Malware Investigation Leads to Sophisticated Mideast Threat NetworkMalware Investigation Leads to Sophisticated Mideast Threat Network
The infrastructure behind a Web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.
September 27, 2017
A security vendor's investigation into the source of malware that was used in a recent security incident involving a Middle Eastern organization has revealed just how sophisticated and interlinked modern cyberattack infrastructures have become.
For the past several months, researchers at Palo Alto Networks have been investigating a Web shell dubbed TwoFace that was used in the Mideast incident to remotely access the victim's network and establish a persistent point for lateral movement.
In following IP addresses associated with the TwoFace attack, the researchers stumbled upon a much larger-than-expected adversary network that included multiple compromised websites, credential harvesting systems, command-and-control servers and post-exploitation tools.
Several of the credential harvesting websites were crafted to be identical replicas of legitimate websites belonging to organizations in Israel. The credential harvesting sites included those that purported to belong to the Institute of National Security Studies, a national security think tank, Tel Aviv University, strategic consulting firm Macro Advisory Partners, and the Hebrew University of Jerusalem.
The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig, a malware used in a major data theft campaign targeting airline, financial services, government, and critical infrastructure organizations in Saudi Arabia last year.
Palo Alto Network researchers are still unraveling the full extent of the links between the two campaigns. But they have already found several overlaps in the targeting of organizations throughout the Middle East.
One possible scenario is that both OilRig and TwoFace are being used in conjunction to break into and infect systems on target networks and to enable additional post-exploitation tools to be uploaded to them, the researchers said. "While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools," they noted.
Christopher Budd, senior threat communications manager at Palo Alto Networks, says the findings are important considering the extent to which the Middle East has become a hotbed of threat activity in recent times. "It’s significant because we don’t have a total picture of the scope and scale of these operations yet," Budd says. "It’s like pulling on a thread; the more we pull, the more it unravels."
Palo Alto Network's research showed that the networks of some victims of the two campaigns have been added as part of the attack infrastructure. For instance, one of the IPs interacting with the TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern country. The IP address not only communicated with the TwoFace shell but was also used to upload post-exploitation tools to the network of a MidEast educational institution.
Budd says Palo Alto Networks researchers have been following these investigations for one-and-a-half years and have begun to gain better visibility of the operations of the threat actors behind OilRig and TwoFace.
"We see threat actors who are methodical in their approach," he says. "We also see threat actors that are purposeful in their approach. Our research traces these threat actors back to at least May 2016 and the infrastructure we’ve found takes time to assemble, deploy, and maintain."
There's a lot more that remains to be uncovered, he says. "The important thing is the more we understand, the more we can share that information so everyone can better prevent attacks," he says. The key takeaway from the research is that attacks don’t just "happen," Budd noted. "There is planning and staging, infrastructure, and logistical work involved in attacks."
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023