
Risk
9/25/2019 02:00 PM
Saumitra Das
Commentary

Long-Lining: Reeling In the Big Fish in Your Supply Chain

The object of this new attack campaign is not swordfish or tuna but high-ranking executives within target organizations.

Supply chain attacks are becoming an increasingly popular strategy for threat actors. According to Symantec, supply chain attacks rose by 78% in 2018, and a similar report by Carbon Black estimates that half of cyberattacks now target supply chains. From an attacker's perspective, this makes sense. Just as trusted insiders can inflict the most damage on an enterprise, compromising and exploiting a trusted business relationship can be devastatingly effective. By targeting companies that provide outsourced services, attackers can compromise an organization with fewer security resources in order to get behind the firewalls of a more secure partner.

Recently, Blue Hexagon's security researchers caught an attack in progress at a Silicon Valley firm that provides outsourced software development services. Aided by deep learning analysis of the attack, we found a number of novel aspects to the campaign: although it was designed to appear as multiple, discrete attacks, we determined it to be a sophisticated, well-designed and well-researched campaign carried out by a single threat actor. Through this analysis, we believe we have uncovered a previously unknown threat actor strategy, which we have named "Long-Line," a reference to the method of offshore commercial fishing in which a single vessel sets multiple baited hooks suspended from a cable that is miles in length.

The intent of long-lining is to catch big fish, such as swordfish and tuna. Similarly, long-line threat campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high-ranking executives within the target organization. As a variation of a supply chain attack, the goal of a long-line attack is to use the compromised organization as a platform for further attacks on companies in the victim's business network, taking advantage of the trust those companies place in the brand and in the individual executive.

In our analysis of this attack, we found that the threat actor involved assumed five distinct identities, each identity created to appear as a company already engaged in a business relationship with the target organization, including two companies involved in transportation, and companies in textiles, electronics, and construction.

Correspondence directed to the targeted executive reflected a great deal of research and included subject lines and attachments consistent with the businesses and the executive's role, and did not appear to be random, over-the-transom messages. In each case, the attack vector was a weaponized document infected with Agent Tesla malware. Agent Tesla is an information stealer designed to steal sensitive information including, but not limited to, data associated with the following categories of software:

  • Web browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum 
  • Email clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
  • FTP clients: WinSCP, SmartFTP, FileZilla, WS_FTP by IPSwitch, CoreFTP by FTPWare 
  • Internet Download Manager 

If clicked, the exploit executed code and infected the victim's system by fetching Windows executables hosted on the domain tvfn.com.vn, which impersonates the Vietnamese website of a leading Japanese manufacturer of metal hoses and expansion joints.

Impersonated website: TF Vietnam Corp: https://tfvn.com.vn/

Real website: http://www.tfv.com.vn/index.php?Bcat=1&start=0&lg=vn

The "whois" information for this domain indicates that it was registered by the "Ministry of Information and Communications (Vietnam)," the branch of the Vietnamese government that oversees telecommunications and the Internet. It is important to note that the Vietnamese government does not publish registrar information for domains registered in Vietnam. The threat actors behind this campaign were aware of this and used it to their advantage.
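The impersonation above relies on a domain that differs from the real one by a single inserted letter (tfvn.com.vn versus tfv.com.vn). A defender can catch this class of lure before the attachment is ever opened by comparing sender and link domains against the registrable names of known partners. The following is an added example, not code from the article or from Blue Hexagon: it scores candidate domains by edit distance against a constructed list of trusted partner domains and flags near-misses and top-level-domain swaps. The simplified public-suffix split is an assumption; a production deployment would use the Public Suffix List.

```python
# Added example: flag domains that impersonate a trusted partner's domain by
# a small spelling change or a TLD swap (e.g. tfvn.com.vn vs tfv.com.vn).
# Not taken from the article; partner list below is constructed.
from typing import Optional, Sequence, Tuple


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_parts(domain: str) -> Tuple[str, str]:
    """Split a hostname into (registrable label, public suffix).

    Assumption: a two-letter last label preceded by a short label is a
    country-code second-level suffix (com.vn, co.uk). Real code should use
    the Public Suffix List; this heuristic is enough for the example.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def lookalike_of(domain: str, trusted: Sequence[str],
                 max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that `domain` impersonates, or None.

    An exact match (including subdomains of a trusted domain) is not a
    lookalike. Two patterns are flagged: the same registrable label under a
    different suffix (TLD swap), and a label within `max_distance` edits
    under the same suffix (insertion / typo / transposition-style squats).
    """
    name, suffix = registrable_parts(domain)
    parsed = [(t, *registrable_parts(t)) for t in trusted]
    # Exact match wins before any fuzzy comparison.
    for t, tname, tsuffix in parsed:
        if name == tname and suffix == tsuffix:
            return None
    for t, tname, tsuffix in parsed:
        if name == tname and suffix != tsuffix:
            return t
        if suffix == tsuffix and levenshtein(name, tname) <= max_distance:
            return t
    return None


# Constructed partner list for the example; the real domain is the one the
# article names, the rest are placeholders.
TRUSTED_PARTNERS = ["tfv.com.vn", "example-transport.test"]

if __name__ == "__main__":
    for candidate in ["tfvn.com.vn", "www.tfv.com.vn", "tfv.com", "unrelated.com.vn"]:
        print(candidate, "->", lookalike_of(candidate, TRUSTED_PARTNERS))
```

Run on a mail gateway's sender and URL domains, a hit from `lookalike_of` is a good reason to quarantine the message for review even when the attachment itself scans clean, since the lure in this campaign was a document rather than an obviously malicious binary.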

Despite obvious attempts to disguise the campaign as coming from multiple unrelated sources, we were able to use deep learning to positively attribute the attack to a single threat group. We are conducting further analysis to identify the country of origin, to determine whether the threat group is a known entity or a new one, and to learn more about this type of attack; we will announce our findings when that work is complete.
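The five sender identities described above looked like separate incidents until shared infrastructure tied them together. The same correlation can be done without a deep learning model by pivoting on indicators that every message carries, such as the hash of the weaponized attachment and the host serving the second-stage executables. The following added example (not the article's or Blue Hexagon's code) links messages that share any pivot indicator, transitively, into campaign clusters using a union-find structure. The message records and hashes are constructed; only the payload host comes from the article.

```python
# Added example: correlate lures sent under different identities into one
# campaign by pivoting on shared indicators. Sample data is constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set

# Constructed messages: sender domains and hashes are invented placeholders;
# the tfvn.com.vn payload host is the one the article names.
MESSAGES = [
    {"id": "m1", "sender_domain": "transport-one.test",  "attachment_sha256": "hash-aaa", "payload_host": "tfvn.com.vn"},
    {"id": "m2", "sender_domain": "textiles-co.test",    "attachment_sha256": "hash-bbb", "payload_host": "tfvn.com.vn"},
    {"id": "m3", "sender_domain": "electronics.test",    "attachment_sha256": "hash-bbb", "payload_host": "staging-host.test"},
    {"id": "m4", "sender_domain": "construction.test",   "attachment_sha256": "hash-ccc", "payload_host": "staging-host.test"},
    {"id": "m5", "sender_domain": "unrelated-vendor.test", "attachment_sha256": "hash-ddd", "payload_host": "benign.test"},
]

# Fields whose equal values are strong enough to link two messages.
PIVOT_FIELDS = ("attachment_sha256", "payload_host")


class UnionFind:
    """Disjoint-set forest with path compression; keys are message ids."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(messages: Iterable[dict],
                      pivot_fields: Sequence[str] = PIVOT_FIELDS) -> List[Set[str]]:
    """Return clusters of message ids that share at least one pivot value,
    directly or through a chain of shared values. Largest cluster first."""
    msgs = list(messages)
    uf = UnionFind()
    # Index: (field, value) -> first message seen with that value.
    seen: Dict[tuple, str] = {}
    for m in msgs:
        uf.find(m["id"])  # register singletons too
        for field in pivot_fields:
            key = (field, m[field])
            if key in seen:
                uf.union(seen[key], m["id"])
            else:
                seen[key] = m["id"]
    groups: Dict[str, Set[str]] = defaultdict(set)
    for m in msgs:
        groups[uf.find(m["id"])].add(m["id"])
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def identities(cluster: Set[str], messages: Iterable[dict]) -> List[str]:
    """Distinct sender identities used within one cluster."""
    return sorted({m["sender_domain"] for m in messages if m["id"] in cluster})


if __name__ == "__main__":
    for c in cluster_campaigns(MESSAGES):
        print(sorted(c), "identities:", identities(c, MESSAGES))
```

In the constructed data, m1 and m2 share the payload host, m2 and m3 share an attachment hash, and m3 and m4 share a second host, so four different "companies" collapse into one campaign while the unrelated vendor stays alone. The same idea scales to other pivots (reply-to addresses, macro code hashes, C2 endpoints); the choice of `PIVOT_FIELDS` controls how aggressive the linking is.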


Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ...