Lucene search

K
thn
The Hacker NewsTHN:E95B6A75073DA71CEC73B2E4F0B13622
HistoryOct 04, 2021 - 12:48 p.m.

A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries

2021-10-0412:48:00
The Hacker News
thehackernews.com
246

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

APT Hacking Group

A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.

Cybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang — referring to their chameleellonic capabilities, including disguising “its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.”

“To achieve their goal, the attackers used a trending penetration method—supply chain,” the researchers said of one of the incidents investigated by the firm. “The group compromised a subsidiary and penetrated the target company’s network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal and steal data from the compromised network.”

Intrusions mounted by the adversary are believed to have commenced at the end of March 2021, with later attacks in August leveraging what’s called the ProxyShell chain of vulnerabilities affecting Microsoft Exchange Servers, the technical details of which were first revealed at the Black Hat USA 2021 security conference earlier that month.

Microsoft

The attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company’s network by exploiting a flaw in Red Hat JBoss Enterprise Application (CVE-2017-12149) to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.

“The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,” the researchers said. “This utility allows connecting to a reverse proxy server. The attackers’ requests were routed using the socks5 plugin through the server address obtained from the configuration data.”

On the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.

“Targeting the fuel and energy complex and aviation industry in Russia isn’t unique — this sector is one of the three most frequently attacked,” Positive Technologies’ Head of Threat Analysis, Denis Kuvshinov, said. “However, the consequences are serious: Most often such attacks lead to financial or data loss—in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Be first who know about 0-days in popular software

Do not waste time on finding information in tons of articles. Subscribe yourself and your colleagues on news and articles about products you need and you use!

Subscribe on news

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for THN:E95B6A75073DA71CEC73B2E4F0B13622