Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/25/2019
02:00 PM
Saumitra Das
Saumitra Das
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Long-Lining: Reeling In the Big Fish in Your Supply Chain

The object of this new attack campaign is not swordfish or tuna but high-ranking executives within target organizations.

Supply chain attacks are becoming an increasingly popular strategy for threat actors. According to Symantec, supply chain attacks rose by 78% in 2018, and a similar report by Carbon Black estimates that half of cyberattacks now target supply chains. From a hacker's perspective, it makes sense. Just as trusted insiders can inflict the most damage to an enterprise, compromising and exploiting a trusted business relationship can also be devastatingly effective. By targeting companies that provide outsourced services, attackers can exploit an organization with fewer security resources to get behind the firewalls of a more-secure partner.

Recently, Blue Hexagon's security researchers caught an attack in progress at a Silicon Valley firm that provides outsourced software development services. Aided by a deep learning-aided analysis of the attack, we found a number of novel aspects to the campaign that, despite being designed to appear as multiple, discrete attacks, were determined to be a sophisticated, well-designed and researched campaign carried out by a single threat actor. Through this analysis, we believe we have uncovered a previously unknown strategy by threat actors and that we have named "Long-Line," a reference to the method of offshore commercial fishing whereby a single vessel sets multiple baited hooks suspended from a cable that is miles in length.

The intent of long-lining is to catch big fish, such as swordfish and tuna. Similarly, long-line threat campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high-ranking executives within the target organization. As a permutation of a supply chain attack, the goal of a long-line attack is to use the compromised organization as a platform for conducting further attacks on companies in the victim's business network, taking advantage of the trusted business relationship with the brand and the individual executive.

In our analysis of this attack, we found that the threat actor involved assumed five distinct identities, each identity created to appear as a company already engaged in a business relationship with the target organization, including two companies involved in transportation, and companies in textiles, electronics, and construction.

Correspondence directed to the targeted executive reflected a great deal of research and included subject lines and attachments consistent with the businesses and the executive's role, and did not appear to be random, over-the-transom messages. In each case, the attack vector was a weaponized document infected with Agent Tesla malware. Agent Tesla is an information stealer designed to steal sensitive information including, but not limited to, data associated with the following categories of software:

  • Web browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum 
  • Email clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
  • FTP clients: WinSCP, SmartFTP, FileZilla, WS_FTP by IPSwitch, CoreFTP by FTPWare 
  • Internet Download Manager 

If clicked, the exploit would execute code and infect the victim's system via different Windows executables hosted on the domain tvfn.com.vn, which impersonates the Vietnamese website for a leading Japanese company that makes metal hoses and expansion joints.

Impersonated website: TF Vietnam Corp: https://tfvn.com.vn/ 

Real website: http://www.tfv.com.vn/index.php?Bcat=1&start=0&lg=vn

The "whois" information for this domain indicates that it was registered by the "Ministry of Information and Communications (Vietnam)," which is a branch of the government in Vietnam that oversees telecommunications and Internet. It is important to note that the Vietnamese government does not publish registrar information for domains registered in Vietnam. The threat actors behind this were aware of this and used it to their advantage.

Despite obvious attempts to mask the campaign's origin as coming from a single source, we were able to use deep learning to positively attribute the attack to a single threat group. We are in the process of conducting further analysis to attempt to identify the country of origin and whether the threat group is a known entity or a new group. We are also conducting further research in an attempt to learn more about this type of attack and who is behind it and will announce our findings when we do.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Playing Around' with Code Keeps Security, DevOps Skills Sharp."

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7989
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userUsername XSS.
CVE-2020-7990
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userName XSS.
CVE-2020-7991
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
CVE-2020-7984
PUBLISHED: 2020-01-26
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/a...
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...