U.S. Finance Sector Hit With Targeted Backdoor Campaign
The Department of Justice unsealed two indictments today charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018. In total, these hacking campaigns targeted thousands of computers, at hundreds of companies and organizations, in approximately 135 countries.
On August 17, Akamai, a global content delivery network, reported an ongoing campaign of RDoS (Ransom DDoS) attacks targeting the financial sector and other businesses. The extortion demands are similar to those used by DDoS ransom groups in the past. The actors claimed to be Fancy Bear and targeted businesses in multiple countries including the UK, the United States, and the APAC region.
Group-IB has reported that PerSwaysion, a cybercrime group operating since mid-2019, has breached the email accounts of high-ranking executives at more than 150 firms. The group appears to have primarily targeted the financial sector, although it has expanded into other verticals, and typically uses phishing campaigns to breach corporate email accounts. The group members appear to be based in Nigeria and South Africa.
APT41 continues to leverage advanced tradecraft to remain persistent and undetected. In multiple instances, the Windows version of the KEYPLUG backdoor leveraged dead drop resolvers on two separate tech community forums. The malware fetches its true C2 address from encoded data on a specific forum post. Notably, APT41 continues to update the community forum posts frequently with new dead drop resolvers during the campaign. APT41 has historically used this unique tradecraft during other intrusions to help keep their C2 infrastructure hidden.
The finance, media, and construction industries, then, appear to be of greatest interest to Palmerworm in this campaign. Palmerworm has previously been reported targeting the media sector.
Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
Attack vectors: APT41 often relies on spear-phishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims. Once inside a victim organization, APT41 can leverage more sophisticated TTPs and deploy additional malware. For example, in a campaign that ran for almost a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware, including backdoors, credential stealers, keyloggers, and rootkits. APT41 has also deployed rootkits and Master Boot Record (MBR) bootkits on a limited basis to hide their malware and maintain persistence on select victim systems.
Overview: APT15 has targeted organizations headquartered in multiple locations, including a number of European countries, the U.S., and South Africa. APT15 operators share resources, including backdoors as well as infrastructure, with other Chinese APTs.
June 2022. A phishing campaign targeted U.S. organizations in military, software, supply chain, healthcare, and pharmaceutical sectors to compromise Microsoft Office 365 and Outlook accounts.
April 2022. A social media platform disrupted two Iranian-linked cyber espionage campaigns that targeted activists, academics, and private companies. The campaign targeted businesses in the energy, semiconductor, and telecom sectors in countries including the U.S., Israel, Russia, and Canada by using phishing and other social engineering techniques.
March 2022. The U.S. Department of Justice charged four Russian government employees involved in hacking campaigns that took place between 2012 and 2018. The hacks targeted critical infrastructure companies and organizations largely in the energy sector. The hackers sought to install backdoors and deploy malware in the operational technology of their targets.
February 2022. Since October 2021, a hacking group targeted Palestinian individuals and organizations with malware. Researchers suggest that the operation could be connected to a broader campaign by a hacking group commonly attributed to the cyber arm of Hamas that started in 2017.
Symantec has strong indications of attacker activity in organizations in the U.S., Turkey, and Switzerland, with traces of activity in organizations outside of these countries. The U.S. and Turkey were also among the countries targeted by Dragonfly in its earlier campaign, though the focus on organizations in Turkey does appear to have increased dramatically in this more recent campaign.
Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks. This custom malware is not available on the black market, and has not been observed being used by any other known attack groups. It has only ever been seen being used in attacks against targets in the energy sector.
The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.
The FIN7 threat actor group has been active since 2015, targeting the retail, restaurant, and hospitality sectors in the United States. The threat group has also targeted other sectors in the US and Europe, including gaming, travel, education, telecommunications, construction, finance, energy, and IT.
In March 2017, the FIN7 threat group launched a spear-phishing campaign that targeted personnel involved with U.S. Securities and Exchange Commission (SEC) filings at organizations from multiple sectors, including financial services, transportation, retail, education, IT services, and electronics.
As if cryptocurrency and decentralized finance (DeFi) players didn't have enough to worry about with the recent market crash, these companies are again under assault from a new malware that creates a backdoor to steal data, according to research from Proofpoint.
The finance sector has been increasingly targeted during the COVID-19 surge. Between February and March, we saw a 38% increase in cyberattacks against financial institutions. Of note, in February the retail sector led the observed threats with just over 31% of the total, but its share shrank to 1.6% in March, suggesting that as retail organizations shifted to remote business models, attacks against them actually went down and attackers shifted to target financial organizations.
The North Korean-aligned TA404 hacking group, better known as Lazarus, was also active in targeting American journalists. The group, which was recently linked to the $100 million Harmony bridge theft, is said to have targeted a media organization with job opportunity-themed phishing after it published an article critical of North Korean leader Kim Jong-un. While Proofpoint did not see follow-up emails, its researchers note that the attack shares indicators of compromise with a North Korean campaign observed by Google threat researchers earlier this year.