiant hack into the hackers’ systems. An excerpt of Sanger’s book shared on Twitter by Thomas Rid, a Professor of Strategic Studies at Johns Hopkins University, reads:

“Ever resourceful, Mandia’s staff of former intelligence officers and cyber experts tried a different method of proving their case. They might not be able to track the IP addresses to the Datong Road high-rise itself, but they could actually look inside the room where the hacks originated. As soon as they detected Chinese hackers breaking into the private networks of some of their clients – mostly Fortune 500 companies – Mandia's investigators reached back through the network to activate the cameras on the hackers' own laptops. They could see their keystrokes while actually watching them at their desks.

The hackers, just about all of them male and most in their mid twenties, carried on like a lot of young guys around the world. They showed up at work about eight-thirty a.m. Shanghai time, checked a few sports scores, emailed their girlfriends, and occasionally watched porn. Then, when the clock struck nine, they started methodically breaking into computer systems around the world, banging on the keyboards until a lunch break gave them a moment to go back to the scores, the girlfriends, and the porn.

One day I sat next to some of Mandia's team, watching the Unit 61398 hacking corps at work; it was a remarkable sight. My previous mental image of PLA officers was a bunch of stiff old generals sitting around in uniforms with epaulets, reminiscing about the glory days with Mao. But these guys were wearing leather jackets or just undershirts [...].”

In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”

FireEye says it does not hack back

“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”

“Hacking back,” the term used to describe a cyberattack victim, or someone hired by the victim, hacking into the systems of the attacker, is a controversial practice and only a few cybersecurity firms have admitted doing it.

FireEye claims that what Sanger described as hacking back were actually video recordings of the attackers interacting with their malware command and control (C&C) servers. The firm has published one of the videos it presumably showed the reporter.

“To someone observing this video ‘over the shoulder’ of one of our investigators, it could appear as live system monitoring. Nevertheless, Mandiant did not create these videos through ‘hacking back’ or any hacking activity. All of these videos were made through information obtained via consensual security monitoring on behalf of victim companies that were compromised,” FireEye explained.

While some industry professionals have accepted FireEye’s explanation of how it obtained data on the hackers’ personal online activities, Sanger’s claim that he saw APT1 members wearing leather jackets raises a lot of questions. FireEye has not specifically addressed this issue in its statement, but SecurityWeek is trying to obtain some clarification from the company. In the meantime, experts have offered more or less plausible explanations of how the reporter may have seen what he believed were the hackers.

Experts discuss FireEye hack back claims

Richard Bejtlich, who worked for Mandiant and then FireEye between 2011 and 2017, including as Chief Security Strategist, has corroborated FireEye’s statement.

“At no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems,” Bejtlich wrote in a blog post. “During my six year tenure, we were publicly and privately a ‘no hack back’ company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.”

New Campaign Possibly Linked to MuddyWater
16.6.2018 securityweek CyberSpy

A newly discovered attack relying on malicious Word documents and PowerShell scripts appears related to the MuddyWater cyber-espionage campaign, Trend Micro reports.

First observed in 2017, the MuddyWater campaign was targeting the Saudi government with PowerShell scripts deployed via Microsoft Office Word macros. A similar espionage campaign observed in March 2018 was targeting organizations in Turkey, Pakistan and Tajikistan.

The attacks, which are rather difficult to attribute, were previously associated with the FIN7 hacking group, but artifacts observed in multiple assaults were also linked to a single framework last year.

Discovered last month, the new campaign bears the hallmarks of MuddyWater and attempts to distribute a backdoor through Word documents that execute PowerShell scripts, Trend Micro says. Unlike previous attacks, however, the samples don’t attempt to download the scripts, but have them encoded in the document itself.

The campaign, however, does have characteristics that appear to connect it to the MuddyWater attacks, such as the use of malicious documents with embedded macros, and the obfuscation method used for the macro scripts.

A lure document claiming to be a reward or a promotion was used as part of the new attack, instead of the previously seen documents dealing with government or telecommunications-related issues. Because of this change, Trend Micro suggests that the attacks would no longer be limited to specific industries or organizations.

Once the intended victim opens the document, they are enticed into enabling the macro to view its full content. The macro uses the Document_Open() event to execute a malicious routine. Two PowerShell scripts are executed, with the second being designed to drop various components on the compromised machine.
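
The macro chain described above (an auto-execute event, concatenated strings, PowerShell carrying an embedded encoded script) can be triaged statically before anything is run. The Python below is an added example written for this page, not Trend Micro's tooling and not the real document's macro: it lists the auto-executing procedures, folds Chr() calls and '&' concatenations back into plain strings, and decodes any -EncodedCommand argument (Base64 of UTF-16LE) it then finds. The macro text and its stage-two script are constructed placeholders; on a real file the source would come from a VBA extractor such as oletools' olevba.

```python
import base64
import re

# Procedures Office runs on its own when a document is opened or closed.
AUTOEXEC_NAMES = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open", "AutoExec", "Document_Close")
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual ones.
ENCODED_COMMAND = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+['\"]?([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def fold_strings(line):
    """Resolve Chr()/ChrW() calls and '&' concatenation of adjacent string literals, the
    light obfuscation typically used to keep 'powershell' out of the macro text."""
    line = re.sub(r"\bChrW?\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), line)
    previous = None
    while previous != line:  # repeat until no adjacent literal pair is left
        previous = line
        line = re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\1\2"', line)
    return line


def find_autoexec(vba_source):
    """Names of auto-executing procedures declared in the macro source."""
    return [name for name in AUTOEXEC_NAMES
            if re.search(r"\b(?:Sub|Function)\s+%s\b" % name, vba_source, re.IGNORECASE)]


def decode_encoded_commands(text):
    """Decode every -EncodedCommand argument (Base64 of a UTF-16LE script) found in text."""
    scripts = []
    for match in ENCODED_COMMAND.finditer(text):
        try:
            scripts.append(base64.b64decode(match.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # a long ordinary token, not a real encoded command
    return scripts


def triage_macro(vba_source):
    """Static triage: entry points, de-obfuscated lines and the scripts embedded in them."""
    folded = [fold_strings(line) for line in vba_source.splitlines()]
    return {
        "autoexec": find_autoexec(vba_source),
        "folded": folded,
        "decoded": decode_encoded_commands("\n".join(folded)),
    }


# Constructed sample. The stage-two script is a harmless placeholder; a real document would
# carry the dropper script here. The macro text is what olevba or the VBA editor would show.
HYPOTHETICAL_SCRIPT = "Write-Host 'hypothetical stage two'"
SAMPLE_MACRO = '''Private Sub Document_Open()
    Dim s As String
    s = "power" & "shell" & Chr(46) & "exe -NoP -W Hidden " & "-Enc" & Chr(32) & "%s"
    Shell s, vbHide
End Sub
''' % base64.b64encode(HYPOTHETICAL_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    result = triage_macro(SAMPLE_MACRO)
    print("auto-exec entry points:", result["autoexec"])
    print("de-obfuscated command: ", result["folded"][2].strip())
    print("embedded script:       ", result["decoded"])
```

The folding step is deliberately conservative: it only joins literal-to-literal concatenations, so variables assembled from other variables stay as they are and show up as a second pass worth doing in a debugger rather than being guessed at.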

The final payload used in this campaign is the PRB-Backdoor remote access Trojan (RAT) that was previously analyzed in May 2018. The malware communicates with a command and control (C&C) server at outl00k[.]net and includes support for a broad range of commands.

Based on the received instructions, the malware can initialize a connection with the C&C, register the infected system, gather browsing history from installed browsers and send it to the C&C, steal passwords found in the browser, read and write files, execute shell commands, log keystrokes, capture screenshots, update functions, gather system information, and initialize DNS sessions.

Last month, the security researcher behind Security 0wnage revealed that there was no reference to PRB-Backdoor or its code on public sources.

“If these samples are indeed related to MuddyWater, this means that the threat actors behind MuddyWater are continuously evolving their tools and techniques to make them more effective and persistent,” Trend Micro notes.

2018 Russia World Cup : Russian cyber spy may hack travelers’ mobile devices
15.6.2018 securityaffairs  CyberSpy  

According to a top US intelligence official, mobile phones of football fans traveling to Russia for the World Cup could be hacked by Russian intelligence.
The alert was issued by William Evanina, Director of the National Counterintelligence and Security Center, who warned that the mobile devices and computers of fans traveling to Russia for the 2018 World Cup could be compromised by the Russian intelligence services.

The top US official warned of the massive surveillance that Russian authorities will operate during the World Cup on security grounds.

“Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved,” Evanina said in a statement.

“If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.”


Every traveler attending the event in Russia could be a target of Russian intelligence; to prevent nation-state hackers from compromising their devices, the official suggests removing the battery whenever a device is not in use.

“Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.”

Patchwork Cyberspies Target U.S. Think Tanks
9.6.2018 securityweek  CyberSpy

The cyber-espionage group known as "Patchwork" has been launching cyberattacks directly against United States-based think tanks, Volexity reveals.

Believed to be operating out of the Indian subcontinent and thought to have been active since 2014, the threat group was previously observed targeting mainly government-associated organizations connected to Southeast Asia and the South China Sea.

After expanding its target list a couple of years ago, the group adopted new exploit techniques in late 2017, and also updated malware families in its arsenal earlier this year.

Also referred to as Dropping Elephant, Patchwork has shown an increase in activity recently, and also started using unique tracking links in their phishing emails, to identify which recipients opened their messages, Volexity has discovered.

The security firm observed three spear-phishing campaigns launched by the group, “leveraging domains and themes mimicking those of well-known think tank organizations in the United States.” The actors used articles and themes from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS) as lures, along with malicious Rich Text Format (RTF) documents.

The attacks shared the use of email recipient tracking, a linked RTF document, and the final payload, but various elements in each campaign were different, Volexity reports.

In one attack, the actors also used a domain name similar to the Foreign Policy Research Institute (FPRI), in a message supposedly coming from CFR. The spear-phishing emails contained links to files featuring the .doc extension, but which were in fact RTF documents attempting to exploit CVE-2017-8750 and execute code via a malicious scriptlet file embedded in the document.

The group apparently used publicly available exploit code from GitHub to deploy the freely available QuasarRAT.

Written in C#, the remote access tool (RAT) provides AES encryption of network communication, file management, the ability to download, upload, and execute files, keylogging, remote desktop access, remote webcam viewing, reverse proxy, and browser and FTP client password recovery, among other capabilities.

The malware achieves persistence by creating a scheduled task that points to the QuasarRAT binary (saved on disk as microsoft_network.exe). The scheduled task, named Microsoft_Security_Task, runs at 12:00 AM each day, then repeats every 5 minutes for 60 days.
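
Persistence through a scheduled task with a repeating trigger, as described above, is fully visible in the task's XML definition (schtasks /Query /TN <name> /XML exports it). The Python below is an added example, not Volexity's code: it parses a task definition, converts the ISO 8601 repetition interval and duration to seconds, and scores the task on where its binary lives, how aggressively it repeats and whether it borrows a Microsoft-looking name. The two task definitions are constructed here; the AppData path for microsoft_network.exe is an assumption, since the report gives only the file name.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (what `schtasks /Query /TN <name> /XML` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a normal user cannot write to; binaries anywhere else deserve a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Convert an ISO 8601 duration such as PT5M or P60D to seconds (None if absent or odd)."""
    match = ISO_DURATION.match(text or "")
    if not match:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_task(xml_text):
    """Pull the fields that matter for triage out of a task definition."""
    root = ET.fromstring(xml_text)

    def text_of(path):
        elem = root.find(path, NS)
        return elem.text.strip() if elem is not None and elem.text else None

    return {
        "name": text_of("t:RegistrationInfo/t:URI"),
        "command": text_of("t:Actions/t:Exec/t:Command"),
        "arguments": text_of("t:Actions/t:Exec/t:Arguments"),
        "interval_s": iso_duration_seconds(text_of(".//t:Repetition/t:Interval")),
        "duration_s": iso_duration_seconds(text_of(".//t:Repetition/t:Duration")),
    }


def assess_task(task, max_interval_s=600, min_duration_s=86400):
    """Reasons a task looks like malware persistence rather than housekeeping."""
    reasons = []
    command = (task["command"] or "").strip('"').lower()
    trusted = command.startswith(TRUSTED_PREFIXES)
    if command and not trusted:
        reasons.append("binary outside Windows/Program Files: %s" % command)
    interval, duration = task["interval_s"], task["duration_s"]
    if interval is not None and interval <= max_interval_s and (duration or 0) >= min_duration_s:
        reasons.append("re-runs every %d s for %d days" % (interval, duration // 86400))
    if "microsoft" in ((task["name"] or "") + command).lower() and not trusted:
        reasons.append("Microsoft-style name for a non-Microsoft binary")
    return reasons


# Constructed task modelled on the behaviour described above (daily at midnight, repeating
# every 5 minutes for 60 days). The path under AppData is an assumption.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft_Security_Task</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT5M</Interval><Duration>P60D</Duration></Repetition>
      <StartBoundary>2018-05-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\microsoft_network.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a vendor task under Program Files with no tight repetition.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2018-05-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command><Arguments>Scan -ScheduleJob</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        task = parse_task(xml_text)
        print(label, task["name"], "->", assess_task(task) or "no findings")
```

schtasks writes its XML export as UTF-16 text, so read the file with that encoding before handing it to parse_task; the same parser works on the task files under C:\Windows\System32\Tasks, which are the authoritative copies when an attacker has cleaned the Task Scheduler event log.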

When executed, the malware first attempts to determine the geographical location of the infected host, then starts beaconing over an encrypted connection to the command and control domain.

“The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message,” Volexity notes.

Russian Cyberspies Change Tactics in Recent Campaign
8.6.2018 securityweek BigBrothers  CyberSpy

Recently observed attacks orchestrated by the Russian threat group Sofacy have revealed a change in tactics and new iterations of previously known tools, according to Palo Alto Networks researchers.

Also tracked as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the cyber-espionage group has been associated with numerous attacks worldwide, including those targeting the 2016 presidential election in the United States, assaults on Ukraine and NATO countries, and attacks on targets in Asia.

Earlier this year, security researchers revealed that Sofacy’s campaigns overlap with other state-sponsored operations, and also dissected a new backdoor employed by the group. Dubbed Zebrocy, the new malware consists of a Delphi downloader and an AutoIT stage, ESET reported in April.

Now, Palo Alto reveals that a C++ version of Zebrocy has also been seen in attacks. Furthermore, the security researchers discovered Sofacy attacks that leveraged the Dynamic Data Exchange (DDE) exploit technique to deliver different payloads than before.

The campaign, Palo Alto says, breaks out of the previously observed patterns in that it no longer targets only a handful of employees within a single organization. Instead, the attackers sent phishing emails to “an exponentially larger number of individuals” within the target company.

“The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines. This is a stark contrast with other attacks commonly associated with the Sofacy group,” the security researchers explain.

Not only did the group launch a large number of Zebrocy attacks, but it also started using DDE to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic (this is the first time it leverages this tool). Previously, the group used the DDE technique for the distribution of Seduploader.
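
The DDE delivery mentioned here lives in the document's field codes rather than in a macro, so it can be found by parsing the OOXML directly. The Python below is an added example written for this page, not Palo Alto's code and not a Sofacy document: it walks word/document.xml (plus headers, footers and notes), reassembles complex fields whose code is split across several runs, resolves the QUOTE-of-character-codes trick used to spell out DDEAUTO, and reports any field that resolves to a DDE or DDEAUTO instruction. The sample document and the command inside it are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Parts of a .docx that can carry fields (body, headers, footers, notes).
FIELD_PARTS = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")
DDE_FIELD = re.compile(r"^DDE(?:AUTO)?\b", re.IGNORECASE)
QUOTE_FIELD = re.compile(r"^QUOTE((?:\s+\d+)+)$", re.IGNORECASE)


def w(tag):
    return "{%s}%s" % (W, tag)


def field_codes(part_xml):
    """Instruction text of every field in a WordprocessingML part.

    Simple fields carry their code in w:fldSimple/@w:instr. Complex fields are delimited by
    w:fldChar begin/separate/end markers and their code may be split across several
    w:instrText runs (a common trick against naive string matching); a stack handles nesting."""
    codes, stack = [], []
    for elem in ET.fromstring(part_xml).iter():
        if elem.tag == w("fldSimple"):
            codes.append(elem.get(w("instr"), ""))
        elif elem.tag == w("fldChar"):
            kind = elem.get(w("fldCharType"))
            if kind == "begin":
                stack.append({"parts": [], "collecting": True})
            elif kind == "separate" and stack:
                stack[-1]["collecting"] = False  # cached result text follows, not code
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()["parts"]))
        elif elem.tag == w("instrText") and stack and stack[-1]["collecting"]:
            stack[-1]["parts"].append(elem.text or "")
    return [" ".join(code.split()) for code in codes]


def resolve_quote(code):
    """A QUOTE field of character codes evaluates to the text they spell, which is how some
    documents hide the DDEAUTO keyword; return the resolved text, otherwise the code as is."""
    match = QUOTE_FIELD.match(code)
    if not match:
        return code
    return "".join(chr(int(n)) for n in match.group(1).split())


def find_dde(docx_bytes):
    """Every field in the package that resolves to a DDE/DDEAUTO instruction."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not FIELD_PARTS.match(name):
                continue
            for code in field_codes(package.read(name)):
                resolved = resolve_quote(code)
                if DDE_FIELD.match(resolved):
                    hits.append({"part": name, "code": resolved})
    return hits


def build_sample_docx():
    """Constructed .docx with a harmless PAGE field, a DDEAUTO field split across two runs
    and a QUOTE-obfuscated one. The command is a placeholder, not a payload from the report."""
    body = (
        '<w:document xmlns:w="%s"><w:body>'
        '<w:p><w:r><w:t>Page </w:t></w:r><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '<w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\windows\\\\system32\\\\</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">cmd.exe "/c echo hypothetical" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Loading document, please wait...</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p>'
        '<w:p><w:fldSimple w:instr="QUOTE 68 68 69 65 85 84 79 32 116 101 115 116"/></w:p>'
        '</w:body></w:document>' % W
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml",
                         '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        package.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_dde(build_sample_docx()):
        print(hit["part"], "->", hit["code"])
```

Matching on the reassembled field rather than on the raw XML is the point: grepping document.xml for "DDEAUTO" misses a field whose keyword is split over two runs or spelled with QUOTE, and both have been seen in the wild.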

As detailed in a February report, Palo Alto also discovered that the group was hiding infrastructure using random registrant and service provider information for each attack and that they deployed a webpage on each of the domains.

That webpage artifact led to the discovery of an attack campaign using the DealersChoice exploit kit, as well as another domain serving the Zebrocy AutoIT downloader.

Eventually, this led to the discovery of the C++ variant of the Zebrocy downloader tool, as well as to “evidence of a completely different payload in Koadic being delivered as well.” The Delphi backdoor delivered as the final payload in Zebrocy attacks was found hosted at IP address 185.25.50[.]93, the researchers say.

From this command and control (C&C) IP, the researchers discovered another hard-coded user agent being used by Zebrocy. Several samples of the backdoor employing the user agent were observed targeting the foreign affairs ministry of a large Central Asian nation.

One other sample used a different user agent, which the researchers determined was from a secondary payload retrieved by the malware. The researchers eventually discovered over forty additional Zebrocy samples, several of which were targeting the same Central Asian nation.

Two weaponized Office documents leveraging DDE were used to target a North American government organization dealing with foreign affairs with the Zebrocy AutoIT downloader, and the previously mentioned large Central Asian nation, but with a non-Zebrocy payload this time, namely Koadic.

“Sofacy is carrying out parallel campaigns to attack similar targets around the world but with different toolsets. The Zebrocy tool associated with this current strain of attacks is constructed in several different forms based on the programming language the developer chose to create the tool. We have observed Delphi, AutoIt, and C++ variants of Zebrocy, all of which are related not only in their functionality, but also at times by chaining the variants together in a single attack,” Palo Alto concludes.

Amazon Alexa Has Got Some Serious Skills—Spying On Users!
9.5.2018 thehackernews  CyberSpy

"Alexa, are you spying on me?" — aaaa.....mmmm.....hmmm.....maybe!!!
Security researchers have developed a new malicious 'skill' for Amazon's popular voice assistant Alexa that can turn your Amazon Echo into a full-fledged spying device.
Amazon Echo is an always-listening voice-activated smart home speaker that allows you to get things done by using your voice, like playing music, setting alarms, and answering questions.
However, the device doesn’t remain activated all the time; instead, it sleeps until the user says, "Alexa," and by default, it ends a session after some duration.

Amazon also allows developers to build custom 'skills,' applications for Alexa, which is the brain behind millions of voice-activated smart devices including Amazon Echo Show, Echo Dot, and Amazon Tap.
However, security researchers at cybersecurity firm Checkmarx created a proof-of-concept voice-driven 'skill' for Alexa that forces the device to keep recording surrounding audio indefinitely, secretly eavesdropping on users' conversations and then sending the complete transcripts to a third-party website.


Disguised as a simple calculator for solving maths problems, the malicious skill, if installed, immediately gets activated in the background after a user says "Alexa, open calculator."
"The calculator skill is initialized, and the API\Lambda-function that's associated with the skill receives a launch request as an input," researchers said in its report.
In a video demonstration, the researchers show that when a user opens a session with the calculator skill, it also creates a second session in the background, without verbally indicating to the user that the microphone is still active.
By design, Alexa should either end a session or ask the user for another command to keep the session open. The hack, however, allows attackers to keep the second session active for spying on users while ending the first once the user interaction is over.
Luckily, you can still catch the spy red-handed if you notice the blue light on your Echo device staying on for a long period, especially when you are not talking to it.
Checkmarx reported the issue to Amazon, and the company has already addressed the problem by regularly scanning for skills that use “silent prompts or that listen for unusual lengths of time” and removing them from its official store.
It's not the first Alexa hack demonstrated by researchers. Last year, a separate group of researchers at MWR InfoSecurity showed how hackers could turn some models of Amazon Echo into a covert listening device.
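
Amazon's remediation above amounts to checking skill responses for a session that is kept open without audible speech. The Python below is an added example written for this page, not Checkmarx's proof of concept or Amazon's scanner: it uses the standard Alexa Skills Kit response fields (shouldEndSession, outputSpeech, reprompt) to flag a response that leaves the session open with a silent or pause-only reprompt, and a conversation in which a skill holds the session open turn after turn. The sample responses are constructed; the assumption that the covert skill works through shouldEndSession=false with an inaudible reprompt follows the behaviour described in the article rather than any published code.

```python
import re

BREAK_TAG = re.compile(r"<break\b[^>]*>", re.IGNORECASE)
ANY_TAG = re.compile(r"<[^>]+>")


def audible_text(speech):
    """Text the user would actually hear from an outputSpeech object; SSML made only of
    <break> pauses (or nothing at all) counts as silence."""
    if not speech:
        return ""
    if speech.get("type") == "SSML":
        ssml = BREAK_TAG.sub("", speech.get("ssml", ""))
        return ANY_TAG.sub("", ssml).strip()
    return (speech.get("text") or "").strip()


def lint_response(skill_response):
    """Findings for one skill response that keeps the microphone open without telling the
    user: session left open with no audible reprompt and/or with silent output speech."""
    response = skill_response.get("response", {})
    findings = []
    if response.get("shouldEndSession") is False:
        reprompt = response.get("reprompt", {}).get("outputSpeech")
        if not audible_text(reprompt):
            findings.append("session kept open with no audible reprompt")
        if not audible_text(response.get("outputSpeech")):
            findings.append("session kept open with silent output speech")
    return findings


def lint_session(responses, max_open_turns=3):
    """Run the per-response check over a whole conversation and also flag a skill that
    keeps the session open for more consecutive turns than a short exchange needs."""
    findings = []
    open_turns = 0
    for index, resp in enumerate(responses):
        for finding in lint_response(resp):
            findings.append("turn %d: %s" % (index, finding))
        if resp.get("response", {}).get("shouldEndSession") is False:
            open_turns += 1
            if open_turns == max_open_turns + 1:
                findings.append("turn %d: session open for more than %d turns" % (index, max_open_turns))
        else:
            open_turns = 0
    return findings


def _response(text, end_session, reprompt_ssml=None):
    """Build a minimal Alexa skill response (constructed helper for the samples below)."""
    body = {"outputSpeech": {"type": "PlainText", "text": text}, "shouldEndSession": end_session}
    if reprompt_ssml is not None:
        body["reprompt"] = {"outputSpeech": {"type": "SSML", "ssml": reprompt_ssml}}
    return {"version": "1.0", "response": body}


# Constructed: an honest calculator turn that asks for more input, then ends the session.
HONEST_SESSION = [
    _response("Welcome to calculator. What should I compute?", False, "<speak>What should I compute?</speak>"),
    _response("Two plus two is four.", True),
]
# Constructed: the covert pattern, nothing audible and the session left open on every turn so
# the device keeps listening. Not Checkmarx's code.
COVERT_SESSION = [_response("", False, '<speak><break time="10s"/></speak>') for _ in range(5)]

if __name__ == "__main__":
    print("honest:", lint_session(HONEST_SESSION) or "no findings")
    print("covert:", lint_session(COVERT_SESSION))
```

The same two checks can run on the server side of a skill during review, on a recorded conversation, or as a unit test in the skill's own build, which is cheaper than relying on the user noticing the ring light.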

Russia-linked Hackers Exploit Lojack Recovery Tool in Attacks
7.5.2018 securityweek APT Exploit CyberSpy

Recently discovered “Lojack” agents containing malicious command and control (C&C) servers point to the Russian cyber-espionage group Sofacy, according to NETSCOUT Arbor.

Previously known as Computrace, Lojack is a legitimate laptop recovery solution used by companies looking to protect assets should they be lost or stolen. It can be used to locate and lock devices remotely, as well as to delete files.

Lojack represents a great double-agent because it is usually considered legitimate software but also allows for remote code execution, NETSCOUT Arbor's Security Engineering and Research Team (ASERT) points out. Moreover, the tool can survive hard drive replacements and operating system re-imaging.

Many of the anti-virus vendors in VirusTotal don’t flag the Lojack executable as malicious, but rather consider it as “not-a-virus” or “Risk Tool.” Additionally, with binary modification of the “small agent” considered trivial, it’s clear that attackers would consider the tool a viable target.

“With low AV detection, the attacker now has an executable hiding in plain sight, a double-agent. The attacker simply needs to stand up a rogue C&C server that simulates the Lojack communication protocols. Finally, Lojack’s ‘small agent’ allows for memory reads and writes which grant it remote backdoor functionality when coupled with a rogue C&C server,” ASERT notes.

The ASERT security researchers observed five Lojack agents that were pointing to four different suspected domains, three of which have been tied to Sofacy.

Also known as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the threat actor is believed to have targeted the 2016 U.S. presidential election, as well as Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, including with zero-day exploits. The group was also observed shifting focus towards the Middle East and Central Asia last year.

In March 2018, a security researcher revealed that Sofacy attacks overlap with other state-sponsored operations, after the group’s Zebrocy malware was found on machines compromised by Mosquito, a backdoor associated with the Turla threat actor.

“ASERT assesses with moderate confidence that the rogue Lojack agents are attributed to Fancy Bear based on shared infrastructure with previous operations,” the security researchers say.

Only the presence of a rogue C&C makes the samples malicious, as attackers are merely hijacking the communication used by Lojack, the researchers say. Several of the domains extracted from the rogue agents trace back to Sofacy operations: elaxo[.]org, ikmtrust[.]com, and lxwo[.]org (tied to the group last year), and sysanalyticweb[.]com (spotted only recently).

Although the hijack of the software for malicious purposes is a publicly known tactic, similarities in the binary comparisons and infrastructure analysis increase the possibility that the same actor was behind them.

The domains are tied to the same Lojack agent, which carries the same compile time, and their registration records contain nonsensical registrant information: the same string appears in multiple fields, and a similar nonsensical word is used for both the Registrant Name and the Registrant Organization (a field that is often left blank, but which this actor regularly fills in).

“Hijacking legitimate software is a common enough tactic for malicious actors. What makes this activity so devious is the binaries hijacked being labeled as legitimate or simple ‘Risk Tool’, rather than malware. As a result, rogue Lojack samples fly under the radar and give attackers a stealthy backdoor into victim systems,” ASERT concludes.

Who’s who in the Zoo

4.5.2018 Kaspersky APT  CyberSpy
Cyberespionage operation targets Android users in the Middle East
ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind the operation infect Android devices using several generations of malware, with the attackers including new features in each iteration. We label them v1 to v4, with v4 being the most recent version, deployed in 2017. From a technical point of view, the evolution of ZooPark has shown notable progress: from the very basic first and second versions, through a fork of commercial spyware in the third version, to the complex spyware that is version 4. This last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

Evolution of ZooPark malware features

We have observed two main distribution vectors for ZooPark: Telegram channels and watering holes. The second one was the preferred vector: we found several news websites that had been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include “Kurdistan referendum”, “TelegramGroups” and “Alnaharegypt news”, among others.

The target profile has evolved over the course of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.


Operation Parliament, who is doing what?
14.4.2018 Kaspersky  CyberSpy
Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage – they involve gaining access to top legislative, executive and judicial bodies around the world.

The attackers have targeted a large number of organizations globally since early 2017, with the main focus on the Middle East and North Africa (MENA), especially Palestine. High-profile organizations have also been targeted in other regions. The number of attacks has decreased since the beginning of 2018.
The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region. At first the attacks looked to be the work of the low-sophistication Gaza Cybergang (decoys, file names), but further analysis painted a very different picture.
Targets include high-profile entities such as parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies, and other unknown entities.
The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts/commands and receive the result via HTTP requests.
Kaspersky Lab users and Threat Management and Defense clients are protected from the attacks.
Cisco Talos recently published a blogpost describing targeted attacks in the Middle East region which we believe may be connected.

Victimology and Statistics
Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.

Victims have been spotted in the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar, Lebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the USA, the UK, Germany, Israel, Afghanistan, Serbia, Russia, Oman, Kuwait, South Korea and Denmark.

Victim organization type                    Number of victim organizations
------------------------------------------  ------------------------------
Unknown                                     91
Senates/Parliaments                          7
Prime Ministerial Offices                    3
Military/Intelligence Agencies               5
Other Gov./Ministerial/Diplomatic Offices   20
Financial/Banking Institutions               5
Media Outlets                                2
Olympic/Sports Bodies                        2
Research Centers/Scholars                    2
Election Commissions                         1
Distribution/Logistics                       1

The number of victims/victim organizations probably doesn’t represent the full scope of the attacks – only a portion.

Attack description and attribution
Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).

With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.

See the following for more information and examples of false flags being used in cyberattacks:

Wave your false flags! …or the Nightmares and Nuances of a Self-Aware Attribution Space

OlympicDestroyer is here to trick the industry

Malware description
The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware. All the strings and settings were encrypted and obfuscated. Functionality was identified that enables HTTP communication with the C&C server and invokes “processcreate” based on parameters received as a response.

The configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C&C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption.

The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialized configuration.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests.

Sample of the C&C response with encrypted commands and configurations

Examples of attack decoys

Translation: Contacts list of media personnel

Translation: Relations between UAE and Jordan, and the impact caused by the non-boycott of Qatar

Translation: Military retirement statement 2017 June

Translation: The new Hamas structure for Gaza strip 2017

Translation: Clarification report (on Gaza employee salaries)

What should high-profile organizations do?
High-profile organizations should have elevated levels of cybersecurity. Attacks against them are inevitable and are unlikely to ever cease. These organizations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence capabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and insider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for protecting organizations in the current threat landscape.

The victims of Operation Parliament need to re-evaluate their approach to cybersecurity.

'Operation Parliament' Imitates Another Actor to Stay Undetected
13.4.2018 securityweek CyberSpy

A series of geopolitically motivated attacks ongoing since early 2017 and targeting high profile organizations worldwide appear to be a symptom of escalating tensions in the Middle East region, Kaspersky Labs reveals.

Utilizing unknown malware, the actor remained under the radar by imitating another attack group in the region, which also made attribution difficult, especially given recent examples of false flags being planted to send investigators down the wrong tracks.

While the initial attacks look like the work of the unsophisticated Gaza Cybergang (decoys, file names), deeper analysis revealed a different picture, Kaspersky says.

The attacks, which Kaspersky refers to as Operation Parliament, were clearly centered on espionage, hitting top legislative, executive and judicial bodies. Since early 2017, the attackers targeted numerous organizations worldwide, but focused mainly on the Middle East and North Africa (MENA) region, especially Palestine.

Supposedly connected to incidents Cisco Talos detailed earlier this year, the assaults targeted high-profile entities such as parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies, and other unknown entities.

Kaspersky believes the attacks are the work of “a previously unknown geopolitically motivated threat actor” doing “just enough to achieve their goals.” The attackers supposedly have access to additional tools when needed and also use “an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff.”

Compromised systems range from “personal desktop or laptop systems to large servers with domain controller roles or similar.” They belong to ministries responsible for telecommunications, health, energy, justice, finance, and other areas.

Victims were located in the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar, Lebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the USA, the UK, Germany, Israel, Afghanistan, Serbia, Russia, Oman, Kuwait, South Korea and Denmark.

The attackers have carefully verified victim devices before infecting them and also safeguarded their command and control (C&C) servers. The attacks slowed down since the beginning of this year, likely “winding down when the desired data or access was obtained,” Kaspersky notes.

“The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital),” the researchers point out.

Packed with VMProtect, the employed malware didn’t reveal similarities with previously known malicious programs. Encryption and obfuscation were applied to all strings and settings, while communication with the C&C server was achieved via HTTP.

Data sent to the C&C is encrypted and the malware uses different keys for local and network encryption. The malware initiates communications by sending basic information about the infected machine and the server responds with the encrypted serialized configuration.

The malware provides a remote CMD/PowerShell terminal for the attackers, which allows them to execute scripts and commands on the compromised machines, and to receive the results via HTTP requests.

Kaspersky would not provide full details on the attacks and the used malware, but points out that high-profile organizations should have advanced protections in place, given that attacks against them “are inevitable and are unlikely to ever cease.”

“These organizations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence capabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and insider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for protecting organizations in the current threat landscape,” Kaspersky concludes.

New macOS Backdoor Linked to Cyber-espionage Group
6.4.2018 securityweek CyberSpy  Apple

A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says.

Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques.

Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The newly discovered macOS backdoor, which Trend Micro detects as OSX_OCEANLOTUS.D, has been observed on machines that have the Perl programming language installed.

The malware is being distributed via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains malicious, obfuscated macros with a payload written in Perl. The macro extracts an XML file from the Word document. This file is an executable acting as the dropper for the final payload, which is the backdoor.

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, is also used to establish the backdoor’s persistence on the infected systems. The dropper checks whether it runs as root or not, and uses a different path and filename depending on the result.

The dropper sets the backdoor’s attributes to “hidden” and uses random values for the file date and time, and deletes itself at the end of the process.

The backdoor has two main functions: collecting platform information and sending it to the command and control (C&C) server. It can also receive additional C&C communication information, which is encrypted before being sent.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro concludes.

'Slingshot' Campaign Outed by Kaspersky is U.S. Operation Targeting Terrorists: Report
21.3.2018 securityweek CyberSpy

The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report.

Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa — sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said.

The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military’s Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda. SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component.

CyberScoop’s sources expressed concern that the exposure of the campaign may result in the U.S. losing a valuable surveillance program and it could even put the lives of soldiers at risk. The Slingshot infrastructure was likely already abandoned and “burned” following the disclosure, one former intelligence official told the publication.

Kaspersky has always insisted that its role is to protect customers against cyber threats, regardless of the source of an attack. The company typically refrains from attributing attacks, but it has exposed operations believed to be linked to Russia, China, the United States and others.

In the case of Slingshot, Kaspersky has not directly attributed the campaign to the United States, but it did note that the hackers appear to speak English. The company also pointed out that some of the techniques used by this actor are similar to ones leveraged by a group known as Longhorn and The Lamberts, which is believed to be associated with the U.S. Central Intelligence Agency (CIA).

It’s also worth noting that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, describe a Mikrotik router exploit, although it is unclear if it’s the one used in Slingshot attacks.

Another clue that shows a potential connection between Slingshot and U.S. intelligence is the use of tools and code strings referencing “Lord of the Rings” characters, including Gollum, which is also the name of an implant referenced in NSA documents leaked by Edward Snowden.

Kaspersky’s products were recently banned in U.S. federal agencies due to the company’s alleged ties to Russian intelligence. The security firm has denied the accusations and it has taken legal action in hopes of overturning the ban.

If Slingshot really is a U.S. government operation, Kaspersky's disclosure of the campaign will likely not help its case. One senior U.S. intelligence official told CyberScoop it was unlikely that Kaspersky had been totally unaware of what it was dealing with. CyberScoop cited a source close to Kaspersky saying that researchers may have suspected a Five Eyes nation, but they couldn’t have known for sure.

“Kaspersky Lab does not know the identity of the attackers behind the Slingshot APT or the identity of its victims. As a result of anonymized data, it's impossible for us to tell who the specific targets are. All the company can state is that our users are protected against malicious software that can spy, steal or sabotage data from their computers,” Kaspersky Lab told SecurityWeek in an emailed statement.

“Kaspersky Lab has always been very clear about our policy concerning the detection of malware: we detect and remediate all forms of malicious programs, regardless of origin or purpose. Furthermore, the company does not 'whitelist' any malware samples, not even malware used for so called 'legal surveillance'. One can easily imagine the situation in which such malware falls into the wrong hands and can be used to launch attacks against law enforcement or just regular users,” the company added.

One of the incidents that led officials to believe Kaspersky may be linked to the Kremlin involved an NSA contractor from which Russian hackers allegedly stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. Kaspersky’s analysis showed that its antivirus product did automatically upload some files related to the NSA-linked Equation Group from a user’s computer, but the company said the files were deleted from its systems after it noticed that they contained classified information.

Russian Cyberspies Hacked Routers in Energy Sector Attacks
19.3.2018 securityweek CyberSpy

A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday.

The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.

A warning issued last year by the UK’s National Cyber Security Centre (NCSC) revealed that hackers had targeted the country’s energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims’ passwords.

An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.

When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States.

When a malicious document is opened using Microsoft Word, it loads a template file from the attacker’s SMB server. When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user’s domain credentials, basically handing them over to the attackers.

In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources.
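The template injection described above leaves two artifacts a defender can check for: the document itself carries an attachedTemplate relationship pointing at a remote location, and opening it produces an SMB connection leaving the network. The following is an added example (not Cylance's or Cisco Talos's code) of both checks in Python: a parser that reads the relationship file inside a .docx and reports templates that resolve to a UNC path or URL rather than a local .dotm, and a filter over connection records that flags SMB traffic to non-internal addresses. All sample data is constructed; the 203.0.113.0/24 addresses are from the documentation range and stand in for an attacker-controlled server, and the helper that builds the test document produces only the relationship file, not an openable Word document.

```python
"""Defender-side triage for Word attached-template ("template injection") lures.

Added example, not the code of any vendor named on the page. Two checks:
  1. find_external_templates(): report attachedTemplate relationships in a
     .docx that resolve to a remote location (UNC path or URL);
  2. outbound_smb(): report SMB (TCP 445/139) connections whose destination is
     not an internal address, the traffic the lure produces when opened.
All sample data is constructed.
"""
import html
import io
import ipaddress
import urllib.parse
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for the template attached to a document.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def is_remote_target(target):
    """True for UNC paths, http(s)/ftp URLs, and file: URLs that name a host.
    A benign attached template is a local path such as file:///C:\\...\\Normal.dotm."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True
    parts = urllib.parse.urlsplit(t)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    return parts.scheme == "file" and bool(parts.netloc)


def find_external_templates(docx_bytes):
    """Return the remote attachedTemplate targets in a .docx (empty list if none)."""
    rels_path = "word/_rels/settings.xml.rels"
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if rels_path not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(rels_path))
    hits = []
    for rel in root.iter("{%s}Relationship" % RELS_NS):
        if rel.get("Type") == ATTACHED_TEMPLATE and is_remote_target(rel.get("Target", "")):
            hits.append(rel.get("Target"))
    return hits


def constructed_sample_docx(template_target):
    """Test fixture: a zip holding only the settings relationship file, so the
    parser above has something to read. It is not a complete Word document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{html.escape(template_target, quote=True)}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Address ranges treated as internal; SMB to anything else is not expected
# from a workstation. Adjust to the organisation's actual allocation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def outbound_smb(records):
    """Return SMB-port connection records whose destination is not internal.
    The originating process is deliberately not used: the SMB client runs in the
    kernel redirector, so telemetry will not show winword.exe as the owner."""
    hits = []
    for r in records:
        if r["dport"] not in (445, 139):
            continue
        dst = ipaddress.ip_address(r["dst"])
        if not any(dst in net for net in INTERNAL_NETS):
            hits.append(r)
    return hits


SAMPLE_CONNECTIONS = [  # constructed
    {"src": "192.168.10.21", "dst": "192.168.10.5", "dport": 445},   # file server, fine
    {"src": "192.168.10.21", "dst": "203.0.113.10", "dport": 445},   # SMB to the outside
    {"src": "192.168.10.21", "dst": "203.0.113.10", "dport": 443},   # HTTPS, not in scope
]

if __name__ == "__main__":
    print(find_external_templates(constructed_sample_docx(r"\\203.0.113.10\share\resume.dotm")))
    print(outbound_smb(SAMPLE_CONNECTIONS))
```

Blocking TCP 445 and 139 at the perimeter removes the credential leak regardless of the document check; the parser is useful on mail gateways and in incident triage, where the relationship file identifies the template host without opening the document.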

According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.

One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life.

“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” Cylance researchers explained. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs.”

“The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated,” they added.

Dragonfly is not the only cyberespionage group to abuse routers in its attacks. A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.

China-linked Hackers Target Engineering and Maritime Industries
17.3.2018 securityweek  CyberSpy

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as Github and Microsoft's Technet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Patchwork Cyberspies Update the Badnews Backdoor
13.3.2018 securityweek  CyberSpy 

Recent infection campaigns conducted by the Patchwork cyberespionage group have revealed the use of an EPS exploit and an updated backdoor, Palo Alto Networks reports.

Believed to have been active since 2014, Patchwork, also known as Dropping Elephant or Chinastrats, is said to be operating out of the Indian subcontinent. The group was initially observed targeting government-associated organizations connected to Southeast Asia and the South China Sea, but it recently expanded the target list to include multiple industries.

In an extensive December 2017 report, Trend Micro revealed that the actor had adopted new exploit techniques and that it also added businesses to its list of targets.

Patchwork campaigns Palo Alto Networks has observed over the past few months have been targeting entities in the Indian subcontinent and revealed the use of legitimate but malicious documents to deliver an updated BADNEWS payload.

The malware, which has been updated since the last public report in December 2017, provides attackers with full control over the victim machine and is known to abuse legitimate third-party websites for command and control (C&C). The new version shows changes in the manner the C&C server information is fetched, as well as modifications to its communication routine.

The campaigns featured malicious documents with embedded EPS files targeting two vulnerabilities in Microsoft Office, namely CVE-2015-2545 and CVE-2017-0261. As lures, the attackers used documents of interest to Pakistani nuclear organizations and the Pakistani military.

When executed, shellcode embedded within the malicious EPS drops three files: VMwareCplLauncher.exe (a legitimate, signed VMware executable to deliver the payload), vmtools.dll (a modified DLL to ensure persistence and load the malware), and MSBuild.exe (which is the BADNEWS backdoor itself).

VMwareCplLauncher.exe is executed first, to load the vmtools.dll DLL, which in turn creates a scheduled task to attempt to run the malicious, spoofed MSBuild.exe every subsequent minute.

Once up and running on the infected machine, the backdoor communicates with the C&C over HTTP and allows attackers to download and execute files, upload documents of interest, and take screenshots of the desktop.

The recently observed variation of the backdoor sets a new mutex to ensure only one instance of the backdoor is running, and also uses different filenames from the previous versions. The manner in which the C&C information stored via dead drop resolvers is obfuscated has been changed as well, the security researchers say.

Although it performs many of the functions associated with previous versions, the new variant no longer searches USB drives for files that might be of interest. When preparing C&C communication, the malware aggregates victim information and appends it to two strings.

The C&C communication has been updated as well, now offering support for commands such as kill (the backdoor); upload a file containing the list of interesting files and spawn a new instance of Badnews; upload a specified file; upload a file containing the list of collected keystrokes; copy a file to a .tmp and send it to the C&C; take a screenshot and send it to the C&C; and download a file and execute it.

“The Patchwork group continues to plague victims located within the Indian subcontinent. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. Recent activity has shown a number of lures related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior,” Palo Alto concludes.

New Cyberespionage Attacks Linked to MuddyWater Campaign
13.3.2018 securityweek  CyberSpy

Recent attacks targeting organizations in Turkey, Pakistan and Tajikistan appear to be linked to the previously detailed MuddyWater campaigns, according to Trend Micro.

The MuddyWater campaigns were named so because of a high level of confusion they managed to create, thus making it difficult to attribute to a specific actor. Artifacts associated with MuddyWater, however, were used in attacks targeting the Saudi Arabian government, in assaults linked to a single attack framework last year, and in incidents attributed to the hacking group FIN7.

Based on the targeted organizations and the focus on gathering information and uploading it to the command and control (C&C) servers, the actors behind these attacks appear mainly focused on espionage activities, Trend Micro says.

The newly observed attacks feature numerous ties to the previously observed MuddyWater campaigns and also show that “the attackers are not merely interested in a one-off campaign, but will likely continue to perform cyberespionage activities against the targeted countries and industries,” the security firm notes.

Similarities with earlier MuddyWater campaigns include the focus on targets in the Middle East, the use of documents that try to mimic government organizations, the dropping of a Visual Basic file and a Powershell file (the VBS executes the PS), and the use of hundreds of hacked websites as proxies.

Furthermore, the attacks show similar obfuscation processes and internal variables after deobfuscation, Trend Micro says.

Malicious documents targeting individuals working for government organizations and telecommunication companies in Tajikistan use social engineering to trick victims into enabling macros. Some of the payloads were embedded inside the document itself, while others were downloaded from the Internet.

After the macros are enabled, the Visual Basic script and PowerShell script, both obfuscated, are dropped in the ProgramData directory. A scheduled task is created with the path to the VBS script to ensure persistence.

As part of other attacks, the second file dropped is a base64 encoded text file that results in the PowerShell file after decoding. Another campaign would drop three files: an .sct scriptlet file, an .inf file, and a base64 encoded data file. The first two use publicly available code to bypass AppLocker.
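Both the Patchwork write-up above (a spoofed MSBuild.exe run by a scheduled task every minute) and the MuddyWater write-up (a scheduled task pointing at a VBS script dropped in ProgramData) describe persistence that shows up in a scheduled-task inventory. The following is an added example, not Palo Alto Networks' or Trend Micro's code, of triage logic in Python that applies three checks to parsed task records: a well-known binary name outside the directory where the genuine binary lives, a script host executing a .vbs under ProgramData, and a repetition interval of one minute or less. The task records, their names and their file paths are constructed placeholders in the shape an EDR export or parsed `schtasks /query /xml` output would have; the page does not give the real paths.

```python
"""Triage of scheduled-task records for the persistence patterns described in
the Patchwork (BADNEWS) and MuddyWater reports. Added example; task records
and their names/paths are constructed placeholders."""
import ntpath
import re

# Directories where the genuine binary is installed (case-insensitive prefix
# match). The same file name anywhere else is name masquerading.
EXPECTED_LOCATIONS = {
    "msbuild.exe": (r"c:\windows\microsoft.net\framework", r"c:\program files"),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Task Scheduler expresses repetition intervals as ISO 8601 durations (PT1M, P1D).
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_interval(iso):
    """Convert an ISO 8601 duration to seconds; None if absent or unparseable."""
    if not iso:
        return None
    m = _DURATION.match(iso)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(task):
    """Return the reasons a task record looks suspicious (empty list if none).
    task: {"name", "command", "arguments", "interval"}; interval may be None."""
    reasons = []
    command = task["command"].strip().strip('"')
    exe = ntpath.basename(command).lower()
    args = task.get("arguments", "").lower()

    # 1. Known binary name in an unexpected directory (the spoofed MSBuild.exe).
    if exe in EXPECTED_LOCATIONS and not command.lower().startswith(EXPECTED_LOCATIONS[exe]):
        reasons.append("%s outside its expected location: %s" % (exe, command))

    # 2. Script host running a VBS file dropped under ProgramData.
    if exe in SCRIPT_HOSTS and ".vbs" in args and "\\programdata\\" in args:
        reasons.append("script host runs a .vbs from ProgramData")

    # 3. Very tight repetition; a one-minute trigger is a re-launch loop, not maintenance.
    seconds = parse_interval(task.get("interval"))
    if seconds is not None and seconds <= 60:
        reasons.append("repeats every %ds" % seconds)
    return reasons


def triage_all(tasks):
    """Map task name -> reasons, only for tasks with at least one reason."""
    result = {}
    for t in tasks:
        reasons = triage_task(t)
        if reasons:
            result[t["name"]] = reasons
    return result


SAMPLE_TASKS = [  # constructed records; names and paths are placeholders
    {"name": "VMwareCplUpdate", "command": r"C:\Users\Public\Libraries\MSBuild.exe",
     "arguments": "", "interval": "PT1M"},
    {"name": "TelemetrySync", "command": r"C:\Windows\System32\wscript.exe",
     "arguments": r"C:\ProgramData\update.vbs", "interval": None},
    {"name": "NightlyBuild", "command": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "arguments": r"C:\src\app.proj", "interval": "P1D"},
    {"name": "Backup", "command": r"C:\Windows\System32\wscript.exe",
     "arguments": r"C:\Scripts\backup.vbs", "interval": "PT1H"},
]

if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The location check is the one that generalises: any binary whose name appears in an allow-list of system tools can be paired with its expected directory, which catches the masquerading pattern without relying on a hash of the specific sample.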

The PowerShell script is divided into three parts: one contains global variables (paths, encryption keys, a list of gates and hacked websites used as proxies), the second contains functions related to standard RSA encryption, and the third contains a backdoor function.

The backdoor collects machine information, takes screenshots, and sends all data to the C&C. It also includes support for commands such as clean (attempts to delete all items from drives C, D, E, and F), reboot, shutdown, screenshot, and upload. Communication with the C&C is performed via XML messages.

“It seems that the attackers are actively monitoring the incoming connections to the C&C. In one of our attempts, we sent an improper request to the C&C server, which replied with the following message: ‘Stop!!! I Kill You Researcher.’ This level of personalized messaging implies that the attackers are monitoring what data is going to and from their C&C server,” Trend Micro explained.

The security researchers also discovered what appears to be a false flag in the PowerShell script. If the communication with the C&C fails and the PowerShell script is run from a command line, error messages written in simplified Mandarin Chinese are displayed. The messages appear machine-translated rather than written by a native speaker, Trend's researchers point out.

Sophisticated Cyberspies Target Middle East, Africa via Routers

9.3.2018 securityweek CyberSpy

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - A cyber espionage group whose members apparently speak English has been targeting entities in the Middle East and Africa by hacking into their routers.

Researchers at Kaspersky Lab have analyzed this threat actor’s operations and determined that it has likely been active since at least 2012, its most recent attacks being observed in February.

Roughly 100 Slingshot victims have been identified, a majority located in Kenya and Yemen, but targets have also been spotted in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. While the campaign seems to focus on individuals, the security firm has also observed attacks aimed at government organizations and, strangely, some internet cafés.

The main piece of malware used by this group — dubbed Slingshot based on internal strings found by researchers — is interesting due to the fact that it infects computers through compromised routers, specifically ones made by Latvia-based Mikrotik.

It’s unclear how the targeted routers get compromised, but Kaspersky pointed out that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, do include a Mikrotik exploit. The vendor claims to have patched the vulnerability leveraged by the Vault7 exploit and it’s unclear if that is the initial vector used by the attackers.

Once they gain access to a router, hackers can abuse a legitimate piece of software called WinBox, a management tool provided by Mikrotik that downloads some DLL files from the router and loads them directly into the computer’s memory.

By abusing this functionality, the Slingshot hackers can deliver the malware to the targeted router’s administrator.

The malware is basically a first-stage loader that replaces legitimate DLL files in Windows with malicious versions that have the exact same size. The malicious DLLs are loaded by the services.exe process, which has SYSTEM privileges.
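Because the replaced DLLs keep the exact size of the originals, a file-size comparison against a baseline will not catch the swap; only a content hash will. The following is an added example (not Kaspersky's tooling) that builds a baseline from a constructed set of in-memory "DLLs", then compares a size-only check with a SHA-256 check against a set in which one file has been replaced by same-length bytes.

```python
"""Integrity check illustrating why size-only baselines miss same-size DLL swaps.

Added example, not code from the Slingshot report. All file contents and paths
below are constructed stand-ins; a real baseline would come from a known-good
image or vendor signatures, and the sweep would cover every DLL loaded into
services.exe (the process the report says loads the malicious DLLs).
"""
import hashlib

# Constructed "clean" files: path -> bytes (not real Windows DLL contents).
CLEAN_FILES = {
    r"C:\Windows\System32\example_a.dll": b"MZ" + bytes(range(256)) * 4,
    r"C:\Windows\System32\example_b.dll": b"MZ" + b"legit-module-b" * 37,
    r"C:\Windows\System32\example_c.dll": b"MZ" + b"\x90" * 999,
}


def _same_length_stand_in(original: bytes) -> bytes:
    """Deterministic replacement bytes of identical length (constructed test data)."""
    seed = hashlib.sha256(b"constructed-replacement").digest()
    reps = len(original) // len(seed) + 1
    return (seed * reps)[: len(original)]


# Constructed "tampered" set: one DLL replaced by content of the same length.
TAMPERED_PATH = r"C:\Windows\System32\example_b.dll"
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES[TAMPERED_PATH] = _same_length_stand_in(CLEAN_FILES[TAMPERED_PATH])


def fingerprint(data: bytes) -> dict:
    """Record both size and SHA-256 so the two checks can be contrasted."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: dict) -> dict:
    return {path: fingerprint(data) for path, data in files.items()}


def check_size_only(baseline: dict, files: dict) -> list:
    """The weak check: flags a file only if its size changed."""
    return sorted(
        path for path, data in files.items()
        if path in baseline and len(data) != baseline[path]["size"]
    )


def check_hash(baseline: dict, files: dict) -> list:
    """The adequate check: flags any content change, plus missing/unexpected files."""
    findings = []
    for path, data in files.items():
        ref = baseline.get(path)
        if ref is None:
            findings.append((path, "unexpected-file"))
            continue
        fp = fingerprint(data)
        if fp["sha256"] != ref["sha256"]:
            kind = "same-size-different-content" if fp["size"] == ref["size"] else "size-changed"
            findings.append((path, kind))
    for path in baseline:
        if path not in files:
            findings.append((path, "missing"))
    return sorted(findings)


if __name__ == "__main__":
    base = build_baseline(CLEAN_FILES)
    print("size-only findings:", check_size_only(base, TAMPERED_FILES))
    print("hash findings:     ", check_hash(base, TAMPERED_FILES))
```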

The main modules downloaded by Slingshot are called Cahnadr and GollumApp. Cahnadr, also known as Ndriver, is a kernel-mode payload and it provides all the capabilities required by user-mode modules, including anti-debugging, rootkit functionality, injecting modules into the services.exe process, network communications, and sniffing capabilities for various protocols.

GollumApp is the main user-mode module and it’s designed to manage other user-mode modules while constantly interacting with Cahnadr. It includes a wide range of spying-focused functionality that allows attackers to capture screenshots, log keystrokes, collect system and network data, harvest passwords, manipulate clipboard data, run new processes with SYSTEM privileges, and inject other malicious modules into a specified process.

Since it can run in kernel mode, a feature typically present in sophisticated threats, the malware allows attackers to take full control of the infected machine.

Slingshot attempts to evade detection by using various methods, including calling system services directly in an effort to bypass security product hooks, encrypting strings in its modules, and selectively injecting processes depending on what security product is present.

Slingshot also employs some clever techniques when it comes to command and control (C&C) communications – the malware hides its traffic in legitimate communication protocols, keeping an eye out for packets that contain a special mark.

As for who is behind Slingshot, Kaspersky says it bears the hallmarks of a state-sponsored cyber espionage campaign. Its level of sophistication rivals that of actors such as ProjectSauron and Regin.

Researchers said most of the debug messages are written in perfect English and several strings in the code reference Lord of the Rings characters.

“Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have to date only been seen in the most advanced predators,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years.”

Iranian Hackers Use New Trojan in Recent Attacks
23.2.2018 securityweek CyberSpy

The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.

A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.

The first attack occurred on January 8, 2018, and started with two emails being sent to two different email addresses at the same organization within a six minutes time span. Both messages originated from an email address associated with the Lebanese domain of a major global financial institution, but researchers from Palo Alto Networks believe the email address was spoofed.

On January 16, OilRig targeted an organization that it had also hit a year ago. The OopsIE Trojan was downloaded from the command and control (C&C) server directly, suggesting that the server was being used for staging as well. It also suggests that the group might have changed tactics after the targeted organization took measures to counter known OilRig TTPs following last year’s incident.

The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image, a fake error message, to lower suspicion.

The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.

Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon,” the researchers explain.

The Trojan extracts and loads an embedded assembly by concatenating the contents of two resources, a technique the OilRig group was already known to employ.

Based on responses received from the server, the Trojan can run a command, upload a file, or download a specified file.

In addition to the use of the ThreeDollars delivery document, the newly observed attacks overlap with previous incidents involving the OilRig group in that they use the C&C domain msoffice365cdn[.]com. The researchers also linked the domain’s registrant to the office365-management[.]com and office365-technical[.]info domains and believe the OilRig group is behind all of them. The IP address that msoffice365cdn[.]com resolves to was also associated with the group.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware
8.2.2018 thehackernews CyberSpy  CoinMine

Security researchers have discovered a custom-built piece of malware that's been wreaking havoc in Asia for the past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender has been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe the nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group Iron Tiger.
However, this campaign has evolved its payloads to drop trojans, conduct cyber espionage and mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. using attack tactics similar to those of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment delivered via highly targeted phishing emails.

If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting "down.pzchao.com," which resolved to an IP address in South Korea at the time of the investigation.
The threat actors behind the attack campaign have control over at least five malicious subdomains of the "pzchao.com" domain, and each one is used to serve specific tasks, such as download, upload, RAT-related actions, and malware DLL delivery.
The payloads deployed by the threat actors are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers noted.
The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a 'java.exe' file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.
PZChao's final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:
Real-time and offline remote keystroke logging
Listing of all active processes and opened windows
Listening in on conversations via microphone
Eavesdropping on webcams' live video feed
Allowing for remote shutdown and reboot of the system
Downloading binaries from the Internet to remote host
Modifying and stealing files and more.
All of the above capabilities allow a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data easily.
While the tools used in the PZChao campaign are a few years old, "they are battle-tested and more than suitable for future attacks," researchers say.
Active since 2010, Iron Tiger, also known as "Emissary Panda" or "Threat Group-3390," is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.
For further insights, you can read the detailed technical paper published by Bitdefender.

Iranian Hackers Target IIS Web Servers With New Backdoor
27.1.2018 securityweek CyberSpy

The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.

Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.

Around since 2015, the OilRig threat group has targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries. Believed to be operating out of Iran, the group is using multiple tools, is expanding its arsenal, and is quick to adopt new exploits.

The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto's researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.

This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carrying out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto explains.

The researchers also found that RGDoor would call the “RegisterModule” function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests, even those issued over HTTPS. The malware parses these requests to look for a specific string in the HTTP “Cookie” field, so as to find whether cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands were issued to it.

“The sample then transmits the data back to the actor by creating a loop that calls the IHttpResponse::WriteEntityChunk method until all of the data is sent to the actor within HTTP responses. If the WriteEntityChunk method fails at any point during this loop, the code will respond to the actor with an HTTP 500 “Server Error” response by using the IHttpResponse::SetStatus method,” the researchers explain.

Because IIS does not log the values within Cookie fields of inbound HTTP requests by default, it’s difficult to locate and analyze inbound requests related to RGDoor. Furthermore, because the module checks all inbound POST requests for commands, the actor can use any URL to interact with it.
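Two of the facts above give a defender something to hunt on: the module only acts on POST requests, and it looks for cmd$, upload$ or download$ in the Cookie header regardless of URL. The following is an added example (not Palo Alto's or the malware's code) that sweeps constructed IIS W3C log lines for those command cookies, and, because cookie logging is off by default, also flags POSTs to static resources that should never receive a POST at all. It assumes the cs(Cookie) field has been enabled in IIS logging.

```python
"""Hunt for RGDoor-style command cookies in IIS W3C logs.

Added example, not code from the Palo Alto report. Assumes the administrator
has enabled the cs(Cookie) field in IIS logging (it is off by default, which
is why the article says these requests are hard to locate). The log below is
constructed sample data, not a real capture.
"""
import re
from urllib.parse import unquote_plus

# Command prefixes the report says RGDoor looks for in the Cookie field.
# A command may follow other cookie pairs, e.g. "sid=x;cmd$whoami".
_CMD_RE = re.compile(r"(?:^|[;\s])(cmd|upload|download)\$(.*)$", re.IGNORECASE)

# A POST to one of these is suspicious on its own, since RGDoor accepts any URL.
STATIC_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".css", ".js", ".ico", ".woff")

# Constructed W3C log. IIS writes '-' for empty fields and '+' for spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2018-01-20 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 session=abc123 200
2018-01-20 10:00:02 10.0.0.5 POST /contact.aspx - 443 - 203.0.113.7 Mozilla/5.0 cmd$whoami 200
2018-01-20 10:00:03 10.0.0.5 POST /images/logo.png - 443 - 203.0.113.7 Mozilla/5.0 download$C:\\inetpub\\wwwroot\\web.config 200
2018-01-20 10:00:04 10.0.0.5 GET /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 cmd$whoami 200
2018-01-20 10:00:05 10.0.0.5 POST /api/submit - 443 - 203.0.113.7 Mozilla/5.0 sid=x;upload$C:\\temp\\a.txt 500
2018-01-20 10:00:06 10.0.0.5 POST /api/submit - 443 - 203.0.113.7 Mozilla/5.0 - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would report it
        yield dict(zip(fields, values))


def rgdoor_command(cookie):
    """Return (command, argument) if the cookie carries an RGDoor command, else None."""
    if cookie in ("", "-"):  # '-' is IIS's marker for an empty field
        return None
    m = _CMD_RE.search(unquote_plus(cookie))
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def scan_iis_log(text):
    """Return findings for POST requests that look like RGDoor traffic."""
    findings = []
    for rec in parse_w3c(text):
        # The report says the module ignores GET, so only POSTs can carry commands.
        if rec.get("cs-method", "").upper() != "POST":
            continue
        reasons = []
        cmd = rgdoor_command(rec.get("cs(Cookie)", "-"))
        if cmd:
            reasons.append("rgdoor-command-cookie")
        uri = rec.get("cs-uri-stem", "")
        if uri.lower().endswith(STATIC_EXTENSIONS):
            reasons.append("post-to-static-resource")
        if reasons:
            findings.append({
                "time": rec["time"],
                "client": rec.get("c-ip"),
                "uri": uri,
                "status": rec.get("sc-status"),  # 500 may mean WriteEntityChunk failed
                "command": cmd,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f)
```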

The actors behind the backdoor used the TwoFace webshell to load it onto an IIS Web server and gain backdoor access to the compromised system. The main purpose of the tool, however, appears to be regaining access to the server in the event the TwoFace webshell was removed.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the server, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated,” Palo Alto concludes.

US House Passes Crucial Spying Law
17.1.2018 securityweek CyberSpy

The US House of Representatives passed a crucial surveillance law Thursday that reinforced the ability of the country's spy agencies to intercept and make use of Americans' private communications.

The national security establishment saw the reauthorization of the expiring Section 702 of the Foreign Intelligence Surveillance Act as essential, warning that they would not be able to detect terror plots without it.

But rights groups and libertarian-leaning politicians of both the Democratic and Republican parties saw the bill's passage as a blow, especially since former National Security Agency contractor Edward Snowden revealed in 2013 that the NSA was using it to vacuum up massive amounts of data on Americans.

Many had hoped the renewal would strengthen protections against invasive electronic wiretapping and social media monitoring of Americans by the NSA, the country's powerful electronic espionage body, and the Federal Bureau of Investigation.

- Trump tweets stir confusion -

The House's vote for the bill came after President Trump himself sent mixed messages of his own views, tweeting Thursday morning his opposition only to make an abrupt U-turn.

In an initial tweet he said the section 702 provision had been used by the Obama administration to "so badly surveil and abuse the Trump campaign," suggesting he was opposed to the bill.

More than an hour later, he reversed himself, saying "today's vote is about foreign surveillance of foreign bad guys on foreign land. We need it!"

While nearly all lawmakers agree that 702 is an essential tool for US intelligence to safeguard national security, the bill passed the House by 256-164, showing the level of opposition to the powers it gives US spies and law enforcement. The no votes included 45 Republicans.

"The House-passed bill does absolutely nothing to defend the vast majority of law-abiding Americans from warrantless searches, and in many ways it expands the federal government's ability to spy on Americans. A concerted campaign of fear-mongering and misinformation pushed this flawed bill over the line," said Senator Ron Wyden, one of the most vocal critics of the law.

- Post-9/11 law -

Section 702 of the FISA law was passed in 2008 after the Bush administration was shown to have allowed the then-illegal surveillance of telephone and online communications of US citizens and residents in the wake of the September 11, 2001 terror attacks.

Amid concerns it gave the government too much power to spy on citizens, the statute was given a five-year limit, and was renewed in 2012.

It allows the NSA and FBI, in their surveillance on foreign targets outside of the country for national security purposes, to also collect and hold communications by US citizens, so-called incidental collection.

It also permits the CIA and FBI to search that material, which includes social media postings, in the course of criminal investigations.

The NSA and FBI have downplayed their collection and use of the materials on Americans.

But leaks and statements by officials have suggested that the amount of material collected is massive, and that the FBI routinely searches it for information on Americans.

Opponents had hoped the new bill would require agencies to obtain specific warrants to scan and make use of the communications of Americans scooped up in the process of spying on foreigners.

But a slight change that says the FBI needs a warrant to make use of the material in court does not hinder their ability to freely examine NSA files, critics said.

The bill "fails to meaningfully restrict the use of Section 702 to spy on Americans without a warrant," the American Civil Liberties Union said.

The bill could face stronger opposition in the Senate, where Senator Rand Paul has threatened a filibuster. But analysts expect that will only slow its eventual passage.

Patchwork Cyberspies Adopt New Exploit Techniques
12.12.2017 securityweek CyberSpy
Malware campaigns attributed to the Patchwork cyberespionage group have been using a new delivery mechanism and exploiting recently patched vulnerabilities, Trend Micro warns.

Also known as Dropping Elephant or Chinastrats and believed to be operating out of the Indian subcontinent, the group is said to have been active since 2014. Initially focused on government-associated organizations that have connections to Southeast Asia and the South China Sea, the actor has expanded its target list to include entities in a broad range of industries.

In a new report (PDF) on Patchwork’s latest operations, Trend Micro says that the group has added businesses to its list of targets and that its use of numerous infection vectors and payloads makes it a credible threat.

Campaigns that security researchers have associated with the group over the course of 2017 revealed diverse methods (social engineering hooks, attack chains, and backdoors), along with the adoption of Dynamic Data Exchange (DDE), Windows Script Component (SCT), and exploits for recently reported vulnerabilities.

“These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attempts to be more cautious and efficient in their operations,” Trend Micro notes.

Targets and attack vectors

The observed campaigns focused on multiple sectors in China and South Asia, but also hit organizations in the U.K., Turkey, and Israel. Using spear-phishing emails, the cyberespionage group targeted high-profile personalities, business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, and financial institutions. The United Nations Development Programme was targeted as well.

The spear-phishing emails contained website redirects, direct links, or malicious attachments. Some emails contained direct links to malicious documents hosted on the attacker-owned servers. The group spoofed a news site and used it to divert visitors to socially engineered, malware-ridden documents and was also observed misusing email and newsletter distribution services.

A fake Youku Tudou website (a social video platform popular in China) was used for drive-by downloads. The victim was tricked into downloading and executing a fake Adobe Flash Player update that was, in fact, a variant of the xRAT Trojan.

Patchwork was also observed phishing for credentials to take over a target’s emails and other online accounts. One attack copied a webpage from a legitimate web development company and displayed the fake page to victims alone.

Using Rich Text Format (RTF) documents, the group exploited vulnerabilities such as CVE-2012-1856 – a remote code execution (RCE) in the Windows common control MSCOMCTL, or CVE-2015-1641 – a memory corruption in Microsoft Office. They also exploited the CVE-2014-4114 Sandworm RCE vulnerability in Windows’ Object Linking and Embedding (OLE) via PowerPoint (PPSX) files.

More recent vulnerabilities the actor has been abusing include CVE-2017-0199 – an RCE in Microsoft Office’s Windows OLE, patched in April 2017, and CVE-2017-8570 – an RCE in Microsoft Office patched in July 2017. They were exploited via PowerPoint (PPT) and PPSX files.

The malicious PPSX files exploiting CVE-2017-8570 downloaded a Windows Script Component (SCT) file from a Patchwork-owned server to eventually deliver the xRAT malware.

“Apart from exploit-laden documents, Patchwork also misused DDE to retrieve and execute xRAT in the infected machine. They also sent a document embedded with an executable, which downloads a decoy document and a backdoor, then executes the latter,” Trend Micro explains.

Malware and infrastructure

In addition to using a variety of malicious documents for their nefarious purposes, the Patchwork hackers also deployed a miscellany of backdoors and information stealers onto their victims’ machines. Some of these tools appear to be used solely by this group, the security researchers say.

The threat actor was observed dropping malware such as the NDiskMonitor custom backdoor (believed to be Patchwork’s own, it can list files and logical drives and download and execute files from specified URLs); and Socksbot, which can start a Socket Secure (SOCKS) proxy, take screenshots, and run executables and PowerShell scripts.

Malware such as the xRAT remote access tool (its source code is available online) and the Badnews backdoor (potent information-stealing and file-executing malware) were also associated with the group’s activities, as well as a series of file stealers (Taskhost Stealer and Wintel Stealer targeting .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and RTF files, along with .eml and .msg email messages; as well as versions of file stealers written in AutoIt).

Trend Micro has discovered 30 to 40 IP addresses and domain names used by the group in 2017 and says that each of the servers has had a different purpose. While some were only meant as command and control (C&C) servers that would collect data from the used stealers, others were used only to host phishing websites.

In some cases, the same server was used both for C&C communication and to distribute malware (or malicious documents) by hosting content copied from legitimate websites.

The group has been using publicly available PHP scripts for retrieving files from the server without disclosing their real paths, likely to prevent security researchers from finding open directories. Trend Micro also observed the group temporarily removing a file so it could not be retrieved or replacing it with a legitimate one. Sometimes they would display “a fake 302 redirection page to trick researchers into thinking the files are gone.”

“Patchwork is in a vicious cycle, given the group’s habit of rehashing tools and malware. The more those are used, the likelier that they’d be incorporated in the group’s arsenal. The takeaway for enterprises? The gamut of tools and techniques at Patchwork’s disposal highlights the significance of defense in depth: arraying proactive defense to thwart threats at each level—from the gateways, endpoints, and networks to servers,” Trend Micro notes.

10 Biggest Cyber Espionage Cases
11.12.2017 securityaffairs  CyberSpy

Cyber espionage is now becoming more sophisticated and widespread both on the international and domestic stages. These are the 10 biggest cyber espionage cases.
Cyber spying is now becoming more sophisticated and widespread both on the international and domestic stages. Cyber terrorists can attack you from any place in the world at any time if you don’t secure your computer properly. What is more embarrassing about cyber espionage is that victims often don’t know that they have been under constant threat for years. In a climate of increasing business competition, even the smallest companies have to consider options for cyber espionage prevention. If you still don’t believe in the enormous capabilities of cyber attackers, let’s look at the list of the 10 biggest cyber espionage cases that affected companies, governments, and even nations.

1. Moonlight Maze
In 1999, Newsweek revealed the first case of coordinated cyber espionage in the United States. A series of cyber attacks began in 1998 and resulted in thousands of stolen documents containing confidential information about American military technologies. Hackers broke into the network of Wright Patterson Air Force Base and then connected to military research institutions. Russia was blamed for these attacks, but there was a lack of proof. The malware implemented during the Moonlight Maze operation is still widely used for modern attacks.

2. Titan Rain
For two years, from 2003 to 2005, U.S. government computers were under constant threat from Chinese military hackers. Titan Rain also included attacks on the UK defense and foreign ministries that continued until 2007. This was the first case of cyber espionage sponsored by a state. The hackers penetrated the networked computers using different methods and tried to steal as much information as possible. The complicity of the Chinese government in this operation wasn’t proven, but countries became more cautious about cyber espionage attacks.

3. Gillette Industrial Espionage
In 1997, Gillette suffered from industrial espionage after one of its engineers disclosed corporate information to the company’s competitors. Steven Louis Davis worked on the development of a new razor, but then, because of quarrels with his supervisor, the engineer stole the design of the new shaver system and revealed it via email and fax to Gillette’s competitors. Davis was found guilty of industrial espionage and sentenced to 27 months in jail.

4. Office of Personnel Management Data Breach
Starting in 2012, Chinese government hackers allegedly attacked the U.S. Office of Personnel Management and stole personal information about 21 million Americans. As a result of this cyber espionage, the perpetrators gained access to sensitive data about people who worked for or applied to the federal government, including the military. The data leak was discovered in June 2015 when OPM personnel detected malware that had built a backdoor into the network. A Chinese national suspected of developing the malware was arrested only in 2017. Though OPM representatives assured that no one suffered because of the hackers’ intrusion, the long-term results of this data breach are still unknown.

5. Operation Aurora
At the beginning of 2010, Google claimed that the company had been hit by a series of cyber attacks originating from China. Apart from Google, the hackers also attacked more than 20 international companies, including Adobe Systems and Yahoo. Google said that its intellectual property was stolen and that Gmail accounts were also under persistent threat. The company even considered stopping censoring its search results in China. The attacks were performed by exploiting a vulnerability in Internet Explorer and combining stealth programming and encryption techniques.

6. GhostNet
In 2009, Canadian researchers revealed a large spy network called GhostNet that arranged an intrusion into more than one thousand computers in 103 countries. Perpetrators got unauthorized access to the network of the Dalai Lama offices and used it for compromising other computers. Besides, the attacks were also performed on the foreign ministers and embassies of Germany, Pakistan, India, Iran, South Korea, and Thailand. The Chinese government denied any involvement in the attacks.

7. Night Dragon
In 2011, McAfee reported on the Night Dragon operation initiated by Chinese hackers to attack the largest European and American energy businesses, including Royal Dutch Shell and Baker Hughes. This was one of the biggest cyber espionage cases, as intruders gained access to topographical maps of potential oil reserves. According to the McAfee report, the attackers used a range of unsophisticated hacking tools and techniques that were available on Chinese hacker websites.

8. Spying on the Obama and McCain Computers
Another case of cyber espionage involved the computers of John McCain and Barack Obama during their presidential campaigns in 2008. Chinese or Russian hackers allegedly installed spyware on the computers of the two presidential candidates and stole sensitive data related to foreign policy. The cyber attack was initially considered a computer virus, but technology experts then discovered a leak of a considerable number of files. The data leak was revealed only after the presidential election, during the federal investigation.

9. Computer Spies Breach Fighter-Jet Project
In 2009, the Pentagon reported that the Fighter-Jet Project had come under assault from unknown intruders. This multi-billion-dollar next-generation fighter project was the victim of coordinated cyber espionage attacks over two years. The attackers used computers located in China to steal a massive volume of data about electronics and internal maintenance. Fortunately, the most sensitive information was kept offline and the attackers were not able to access it. Although U.S. officials suspected Chinese hackers, the true origin of the perpetrators was never established.

10. Operation Shady RAT
Operation Shady RAT is undeniably one of the biggest cyber espionage cases in history, having affected more than 70 companies and organizations since 2006. Victims included the International Olympic Committee, which was compromised for several months prior to the 2008 Olympic Games in Beijing. The United Nations and the World Anti-Doping Agency were also attacked. McAfee identified previously unknown malware that was spread via e-mail with a link to a self-loading remote-access tool, or RAT. The attackers gained unauthorized access to legal contracts, government secrets, and other sensitive data. Chinese hackers allegedly orchestrated the operation, since every country in Southeast Asia except China suffered from the attacks.

As you can see, attackers can strike from either inside or outside the company, so you should always be ahead of the game. In order to protect your sensitive information against unauthorized access, consider cyber espionage prevention options that provide both employee monitoring and external intrusion blocking.

Iranian Cyberspies Exploit Recently Patched Office Flaw
8.12.2017 securityweek CyberSpy
A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.

The threat actor, tracked as APT34 by FireEye and OilRig by other companies, has been active since at least 2014, targeting organizations in the financial, government, energy, telecoms and chemical sectors, particularly in the Middle East.

Back in April, researchers noticed that APT34 had started exploiting an Office vulnerability (CVE-2017-0199) in attacks aimed at Israeli organizations shortly after Microsoft released a patch.

The cyberspies have now also started leveraging CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14. FireEye said it had spotted an attack exploiting this flaw less than a week after the fix was released.

The remote code execution vulnerability affects the Equation Editor (EQNEDT32.EXE) component of Office and it has been around for 17 years. Some believe Microsoft may have addressed the security hole by directly modifying the executable, suggesting that the company may have lost its source code.

Proof-of-concept (PoC) exploits were made available for CVE-2017-11882 shortly after Microsoft released a patch and, in late November, researchers reported that a cybercrime group tracked as Cobalt had started exploiting the vulnerability.

However, FireEye saw the first attempt to exploit CVE-2017-11882 less than a week after Microsoft released a fix. The attack was aimed at a government organization in the Middle East.

In July 2017, FireEye observed an APT34 attack using CVE-2017-0199 to deliver a backdoor tracked by the company as POWRUNER, and a downloader with DGA (domain generation algorithm) functionality named BONDUPDATER. In November, the group switched to using CVE-2017-11882 to deliver these PowerShell-based pieces of malware.

The attackers used specially crafted RTF documents delivered to targeted users via spear phishing emails. When opened, the file triggers the Office vulnerability and initiates an infection process that ends with the execution of the backdoor and the downloader.

POWRUNER allows attackers to collect information about the infected machine, download and upload files, and capture screenshots. Once it receives commands from its command and control (C&C) server, the malware stops running.

The BONDUPDATER downloader is APT34’s first attempt at implementing a DGA for generating subdomains that are used for C&C communications.
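Since the page does not describe BONDUPDATER's actual generation scheme, the following is an added, generic example (not FireEye's code or the malware's algorithm) of how a defender might surface DGA-style subdomains in DNS query logs: it scores the leftmost label of each query on length, character entropy and digit ratio, and only reports a parent domain once several distinct generated-looking labels appear under it. The log lines, the log format and the thresholds are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the page). Assumed format:
# "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_DNS_LOG = """\
2017-11-20T09:12:01Z 10.0.0.15 www.example.com A
2017-11-20T09:12:03Z 10.0.0.15 mail.example.com A
2017-11-20T09:12:07Z 10.0.0.15 cdn.static-example.net A
2017-11-20T09:13:11Z 10.0.0.22 q8f3k1x9m2p7.updates-example.net A
2017-11-20T09:13:12Z 10.0.0.22 z4h6j2d9w1e5.updates-example.net A
2017-11-20T09:13:14Z 10.0.0.22 t0r8n5v3y7c2.updates-example.net A
2017-11-20T09:14:00Z 10.0.0.31 login.example.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client_ip, normalized query name) per well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def label_features(label):
    """Cheap lexical features of a single DNS label."""
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
    }


def is_dga_like(label, min_len=10, min_entropy=3.0, min_digit_ratio=0.3):
    """Heuristic: long, high-entropy labels with many digits look generated.
    Thresholds are assumptions and must be tuned per environment."""
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["digit_ratio"] >= min_digit_ratio)


def flag_dga_queries(text, min_hits=2):
    """Return {parent_domain: sorted query names} for parents with at least
    min_hits distinct generated-looking subdomain labels. Requiring several
    hits per parent suppresses one-off hash-like hostnames (e.g. CDN nodes)."""
    hits = {}
    for _, _client, qname in parse_dns_log(text):
        parts = qname.split(".")
        if len(parts) < 3:          # need at least label.domain.tld
            continue
        label, parent = parts[0], ".".join(parts[-2:])
        if is_dga_like(label):
            hits.setdefault(parent, set()).add(qname)
    return {p: sorted(q) for p, q in hits.items() if len(q) >= min_hits}


if __name__ == "__main__":
    for parent, names in flag_dga_queries(SAMPLE_DNS_LOG).items():
        print(parent, "->", names)
```

The digit-ratio condition is deliberately strict and would miss purely alphabetic generators; in practice this heuristic is a first-pass filter that feeds NXDOMAIN rates, newly registered domain data and per-client query volume, not a verdict on its own.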

“We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursuing strategies to deter detection,” FireEye said in a blog post. “We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.”

This is not the first time FireEye has analyzed APT34’s activities. In May 2016, the security firm published a report detailing some of its attacks on banks in the Middle East, but at the time it did not attribute the operation to any group.

Palo Alto Networks reported in October that OilRig had started using a new Trojan in attacks aimed at entities in the Middle East.

U.S. Charges Three Chinese Hackers for Hacking Siemens, Trimble & Moody

29.11.2017 thehackernews CyberSpy

The United States Justice Department has charged three Chinese nationals with allegedly hacking an economist at Moody's Analytics, German electronics manufacturer Siemens, and GPS maker Trimble, and stealing gigabytes of sensitive data and trade secrets.
According to an indictment unsealed Monday in federal court in Pittsburgh, Pennsylvania, the three men worked for a Chinese cybersecurity company, Guangzhou Bo Yu Information Technology Company Limited (Boyusec), previously linked to China's Ministry of State Security.
Earlier this year, security researchers also linked Boyusec to one of the active Chinese government-sponsored espionage groups, called Advanced Persistent Threat 3 (or APT3), which is also known as Gothic Panda, UPS Team, Buckeye, and TG-0110.
In 2013, APT3 allegedly stole the blueprints for ASIO's new Canberra building using a piece of malware that was uploaded to an ASIO employee's laptop.
According to the indictment, the three Chinese nationals, identified as Wu Yingzhuo, Dong Hao, and Xia Lei, launched "coordinated and unauthorized" cyber attacks between 2011 and 2017 and successfully stole information from a number of organizations by compromising their accounts.
The trio is alleged to have attacked Moody's Analytics, Siemens, and Trimble by sending spear-phishing emails with malicious attachments or links to malware.
The men also used customized tools collectively known as the 'ups' or 'exeproxy' malware to gain unauthorized, persistent access to the targeted companies' networks, allowing them to search for and steal confidential business information and user credentials.
"The primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy, package, and steal data from those computers, including confidential business and commercial information, work product, and sensitive victim employee information, such as usernames and passwords that could be used to extend unauthorized access within the victim systems," the DOJ said.
The most affected of the three companies was IT giant Siemens. According to the indictment, the defendants:
Stole approximately 407 gigabytes of data from Siemens' energy, technology and transportation businesses in 2014.
Hacked into Trimble's network and stole at least 275 megabytes of data, including trade secrets related to global navigation satellite systems technology the company spent millions of dollars developing, in 2015 and 2016.
Accessed an internal email server at Moody's in 2011, configured the account of an unidentified "prominent employee" to forward to accounts under their control, and kept accessing the confidential messages sent to that account until 2014.
According to the DoJ, Wu and Dong were co-founders and shareholders of Boyusec, while Lei was an employee. All three defendants were residents of Guangzhou.
The Chinese men have been charged with a total of eight counts, including one charge of computer fraud and abuse, two charges of trade secret theft, three counts of wire fraud, and four to eight counts of aggravated identity theft.
If found guilty, the hackers face a maximum sentence of 42 years in prison.

A China-linked cyber espionage group has been using a new strain of malware dubbed Reaver
13.11.2017 securityaffairs CyberSpy

Experts at Palo Alto Networks have discovered a new malware family named Reaver with ties to hackers who use the SunOrcal malware.
A China-linked cyber espionage group has developed a new strain of malware, dubbed Reaver, that was already observed in highly targeted attacks during 2016.

The malware was analyzed by experts at Palo Alto Networks, who spotted ten different samples belonging to three different versions of the malicious code.


The Chinese cyberspies deliver the malware as Windows Control Panel (CPL) files, a technique that is uncommon in the threat landscape; according to Palo Alto Networks, only 0.006% of the malware it has seen uses this method.

“Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010.” reads the analysis published by Palo Alto Networks.

“The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.”

The analysis of the infrastructure used by the threat actor behind the Reaver malware revealed a link to the SunOrcal malware used by China-linked attackers in campaigns that targeted the January 2016 presidential election in Taiwan.

The experts have no information about the intended targets of the Reaver attackers, but previous reports suggest the threat actors primarily targeted the movements the Chinese government perceives as dangerous, the so-called Five Poisons.

Five Poisons movements are:

Uyghurs, particularly those supporting East Turkestan independence
Tibetans, particularly those supportive of Tibetan independence
Falun Gong practitioners
Supporters of Taiwan independence
Supporters of Chinese democracy
Starting in late 2016, the attackers used both families of malware concurrently and the same C2 infrastructure was used in the campaigns involving both malicious codes.

Threat actors behind the SunOrcal malware were known for the use of the Surtr RAT, which has been tied to weaponized document generators named HomeKit and Four Element Sword. The hacker group has been around since at least 2013, but further investigation suggests it may have been active since at least 2010.

The Reaver malware abuses the Windows Control Panel utility, control.exe, to load the final payload. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 leverage a payload that uses raw TCP connections.

Once Reaver has infected a device, it first gathers information about the compromised system (CPU speed, computer name, username, IP address, memory information and Windows version).

The Reaver malware is able to perform many other malicious activities, including reading and writing files, altering files and registry keys, terminating processes, and modifying services.

Technical details about the Reaver malware are included in the report published by Palo Alto Networks, which also includes indicators of compromise (IoC) and details on the C&C infrastructure.

Chinese Cyberspies Deliver New Malware via CPL Files
13.11.2017 securityweek CyberSpy
A China-linked cyber espionage group that may have been active since as early as 2010 has developed a new piece of malware that it has used in highly targeted attacks launched over the past year.

The new malware, dubbed Reaver, was analyzed by researchers at Palo Alto Networks, who identified ten different samples representing three versions of the threat.

The final payload of the malware has been loaded using Windows Control Panel (CPL) files, which is highly uncommon – Palo Alto Networks said only 0.006% of the malware it has seen leverages this technique. A surge in CPL malware was observed in 2013 and 2014 in Brazil, where cybercriminals had been using it to deliver banking Trojans.

Based on the infrastructure it uses, Reaver has been linked by experts to SunOrcal, a piece of malware used by threat actors believed to be located in China in attacks aimed at the January 2016 presidential election in Taiwan. The group behind SunOrcal is also said to be using the Surtr RAT, which has been tied to malicious document generators named HomeKit and Four Element Sword.

The threat actor has been around since at least 2013, but some evidence suggests it may have been active since as early as 2010.

Palo Alto Networks does not have information on the individuals or organizations targeted with Reaver, but based on the group’s previous campaigns, the attacks were likely aimed at one of China’s “Five Poisons:” Uyghurs, Tibetans, Falun Gong, the Chinese democracy movement, and the movement for Taiwan’s independence.

The malware abuses the Control Panel utility in Windows, control.exe, to load the Reaver payload. The first version of the threat uses HTTP for communication, while the newer versions rely on TCP.

Once it infects a device, Reaver can help its operators collect information about the compromised system, including CPU speed, computer name, username, IP, memory information and Windows version. The malware can also read and write files, alter files and registries, spawn and terminate processes, and modify services.

The hackers started using Reaver sometime in late 2016 alongside SunOrcal. Both pieces of malware have been seen in attacks as recent as November 2017.

Palo Alto Networks has published a detailed analysis of Reaver, along with indicators of compromise (IoC) and information on overlaps with SunOrcal.

Newly Uncovered 'SowBug' Cyber-Espionage Group Stealing Diplomatic Secrets Since 2015

8.11.2017 thehackernews CyberSpy

A previously unknown hacking and cyber-espionage group that has been in operation since at least 2015 has conducted a series of highly targeted attacks against a host of government organizations in South America and Southeast Asia to steal their sensitive data.
Codenamed Sowbug, the hacking group has been exposed by Symantec security researchers, who spotted the group conducting clandestine attacks against foreign policy institutions, government bodies and diplomatic targets in countries including Argentina, Brazil, Ecuador, Peru and Malaysia.
Symantec's analysis found that the Sowbug hacking group uses a piece of malware dubbed "Felismus" to launch its attacks and infiltrate its targets.
First identified in late March of this year, Felismus is a sophisticated, well-written remote access Trojan (RAT) with a modular design that allows the backdoor to hide or extend its capabilities.
The malware allows malicious actors to take complete control of an infected system and like most RATs, Felismus also allows attackers to communicate with a remote server, download files, and execute shell commands.
By analysing Felismus, researchers were able to connect previous attack campaigns with the Sowbug hacking group, indicating that it had been active since at least early 2015 and may have been operating even earlier.
"To date, Sowbug appears to be focused mainly on government entities in South America and Southeast Asia and has infiltrated organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia," the Symantec report said.
"The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organisations."
Although it is still unclear how the Sowbug hackers managed to gain a foothold in computer networks, evidence gathered by researchers suggested the hackers have made use of fake, malicious software updates of Windows or Adobe Reader.
The researchers also found that the group has used a tool known as Starloader to deploy additional malware and tools, such as credential dumpers and keyloggers, on victims' networks.
Symantec researchers have found evidence of Starloader files being spread as software updates entitled AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others.
Instead of compromising the software itself, Sowbug gives its hacking tools file names "similar to those used by software and places them in directory trees that could be mistaken for those used by the legitimate software."
This trick allows the hackers to hide in plain sight, "as their appearance is unlikely to arouse suspicion."
The Sowbug hackers took several measures to stay under the radar, carrying out their espionage operations outside of standard office hours in order to maintain their presence on targeted networks for months at a time.
In one instance, the hacking group remained undetected on the target's network for up to six months, between September 2016 and March 2017.
Like the initial distribution method of the Felismus malware used in the Sowbug operation, the identity of the Sowbug attackers remains unknown.

Paradise Papers were the result of a hack by external attackers
7.11.2017 securityaffairs CyberSpy

Most of the Paradise Papers came from the offshore law firm Appleby, which confirmed that the leak came from a hack on its network and that no insiders were involved.
The Paradise Papers are a collection of more than 13.4 million financial documents leaked online that have shed light on how major figures in the world of business, politics, entertainment, and sport move their funds through offshore tax havens.

Many stories emerged from the huge trove of documents, such as the allegations that Russia funded Facebook and Twitter investments through a business associate of Jared Kushner, President Donald Trump’s son-in-law and senior White House adviser.

“The investments were made through a Russian technology magnate, Yuri Milner, who also holds a stake in a company co-owned by Kushner, Donald Trump’s son-in-law and senior White House adviser.” reported The Guardian.

“The discovery is likely to stir concerns over Russian influence in US politics and the role played by social media in last year’s presidential election.”

Other documents analyzed by the BBC linked Donald Trump's commerce secretary, Wilbur Ross, to a shipping company transporting oil and gas for a firm whose shareholders include Vladimir Putin's son-in-law and two men subject to US sanctions.

The Paradise Papers also revealed a £10m investment by the Queen of the United Kingdom in funds in the Cayman Islands and Bermuda.

Most of the leaked documents came from the hack of the offshore law firm Appleby.

The documents were first obtained by the German newspaper Süddeutsche Zeitung, the same newspaper that first analyzed the Panama Papers last year.

The German newspaper did not reveal the source of the leak; however, Appleby blamed external hackers for the intrusion into its systems.

In a statement, Appleby said the leaked information came from a criminal hack on its computer systems, and a subsequent forensic investigation ruled out insider involvement.

“We wish to reiterate that our firm was not the subject of a leak but of a serious criminal act. This was an illegal computer hack. Our systems were accessed by an intruder who deployed the tactics of a professional hacker and covered his/her tracks to the extent that a forensic investigation by a leading international Cyber & Threats team concluded that there was no definitive evidence that any data had left our systems. This was not the work of anybody who works at Appleby.” reported Appleby.

Appleby stressed that it had done nothing unlawful; nonetheless, the incident could trigger serious legal repercussions for the company.

Cyber espionage – China-Linked group leverages recently patched .NET Flaw
19.20.2017 securityaffairs CyberSpy

Security researchers at Proofpoint spotted a cyber espionage campaign conducted by a group previously linked to China.
The hackers have been using a recently patched .NET vulnerability, tracked as CVE-2017-8759, in attacks aimed at organizations in the United States.

“Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.” reads the report published by Proofpoint.

The attackers have been active since at least 2014, and they are known for the use of a remote access trojan (RAT) named NanHaiShu. The threat actors targeted various U.S. and Western European organizations with ties to the maritime sector, including naval defense contractors and research institutions.

“NanHaiShu – We have observed variants of this JavaScript backdoor used in various campaigns, including those publicly reported. The actor continues to improve and refine the malware by, for example, wrapping it inside an HTA wrapper” continues the report.

Last year, experts at security firm F-Secure analyzed the attacks conducted by the group against the participants of a Permanent Court of Arbitration case focusing on a dispute between China and the Philippines over the South China Sea.

According to the report published by F-Secure, the NanHaiShu malware had Chinese origins.

In the last campaign spotted in mid-September, attackers targeted various US entities, including a shipbuilding company and a university research center with ties to the military.

According to researchers at Proofpoint, the threat actors sent spear-phishing emails to the victims with documents crafted to exploit CVE-2017-8759. The CVE-2017-8759 flaw is a .NET vulnerability patched by Microsoft just a few days before the hacker crew launched the attacks.


According to FireEye, CVE-2017-8759 had already been actively exploited by an APT group in July to deliver the FinFisher (FinSpy) surveillance malware to a Russian-speaking “entity” via malicious Microsoft Office RTF files.

Proofpoint discovered other attacks launched by the cyber espionage group in early August when hackers exploited the CVE-2017-0199 flaw, an Office vulnerability that had also been exploited in attacks since April.

The hackers targeted several defense contractors, leveraging malicious Microsoft Publisher files, PowerPoint documents, and domains set up to mimic those of an important provider of military ships and submarines.

The arsenal of the group also includes a backdoor dubbed “Orz,” which was used in past attacks and in the August 2017 campaigns, the SeDLL and MockDLL loaders, and Cobalt Strike, a publicly available commercial software package for “Adversary Simulations and Red Team Operations.”

The actor sometimes leverages its access to one compromised organization to move laterally and target another organization in the same industry.

“Similarly the actor attempts to compromise servers within victim organizations and use them for command and control (C&C) for their malware.” continues the analysis.

“The tools, techniques, and targets consistently connect their work, particularly given their attention to naval and maritime defense interests and use of custom backdoors,” concluded the researchers. “While defense contractors and academic research centers with military ties should always be cognizant of the potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate-looking but unsolicited emails from outside entities.”