9/25/2019
02:00 PM
Saumitra Das
Commentary

Long-Lining: Reeling In the Big Fish in Your Supply Chain

The object of this new attack campaign is not swordfish or tuna but high-ranking executives within target organizations.

Supply chain attacks are becoming an increasingly popular strategy for threat actors. According to Symantec, supply chain attacks rose by 78% in 2018, and a similar report by Carbon Black estimates that half of cyberattacks now target supply chains. From an attacker's perspective, it makes sense. Just as trusted insiders can inflict the most damage on an enterprise, compromising and exploiting a trusted business relationship can be devastatingly effective. By targeting companies that provide outsourced services, attackers can compromise an organization with fewer security resources and use its trusted access to get behind the defenses of a better-secured partner.

Recently, Blue Hexagon's security researchers caught an attack in progress at a Silicon Valley firm that provides outsourced software development services. Aided by deep learning-based analysis of the attack, we found a number of novel aspects to the campaign: although it was designed to appear as multiple, discrete attacks, it was in fact a single sophisticated, well-designed and well-researched campaign carried out by one threat actor. Through this analysis, we believe we have uncovered a previously unknown threat actor strategy, which we have named "Long-Line," a reference to the method of offshore commercial fishing in which a single vessel sets multiple baited hooks suspended from a cable that is miles in length.

The intent of long-lining is to catch big fish, such as swordfish and tuna. Similarly, long-line threat campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high-ranking executives within the target organization. As a variant of a supply chain attack, the goal of a long-line attack is to use the compromised organization as a platform for further attacks on companies in the victim's business network, taking advantage of the trust those companies place in the brand and in the individual executive.

In our analysis of this attack, we found that the threat actor assumed five distinct identities, each created to appear as a company already engaged in a business relationship with the target organization: two in transportation and one each in textiles, electronics, and construction.

Correspondence directed to the targeted executive reflected a great deal of research: subject lines and attachments were consistent with the impersonated businesses and with the executive's role, and the messages did not appear to be random, over-the-transom solicitations. In each case, the attack vector was a weaponized document that delivered Agent Tesla malware. Agent Tesla is an information stealer designed to harvest credentials and other sensitive data stored by software including, but not limited to, the following:

  • Web browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum 
  • Email clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
  • FTP clients: WinSCP, SmartFTP, FileZilla, WS_FTP by IPSwitch, CoreFTP by FTPWare 
  • Internet Download Manager 

If the attachment was opened, the document executed code that infected the victim's system by retrieving various Windows executables hosted on the domain tfvn.com.vn, a lookalike of the Vietnamese website of a leading Japanese company that makes metal hoses and expansion joints.

Impersonated website: TF Vietnam Corp: https://tfvn.com.vn/ 

Real website: http://www.tfv.com.vn/index.php?Bcat=1&start=0&lg=vn
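The impersonated domain above differs from the real one by a single inserted letter, which is exactly the kind of thing a mail gateway or SOC triage script can check mechanically. The following is an added example, not Blue Hexagon's tooling and not part of the original article: it takes an assumed allow-list of partner domains (only tfv.com.vn comes from the article; the second entry is constructed) and flags sender domains or URLs that sit within a small edit distance of a trusted domain, or that embed a trusted domain as a leading label, without actually being that domain or one of its subdomains. The sample indicators at the bottom are constructed for the demonstration.

```python
"""Lookalike-domain triage for partner impersonation (added example)."""
from __future__ import annotations
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation already does business with.
# 'tfv.com.vn' is the real site named in the article; the other is constructed.
TRUSTED_DOMAINS = {"tfv.com.vn", "example-partner.com"}


def host_of(indicator: str) -> str:
    """Reduce a URL, e-mail address or bare hostname to a lowercase host."""
    if "://" in indicator:
        host = urlparse(indicator).hostname or ""
    elif "@" in indicator:
        host = indicator.rpartition("@")[2]
    else:
        host = indicator
    return host.strip().lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(indicator: str, trusted=TRUSTED_DOMAINS,
                 max_distance: int = 2) -> str | None:
    """
    Return the trusted domain that `indicator` resembles, or None.

    The trusted domain itself and its real subdomains (mail.tfv.com.vn) are
    not lookalikes. Two impersonation patterns are flagged:
      * a host within `max_distance` edits of a trusted domain (tfvn.com.vn)
      * a host that starts with a trusted domain as a label prefix, i.e. the
        brand used as a subdomain of an attacker-controlled parent
    """
    host = host_of(indicator)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return None
    for good in trusted:
        if host.startswith(good + "."):
            return good
    best: tuple[int, str] | None = None
    for good in trusted:
        d = levenshtein(host, good)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, good)
    return best[1] if best else None


def triage(indicators: list[str]) -> dict[str, str]:
    """Map each flagged indicator to the trusted domain it resembles."""
    hits: dict[str, str] = {}
    for ind in indicators:
        match = lookalike_of(ind)
        if match:
            hits[ind] = match
    return hits


if __name__ == "__main__":
    # Constructed sample: the article's lookalike URL plus benign and
    # adversarial noise. Only the first and last entries should be flagged.
    sample = [
        "https://tfvn.com.vn/",                    # one inserted letter
        "http://www.tfv.com.vn/index.php?Bcat=1",  # the real site
        "sales@mail.tfv.com.vn",                   # real subdomain
        "https://unrelated-vendor.net/",           # unrelated
        "tfv.com.vn.invoices.example",             # brand as subdomain
    ]
    for ind, good in triage(sample).items():
        print(f"{ind} -> looks like {good}")
```

Edit distance alone catches insertions, deletions and transpositions near a known brand, which is the pattern here; it will not catch homoglyph or IDN tricks, so in production pair it with a confusable-character mapping and a registration-age check rather than relying on it as the only signal.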

The "whois" record for this domain shows it as registered by the "Ministry of Information and Communications (Vietnam)," the government ministry that oversees telecommunications and the Internet in Vietnam. It is important to note that whois records for .vn domains do not expose the actual registrant's details. The threat actors behind this campaign were aware of that and used it to their advantage.

Despite obvious attempts to disguise the campaign as the work of several unrelated sources, we were able to use deep learning to attribute the attack to a single threat group. We are conducting further analysis to identify the country of origin, to determine whether the group is a known entity or a new one, and to learn more about this type of attack, and will announce our findings when we do.


Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ... View Full Bio