Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/25/2019
02:00 PM
Saumitra Das
Saumitra Das
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Long-Lining: Reeling In the Big Fish in Your Supply Chain

The object of this new attack campaign is not swordfish or tuna but high-ranking executives within target organizations.

Supply chain attacks are becoming an increasingly popular strategy for threat actors. According to Symantec, supply chain attacks rose by 78% in 2018, and a similar report by Carbon Black estimates that half of cyberattacks now target supply chains. From a hacker's perspective, it makes sense. Just as trusted insiders can inflict the most damage to an enterprise, compromising and exploiting a trusted business relationship can also be devastatingly effective. By targeting companies that provide outsourced services, attackers can exploit an organization with fewer security resources to get behind the firewalls of a more-secure partner.

Recently, Blue Hexagon's security researchers caught an attack in progress at a Silicon Valley firm that provides outsourced software development services. Aided by a deep learning-aided analysis of the attack, we found a number of novel aspects to the campaign that, despite being designed to appear as multiple, discrete attacks, were determined to be a sophisticated, well-designed and researched campaign carried out by a single threat actor. Through this analysis, we believe we have uncovered a previously unknown strategy by threat actors and that we have named "Long-Line," a reference to the method of offshore commercial fishing whereby a single vessel sets multiple baited hooks suspended from a cable that is miles in length.

The intent of long-lining is to catch big fish, such as swordfish and tuna. Similarly, long-line threat campaigns are carried out by a single threat actor using multiple elements designed specifically to catch high-ranking executives within the target organization. As a permutation of a supply chain attack, the goal of a long-line attack is to use the compromised organization as a platform for conducting further attacks on companies in the victim's business network, taking advantage of the trusted business relationship with the brand and the individual executive.

In our analysis of this attack, we found that the threat actor involved assumed five distinct identities, each identity created to appear as a company already engaged in a business relationship with the target organization, including two companies involved in transportation, and companies in textiles, electronics, and construction.

Correspondence directed to the targeted executive reflected a great deal of research and included subject lines and attachments consistent with the businesses and the executive's role, and did not appear to be random, over-the-transom messages. In each case, the attack vector was a weaponized document infected with Agent Tesla malware. Agent Tesla is an information stealer designed to steal sensitive information including, but not limited to, data associated with the following categories of software:

  • Web browsers: Google Chrome, Mozilla Firefox, Opera, Chromium, Chrome Plus by Maple Studio, Yandex, Orbitum 
  • Email clients: Mozilla Thunderbird, Microsoft Outlook, Aerofox Foxmail, IncrediMail, Qualcomm Eudora
  • FTP clients: WinSCP, SmartFTP, FileZilla, WS_FTP by IPSwitch, CoreFTP by FTPWare 
  • Internet Download Manager 

If clicked, the exploit would execute code and infect the victim's system via different Windows executables hosted on the domain tvfn.com.vn, which impersonates the Vietnamese website for a leading Japanese company that makes metal hoses and expansion joints.

Impersonated website: TF Vietnam Corp: https://tfvn.com.vn/ 

Real website: http://www.tfv.com.vn/index.php?Bcat=1&start=0&lg=vn

The "whois" information for this domain indicates that it was registered by the "Ministry of Information and Communications (Vietnam)," which is a branch of the government in Vietnam that oversees telecommunications and Internet. It is important to note that the Vietnamese government does not publish registrar information for domains registered in Vietnam. The threat actors behind this were aware of this and used it to their advantage.

Despite obvious attempts to mask the campaign's origin as coming from a single source, we were able to use deep learning to positively attribute the attack to a single threat group. We are in the process of conducting further analysis to attempt to identify the country of origin and whether the threat group is a known entity or a new group. We are also conducting further research in an attempt to learn more about this type of attack and who is behind it and will announce our findings when we do.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'Playing Around' with Code Keeps Security, DevOps Skills Sharp."

Saumitra Das is the CTO and Co-Founder of Blue Hexagon. He has worked on machine learning and cybersecurity for 18 years. As an engineering leader at Qualcomm, he led teams of machine learning scientists and developers in the development of ML-based products shipped in ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...
CVE-2020-25791
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
CVE-2020-25792
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
CVE-2020-25793
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>.