Kaspersky researchers have uncovered a previously unknown cyberattack campaign that has compromised government organizations and software development companies in several countries.
They first stumbled onto the campaign while investigating an attack on a diplomatic organization in Indonesia. What initially looked like an isolated incident turned out to be a global operation they have dubbed StrikeShark, after the attackers' use of a previously unknown dropper the researchers named SharkLoader.
How the attackers get in
The attackers gain access either by exploiting known vulnerabilities in internet-facing applications, or by tricking users into running malware-laced files disguised as legitimate software.
The list of exploited vulnerabilities is wide-ranging, spanning flaws in products from Microsoft (SharePoint, Exchange Server), Fortinet (FortiOS), Cisco (IOS XE), F5 (BIG-IP), Zimbra, Apache (Shiro), and Hikvision. Some of these date back as far as 2016.
All of the vulnerabilities identified have publicly available (proof-of-concept) exploit code, suggesting the attackers rely on existing offensive resources rather than developing their own.
Though Kaspersky researchers were unable to pinpoint how the attackers delivered the SharkLoader dropper directly to employees at these organizations, they noted that the attackers have been disguising it as a Cisco AnyConnect VPN installer and a Google Update utility.
Some droppers displayed convincing decoy PDF documents, including one appearing to be a technical document about liquid rocket engine design, and another related to a biological treatment process.
What happens once the attackers are inside
Once SharkLoader is running, it installs a Cobalt Strike beacon, a commercial penetration-testing tool that is used for maintaining remote access and moving through networks.
The threat actor performed extensive reconnaissance and credential theft, including dumping credentials from Windows memory and from Active Directory. Armed with these credentials, the attackers could potentially move freely through a victim's entire network.
The malware itself is designed to stay hidden: it disguises its components as ordinary Windows system files, abuses a legitimate Windows utility to load itself, and goes to great lengths to disable the security logging that defenders rely on to detect intrusions.
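The two stealth behaviours described above, components named like Windows system files and tampering with security logging, both leave traces in standard Windows event logs. The script below is an added illustration written for this article, not code from Kaspersky's report or from the SharkLoader analysis. It runs two simple detections over a handful of constructed event records: one flags a process whose image name matches a well-known system binary but runs outside a system directory, the other flags the standard event IDs that indicate the Security audit log was cleared (1102), the audit policy was changed (4719), or the Windows Event Log service had its start type changed to disabled (7040 in the System log). The list of borrowed system names and the record layout are assumptions for the example; which utility SharkLoader actually abuses is not stated in the article and is not guessed here.

```python
"""Defender-side toy detections for log tampering and system-file masquerading.

Added example; not code from Kaspersky or the StrikeShark report. The event
records below are constructed for illustration and use a simplified layout
(channel, event_id, host, plus a few fields per event type). The event IDs are
standard Windows IDs: 4688 new process created, 1102 audit log cleared,
4719 system audit policy changed, 7040 service start type changed.
"""
from dataclasses import dataclass

# Directories where the genuine copies of these binaries live (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# System binary names an implant might borrow. Assumed list for the example.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "dllhost.exe", "conhost.exe", "rundll32.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def detect_logging_tampering(events):
    """Flag events that indicate security logging is being cleared or disabled."""
    findings = []
    for ev in events:
        channel, eid = ev["channel"], ev["event_id"]
        if channel == "Security" and eid == 1102:
            findings.append(Finding("audit-log-cleared", ev["host"], f"cleared by {ev.get('user', '?')}"))
        elif channel == "Security" and eid == 4719:
            findings.append(Finding("audit-policy-changed", ev["host"], ev.get("detail", "")))
        elif (channel == "System" and eid == 7040
              and ev.get("service", "").lower() == "eventlog"
              and "disabled" in ev.get("detail", "").lower()):
            findings.append(Finding("eventlog-service-disabled", ev["host"], ev["detail"]))
    return findings


def detect_system_name_masquerade(events):
    """Flag process starts whose image name is a system binary but whose path is not a system directory."""
    findings = []
    for ev in events:
        if ev["channel"] != "Security" or ev["event_id"] != 4688:
            continue
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            findings.append(Finding("system-name-outside-system-dir", ev["host"], ev["image"]))
    return findings


# Constructed sample events: one benign svchost, one masquerading copy,
# an audit policy change, a benign service change, then the Event Log
# service being disabled and the Security log being cleared.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688, "host": "ws01",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"channel": "Security", "event_id": 4688, "host": "ws01",
     "image": r"C:\Users\Public\Libraries\svchost.exe"},
    {"channel": "Security", "event_id": 4719, "host": "ws01",
     "detail": "Audit Process Creation: Success removed"},
    {"channel": "System", "event_id": 7040, "host": "ws01",
     "service": "Spooler", "detail": "start type changed from auto start to disabled"},
    {"channel": "System", "event_id": 7040, "host": "ws01",
     "service": "EventLog", "detail": "start type changed from auto start to disabled"},
    {"channel": "Security", "event_id": 1102, "host": "ws01", "user": "WS01\\admin"},
]


def run_all(events):
    """Run both detections and return the combined list of findings."""
    return detect_logging_tampering(events) + detect_system_name_masquerade(events)


if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

In a real environment the same logic would sit in a SIEM rule over forwarded 4688/1102/4719/7040 events; the point of the example is that masquerading and log tampering are visible before logging is actually lost, provided events are forwarded off the host promptly.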
Who's behind these attacks?
The campaign has hit government organizations in Taiwan, software development companies across several countries, and various entities in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and elsewhere.
Post-exploitation tools used in the campaign were developed by Chinese-speaking developers on GitHub, but that is not a strong indicator that the attackers are also Chinese-speaking.
“Targeting of government and software development organizations may indicate a cyber-espionage objective, although our confidence remains low due to the limited post-compromise activity observed, which primarily consisted of credential access, system reconnaissance, and lateral movement,” Kaspersky researchers noted.
“At the same time, the use of SharkLoader and Cobalt Strike, alongside the exploitation of public-facing applications and malicious installers and droppers, suggests the attacker may be opportunistically targeting vulnerable systems. The absence of clear evidence of data exfiltration so far does not exclude this possibility, as Cobalt Strike's file operation and data exfiltration modules could be employed at a later stage.”
The researchers were not able to establish direct links to any known hacking group.