At a glance.
- Spearphishing campaigns target the oil & gas industry.
- Hundreds of malicious Ruby packages found.
- PoetRAT targets SCADA sector and government officials in Azerbaijan.
- An analysis of a critical VMware vulnerability.
- Malicious bot activity is on the rise.
Spearphishing campaigns target oil & gas industry.
Bitdefender warns that two spearphishing campaigns recently targeted the oil & gas industry attempting to deliver the Agent Tesla information-stealing Trojan. The first campaign used emails that purported to come from Engineering for Petroleum and Process Industries (Enppi), an engineering subsidiary of Egypt's national oil company. The emails appear to be well-crafted and convincing RFQs related to the Rosetta Sharing Facilities Project, a real project aimed at expanding gas fields in the West Delta Deep Marine area. The emails also reference Burullus Gas Company, the half-state-owned Egyptian contractor that's working on the Rosetta project. Bitdefender notes that the targeted employees would likely be familiar with these references.
This first campaign began on March 31st, when more than one-hundred emails were sent out to organizations in at least twenty-four countries. The largest focus was on Malaysia, the United States, Iran, South Africa, Oman, Turkey, and Italy. In addition to oil & gas, the campaign targeted organizations that conduct "charcoal processing, hydraulic plants, manufacturers of raw materials, and transporters of large merchandise."
The second campaign, which began on April 12th, was much smaller in scope and "targeted only a handful of shipping companies based in the Philippines over the course of two days." As in the first campaign, this operation used industry-specific jargon and relevant requests that demonstrated the attackers' understanding of the targeted organizations and industry. One of the emails made reference to a real Indonesian ship that had set sail on April 12th.
The researchers don't guess at who might be behind the campaigns, but they note that the timing of the operation—occurring during a meeting between OPEC+ and the Group of 20 regarding oil production and pricing during the COVID-19 pandemic—"suggests motivation and interest in knowing how specific countries plan to address the issue."
Hundreds of malicious typosquatting Ruby gems identified.
Researchers at ReversingLabs found 761 malicious packages residing in RubyGems, the default package manager for the Ruby programming language. These packages, or "gems," had been collectively downloaded more than 95,000 times. All of the packages had been created by just two accounts, which the researchers believe are controlled by the same person. The purpose of the malicious packages was to redirect cryptocurrency payments to the attacker's Bitcoin address, although the attacker doesn't seem to have enjoyed much success.
The attacker relied on typosquatting to dupe developers into installing the malicious packages. Software developers generally install application packages manually by either clicking a button or typing in a command. Attackers take advantage of this by creating malicious packages with names that closely resemble popular, legitimate packages. In this case, for example, the threat actor's most successful package was named "atlas-client," mimicking the legitimate "atlas_client" package. The malicious package had 2,100 downloads, while the legitimate one had 6,496.
ReversingLabs's researchers discovered the malicious Ruby packages by flagging gems that potentially mimicked the most popular Ruby gems, and then unpacking the file types within those gems. All of the suspicious gems they identified contained an executable named "aaa.png," which the researchers concluded was likely malicious since it was posing as an image file. Once installed, the malware would monitor the victim's clipboard for Bitcoin wallet addresses and replace them with the attacker's address.
Despite the high number of downloads, the attacker's wallet hasn't received any payments to date. The researchers suspect this is due to the campaign's narrow target pool: the attack can only succeed if a malicious package is installed by "a Ruby developer whose environment of choice is a Windows system that's also periodically being used to make BitCoin transactions."
The Register notes that, while this threat actor doesn't seem particularly sophisticated, the broader takeaway from the research is "how easy it is to get malware into one of the most widely used package managers."
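The two signals ReversingLabs used are easy to check before a dependency is installed: a name that collides with a popular gem once separators or single typos are ignored (atlas-client versus atlas_client), and a file whose extension claims an image while its bytes begin a Windows executable (the "aaa.png" payload). The following Ruby is an added illustration, not ReversingLabs's tooling; the popular-gem list and file contents are constructed, and in practice the list would come from rubygems.org download counts.

```ruby
# Constructed stand-in for the "most popular gems" list (assumption: in a real
# audit, populate this from rubygems.org download statistics).
POPULAR_GEMS = %w[atlas_client rails nokogiri rspec-core].freeze

# Normalise separators so "atlas-client" and "atlas_client" collide.
def normalize(name)
  name.downcase.tr("-_.", "")
end

# Levenshtein edit distance; a distance of 1 catches single-keystroke typos.
def edit_distance(a, b)
  prev = (0..b.size).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Returns the popular gem that `name` imitates, or nil when it looks benign.
# An exact popular name is the legitimate package, not a typosquat.
def typosquat_of(name)
  return nil if POPULAR_GEMS.include?(name)
  POPULAR_GEMS.find do |pop|
    normalize(pop) == normalize(name) || edit_distance(name, pop) <= 1
  end
end

# True when an image extension fronts a Windows PE file, which starts with "MZ".
def masquerading_executable?(filename, bytes)
  image = %w[.png .jpg .jpeg .gif].include?(File.extname(filename).downcase)
  image && bytes.byteslice(0, 2) == "MZ"
end

# Audit a gem: its name plus a map of packaged filename => leading bytes.
def audit_gem(name, files)
  findings = []
  mimicked = typosquat_of(name)
  findings << "name imitates #{mimicked}" if mimicked
  files.each do |fname, bytes|
    findings << "#{fname} is an executable posing as an image" if masquerading_executable?(fname, bytes)
  end
  findings
end
```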
PoetRAT targets SCADA sector in Azerbaijan.
Cisco Talos discovered a previously unobserved malware family that's being used by an unknown actor to target Azerbaijan's government and energy sector. The attacker is interested in "private companies in the SCADA sector," primarily those related to wind turbines. The threat actor also appeared to go after Azerbaijan government officials using a credential-stealing website that imitated the webmail login portal used by the Azerbaijan government. The researchers conclude that the attacker is "highly motivated and focused on the victims it targets," adding that "the quantity and diversification of tools available in its toolkit denote a carefully planned attack."
The malware is a Python-based remote access Trojan that the researchers have named "PoetRAT" because of references to William Shakespeare within its code. It's installed by being appended to a Microsoft Word document and then extracted by a macro. The researchers aren't sure how these documents are distributed, but they think phishing is a likely possibility. Most of the documents were COVID-19 themed and purported to come from government sources. PoetRAT uses FTP to exfiltrate data, which the researchers say "denotes an intention to transfer large amounts of data."
Analyzing a critical VMware vulnerability.
VMware released a patch last week for a "sensitive information disclosure vulnerability" in its VMware Directory Service (vmdir). Notably, the flaw (tracked as CVE-2020-3952) received a CVSS score of 10.0, which Decipher notes is unusually high for an information disclosure vulnerability. VMware explained that a "malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. Variant attack vectors such as creating new attacker-controlled administrative accounts are also possible."
Guardicore researchers took a closer look to find out why the flaw was so severe, and their analysis found that "with three simple unauthenticated LDAP commands, an attacker with nothing more than network access to the vCenter Directory Service can add an administrator account to the vCenter Directory." They explain that the vulnerability is a result of two bugs in the vmdir code. The first was in a function that mistakenly returned "access granted," even if the permissions check failed. The second was a design error that granted "root privileges to an LDAP session with no token, under the assumption that it is an internal operation."
Guardicore also published a proof-of-concept exploit for the vulnerability. Users are urged to implement VMware's patch, and Guardicore also recommends "blocking any access over the LDAP port (389) except for administrative use."
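The two defects Guardicore describes combine into a fail-open authorization path: a session with no token is treated as an internal (root) operation, and the permission check's verdict is thrown away. The Ruby below is an added model of that pattern beside a fail-closed version; it is hypothetical illustration, not VMware's vmdir code, and the token store and operation names are constructed.

```ruby
# A bound LDAP session; a nil token models a session that never authenticated.
Session = Struct.new(:token)

# Constructed token store: one ordinary user and one administrator.
TOKENS = { "tok-user" => :user, "tok-admin" => :admin }.freeze

# Only root or an administrator may add accounts to the directory.
def permission_check(role, op)
  return true if role == :root || role == :admin
  op != :add_admin_account
end

# Flawed path, modelling both bugs from the write-up.
def flawed_authorize(session, op)
  # Bug 2: no token is assumed to mean an internal operation, so root.
  role = session.token.nil? ? :root : TOKENS[session.token]
  # Bug 1: the check runs, but its result is never used.
  permission_check(role, op)
  :granted
end

# Hardened path: unknown or unauthenticated sessions are denied outright, and
# the decision is exactly the permission check's outcome (fail closed).
def hardened_authorize(session, op)
  role = TOKENS[session.token]
  return :denied if role.nil?
  permission_check(role, op) ? :granted : :denied
end
```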
Malicious bot activity is on the rise.
Imperva released a report on malicious bot activity at the application layer of the OSI model. These types of bots are used to exploit APIs, websites, and mobile apps for various reasons, including credential stuffing, credit card fraud, ticket scalping, data scraping, ad fraud, and propaganda distribution. Imperva found that malicious bots made up 24% of all internet traffic in 2019, up from 20.4% in 2018. Imperva describes 20% of these bots as "sophisticated," meaning they can imitate human behavior using "mouse movements and clicks that fool even sophisticated detection methods." The sectors most affected by malicious bots are financial, education, IT & services, marketplaces, and government, with each industry facing different types of automated threats.