
Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 


Iranian hackers are using a new backdoor named Marlin as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, attributed the campaign, which it calls "Out to Sea," to the threat actor OilRig (aka APT34) and also tied its activity to another Iranian group, Lyceum (aka Hexane or SiameseKitten).

Since 2014, the group has targeted Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance, and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to attack a Lebanese company.

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously run campaigns against IT companies in Israel, Morocco, Tunisia, and Saudi Arabia. Since the campaign was discovered in 2018, the Lyceum infection chains have evolved to drop several backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, using a new data-harvesting backdoor dubbed Marlin, were detected in August 2021.

The group dropped the old OilRig TTPs, which included command-and-control (C&C) communication over DNS and HTTPS; Marlin instead relies on Microsoft's OneDrive API for its C2 activity. ESET described the parallels in tools and tactics between OilRig's backdoors and Lyceum's as "too numerous and specific," and noted that initial access to the network was gained through spear-phishing and remote management applications such as ITbrain and TeamViewer.

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin randomizes the internal structure of its executable code, denying the attacker a complete picture of the instruction addresses needed to build the intended exploit payload. The findings also revealed other shared traits: the use of several folders in the backdoor's working directory to send and receive data from the C&C server, and the use of DNS as a C&C channel while keeping HTTP/S as a backup communication mechanism.
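As an added illustration, not part of the original post or of ESET's research, of how the DNS-based C&C traffic described above can be spotted from the defender's side, the Python below applies a simple heuristic to a constructed DNS query log: a domain that receives many queries whose subdomains are long and high-entropy is flagged as a possible tunnel. The log format, the domain names, the client addresses and the thresholds are all assumptions made for the example.

```python
"""Heuristic review of a DNS query log for tunneling-style C&C traffic.

Added example. The log format is assumed and constructed for the
demonstration (timestamp, client IP, record type, query name); it is not
any vendor's format, and the domain names are made up.
"""
import math
from collections import defaultdict

# Constructed sample log: three ordinary lookups from one client, then a
# burst of TXT queries from another client whose subdomains carry encoded data.
SAMPLE_DNS_LOG = """\
2021-08-12T10:00:01Z 10.0.0.5 A www.example-intranet.test
2021-08-12T10:00:02Z 10.0.0.5 A mail.example-intranet.test
2021-08-12T10:00:03Z 10.0.0.5 A api.example-intranet.test
2021-08-12T10:01:00Z 10.0.0.7 TXT q3v8m2k9x1p7z4w6a5b0c2d8e1f3g7h9.updates-cdn.test
2021-08-12T10:01:01Z 10.0.0.7 TXT k8d2x1m9q7v3p5z0w4a6b2c8e3f1g5h7.updates-cdn.test
2021-08-12T10:01:02Z 10.0.0.7 TXT z1w9v7x3m5q2k8p4a0b6c2d8e1f3g9h7.updates-cdn.test
2021-08-12T10:01:03Z 10.0.0.7 TXT p4m6x2q8k1v9z3w7a5b1c3d9e7f5g1h3.updates-cdn.test
2021-08-12T10:01:04Z 10.0.0.7 TXT v2k4x6m8q0z1w3p5a7b9c1d3e5f7g9h1.updates-cdn.test
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Return (client, record_type, query_name) tuples; malformed lines are skipped."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, client, rtype, qname = parts
        queries.append((client, rtype.upper(), qname.rstrip(".").lower()))
    return queries


def split_name(qname):
    """Split a query name into (subdomain labels joined, registered domain).

    Simplification for the example: the registered domain is taken to be the
    last two labels; a real deployment would consult the public suffix list.
    """
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname
    return "".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(queries, min_queries=3, min_avg_len=30, min_entropy=3.5):
    """Flag registered domains whose subdomains look like an encoded data channel."""
    per_domain = defaultdict(list)
    for client, rtype, qname in queries:
        sub, domain = split_name(qname)
        per_domain[domain].append((client, rtype, sub))

    findings = []
    for domain, rows in per_domain.items():
        if len(rows) < min_queries:
            continue  # too few queries to judge
        subs = [sub for _, _, sub in rows]
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs))
        if avg_len >= min_avg_len and entropy >= min_entropy:
            findings.append({
                "domain": domain,
                "queries": len(rows),
                "avg_subdomain_len": avg_len,
                "entropy": round(entropy, 2),
                "clients": sorted({client for client, _, _ in rows}),
                "record_types": sorted({rtype for _, rtype, _ in rows}),
            })
    return sorted(findings, key=lambda f: f["queries"], reverse=True)


if __name__ == "__main__":
    for finding in find_tunnel_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The thresholds are deliberately loose for a handful of constructed lines; on real resolver logs they need tuning per environment, and because the backdoors discussed here fall back to HTTP/S when DNS fails, a DNS-only check is one signal among several rather than a complete detection.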

FBI Warns About Using TeamViewer and Windows 7


This week the FBI issued a Private Industry Notification (PIN) warning organizations about the dangers of using obsolete Windows 7 systems, weak account passwords, and the desktop sharing software TeamViewer. The alert follows the recent attack on the Oldsmar water treatment plant's network, where the attackers attempted to raise the level of sodium hydroxide by a factor of more than 100. The investigation into the incident found that operators at the plant were using obsolete Windows 7 systems and weak account passwords, and that the attackers used the desktop sharing software TeamViewer to get into the plant's network.

“The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview,” reported Reuters. 

The FBI alert does not explicitly advise organizations to uninstall TeamViewer or any other desktop sharing software, but cautions that TeamViewer and similar software can be abused if attackers obtain employee account credentials, or if remote access accounts (for example, those used for Windows RDP access) are secured with weak passwords.

The FBI alert also cautions against the continued use of Windows 7, an operating system that reached end of life on January 14, 2020, an issue the FBI had already warned US organizations about a year ago. This part of the warning was included because the Oldsmar water treatment plant was still running Windows 7 systems on its network, according to a report from the Massachusetts government.

While there is no evidence that the attackers exploited Windows 7-specific bugs, the FBI says that continuing to use the old operating system is risky: the OS is unsupported and no longer receives security updates, which leaves many systems exposed to attacks via newly discovered vulnerabilities. While the FBI warns against using Windows 7 for good reasons, many organizations and US federal and state agencies may not be able to do anything about it without a serious financial investment in modernizing IT infrastructure from upper management, something that is not expected any time soon in many places.

Hackers Use RMS and Teamviewer To Attack Industrial Enterprises


In a recent report, experts at cybersecurity firm Kaspersky described changes in the strategies and tactics of attack campaigns against industrial organizations. In 2018, Kaspersky had published a report describing the use of TeamViewer and RMS (Remote Manipulator System) in the campaign. Since then, the attackers' techniques and strategies have evolved, becoming more effective and sophisticated.

Attack Details 
  • In recent attacks, the hackers have been found using fake versions of legitimate documents, including ones that serve as instruction manuals for industrial enterprises. Experts believe these documents were stolen in earlier attacks on the targeted industries. 
  • In a recent campaign, hackers targeted various industries in Russia, with the energy sector as the primary target. Beyond that, the hackers attacked the logistics, mining, construction, engineering, metal, manufacturing, and oil sectors. 
  • The hackers use remote control software such as TeamViewer and RMS to communicate with compromised systems during the attacks, where earlier campaigns relied on command-and-control (C2) servers. 
  • The hackers use the Mimikatz utility and spyware to steal login credentials, which they then use to reach other systems within the industrial enterprise. 
  • The ultimate aim of the hackers is to steal money from the industrial organizations. 

Recent attack details 
  • In recent attacks, experts noticed that various APT groups used simple hacking methods that were very effective in targeting industrial infrastructure. 
  • In one recent incident, the MontysThree APT group carried out espionage attacks against an international video production and architecture company, using PhysXPluginMfx (a third-party MAXScript exploit) and steganography. 
  • In a similar espionage attack, the hackers delivered their malicious payload as a plugin to target industrial enterprises. 

Summary 
When attacking industrial organizations, threat actors use simple but effective hacking methods that produce strong results. The shift in methods has put defenders on alert. To stay safe from these attacks, experts recommend that organizations keep their security operations up to date and treat them as a priority. Kaspersky says, "Phishing emails used in this attack are, in most cases, disguised as business correspondence between organizations. Specifically, the attackers send claim letters on behalf of a large industrial company."
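Both the FBI notice above (remote-access tools abused with stolen or weak credentials) and Kaspersky's observation that the attackers use TeamViewer and RMS to reach their victims point to one practical check a defender can run: review the remote-access tool's own connection history for sessions nobody expected. The Python below is an added example, not code from the original posts, the FBI or Kaspersky. It assumes a tab-separated per-session log in the style of TeamViewer's Connections_incoming.txt (partner ID, partner name, start, end, local user, mode, connection ID, with day-month-year timestamps); that column layout, the allow-list of partner IDs and the business hours are assumptions, and the log lines are constructed.

```python
"""Review a remote-access tool's incoming-session log for unexpected sessions.

Added example. The layout is assumed to follow TeamViewer's
Connections_incoming.txt: one tab-separated line per session with partner ID,
partner display name, start, end, local Windows user, session mode and
connection ID, timestamps as DD-MM-YYYY HH:MM:SS. Verify the layout against
the version you run before relying on this parser.
"""
from datetime import datetime

FIELDS = ("partner_id", "partner_name", "start", "end", "local_user", "mode", "conn_id")
TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log: two sessions from the known operator laptop and two
# from a partner ID that is not on the allow-list, the second one at night.
SAMPLE_LOG = (
    "123456789\tOPS-LAPTOP\t05-02-2021 09:12:01\t05-02-2021 09:30:44\tscada\tRemoteControl\t{c0000001}\n"
    "123456789\tOPS-LAPTOP\t05-02-2021 13:02:10\t05-02-2021 13:10:00\tscada\tRemoteControl\t{c0000002}\n"
    "987654321\tUNKNOWN\t05-02-2021 08:03:15\t05-02-2021 08:08:02\tscada\tRemoteControl\t{c0000003}\n"
    "987654321\tUNKNOWN\t05-02-2021 22:29:50\t05-02-2021 22:35:40\tscada\tRemoteControl\t{c0000004}\n"
)


def parse_connections(text):
    """Parse the log into dicts with datetime start/end; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != len(FIELDS):
            continue  # wrong column count: not a session line
        rec = dict(zip(FIELDS, parts))
        try:
            rec["start"] = datetime.strptime(rec["start"], TIME_FMT)
            rec["end"] = datetime.strptime(rec["end"], TIME_FMT)
        except ValueError:
            continue  # unparseable timestamp: skip rather than abort the review
        records.append(rec)
    return records


def review(records, allowed_ids, business_hours=(7, 18)):
    """Return the sessions that deserve a look, each with the reasons why.

    allowed_ids: partner IDs expected to connect to this host.
    business_hours: (open_hour, close_hour); sessions starting outside are flagged.
    """
    open_hour, close_hour = business_hours
    findings = []
    for rec in records:
        reasons = []
        if rec["partner_id"] not in allowed_ids:
            reasons.append("partner ID not on allow-list")
        if not open_hour <= rec["start"].hour < close_hour:
            reasons.append("session started outside business hours")
        if reasons:
            findings.append({
                "conn_id": rec["conn_id"],
                "partner_id": rec["partner_id"],
                "local_user": rec["local_user"],
                "start": rec["start"].isoformat(),
                "duration_s": int((rec["end"] - rec["start"]).total_seconds()),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review(parse_connections(SAMPLE_LOG), allowed_ids={"123456789"}):
        print(finding)
```

The allow-list is the important input: it forces someone to write down which partner IDs are supposed to reach an operator workstation, and every session that is not on it becomes a question to answer. Pairing these findings with the host's Windows logon events closes the gap the FBI notice describes, where a valid but weak credential makes the session itself look legitimate.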