Attacks/Breaches

9/27/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Malware Investigation Leads to Sophisticated Mideast Threat Network

The infrastructure behind a Web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.

A security vendor's investigation into the source of malware that was used in a recent security incident involving a Middle Eastern organization has revealed just how sophisticated and interlinked modern cyberattack infrastructures have become.

For the past several months, researchers at Palo Alto Networks have been investigating a Web shell dubbed TwoFace that was used in the Mideast incident to remotely access the victim's network and establish a persistent point for lateral movement.

In following IP addresses associated with the TwoFace attack, the researchers stumbled upon a much larger-than-expected adversary network that included multiple compromised websites, credential harvesting systems, command-and-control servers and post-exploitation tools.

Several of the credential harvesting websites were crafted to be identical replicas of legitimate websites belonging to organizations in Israel. The credential harvesting sites included those that purported to belong to the Institute of National Security Studies, a national security think tank, Tel Aviv University, strategic consulting firm Macro Advisory Partners, and the Hebrew University of Jerusalem.

The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig, a malware used in a major data theft campaign targeting airline, financial services, government, and critical infrastructure organizations in Saudi Arabia last year.

Palo Alto Network researchers are still unraveling the full extent of the links between the two campaigns. But they have already found several overlaps in the targeting of organizations throughout the Middle East.

One possible scenario is that both OilRig and TwoFace are being used in conjunction to break into and infect systems on target networks and to enable additional post-exploitation tools to be uploaded to them, the researchers said. "While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools," they noted.

Christopher Budd, senior threat communications manager at Palo Alto Networks, says the findings are important considering the extent to which the Middle East has become a hotbed of threat activity in recent times. "It’s significant because we don’t have a total picture of the scope and scale of these operations yet," Budd says. "It’s like pulling on a thread; the more we pull, the more it unravels."

Palo Alto Network's research showed that the networks of some victims of the two campaigns have been added as part of the attack infrastructure. For instance, one of the IPs interacting with the TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern country. The IP address not only communicated with the TwoFace shell but was also used to upload post-exploitation tools to the network of a MidEast educational institution.

Budd says Palo Alto Networks researchers have been following these investigations for one-and-a-half years and have begun to gain better visibility of the operations of the threat actors behind OilRig and TwoFace.

"We see threat actors who are methodical in their approach," he says. "We also see threat actors that are purposeful in their approach. Our research traces these threat actors back to at least May 2016 and the infrastructure we’ve found takes time to assemble, deploy, and maintain."

There's a lot more that remains to be uncovered, he says. "The important thing is the more we understand, the more we can share that information so everyone can better prevent attacks," he says. The key takeaway from the research is that attacks don’t just "happen," Budd noted. "There is planning and staging, infrastructure, and logistical work involved in attacks."

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7629
PUBLISHED: 2019-02-18
Stack-based buffer overflow in the strip_vt102_codes function in TinTin++ 2.01.6 and WinTin++ 2.01.6 allows remote attackers to execute arbitrary code by sending a long message to the client.
CVE-2019-8919
PUBLISHED: 2019-02-18
The seadroid (aka Seafile Android Client) application through 2.2.13 for Android always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2019-8917
PUBLISHED: 2019-02-18
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may b...
CVE-2019-8908
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/g...
CVE-2019-8909
PUBLISHED: 2019-02-18
An issue was discovered in WTCMS 1.0. It allows remote attackers to cause a denial of service (resource consumption) via crafted dimensions for the verification code image.