Attacks/Breaches

9/27/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Malware Investigation Leads to Sophisticated Mideast Threat Network

The infrastructure behind a Web shell used in an attack earlier this year suggests methodical and purposeful threat actors, Palo Alto Networks says.

A security vendor's investigation into the source of malware that was used in a recent security incident involving a Middle Eastern organization has revealed just how sophisticated and interlinked modern cyberattack infrastructures have become.

For the past several months, researchers at Palo Alto Networks have been investigating a Web shell dubbed TwoFace that was used in the Mideast incident to remotely access the victim's network and establish a persistent point for lateral movement.

In following IP addresses associated with the TwoFace attack, the researchers stumbled upon a much larger-than-expected adversary network that included multiple compromised websites, credential harvesting systems, command-and-control servers and post-exploitation tools.

Several of the credential harvesting websites were crafted to be identical replicas of legitimate websites belonging to organizations in Israel. The credential harvesting sites included those that purported to belong to the Institute of National Security Studies, a national security think tank, Tel Aviv University, strategic consulting firm Macro Advisory Partners, and the Hebrew University of Jerusalem.

The researchers also discovered a significant link between the operators of the TwoFace campaign and those behind OilRig, a malware used in a major data theft campaign targeting airline, financial services, government, and critical infrastructure organizations in Saudi Arabia last year.

Palo Alto Network researchers are still unraveling the full extent of the links between the two campaigns. But they have already found several overlaps in the targeting of organizations throughout the Middle East.

One possible scenario is that both OilRig and TwoFace are being used in conjunction to break into and infect systems on target networks and to enable additional post-exploitation tools to be uploaded to them, the researchers said. "While we cannot be absolutely certain that this is the same adversary in both attacks, we are able to ascertain that this specific entity does have access to OilRig tools," they noted.

Christopher Budd, senior threat communications manager at Palo Alto Networks, says the findings are important considering the extent to which the Middle East has become a hotbed of threat activity in recent times. "It’s significant because we don’t have a total picture of the scope and scale of these operations yet," Budd says. "It’s like pulling on a thread; the more we pull, the more it unravels."

Palo Alto Network's research showed that the networks of some victims of the two campaigns have been added as part of the attack infrastructure. For instance, one of the IPs interacting with the TwoFace web shell belonged to the Ministry of Oil of a Middle Eastern country. The IP address not only communicated with the TwoFace shell but was also used to upload post-exploitation tools to the network of a MidEast educational institution.

Budd says Palo Alto Networks researchers have been following these investigations for one-and-a-half years and have begun to gain better visibility of the operations of the threat actors behind OilRig and TwoFace.

"We see threat actors who are methodical in their approach," he says. "We also see threat actors that are purposeful in their approach. Our research traces these threat actors back to at least May 2016 and the infrastructure we’ve found takes time to assemble, deploy, and maintain."

There's a lot more that remains to be uncovered, he says. "The important thing is the more we understand, the more we can share that information so everyone can better prevent attacks," he says. The key takeaway from the research is that attacks don’t just "happen," Budd noted. "There is planning and staging, infrastructure, and logistical work involved in attacks."

Related content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12294
PUBLISHED: 2018-06-19
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.2, is vulnerable to a use after free for a WebCore::TextureMapperLayer object.
CVE-2018-12519
PUBLISHED: 2018-06-19
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
CVE-2018-12588
PUBLISHED: 2018-06-19
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the S...
CVE-2018-10811
PUBLISHED: 2018-06-19
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
CVE-2018-10945
PUBLISHED: 2018-06-19
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.