Search This Blog

Showing posts with label Mandiant Threat Intelligence. Show all posts

Researchers Found Three New Malware Strains in a Phishing Campaign

 

A global phishing program used never-before-seen malware strains distributed by specially-tailored lures to attack global organizations across a broad range of industries. According to a Mandiant report released today, the attacks targeted at least 50 organizations from a diverse range of sectors in two waves, on December 2nd and between December 11th and 18th. 

UNC2529 is the name of the threat actors behind the malware, who are identified as "experienced and well-resourced." Organizations in the United States, the EMEA zone, Asia, and Australia have been attacked in two waves so far. 

Threat actors would also pose as account executives touting services suitable for various industries, such as security, medication, transportation, the military, and electronics, in phishing messages sent to prospective victims. 

The global phishing scheme was controlled by over 50 domains in total. UNC2529 hacked a domain owned by a US heating and cooling services company, tampered with its DNS data, and used this structure to conduct phishing attacks against at least 22 entities in one successful attack. The lure emails included links to URLs that led to malicious.PDF payloads and a JavaScript file stored in a.zip folder. The records, which were obtained from public databases, were compromised to the point that they were unreadable, prompting victims to double-click the.js file in an effort to read the content. 

"The threat actor made extensive use of obfuscation and file-less malware to complicate detection to deliver a well-coded and extensible backdoor," Mandiant said. 

The threat group used phishing emails with links to a JavaScript-based downloader (labeled DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (labeled DOUBLEDROP) from attackers' command-and-control (C2) servers during the two waves of attacks. The DOUBLEDROP dropper includes 32-bit and 64-bit versions of the DOUBLEBACK backdoor, which is implemented as a PE dynamic library. 

"The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them," Mandiant notes. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."

Hacker Attacked a Water Plant in Florida

 

A hacker penetrated computer networks at Oldsmar, Florida, water treatment plant, remotely delivering a 100-fold boost in a chemical that is exceptionally perilous in concentrated sums. In an assault with the possibility to harm public health, the hacker on February 5 accessed a city computer and changed the level of sodium hydroxide which is utilized to eliminate metals and control acidity, from 100 parts for each million to 11,100 parts for every million, as per Bob Gualtieri, who serves as the sheriff of Pinellas County. 

This is a “significant and potentially dangerous increase,” Gualtieri said at a Monday press conference. The attacker momentarily entered the computer system at 8 a.m. on Feb. 5, before leaving and returning at about 1:30 p.m. for roughly three to five minutes, Gualtieri said. In that window, the operator of the water plant could see the attacker on screen, “with the mouse being moved about to open various software functions that control the water being treated in the system,” Gualtieri said. 

When the hacker left the computer system, the operator whose computer was remotely taken over promptly brought down the level of the chemical, otherwise called lye. This move forestalled any harm to people in general and the drinking water, Gualtieri said. He said there were extra counteraction measures inside the water system that would have kept polluted water from reaching the public. It isn't yet known whether the break originated from the U.S., or outside of the country, Gualtieri said. Oldsmar, with a population of almost 15,000, is situated around 15 miles northwest of Tampa.

“Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve a limited population set,” said Daniel Kapellmann Zafra, manager of analysis at Mandiant Threat Intelligence. Through “remote interaction with these systems,” the hackers have engaged in “limited-impact operations.” None of those examples brought about any damage to individuals or infrastructure, Zafra said. “We believe that the increasing interest of low sophisticated actors in industrial control systems is the result of the increased availability of tools and resources that allow malicious actors to learn about interactions with these systems,” he added.