New group of cybercriminals discovered targeting government servers, fuel, energy and aviation companies


Researchers have identified a new, previously unknown group that has systematically attacked Russia’s oil and energy complex and its aviation industry.

Additional attacks by the group, discovered by the Positive Technologies Expert Security Center (PT ESC), targeted institutions in nine other countries, including the United States, India, Nepal, Taiwan and Japan. In some cases, researchers have discovered compromised government servers.

The group has started exploiting the ProxyShell vulnerabilities in attacks aimed at compromising Microsoft Exchange servers, and PT ESC says vulnerable servers in the UK may be affected in the future as well. The group, known as ChamelGang, appears to be focused on stealing data from compromised networks. Its first attacks, which abused trusted relationships between organizations, were recorded in March 2021.

“Targeting the oil and energy complex and the aviation industry in Russia is not unique, as this sector is one of the three most frequently attacked,” said Denis Kuvshinov, threat analysis manager at Positive Technologies.

“However, the consequences are serious: such attacks resulted in financial or data loss in 84% of all cases last year. The attacks were specifically created to steal data, causing financial damage and major damage to reputation.

“Industrial companies often cannot detect a targeted cyber attack on their own. They believe that their defenses are strong and that such intrusions are highly unlikely. But in practice, attackers can penetrate an industrial company’s corporate network more than 90% of the time, and almost all of these intrusions result in a total loss of control over the infrastructure.

“More than half of these attacks lead to the theft of data about company partners and employees, mail correspondence and internal documentation,” he says.

The PT ESC Incident Response Team discovered the existence of ChamelGang while investigating security incidents in Russia’s fuel, power and aviation production sectors.

The team discovered that, to gain access to the target company’s network, ChamelGang first compromised a subsidiary organization through a vulnerable version of a web application running on the open-source JBoss Application Server. By exploiting CVE-2017-12149 (a deserialization flaw in the JBoss HTTP invoker, patched by Red Hat over four years ago), the attackers could execute commands remotely on the host.
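The JBoss flaw mentioned above is reachable over plain HTTP, so web server access logs are the cheapest place to look for it. The following is an added example, not code from the article or from Positive Technologies: it parses constructed combined-format access log lines and flags POST requests to the JBoss invoker servlets, and separately checks whether a request body is a Java serialization stream. The log lines, IP addresses and timestamps are constructed for the example; the endpoint paths and the serialization magic bytes are real.

```python
"""Added example (not from the article or Positive Technologies): flag
requests that look like exploitation attempts against the JBoss HTTP
invoker (CVE-2017-12149). The log lines below are constructed."""
import re
from typing import Dict, List, Optional

# Servlets exposed by the JBoss HttpInvoker on JBoss AS 5.x/6.x.
# CVE-2017-12149 is in the ReadOnlyAccessFilter in front of /invoker/readonly;
# the other invoker servlets also deserialize client input, so flag them too.
INVOKER_PATHS = ("/invoker/readonly",
                 "/invoker/JMXInvokerServlet",
                 "/invoker/EJBInvokerServlet")

# Java serialization stream header: magic 0xACED, stream version 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2021:10:02:11 +0300] "GET /jmx-console/ HTTP/1.1" 200 4021',
    '203.0.113.7 - - [12/Mar/2021:10:02:15 +0300] "POST /invoker/readonly HTTP/1.1" 500 1243',
    '198.51.100.3 - - [12/Mar/2021:10:03:40 +0300] "GET /invoker/readonly HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Mar/2021:10:04:02 +0300] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512',
    '192.0.2.9 - - [12/Mar/2021:10:05:00 +0300] "GET /app/index.jsp HTTP/1.1" 200 8810',
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_java_serialized(body: bytes) -> bool:
    """True if a captured request body starts with the Java serialization header.
    Useful when a WAF or proxy gives you bodies, which access logs do not."""
    return body[:4] == JAVA_SERIAL_MAGIC


def flag_invoker_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed entries for POSTs to an invoker servlet.
    GETs are not flagged: the invoker reads a serialized object from the
    POST body, so a GET cannot carry the deserialization payload."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].rstrip("/")
        if entry["method"] == "POST" and path in INVOKER_PATHS:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in flag_invoker_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} POST {hit["path"]} -> {hit["status"]}')
```

A 500 on a POST to `/invoker/readonly` is typical of a gadget chain that executed but then failed to return a valid response, so do not treat non-200 statuses as failed attempts. The real fix is the vendor patch or removing the `http-invoker.sar` deployment entirely if the invoker is not needed.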

Two weeks later, a relatively short interval, the group compromised the parent company. The attackers recovered the local administrator’s password on one of the servers in an isolated segment by a dictionary attack and entered the network via the Remote Desktop Protocol. They went unnoticed in the corporate network for three months, and after studying it, they took control of most of it, including critical servers and nodes in different segments. The investigation revealed that the APT group was specifically looking for data and managed to steal it.

A distinguishing feature of ChamelGang attacks is the use of previously unknown malware, including ProxyT, BeaconLoader, and the DoorMe backdoor. The latter is a passive backdoor, which considerably complicates its detection. The group also uses more well-known variants such as FRP, Cobalt Strike Beacon, and Tiny Shell.

“Of the malware samples we found, the most interesting is the DoorMe backdoor,” says Denis Goydenko, Information Security Threat Response Manager at Positive Technologies.

“This is a native IIS module registered as a filter through which HTTP requests and responses are processed. Its principle of operation is unusual: the backdoor only processes requests in which the correct cookie is set. At the time of the incident investigation, DoorMe was not detected by anti-virus tools, and although the technique for installing this backdoor is known, we have not seen it used in recent times.”

He says the backdoor gives attackers extensive capabilities on captured systems. It can run commands using cmd.exe and create a new process, write files in two ways, and copy timestamps from other files (timestomping). A total of six different commands have been implemented.
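Because a backdoor like DoorMe is passive and only answers requests carrying a specific cookie, scanning the server from the network will not surface it; the place to look is the list of native modules IIS loads into its worker processes. A native (unmanaged) module must be registered under `system.webServer/globalModules` in `applicationHost.config` with the path of its DLL, and every Microsoft-shipped module lives in `%windir%\System32\inetsrv`. The following is an added example, not code from the article or from Positive Technologies, and it makes no claim about the module name or path DoorMe actually used: it reads a constructed `applicationHost.config` fragment and flags every native module whose DLL is loaded from anywhere other than the IIS install directory. The configuration text and the module named `IISResponseFilter` are constructed for the example.

```python
"""Added example (not from the article or Positive Technologies): hunt for
native IIS modules loaded from outside %windir%\\System32\\inetsrv by
parsing applicationHost.config. The config below is a constructed sample."""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

# Directory that holds every Microsoft-shipped native IIS module.
EXPECTED_DIR = r"%windir%\System32\inetsrv"

# Constructed applicationHost.config fragment. The first two modules are
# genuine IIS modules; "IISResponseFilter" is an invented name for the example.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="IISResponseFilter" image="C:\Windows\Temp\iisfilter.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="DefaultDocumentModule" />
      <add name="IISResponseFilter" />
    </modules>
  </system.webServer>
</configuration>
"""


def normalize_image(path: str) -> str:
    """Lower-case a Windows path and expand the two environment variables IIS
    commonly uses, so %windir% and C:\\Windows compare equal. ntpath is used
    so the check also runs on a non-Windows analysis box."""
    p = path.strip().lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, r"c:\windows")
    return ntpath.normpath(p)


def native_modules(config_xml: str) -> List[Dict[str, str]]:
    """Return every <add name=... image=...> under <globalModules>."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found.append({"name": add.get("name", ""), "image": add.get("image", "")})
    return found


def suspicious_native_modules(config_xml: str) -> List[Dict[str, str]]:
    """Flag native modules whose DLL does not sit directly in the IIS
    install directory. A subdirectory of inetsrv is also flagged, since
    Microsoft modules are not installed there."""
    expected = normalize_image(EXPECTED_DIR)
    flagged = []
    for mod in native_modules(config_xml):
        image = normalize_image(mod["image"])
        if ntpath.dirname(image) != expected:
            flagged.append(mod)
    return flagged


if __name__ == "__main__":
    for mod in suspicious_native_modules(SAMPLE_CONFIG):
        print(f'SUSPICIOUS native module {mod["name"]}: {mod["image"]}')
```

On a live server the same section can be dumped with `%windir%\system32\inetsrv\appcmd.exe list config /section:system.webServer/globalModules` or, from PowerShell, `Get-WebGlobalModule` in the WebAdministration module. A path inside `inetsrv` is not proof of legitimacy, since an attacker with administrator rights can drop a DLL there too, so follow up by checking each DLL's Authenticode signature (`Get-AuthenticodeSignature`) and its creation time against the other files in the directory; note that the article says DoorMe can copy timestamps, so an unremarkable timestamp rules nothing out.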

Positive Technologies has not yet linked ChamelGang to a specific country. The national CERTs notified all the organizations concerned by the attacks.

