Russian government-backed hacker groups linked to the SolarWinds supply chain attack developed a new piece of malware that was used to launch attacks against businesses and governments in North America and Europe, in a campaign aimed at stealthily compromising networks, stealing information, and laying the groundwork for future attacks.
The attacks also include the compromise of several cloud and managed service providers, as part of a campaign designed to give the hackers access to the providers' downstream customers in the United States through supply chain attacks.
The broad-based campaign was detailed by cybersecurity researchers at Mandiant who linked it to two groups of hackers they refer to as UNC3004 and UNC2652.
Mandiant connects these groups with UNC2452 – also known as Nobelium in reports from Microsoft – a hacking operation working on behalf of the Russian foreign intelligence service and behind the cyber attack against SolarWinds.
While each of these hacking operations operates out of Russia and they appear to have similar goals, researchers cannot say with certainty that they are all part of a single unit.
“While it is plausible that they are the same group, Mandiant does not currently have enough evidence to make this decision with high confidence,” the report said.
The newly detailed campaigns include the use of a specially developed malware downloader that researchers have named Ceeloader.
Written in the C programming language, the malware decrypts shellcode payloads that run in the memory of the victim’s Windows computer, allowing further malware to spread. Ceeloader evades detection by using large chunks of junk code that make the malicious code undetectable by antivirus software.
“An obfuscation tool was used to hide the code in Ceeloader between large chunks of junk code with meaningless calls to the Windows API. The meaningful calls to the Windows API are hidden in obfuscated wrapper functions that decrypt the name of the API and dynamically resolve it before calling it,” the report said.
It’s not clear how Ceeloader is distributed, but it provides a stealth gateway for further malicious activity.
Other tactics the attackers use include abusing the legitimate penetration testing tool Cobalt Strike to place a backdoor on the compromised system that can be used to execute commands and transfer files, as well as to provide a keylogger that can be used to steal usernames and passwords.
In addition to using malware, the attackers compromised targets using cloud services.
Like other Russia-linked hacking campaigns, these attacks also target Remote Desktop Protocol (RDP) credentials.
But no matter how the network was compromised, the organizations attacked appear to align with those targeted in previous campaigns attributed to the Russian state.
“We have seen that this threat actor is ultimately targeting government agencies, advisory organizations and NGOs in North America and Europe that have direct data of interest to the Russian government. In some cases, they first compromise technology solutions, services and resellers in North America and Europe that have access to destinations that are of greatest interest to them,” Douglas Bienstock, manager of consulting at Mandiant, told ZDNet.
For the attackers, targeting cloud service providers through the new and existing compromise methods described in the report remains one of the most important ways of compromising a wide range of organizations. By compromising the supplier, they have the potential to gain access to the customers’ systems.
Incidents like the attack on the SolarWinds supply chain attributed to the Russian state, as well as cybercriminal activities such as the Kaseya supply chain compromise and ransomware attack, have shown what a powerful tool this can be for hostile cyber campaigns – this is why cloud providers and their services remain a prominent target.
“By compromising the environment of a single cloud service provider, the threat actor can potentially access the networks of multiple organizations that they are interested in and that are that provider’s customers. That way, the threat actor can focus its efforts on a small area, many organizations, and then reap huge rewards,” said Bienstock.
Mandiant researchers say they are aware of a few dozen organizations that were hit by campaigns in 2021, and steps have been taken to notify them in cases where they were compromised by attackers.
Russia-linked hackers – and other offensive cyber operations – are expected to continue targeting organizations, supply chains and cloud providers around the world. Mandiant previously posted advice on how to harden networks against attacks, which includes enforcing multi-factor authentication for all users.