A new advanced persistent threat (APT) group dubbed ChamelGang has been targeting Russian Energy and Aviation industries, as well as entities in 9 other countries.
Security researchers at the Positive Technologies Expert Security Center (PT ESC) discovered the ChamelGang group “has systematically attacked mainly the fuel and energy complex and aviation industry in Russia.”
The actors have also attacked organizations, to include some government servers, in the United States, India, Nepal, Taiwan, and Japan.
ChamelGang (derived from chameleon) started exploiting ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on unpatched Microsoft Exchange servers just over a month ago.
Additionally, the actors appear to be focused on stealing data from compromised networks and launching “trusted relationship” attacks starting in March 2021.
A trusted relationship attack is where cybercriminals compromise third-party infrastructure and employees who have access to the target victim’s resources.
For example, the PT ESC team described in a blog post how ChamelGang exploited a vulnerable web application running JBoss Application Server to compromise a subsidiary organization:
By exploiting vulnerability CVE-2017-12149 (which had been fixed by RedHat more than four years ago), the criminals were able to remotely execute commands on the node. Two weeks later, which in this dynamic represents a relatively short time period, the group was able to compromise the parent company. The attackers obtained the dictionary password of the local administrator on one of the servers in an isolated segment, and penetrated the network via the Remote Desktop Protocol (RDP).
Positive Technologies
Moreover, the attackers went unnoticed while on the victim’s corporate network for three months. As a result, they compromised most of the network, to include critical systems.
“The investigation reveals that the APT group was specifically pursuing data, and succeeded in stealing it,” PT ESC added.
The Positive Technologies team also noticed ChamelGang used new malware in their recent attacks: ProxyT, BeaconLoader, and the DoorMe backdoor. The latter went undetected with standard anti-virus tools. DoorMe allows attackers to use cmd.exe, create new processes, write files and copy timestamps.
In addition, the cybergang also used previously known FRP, Cobalt Strike Beacon, and Tiny shell malware.
The Cobalt Strike was used in other attacks such as APT 41 and Nobelium campaigns. According to a Cisco report published last year, this malware was a good example of the second most popular endpoint threat “dual-use” tools used by attackers in 2020.
Readers can check out the Positive Technologies report on the ChamelGang APT for more details.
Related Articles
- Cyberattackers exploiting ProxyShell vulnerabilities
- The top 3 endpoint threats used in 2020 cyberattacks
- Microsoft uncovers NOBELIUM ‘sophisticated email-based attack’
- FBI identifies 16 Conti ransomware attacks targeting US healthcare and first responder networks
- APT41 launches broad cyber campaign with multiple exploits