Category Archives: cyber espionage

Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide

A new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. Dubbed "Fox Kitten," the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors

Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign

Security experts from Yoroy-Cybaze ZLab have conducted a detailed analysis of an implant used by the Gamaredon APT group in a recent campaign.

Introduction 

Gamaredon Group is a Cyber Espionage persistent operation attributed to Russians FSB (Federal Security Service) in a long-term military and geo-political confrontation against the Ukrainian government and more in general against the Ukrainian military power. 

Gamaredon has been active since 2014, and during this time, the modus operandi has remained almost the same. The most used malware implant is dubbed Pteranodon or Pterodo and consists of a multistage backdoor designed to collect sensitive information or maintaining access on compromised machines. It is distributed in a spear-phishing campaign with a weaponized office document that appears to be designed to lure military personnel. 

In recent months, Ukrainian CERT (CERT-UA) reported an intensification of Gamaredon Cyberattacks against military targets. The new wave dates back to the end of November 2019 and was first analyzed by Vitali Kremez. Starting from those findings, Cybaze-Yoroi ZLab team decided to deep dive into a technical analysis of the latest Pterodo implant.

Technical Analysis

The complex infection chain begins with a weaponized Office document named “f.doc”. In the following table the initial malware information is provided.

Hash76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a
ThreatGamaredon Pteranodon weaponized document
Brief DescriptionDoc file weaponized with Exploit
Ssdeep768:u0foGtYZKQ5QZJQ6hKVsEEIHNDxpy3TI3dU4DKfLX9Eir:uG1aKQ5OwCrItq3TgGfLt9r

Table 1. Information about initial dropper

The decoy document is written using the ukrainian language mixed to many special chars aimed to lure the target to click on it, and, once opened, it appears as in the following figure.

Figure 1. Overview of the document

The document leverages the common exploit aka CVE-2017-0199 and tries to download a second stage from “hxxp://win-apu.]ddns.]net/apu.]dot”.

Figure 2. URL used by document to download the second stage

Thanks to this  exploit (Remote Code Execution exploit) the user interaction is not required, in fact the “enable macro” button is not shown. The downloaded document has a “.dot” extension, used by Microsoft Office to save templates for different documents with similar formats. Basic Information on the “.dot” file are provided:

Hashe2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8
ThreatGamaredon Pteranodon loader dot file
Brief DescriptionDot file enabling the infection of the Gamaredon Pteranodon
Ssdeep768:5KCB8tnh7oferuHpC0xw+hnF4J7EyKfJ:oI8XoWruHpp/P4

Table 2. Information about second stage

If we decide to open the document, we see that the document is empty, but it requires the enabling of the macro.

Figure 3. Overview of the second stage document

The body of the macro can be logically divided into two distinct parts: 

  • The first one is the setting of the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and the declaration of some other variables, such as the dropurl “get-icons.]ddns.net”;
  • The second one is the setting of the persistence mechanism through the writing of the vbs code in the Startup folder with name “templates.vbs”. This vbs is properly the macro executed by the macro engine of word
Figure 4. Code of the “template.vbs” stored in the Startup folder

The evidence of the written file in the Startup folder:

Figure 5. Evidence of the “template.vbs” file in the Startup folder

Analyzing the content of “templates.vbs” it is possible to notice that it define a variable containing a URL like “hxxp://get-icons.]ddns.]net/ADMIN-PC_E42CAF54//autoindex.]php” obtained from “hxp://get-icons.]ddns.]net/” & NlnQCJG & “_” & uRDEJCn & “//autoindex.]php”, where “NlnQCJG” is the name that identifies the computer on the network and “uRDEJCn” is the serial number of drive in hexadecimal encoding. From this URL it tries to download another stage then storing it into “C:\Users\admin\AppData\Roaming\” path with random name. At the end, “templates.vbs” script will force the machine to reboot. 

Figure 6. Function used to force machine reboot

The dropped sample is an SFX archive, like the tradition of Gamaredon implants.

Hashc1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f
ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive First Stage 
Ssdeep24576:zXwOrRsTQlIIIIwIEuCRqKlF8kmh/ZGg4kAL/WUKN7UMOtcv:zgwR/lIIIIwI6RqoukmhxGgZ+WUKZUMv

Table 3. Information about first SFX archive

By simply opening the SFX archive, it is possible to notice two different files that are shown below and named respectively “8957.cmd” and “28847”. 

Figure 7. Content of the Gamaredon Pteranodon  SFX archive

When executed, the SFX archive will be extracted and the “8957.cmd” will be run. The batch script looks like the following screen:

Figure 8. Bat script source code (with junk instructions)

It contains several junk instructions with the attemption to make the analysis harder. Cleaning the script we obtain:

Figure 9. Batch script source code (cleaned)

At this point, the batch script renames the “28847” file in “28847.exe”, opens it using “pfljk,fkbcerbgblfhs” as password and the file contained inside the “28847.exe” file will be renamed in “WuaucltIC.exe”. Finally, it will be run using “-post.php” as argument.

The fact that the “28847.exe” file can be opened makes us understand that  the “28847” file is another SFX file. Some static information about SFX are:

Hash3dfadf9f23b4c5d17a0c5f5e89715d239c832dbe78551da67815e41e2000fdf1
ThreatGamaredon Pteranodon implant SFX archive
Brief DescriptionSFX Archive Second Stage
Ssdeep24576:vmoO8itbaZiW+qJnmCcpv5lKbbJAiUqKXM:OoZwxVvfoaPu

Table 4. Information about the second SFX archive

Exploring it, it is possible to see several files inside of it,  as well as the 6323 file. The following figure shows a complete list.

Figure 10. Content of the second SFX archive

In this case, the SFX archive contains 8 files: five of them are legit DLLs used by the “6323” executable to interoperate with the OLE format defined and used by Microsoft Office. The “ExcelMyMacros.txt” and “wordMacros.txt” files contain further macro script, described next. So, static analysis on the “6323” file shown as its nature: it is written using Microsoft Visual Studio .NET, therefore easily to reverse. Before reversing the executable, it is possible to clean it allowing the size reduction and the junk instruction reduction inside the code. The below image shows the information about the sample before and after the cleaning. 

Figure 11. Static information about .NET sample before and after the cleaning

The source code looks as follows. 

Figure 12. Part of .NET sample source code

The first check performed is on the arguments: if the arguments length is equal to zero, the malware terminates the execution. After that, the malware checks if the existence of the files “ExcelMyMacros.txt” and “wordMacros.txt” in the same path where it is executed: if true then it reads their contents otherwise it will exit. 

Figure 13. Function used by .NET sample to check the presence of the “WordMacros.txt” and the “ExcelMyMacros.txt” files”

Part of the content of the variable “xVGlMEP”:

Figure 14.Piece of the “WordMacros.txt” code

There is a thin difference between the two files. 

Figure 15. Difference between “WordMacros.txt” and  “ExcelMyMacros.txt” files”

As visible in the previous figure, the only difference between the files are in the variable, registry key and path used by Word rather than by Excel. Finally the macros are executed using the Office engine like in the following figure. 

Figure 16. Winword with malicious macro

So let’s start to dissect the macros. For a better comprehension we will be considering only one macro and in the specific case we will analyze “wordMacros.txt”  ones. First of all the macro will set the registry key “HKEY_CURRENT_USER\Software\Microsoft\Office\” & Application.Version & _”\Word\Security\” and then will set up two scheduled tasks that will start respectively every 12 and 15 minutes: the first one will run a “IndexOffice.vbs” in the path “%APPDATA%\Microsoft\Office\” and the second one will run “IndexOffice.exe” in the same path. 

Figure 17. Registry keys and Scheduled tasks set by malware

Finally, the malware will write the “IndexOffice.txt” file in the  “%APPDATA%\Microsoft\Office\” path. The following figure shows what has been previously described:

Figure 18. Part of “IndexOffice.txt” file

The script will check the presence of the  “IndexOffice.exe” artifact: if true then it will delete it and it will download a new file/script from “hxxp://masseffect.]space/<PC_Name>_<Hex_Drive_SN>/post.]php”. 

Figure 19. Domain “masseffect.]space” declaration and use of the Encode function

The malware tries to save the C2 response and encoding it using Encode function. This function accepts three parameters: the input file, the output file and the arrKey; arrKey is calculated thanks to  GetKey function that accepts as input the Hexadecimal value of the Driver SN installed on the machine and returns the key as results. Part of Encode function and complete code of GetKey function are shown below.

Figure 20. Encode function 
Figure 21. Function GetKey

Visiting the web page relative to C2, it shows a “Forbidden message” so this means that the domain is still active but refuses incoming requests.

Figure 22. Browser view of the URL “masseffect.]space” 

Conclusion

Gamaredon cyberwarfare operations against Ukraine are still active. This technical analysis reveals that the modus operandi of the Group has remained almost identical over the years. 

The massive use of weaponized Office documents, Office template injection, sfx archives, wmi and some VBA macro stages that dynamically changes,  make the Pterodon attack chain very malleable and adaptive. However, the introduction of a .Net component is a novelty compared to previous Pterodon samples.

Further technical details, including Indicators of Compromise and Yare rules, are reported in the analysis published by the experts at the Cybaz-Yoroi ZLAB

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

The post Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign appeared first on Security Affairs.

The cyber attack against Austria’s foreign ministry has ended

Austria’s foreign ministry announced that the cyber attack against its systems, allegedly carried by a state actor has ended.

Earlier January, Austria’s foreign ministry announced it was facing a “serious cyberattack” and that it could be the work of a nation-state actor.

“Due to the gravity and nature of the attack, it cannot be ruled out that this is a targeted attack by a state actor,” the foreign ministry said at the time in a joint statement with the interior ministry.

“Despite all the intensive security measures, there is no 100-percent protection against cyberattacks.”

The attack took place on the evening of Saturday 4 January evening and it was quickly detected. Local reports revealed that the attack aimed at the ministry’s IT infrastructure.

Authorities immediately adopted the defensive measures to protect their infrastructure, it also set up a special committee to respond to the incident. It is not clear if the hackers gained access to sensitive data.

This week, the Austrian foreign ministry announced that the cyber attack against its systems has ended.

“After really intensive work and excellent cooperation between all the departments involved, last weekend we managed to clean up our IT systems and end the cyber attack on the Foreign Ministry,” said Foreign Minister Alexander Schallenberg. “The highest possible data security at the Foreign Ministry is guaranteed and no damage to the IT equipment could be detected.”

“According to current knowledge, this was a targeted attack against the Foreign Ministry with the intention of gathering information. However, due to the dimension and the high complexity, it cannot yet be said beyond doubt who is behind the attack.”

The authorities are still investigating the attack, the government experts have no doubt about the fact that it was a targeted cyber-espionage attack against the Foreign Ministry.

“Espionage is a serious offence, so such accusations should not be made lightly,” explained Schallenberg.

Intelligence experts speculated the involvement of Russian or Chinese cyber spies, but the local Russian ambassador Dmitri Ljubinski denied any involvement and demanded an apology.

A local radio station, the Österreichischer Rundfunk (ORF, state broadcaster Austrian Radio), reported in January that the attack was carried out by the Russia-linked Turla APT Group.

“The entire course of this cyberattack and above all the high-level target are characteristic of the “Turla” group, which operates aggressive “foreign intelligence”. After the discovery, Turla always delivers violent cyber battles to the technicians of the attacked networks. That still happens in the Republic’s Ministry of Foreign Affairs.” reported ORF. “The entire attack on a target network starts with a tiny command line module that sends a TCP request to an external command / control server, the command consisting of only four bytes of text [!]. This command brings in a so-called “dropper”, which then places the subsequent trojan in disguise.”

The Turla APT group (aka SnakeUroburosWaterbugVenomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Major cyber ​​attacks are a rarity in Austria, only a few large-scale attacks were observed in the past years. In September 2019, before the National Council election, the ÖVP was hit by a “very targeted hacker attack” on the party headquarters. 

In 2018, the websites of the parliament and various ministries in Austria were targeted by DDoS attacks (Distributed Denial of Service). 

Other European countries suffered similar attacks in the past, in 2015 more than 20,000 computers belonging to the German Bundestag were infected with malware. Experts and media reported a possible involvement of Russian state-sponsored hackers

Pierluigi Paganini

(SecurityAffairs – Austria, hacking)

The post The cyber attack against Austria’s foreign ministry has ended appeared first on Security Affairs.

U.S. Charges Huawei with Stealing Trade Secrets from 6 Companies

The US Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) charged Huawei with racketeering and conspiring to steal trade secrets from six US firms, in a significant escalation of a lawsuit against the Chinese telecom giant that began last year. Accusing Huawei and its affiliates of "using fraud and deception to misappropriate sophisticated technology from US

Japanese defense contractors Pasco and Kobe Steel disclose security breaches

Japanese defense contractors Pasco and Kobe Steel have disclosed security breaches that they have suffered back in 2016 and 2018.

Pasco is Japan’s largest geospatial provider and Kobe Steel is one of the major steel manufacturers. Just last week, Japan’s Ministry of Defense announced in addition to Mitsubishi Electric and the NEC defense business division other two unnamed contractors suffered a data breach.

The Japanese Defense Minister Taro Kono said during a press conference on January 31 that four defense suppliers were hacked between 2016 and 2019,

After the announcement, both Pasco and Kobe Steel disclose the incidents, while Pasco declared that it had not found any evidence that personal or business information had been stolen by attackers, Kobe confirmed that some files may have been exfiltrated.

Kobe identified unauthorized access to its network in August 2016 and in June 2017, Pasco had detected the intrusion in May 2018.

However, contrary to what Kobel declared in the official statement, the Nikkei website reports that hackers have accessed to 250 files containing data related to the Ministry of Defense and personal info.

The Japanese Defense Minister Taro Kono added that there is no evidence that the attacks are related to each other.

In January, Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

Two Japanese media outlets attributed the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012,

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data. The attackers have exploited a directory traversal and arbitrary file upload vulnerability, tracked as CVE-2019-18187, in the Trend Micro OfficeScan antivirus.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, “logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

A few days later, the IT giant NEC confirmed that the company defense business division has suffered a security breach back in December 2016.

The Japanese firm confirmed the unauthorized access to its internal network after Japanese newspapers disclosed the security incident citing sources informed of the event.

NEC is a contractor for Japan’s defense industry and was involved in various defense projects.

Roughly 28,000 files were found by the company on one of the compromised servers, some of them containing info about defense equipment.

Experts believe that the attacks on Japanese Defense’s contractors were part of a cyber espionage campaign carried out by Chinese hackers.

Pierluigi Paganini

(SecurityAffairs – Pasco and Kobe Steel, hacking)

The post Japanese defense contractors Pasco and Kobe Steel disclose security breaches appeared first on Security Affairs.

Leaked confidential report states United Nations has been hacked

A leaked confidential report from the United Nations revealed that dozens of servers belonging to United Nations were “compromised” at offices in Geneva and Vienna.

An internal confidential report from the United Nations that was leaked to The New Humanitarian revealed that dozens of servers of the organization were “compromised” at offices in Geneva and Vienna.

One of the offices that were hit by a sophisticated cyber attack is the U.N. human rights office, the hackers were able to compromise active directory and access a staff list and details like e-mail addresses. According to the report, attackers did not access passwords.

“One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remains unclear, especially in terms of personal, secret or compromising information that may have been stolen.” reported the Associated Press, which has seen the report.

The level of sophistication of the attack and the specific nature of the target suggests the involvement of a nation-state actor.

“We were hacked,” declared U.N. human rights office spokesman Rupert Colville. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”

united nations cybercrime resolution

The report states that at least 42 servers were “compromised,” three of them belonged to the Office of the High Commissioner for Human Rights. Experts suspect that another 25 servers located at the United Nations offices in Geneva and Vienna were also compromised.

“Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, re-write passwords and ensure the systems were clean.” continues AP News.

The U.N. confidential report speculates that attackers could have exploited a vulnerability in Microsoft Sharepoint.

Pierluigi Paganini

(SecurityAffairs – United Nations, hacking)

The post Leaked confidential report states United Nations has been hacked appeared first on Security Affairs.

Healthcare: Research Data and PII Continuously Targeted by Multiple Threat Actors

The healthcare industry faces a range of threat groups and malicious activity. Given the critical role that healthcare plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. It may also be one of the major reasons why we find healthcare to be one of the most retargeted industries.

In our new report, Beyond Compliance: Cyber Threats and Healthcare, we share an update on the types of threats observed affecting healthcare organizations: from criminal targeting of patient data to less frequent – but still high impact – cyber espionage intrusions, as well as disruptive and destructive threats. We urge you to review the full report for these insights, however, these are two key areas to keep in mind.

  • Chinese espionage targeting of medical researchers: We’ve seen medical research – specifically cancer research – continue to be a focus of multiple Chinese espionage groups. While difficult to fully assess the extent, years of cyber-enabled theft of research trial data might be starting to have an impact, as Chinese companies are reportedly now manufacturing cancer drugs at a lower cost to Western firms.
  • Healthcare databases for sale under $2,000:  The sheer number of healthcare-associated databases for sale in the underground is outrageous. Even more concerning, many of these databases can be purchased for under $2,000 dollars (based on sales we observed over a six-month period).

To learn more about the types of financially motivated cyber threat activity impacting healthcare organizations, nation state threats the healthcare sector should be aware of, and how the threat landscape is expected to evolve in the future, check out the full report here, or give a listen to this podcast conversation between Principal Analyst Luke McNamara and Grady Summers, EVP, Products:

For a closer look at the latest breach and threat landscape trends facing the healthcare sector, register for our Sept. 17, 2019, webinar.

For more details around an actor who has targeted healthcare, read about our newly revealed APT group, APT41.