5/13/2015
03:55 PM
Oil & Gas Firms Hit By Cyberattacks That Forgo Malware

New spin on the 'Nigerian scam' cheats crude oil buyers out of money with a bait-and-switch.

An unusual type of targeted attack underway for two years uses legitimate Windows file functions and a few homemade scripts -- but no malware -- to infiltrate companies in the oil and gas maritime transportation industry.

Researchers at Panda Labs first discovered the attack campaign early last year, which had slipped by antivirus software and hit around 10 companies since it launched in August of 2013. The attackers are stealing information from oil cargo organizations and then using that information to pose as legitimate firms in scams against oil brokers.

"This is an innovative targeted attack" but not an APT (advanced persistent threat) or cyberespionage, says Luis Corrons, technical director of Panda Labs. "They use no malware; I'm not sure if they're not using malware because they don't know how to … They were stealing credentials without malware."

The attack campaign, dubbed Phantom Menace by Panda, was first spotted by the security team at an oil and gas transportation company in the U.K. It began with a convincing-looking spearphishing email carrying a phony PDF file that, when opened by the victim, was empty. "It has a self-destructor file, and it creates a folder where it puts files inside. It runs one of the batch files and that's it. There are no malicious" code tools, he says.

Panda was able to root out the stolen files from an FTP server used by the attackers, and drill down into the attack itself, which turns out to be a new spin on the Nigerian scam. It works like this: the scammer contacts an oil broker and offers them anywhere from 1 to 2 million barrels of Bonny Light Crude Oil (BLCO) -- at a bargain price -- from a town in Nigeria called Bonny that's well-known for oil with low sulfur content, which makes it a low-corrosive grade product.

"They have to show proof of the product, quantity and quality of the oil, and they ask for $50,000-100,000 in payment to close the agreement," Corrons says. "They [the broker] go there, and there is nothing," no oil or supplier, he says.

"Our guess here is that they were interested in [oil cargo transportation company] user credentials so they can steal and copy real certificates from those companies" that they can use in the scam to pose as legitimate oil firms, he says.

Most of the victim organizations were in Europe, including Spain, Germany, and Belgium. There also were victims in Asia, he says.

The initial infiltration of the victim system once the phony PDF is opened works like this: an executable file using an Adobe Acrobat Reader icon self-extracts, creates the folder, and moves six files into that folder. It runs a series of files it planted, and ultimately uses a .bat file to modify the Windows registry such that each time the computer starts, it runs its .bat file to grab usernames and passwords from the mail client and browser, and then saves them in a text file.

There are additional steps to mask the folders, including disabling the Windows firewall. The last step is using FTP to upload the stolen files to the attackers' own FTP server.
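Because the chain described above uses only built-in Windows tooling, the practical detection surface is process-creation telemetry rather than file hashes. The following script is an added example written for this article, not code from Panda Labs or from the report, and it runs three simple rules over constructed sample events: a registry Run-key entry pointing at a batch file, a firewall being switched off, and a script-driven FTP upload. The specific command lines used in the samples (`reg add ... \CurrentVersion\Run`, `netsh advfirewall ... state off`, `ftp -s:`) are assumptions about how the steps the article describes would appear in logs, not details taken from the campaign itself. A host that trips two or more rules is reported, since any single one of these commands has legitimate administrative uses.

```python
import re

# Constructed sample process-creation events (host, image path, command line).
# These are illustrative records made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d "C:\Users\alice\AppData\Roaming\sys\run.bat"'},
    {"host": "ws-17", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "ws-17", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp -s:C:\Users\alice\AppData\Roaming\sys\up.txt"},
    # Benign activity on a second host: a Run-key query and a build script.
    {"host": "ws-22", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws-22", "image": r"C:\Program Files\Git\bin\bash.exe",
     "cmdline": "bash build.sh"},
]

# Each rule is (indicator name, regex over the command line). The patterns are
# assumptions about how the article's three steps would look in logs.
RULES = [
    # Persistence: a Run-key value whose payload is a .bat file.
    ("run_key_batch",
     re.compile(r"\breg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b.*\.bat", re.I)),
    # Defence evasion: the Windows firewall being turned off via netsh.
    ("firewall_disabled",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\s+.*\b(off|disable)\b", re.I)),
    # Exfiltration: unattended ftp.exe driven by a script file (-s:).
    ("scripted_ftp",
     re.compile(r"\bftp(\.exe)?\s+.*-s:", re.I)),
]


def detect(events):
    """Return {host: sorted list of indicator names} for every host that
    matched at least one rule."""
    hits = {}
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def suspicious_hosts(events, min_indicators=2):
    """Hosts on which at least `min_indicators` distinct steps of the chain
    were observed; a single hit is left for triage rather than alerting."""
    return sorted(host for host, names in detect(events).items()
                  if len(names) >= min_indicators)


if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
    print("alert on:", suspicious_hosts(SAMPLE_EVENTS))
```

Run as written, the script reports all three indicators on ws-17 and nothing on ws-22, whose `reg query` does not modify anything. Correlating by host rather than alerting on each line is what keeps the rule useful in an environment where administrators legitimately run `netsh` or `reg`.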

"Why would you bother to buy or build a Trojan," which could be detected, Corrons says. The legit files fly under the radar.

Corrons and his team found some 865 unique files of stolen information in the FTP server, all of which were from the oil and gas maritime transportation sector.

Unmasking An Attacker

The researchers also have been able to identify one of the likely attackers involved. But in the end, that may not matter: none of the victims will report the attack to law enforcement. Panda's theory is that's because they don't see it as a pure breach: none of the information and credentials stolen from the victims was actually used against them, but instead was used against other companies. They don't want to report that they were duped for fear of negative publicity, according to Panda. "They prefer to keep a low profile, change their credentials, and continue to operate just as if nothing had happened."

And if law enforcement has no official complaints filed, there's no investigation, Corrons notes. "The broker who lost the money was unofficially buying the oil … from the underground," he says.

"The guy [attacker] leaves free," he says.

Panda began tracking the attackers by following the FTP connection used to send the stolen credentials. That took them to a free FTP service, where one of the attackers had registered for it. While his name and location information was fake, it appears the city was not -- the village of Ikeja in Nigeria, which is also known as "computer village" in the country, due to its large concentration of technology vendors.

They also traced his gmail.com address, and they were able to decipher his name: "We took the 9 characters that made up the email address and started combining them to see if we could form an alias, a first name, a last name or similar. And we got it," Panda says in a report on the campaign.

The suspected attacker is a Nigerian national, and they found his Twitter, Facebook and LinkedIn accounts as well. He's a resident of Ikeja who owns a goods transport company. "Too many coincidences. So, even though all the evidence seems to indicate that this is the person responsible for the attack, there is no way for us to prove it. It would require the police to launch an investigation and obtain information about the FTP connections, etc., in order to get the IP address of the person who signed up to the service and find the culprit," Panda said.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
