Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/27/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Malware Investigation Leads to Sophisticated Mideast Threat Network

The infrastructure behind a Web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.

A security vendor's investigation into the source of malware that was used in a recent security incident involving a Middle Eastern organization has revealed just how sophisticated and interlinked modern cyberattack infrastructures have become.

For the past several months, researchers at Palo Alto Networks have been investigating a Web shell dubbed TwoFace that was used in the Mideast incident to remotely access the victim's network and establish a persistent point for lateral movement.

In following IP addresses associated with the TwoFace attack, the researchers stumbled upon a much larger-than-expected adversary network that included multiple compromised websites, credential harvesting systems, command-and-control servers and post-exploitation tools.

Several of the credential harvesting websites were crafted to be identical replicas of legitimate websites belonging to organizations in Israel. The credential harvesting sites included those that purported to belong to the Institute of National Security Studies, a national security think tank, Tel Aviv University, strategic consulting firm Macro Advisory Partners, and the Hebrew University of Jerusalem.

The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig, a malware used in a major data theft campaign targeting airline, financial services, government, and critical infrastructure organizations in Saudi Arabia last year.

Palo Alto Network researchers are still unraveling the full extent of the links between the two campaigns. But they have already found several overlaps in the targeting of organizations throughout the Middle East.

One possible scenario is that both OilRig and TwoFace are being used in conjunction to break into and infect systems on target networks and to enable additional post-exploitation tools to be uploaded to them, the researchers said. "While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools," they noted.

Christopher Budd, senior threat communications manager at Palo Alto Networks, says the findings are important considering the extent to which the Middle East has become a hotbed of threat activity in recent times. "It’s significant because we don’t have a total picture of the scope and scale of these operations yet," Budd says. "It’s like pulling on a thread; the more we pull, the more it unravels."

Palo Alto Network's research showed that the networks of some victims of the two campaigns have been added as part of the attack infrastructure. For instance, one of the IPs interacting with the TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern country. The IP address not only communicated with the TwoFace shell but was also used to upload post-exploitation tools to the network of a MidEast educational institution.

Budd says Palo Alto Networks researchers have been following these investigations for one-and-a-half years and have begun to gain better visibility of the operations of the threat actors behind OilRig and TwoFace.

"We see threat actors who are methodical in their approach," he says. "We also see threat actors that are purposeful in their approach. Our research traces these threat actors back to at least May 2016 and the infrastructure we’ve found takes time to assemble, deploy, and maintain."

There's a lot more that remains to be uncovered, he says. "The important thing is the more we understand, the more we can share that information so everyone can better prevent attacks," he says. The key takeaway from the research is that attacks don’t just "happen," Budd noted. "There is planning and staging, infrastructure, and logistical work involved in attacks."

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...
CVE-2020-5242
PUBLISHED: 2020-02-20
openHAB before 2.5.2 allow a remote attacker to use REST calls to install the EXEC binding or EXEC transformation service and execute arbitrary commands on the system with the privileges of the user running openHAB. Starting with version 2.5.2 all commands need to be whitelisted in a local file whic...
CVE-2020-8601
PUBLISHED: 2020-02-20
Trend Micro Vulnerability Protection 2.0 is affected by a vulnerability that could allow an attack to use the product installer to load other DLL files located in the same directory.