A previously unknown threat actor is behind a string of attacks against energy and aviation companies in Russia, the US, India, and Japan, according to Positive Technologies.
The security company dubbed the new advanced persistent threat (APT) group ChamelGang, from “chameleon”, because of its chameleonic capabilities. For example, the attackers register phishing domains that imitate legitimate services of large international companies such as Microsoft, TrendMicro, McAfee, IBM, and Google.
“To achieve their goal, the attackers used a trending penetration method—supply chain,” the researchers said. “The group compromised a subsidiary and penetrated the target company’s network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal and steal data from the compromised network.”
Researchers revealed the technical details of this campaign at the Black Hat USA 2021 security conference.
The adversary is believed to have started attacking victims at the end of March 2021. Attacks in August were largely focused on the vulnerabilities that affect Microsoft Exchange Servers, known as the ProxyShell flaws.
Researchers described a campaign that took place in March during which the operators breached a subsidiary organization to gain access to an unnamed energy company’s network. The attackers exploited a flaw in Red Hat JBoss Enterprise Application Platform (CVE-2017-12149) to deploy malware with elevated privileges, move laterally across the network, perform reconnaissance, and deploy the DoorMe backdoor.
“The infected hosts were controlled by the attackers using the public utility FRP (fast reverse proxy), written in Golang,” the researchers said. “This utility allows connecting to a reverse proxy server. The attackers’ requests were routed using the socks5 plugin through the server address obtained from the configuration data.”
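The FRP usage described above gives defenders a concrete hunting target: an frpc client configuration that carries the callback server address and a `socks5` plugin section turns the host into a relay. The script below is an added example (not Positive Technologies' code or part of the frp project) that parses the classic `frpc.ini` format and reports proxy-plugin sections together with the server they call back to; the sample config and its addresses are constructed for illustration.

```python
import configparser

# Constructed sample of a classic frpc.ini; the addresses and names are
# illustrative only and are not taken from any real ChamelGang intrusion.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[web]
type = tcp
local_port = 80
remote_port = 8080

[pivot]
type = tcp
remote_port = 1080
plugin = socks5
plugin_user = user
plugin_passwd = pass
"""

# frp client plugins that relay arbitrary traffic through the host.
PROXY_PLUGINS = {"socks5", "http_proxy"}


def find_frp_proxy_pivots(config_text):
    """Parse frpc.ini-style text and return every proxy section that uses a
    traffic-relaying plugin, paired with the server_addr/server_port from
    [common] that the client would connect back to."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    server_addr = parser.get("common", "server_addr", fallback=None)
    server_port = parser.get("common", "server_port", fallback=None)
    findings = []
    for section in parser.sections():
        if section == "common":
            continue  # global settings, not a proxy definition
        plugin = parser.get(section, "plugin", fallback="").strip().lower()
        if plugin in PROXY_PLUGINS:
            findings.append({
                "section": section,
                "plugin": plugin,
                "remote_port": parser.get(section, "remote_port", fallback=None),
                "server_addr": server_addr,
                "server_port": server_port,
            })
    return findings


if __name__ == "__main__":
    for f in find_frp_proxy_pivots(SAMPLE_FRPC_INI):
        print(f"[{f['section']}] {f['plugin']} pivot -> "
              f"{f['server_addr']}:{f['server_port']} (remote_port {f['remote_port']})")
```

Run it over any `*.ini` files found near unexpected Go binaries; the reported `server_addr` is the value to pivot on in proxy and firewall logs.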
Similarly, the August attack against a Russian company in the aviation production sector exploited the ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to conduct remote reconnaissance and ultimately install a modified version of the DoorMe implant.
“Targeting the fuel and energy complex and aviation industry in Russia isn’t unique — this sector is one of the three most frequently attacked,” Positive Technologies’ Head of Threat Analysis, Denis Kuvshinov, said. “However, the consequences are serious: Most often such attacks lead to financial or data loss—in 84% of all cases last year, the attacks were specifically created to steal data, and that causes major financial and reputational damage.”