Malware Investigation Leads To Sophisticated Mideast Threat Network
A
security vendor's investigation into the source of malware that was
used in a recent security incident involving a Middle Eastern
organization has revealed just how sophisticated and interlinked modern
cyber attack infrastructures have become.
For the past several months, researchers at Palo Alto Networks have been investigating
a web shell dubbed TwoFace that was used in the Mideast incident to
remotely access the victim's network and establish a persistent point
for lateral movement.
In following IP addresses associated with the TwoFace
attack, the researchers stumbled upon a much larger-than-expected
adversary network that included multiple compromised websites,
credential harvesting systems, command-and-control servers and
post-exploitation tools.
Several of the credential harvesting websites were crafted
to be identical replicas of legitimate websites belonging to
organizations in Israel. The credential harvesting sites included those
that purported to belong to the Institute of National Security Studies, a
national security think tank, Tel Aviv University, strategic consulting
firm Macro Advisory Partners, and the Hebrew University of Jerusalem.
The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig,
a malware used in a major data theft campaign targeting airline,
financial services, government, and critical infrastructure
organizations in Saudi Arabia last year.
Palo Alto Network researchers are still unraveling the full
extent of the links between the two campaigns. But they have already
found several overlaps in the targeting of organizations throughout the
Middle East.
One possible scenario is that both OilRig and TwoFace are
being used in conjunction to break into and infect systems on target
networks and to enable additional post-exploitation tools to be uploaded
to them, the researchers said. "While we cannot be absolutely certain
that this is the same adversary in both attacks, we are able to
ascertain that this specific entity does have access to OilRig tools,"
they noted.
Christopher Budd, senior threat communications manager at
Palo Alto Networks says the findings are important considering the
extent to which the Middle East has become a hotbed of threat activity
in recent times. "It’s significant because we don’t have a total picture
of the scope and scale of these operations yet," Budd says. "It’s like
pulling on a thread; the more we pull, the more it unravels."
Palo Alto Network's research showed that the networks of
some victims of the two campaigns have been added as part of the attack
infrastructure. For instance, one of the IPs interacting with the
TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern
country. The IP address not only communicated with the TwoFace shell but
was also used to upload post-exploitation tools to the network of a
MidEast educational institution.
Budd says Palo Alto Networks researchers have been following
these investigations for one-and-a-half years and have begun to gain
better visibility of the operations of the threat actors behind OilRig
and TwoFace.
"We see threat actors who are methodical in their approach,"
he says. "We also see threat actors that are purposeful in their
approach. Our research traces these threat actors back to at least May
2016 and the infrastructure we’ve found takes time to assemble, deploy,
and maintain."
There's a lot more that remains to be uncovered, he says.
"The important thing is the more we understand, the more we can share
that information so everyone can better prevent attacks," he says. The
key takeaway from the research is that attacks don’t just "happen," Budd
noted. "There is planning and staging, infrastructure, and logistical
work involved in attacks.
Comments
Post a Comment