CERT-UA has identified and addressed a cyber attack on the government information systems of Ukrainian governmental state bodies.
Through investigation, it was discovered that the department’s email address received communications on April 18, 2023, and April 20, 2023, appearing to originate from the authentic email account of the Embassy from Tajikistan (In Ukraine).
Weaponized DOCX File
Suspected to be a result of the compromised state of the embassy, these emails comprised an attachment in the form of a document that contained a macro in the initial case while referring to the same document in the later incident.
When the document is downloaded, and its macro is activated, it creates and opens a DOCX file called “SvcRestartTaskLogon” with a macro that generates another file with the “WsSwapAssessmentTask” macro.
While it also includes a “SoftwareProtectionPlatform” file categorized as HATVIBE, which can load and execute additional files.
During the course of technical investigation, it was documented that on April 25, 2023, supplementary programs were generated on the computer, possibly facilitated by HATVIBE, under uncertain circumstances.
Here below, we have mentioned those additional generated apps:-
LOGPIE keylogger
CHERRYSPY backdoor
The files are created with Python and secured with PyArmor, while the “pytransform” module, providing encryption and code obfuscation, is further safeguarded with Themida.
The STILLARCH malware is employed for searching and exfiltrating files, including data from the LOGPIE keylogger, with file extensions such as:-
.~tmp
.doc
Further analysis of infrastructure and associated data determined that the group’s targets include organizations from various countries engaging in espionage activities under the code name UAC-0063, which have been monitored since 2021.
To minimize the vulnerability scope, it is advisable to limit user accounts from executing “mshta.exe,” Windows Script Host (“wscript.exe,” “cscript.exe”), and the Python interpreter, thereby reducing the potential attack surface.
The vulnerability (CVE-2023-21492) affects mobile devices manufactured by Samsung and running on the following versions of the Android operating system. The vulnerability results from the accidental inclusion of sensitive data in log files.
Android 11, Android 12, Android 13
CISA has just recently issued a warning on a security hole that affects Samsung devices and makes it possible for attackers to avoid Android’s address space layout randomization (ASLR) protection while carrying out targeted attacks.
Randomization of the memory locations at which important app and operating system components are loaded into the device’s memory is made possible thanks to Android’s Address Space Layout Randomization (ASLR), which is a fundamental component of Android’s security architecture. The information that has been revealed may be used by local attackers who have elevated rights to perform an ASLR bypass, which would therefore make it easier to exploit weaknesses in memory management. Samsung has essentially remedied this issue as a part of the most recent security upgrades by adopting safeguards that prevent kernel references from being recorded in future instances. This was done as part of a larger effort to introduce new security measures.
According to the advice that was included in the May 2023 Security Maintenance Release (SMR), Samsung has admitted that it was notified of an attack that targets this specific flaw that is now active in the wild.
Despite the fact that Samsung did not provide any particular information on the exploit of CVE-2023-21492, it is essential to keep in mind that during highly focused cyberattacks, security vulnerabilities are regularly exploited as part of a sophisticated chain of exploits.
These attacks used chains of exploits that targeted the vulnerabilities to spread spyware that was driven by commercial interests. While this is going on, security researchers working for Google’s Threat Analysis Group (TAG) and Amnesty International discovered and reported on two different attack operations in the month of March. Following the recent addition of the CVE-2023-21492 vulnerability to CISA’s list of Known Exploited Vulnerabilities, the United States Federal Civilian Executive Branch Agencies (FCEB) have been given a three-week window of time until June 9 to patch their Samsung Android devices in order to protect themselves from potential attacks that exploit this security flaw.
In accordance with BOD 22-01, government agencies have until the deadline of June 9, 2023 to fix any vulnerabilities that have been added to the CISA’s KEV list.
Researchers have identified a new sort of attack that they have given the name “Ghost Touch.” This new form of attack may access the screen of your mobile device without even requiring you to touch it.
It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, frauds, and the use of malware to infect devices. However, researchers from the Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals may use to get their hands on your smartphone.
These are known as Ghost Touch, and they may be used to unlock a mobile device, allowing the user to get access to sensitive information like passwords or banking apps, and even install malware. According to their explanation, the attack makes advantage of “electromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it.”
Make note of the fact that this latest attack is aimed. To put it another way, in order to adjust the gadget, it is essential to have knowledge on the make and model of the cell phone belonging to the victim. The attacker may additionally need extra knowledge about it, such as the access code, which has to be obtained via social engineering. This might be a need for the attack. The attack is effective from a distance of up to 40 mm and makes use of the sensitivity of the touch screen to electromagnetic interference (EMI). Attackers have the ability to inject electromagnetic impulses into the implanted electrodes of the screen, which will cause the screen to record these signals as touch events (a touch, exchange, press, or hold).
On a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2, its efficacy has been shown. If a user’s screen has been hacked, it will begin operating on its own without the user’s intervention. For instance, it will begin answering calls on the user’s behalf or it will become unblocked.
When a mobile device begins visiting arbitrary web sites, entering into the user’s bank account, opening files, playing a movie, or typing on Google without the user’s interaction, this is another clear indication that the device has been compromised.
“You can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places,” the article states. They recommend that you keep your phone in your possession at all times, since this will significantly lower the likelihood that it will be hacked.
Check Point Research has been monitoring sophisticated attacks on authorities in numerous European countries since January 2023. The campaign made use of a broad number of tools, one of which was an implant, which is a tactic that is often linked with Chinese government-backed cybercriminals. This action has substantial infrastructure similarities with activities that have been previously published by Avast and ESET, which links it to the “Mustang Panda” malware family. This cluster of suspicious behavior is
being monitored by CPR as “Camaro Dragon” at the moment.
According to experts from Check Point named Itay Cohen and Radoslaw Madej, an investigation of these attacks has uncovered a bespoke firmware implant that was created specifically for TP-Link routers. “The implant features several malicious components, including a custom backdoor named ‘Horse Shell,’ that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks,” the firm claimed.
“Because of the implant’s firmware-agnostic design,” its components may be incorporated into different types of software by a variety of different manufacturers. At this time, the precise mechanism that was utilized to distribute the altered firmware images on the compromised routers is unclear. Likewise, its utilization and participation in real attacks are also unknown. It is believed that the first access may have been gained by taking advantage of security holes that were already known about or by brute-forcing devices that had passwords that were either the default or readily guessed.
According to what is currently known, the C++-based Horse Shell implant gives attackers the ability to run arbitrary shell commands, upload and download files to and from the router, and relay communication between two separate clients. However, in an intriguing turn of events, it is suspected that the router backdoor targets random devices on residential and home networks. This finding lends credence to the theory that hacked routers are being co-opted into a mesh network with the intention of establishing a “chain of nodes between main infections and real command-and-control.”
The purpose of relaying communications between infected routers by utilizing a SOCKS tunnel is to establish an extra layer of anonymity and disguise the end server. This is accomplished by the fact that each node in the chain possesses information only about the nodes that came before and after it in the chain.
To put it another way, the approaches obfuscate the origin and destination of the traffic in a manner that is comparable to how TOR works, which makes it far more difficult to discover the scope of the attack and disrupt it. The finding is just one more illustration of a long-standing pattern in which Chinese threat actors target internet-facing network equipment in order to manipulate the underlying software or firmware of such devices.
Unfortunately, some laws restrict genuine security research. As we await the findings of UK Home Office’s review of the 1990 Computer Misuse Act, it’s time to rethink traditional approaches to security testing and for the UK government to support the case for ethical hacking proactively.
Why criminals have had the upper hand
Cybercriminals have had the advantage over businesses for too long. Poorly written code in old applications, unpatched software, and forgotten digital scaffolding accidentally left up after projects were completed are a few examples of how mistakes made years ago enable fresh attacks. However, it’s not just coding errors from the past that cause issues. Software is now dominated by open-source products; at least one known open-source vulnerability was detected by Synopsis in 84% of all commercial and proprietary code bases.
Although organizations have begun designing more robust security processes and testing throughout the software development lifecycle, it is often the same people who built the systems that are checking for issues. In addition, security activities tend to be siloed (e.g., we test an application but ignore the API). This reductionist view of cybersecurity all too often misses the bigger picture, but for a cyber attacker the whole is the goal.
The case for ethical hacking
What’s needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on their side probing continuously for any weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, performing recon to discover new insecure assets.
Like cybercriminals, hackers will also be leveraging tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface and 20% believe over half of their attack surface is unknown or not observable. So, it’s easy to understand why cybercriminals with significant and often cheap labor power plus an array of techniques target unknown assets and regularly uncover exploitable vulnerabilities.
The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).
The value of a vulnerability disclosure program (VDP)
VDPs are structured frameworks for security researchers to help proactively and continuously test internet-facing applications and infrastructure, documenting and submitting any found vulnerabilities. Program providers have amassed communities of ethical hackers and security researchers numbering in the hundreds of thousands, all with unique skill sets and perspectives to strengthen the security of an organization’s applications. Hackers perform ongoing tests in internet-facing assets including third-party software such as open-source libraries.
When a VDP is implemented, statistics indicate that over a quarter receive a vulnerability report within the first day of a program launch and new customers are notified of four high or critical vulnerabilities within their first month of use.
Therefore, ongoing feedback from hackers regarding the potential impact of vulnerabilities effectively extends the reach and knowledge of in-house security teams. Trying to deliver, and maintain, this breadth and depth of coverage in-house simply isn’t viable for most organizations.
Ethical hacking in practice
So, what does ethical hacking look like in practice? Programs offered by vulnerability disclosure platform providers can be tailored to meet all sizes and types of requirements.
The UK’s National Cyber Security Centre is leading the way with its vulnerability disclosure reporting program that covers its own website and extends to any online government site, as necessary.
Another government example is the Ministry of Defence (MoD), which has worked with the hacking community to build out its bench of technical talent and to bring more diverse perspectives to protect and defend assets. This collaboration enabled an understanding of where their vulnerabilities were which is an essential step when working to reduce cyber risk and improve overall resilience.
Incentivizing hackers
Enterprises with large asset inventories could consider taking a further step in the form of a vulnerability rewards program (VRP) that offers financial incentives to report vulnerabilities. Businesses can invite hackers that specialize in specific technologies to participate, depending on the assets that are in scope for the program. By offering competitive rewards or bounties, companies will attract the top independent security talent worldwide.
If organizations are seen to provide more significant financial incentives for reporting vulnerabilities quickly and directly to them, then the value to cybercriminals of stockpiling vulnerabilities for future ransomware attacks will also diminish.
Reforming the law
Every digital organization operating in the UK should have a vulnerability disclosure program that can leverage the benefits of hacking.
To ensure encouragement and protection, the government needs to update the Computer Misuse Act (CMA). Currently, the CMA does not provide sufficient legal protections for good faith cyber vulnerability and threat intelligence research and investigation provided by UK-based cyber security professionals and hackers. We recommend the government revises the CMA to include a statutory defense for cyber security professionals who are acting in the public interest that defends them from prosecution by the state and from unjust civil litigation.
Tipping the balance towards safety
Outwitting cybercriminals remains a complex and burdensome task. Ethical hackers can help to tip the scales away from the bad actors for those organizations that are prepared to incorporate them into their security initiatives.
Supporting hackers financially and protecting them legally from misdirected prosecution will further increase the ever-growing community of hackers who are working to provide a safer internet for businesses and individuals.
Because IoT devices often have weak security and are easily hacked, the Internet of Things (IoT) has been an increasingly attractive target for cyber assaults in recent years. This is due to the fact that IoT devices are connected to the internet. Pwn2Own was a competition held in Toronto in the last year that focused on hacking into Internet of Things (IoT) devices such as printers, routers, network-attached storage (NAS) devices, routers, and smart speakers. The competition was organized by the Zero Day Initiative (ZDI), which aimed to bring attention to the vulnerabilities of IoT devices and encourage better security practices from manufacturers. This competition invited skilled hackers to showcase their expertise in locating and exploiting flaws in the devices being used. As part of their investigation and participation in the Pwn2Own Toronto hacking competition that took place in December of last year, Team82 exposed five vulnerabilities that were found in NETGEAR’s Nighthawk RAX30 routers. If an exploit is successful, an attacker may be able to monitor the online activities of users, hijack users’ connections to the internet, and redirect traffic to malicious websites, as well as insert malware into network traffic.
These vulnerabilities might potentially be used by an attacker to obtain access to and manage networked smart devices (such as security cameras, thermostats, and smart locks), modify router settings (such as passwords or DNS settings), or exploit a network that has been hacked to launch attacks against other devices or networks.
NETGEAR products come with a dedicated server known as soap_serverd that operates on port 5000 (HTTP) and port 5043 (HTTPS). This server serves as a programmatic application programming interface (SOAP) for the router.
Users are given the ability to query the device and make changes to its settings thanks to the available API. The NETGEAR Nighthawk App for iOS and Android is the primary client that connects to the server. The vulnerabilities that were targeted are listed below.
They are able to extract the device serial number by using the CVE-2023-27357 vulnerability, which is known as Sensitive Information Exposed Without Authentication.
By using CVE-2023-27369, also known as an SSL Read stack overflow, researchers are able to deliver an HTTPS payload without being constrained by size requirements.
They are able to create a payload that is sufficiently large to replace the socket IP, bypass authentication, and obtain the device settings by using CVE-2023-27368, which is a sscanf stack overflow vulnerability.
They were able to alter the admin password by using CVE-2023-27370 (Plain text secrets in the configuration), which allowed us to access the plain-text answers to the security questions, along with the serial number that we obtained before.
Once they have updated the password, they were able to send a magic packet to the device in order to activate a limited telnet server. They get root access and remote code execution on the device by using the CVE-2023-27367 vulnerability, which is a restricted shell escape.
It is possible to compromise vulnerable RAX30 routers by chaining together these five CVEs. The most serious of these flaws allows for pre-authentication remote code execution on the device. NETGEAR has patched all five vulnerabilities uncovered by Team82, three of which were high-severity vulnerabilities that enable pre-authentication remote code execution, command injection, or authentication bypasses.
A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor who is promoting it charges $1,000 each month and continually updates the virus that they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the computer of the victim, such as passwords saved in the Keychain, comprehensive system information, files from the victim’s desktop and documents folder, and even the macOS password itself.
One of its many capabilities is the extraction of data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. This is only one of its many functions. When a threat actor purchases the stealer from the creators of the stealer, they are also given a web panel that is pre-configured and ready to use for managing the victims.
In the event that AMOS is installed, it has the potential to compromise a broad range of data, some of which include the passwords for iCloud Keychain, the password for the macOS system, cookies, passwords, and credit card credentials from browsers like as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it has the ability to compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and a great number of others.
A web panel, a program called Brute MetaMask, logs in Telegram with alerts, and more features are provided to customers by the malicious party that is offering malware as a service.
The following is the message that the threat actor posted on Telegram while trying to sell the malware:
After the malware has gained access to a user’s information, it places the information into a ZIP file, compresses it, and then sends it to the malicious party via a command and control server URL.
It is imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS messages as a result of this development, which is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware. The development is also a sign that macOS is becoming a target for cybercriminals to deploy stealer malware.
To protect against it:
Only applications from the official Apple App Store should be downloaded and installed on your device. Install an antivirus and internet security software package that has a good reputation on your computer. Make sure to use secure passwords, and implement multi-factor authentication whenever it’s possible. When it is feasible to do so, enable the biometric security capabilities of the device, such as fingerprint or face recognition, so that it can be unlocked. Always use caution before clicking on any links that are delivered to you in emails. When enabling any permissions, exercise extreme caution. Make that all of your software, including operating systems and apps, is up to date.
The software known as cPanel is used extensively online as a control panel for web hosting. At the time this blog article was being written, there were precisely 1.4 million exposed cPanel installations on the public internet.
The researchers found a vulnerability known as reflected cross-site scripting, which could be exploited without the need for any authentication. Additionally, the XSS vulnerability could be exploited even if the cPanel management ports (2080, 2082, 2083, and 2086) were not open to the outside world. This was the case regardless of whether or not they were exposed. This means that if your website is hosted by cPanel and runs on ports 80 and 443, it was also susceptible to the cross-site scripting vulnerability.
An invalid webcall ID that may include XSS content is at the heart of CVE-2023-29489, the vulnerability that it causes. When this content is displayed on the error page for cpsrvd, it is not appropriately escaped, thus enabling the XSS attack.
At @assetnote, we discovered a reflected cross-site scripting vulnerability in cPanel that affected ~1.2M assets. You can read about our work in reverse engineering cPanel and discovering this here: https://t.co/caweyh5fsE. This has been assigned CVE-2023-29489.
The repercussions of being susceptible to these dangers are quite concerning. Using cPanel with its default configuration allows malicious actors to run arbitrary JavaScript pre-authentication on almost any port on a web server. This is as a result of the proxy rules that enable access to the /cpanelwebcall/ directory even on ports 80 and 443, which were previously inaccessible.
The effect of this vulnerability is that they are able to run arbitrary JavaScript, including scripts that need pre-authentication, on practically every port of a webserver that is using cPanel with its default configuration.
The proxy restrictions are to blame for this situation. Even though it is being proxied to the cPanel administration ports by Apache on ports 80 and 443, they were still able to access the /cpanelwebcall/ directory.
Because of this, an adversary may launch attacks not only against the administrative ports of cPanel but also against the apps that are operating on ports 80 and 443.
An adversary may employ this cross-site scripting attack to take over the cPanel session of a legitimate user if the cPanel administration ports were exposed to the assault in the first place.
After successfully authenticating as a user of cPanel, it is often quite simple to upload a web shell in order to get command execution privileges for oneself.
Proof of Concept
For the purpose of demonstrating the vulnerability, the researchers supplied the following proof of concept URLs:
Please don’t be concerned if you believe that this vulnerability may be affecting your website. Because the majority of cPanel installations on the internet have the auto-update capability activated, it’s possible that you are no longer at risk of being exploited even if you don’t apply a patch. Upgrading to any of the following versions of cPanel or above will eliminate the risk associated with this vulnerability:
Researchers from Google’s Threat Analysis Group (TAG) presented their findings in the company’s Threat Horizons Report. Their findings showed that the hacking group APT41 was misusing the GC2 red teaming tool in its attacks. GC2, also known as Google Command and Control, is an open-source project that was built specifically for red teaming operations. It was written in the programming language Go. GC2 (Google Command and Control) is an application for Command and Control that enables an adversary to exfiltrate data using Google Drive and execute instructions on the target system using Google Sheet. During Red Teaming operations, this software was constructed in order to give a command and control that does not need any specific set up (such as a custom domain, VPS, CDN, etc.). This was done in order to make the application more accessible.
In addition, the application will only connect with Google domains (*.google.com) in order to make detection more challenging.
In October 2022, the Threat Analysis Group (TAG) of Google was successful in disrupting a campaign that was being run by HOODOO, a Chinese government-backed attacker also known as APT41. This effort was aimed at a Taiwanese media organization, and it consisted of sending phishing emails that included links to a password-protected file that was housed on Drive. The payload was a piece of open source software known as “G oogle Command and Control” (GC2), which was a red teaming tool. The program is written in Go, and it receives instructions from Google Sheets. These orders are used to exfiltrate data to Google Drive, which is presumably done to conceal the malicious behavior. After it has been installed on the victim’s system, the malware will query Google Sheets in order to collect orders from the attacker.
The attacker is able to download more files from Drive onto the target machine using GC2, in addition to exfiltrating data via Drive. HOODOO has previously made use of GC2 in the month of July 2022 in order to target an Italian job search website. These attacks provide light on a few critical patterns in the security landscape posed by threat actors linked with China. First, rather than building its own unique tools, Chinese advanced persistent threat (APT) organizations are increasingly turning to publicly accessible tooling like Cobalt Strike and other “pentest” software that can be purchased or found on sites like Github. This pattern may be seen, for instance, in HOODOO’s implementation of GC2. Second, the number of tools that are created in the Go programming language has been steadily increasing over the last several years. This is most likely attributable to the adaptability of the Go language as well as the ease with which module components may be added or removed. In conclusion, the targeting of Taiwanese media exemplifies the ongoing overlap of public sector threat actors attacking private sector entities with minimal links to the government.
The Google Cybersecurity Action Team (GCAT) and Mandiant conducted research on threat actors’ usage of Google Drive for hosting malware. The research revealed that threat actors store malware in Google Drive as encrypted ZIP files, most likely in an attempt to avoid detection. For instance, in the fourth quarter of 2022, Mandiant discovered a campaign that hosted the URSNIF binary on Google Drive in order to spread the URSNIF malware. URSNIF is a well-known piece of generic intrusion software that has a history of being used as a banking bot. Phishing emails were sent out by threat actors in an attempt to trick potential victims into downloading password-protected ZIP files that included harmful material. This content was subsequently installed on the victims’ computers. The DICELOADER malware, which is another kind of broad intrusion malware that may be used for a variety of objectives, was employed by threat actors in the latter part of the fourth quarter of 2022 to implement an extension of this approach. During this campaign, Mandiant discovered phishing emails that had malicious links to Google Drive. Clicking on these links caused the recipient’s computer to download a ZIP file that included an LNK file. The Trojanized Zoom MSI installer was later downloaded and installed as a result of the LNK file, which ultimately resulted in the infection caused by the DICELOADER. Based on the phishing emails that were discovered by Mandiant, this campaign gave the impression that it was aimed at the financial services industry. The attackers further concealed their destructive purpose from the Google Drive download by removing the malware binary from the downloaded ZIP file and separating the two. Google took a number of measures to put a stop to this behavior at the time, and the company also implemented new investigative skills to improve its ability to identify and thwart future instances of similar malicious usage of Google Drive.
These techniques bring to light the risk that is posed by threat actors using cloud services to host malicious content and their ongoing development of evasion techniques to avoid detection. For example, they have transitioned from using encrypted ZIP files that contained malware to encrypted ZIP files that linked to trojanized legitimate installers. Because this trend is expected to continue, businesses should exercise extreme caution while monitoring downloads, especially from websites that seem to be trustworthy.
Security researchers have uncovered fresh malware with hacking capabilities comparable to those of Pegasus, which was developed by NSO Group. The software, which is sold by an Israeli firm named QuaDream, has previously been used by customers to target journalists, political opposition leaders, and an employee of an NGO. The company that makes and sells the spyware is called QuaDream.
NEW REPORT: SWEET QUADREAMS: A first look at #spyware vendor QuaDream’s spy tools, victims and customers. We identified traces of suspected exploit deployed against iOS versions 14.4 and 14.4.2 and possibly other versions as zero-day vulnerability. https://t.co/u7jcxJpu9H
The malware was spread to the victims’ phones when the operators of the spyware, who are thought to be government customers, sent them an invitation to an iCloud calendar. The cyberattacks took place between the years 2019 and 2021, and the term “Reign” is given to the hacking program that was used.
A phone that has been infected with Reign can, similar to a phone that has been infected with Pegasus, record conversations that are taking place near the phone, read messages that are stored on encrypted apps, listen to phone conversations, track the location of a user, and generate two-factor authentication codes on an iPhone in order to break into a user’s iCloud account.
Apple, which has been marketing its security measures as being among the finest in the world, has taken yet another hit as a result of the recent disclosures. It would seem that Reign poses an unprecedented and significant danger to the security of the company’s mobile phones.
The spyware that was built by QuaDream attacks iPhones by having the operators of the malware, who are believed to be government customers, issue an invitation to an iCloud calendar to the mobile users of the iPhones. Since the calendar invites were issued for events that had been recorded in the past, the targets of the hacking were not made aware of them because they were sent for activities that had already occurred.
Since users of the mobile phone are not required to click on any malicious link or do any action in order to get infected, these kind of attacks are referred to as “zero-click” attacks.
When a device is infected with spyware, it is able to record conversations that are taking place nearby by taking control of the recorder on the device, reading messages sent via encrypted applications, listening in on phone calls, and monitoring the position of the user.
The malware may also produce two-factor authentication tokens on an iPhone in order to enter a user’s iCloud account. This enables the spyware operator to exfiltrate data straight from the user’s iCloud, which is a significant advantage. In contrast to NSO Group, QuaDream maintains a modest profile among the general population. The firm does not have a website and does not provide any additional contact information on its page. The email address of Israeli attorney Vibeke Dank was included on the QuaDream business registration form; however, she did not respond to a letter asking for her opinion.
Citizen Lab did not name the individuals who were discovered to have been targeted by clients while they were using Reign. However, the organization did say that more than five victims were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. These victims were described as journalists, political opposition figures, and an employee of an NGO. In addition, Citizen Lab said that it was able to identify operator sites for the malware in the countries of Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.
In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.
At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream. The company believed that the accounts were being used to test the capabilities of the spyware maker using fake accounts. These capabilities included exfiltrating data such as text messages, images, video files, and audio files.
The discovery of Reign underscores the continuous spread of very powerful hacking tools, even as NSO Group, the developer of one of the world’s most sophisticated cyberweapons, has received intensive investigation and been banned by the Biden administration, likely limiting its access to new clients. NSO Group is the maker of one of the most advanced cyberweapons in the world.
Samba is a free software project that runs on operating systems that are similar to UNIX and supports the Windows file sharing protocol. This protocol once went by the name SMB, but it was renamed CIFS a little while later. Computers running GNU/Linux, Mac OS X, or Unix in general may be perceived as servers or communicate with other computers in Windows-based networks in this fashion, making it possible for these machines to perform either role.
Samba has recently been found to have several security flaws, any one of which might possibly let an attacker obtain access to sensitive data. This poses a substantial danger to the system’s security.
CVE-2023-0614 (CVSSV3 SCORE OF 7.7): ACCESS-CONTROLLED AD LDAP ATTRIBUTES CAN BE FOUND
The vulnerability known as CVE-2023-0614 has been discovered, and it enables attackers to access and possibly gain private information, such as BitLocker recovery keys, from a Samba AD DC. As the remedy for the prior vulnerability, CVE-2018-10919, was inadequate, companies that store such secrets in their Samba AD should assume that they have been compromised and need to be replaced.
Impact: The exposure of secret information has the potential to result in unauthorized access to sensitive resources, which presents a severe threat to the organization’s security.
All Samba releases since the 4.0 version are impacted by this issue.
Workaround: The solution that is proposed is to avoid storing sensitive information in Active Directory, with the exception of passwords or keys that are essential for AD functioning. They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability.
They are in the hard-coded secret attribute list, hence they are not vulnerable to the vulnerability. This vulnerability, identified as CVE-2023-0922, affects the Samba AD DC administrative tool known as samba-tool. By default, this tool transmits credentials in plaintext whenever it is used to perform operations against a remote LDAP server. When samba-tool is used to reset a user’s password or add a new user, this vulnerability is triggered. It might theoretically enable an attacker to intercept the freshly set passwords by analyzing network traffic.
The transmission of passwords in plain text opens up the possibility of unwanted access to critical information and puts the security of the whole network at risk.
All versions of Samba released after 4.0 are included in this category.
Workaround: To reduce the risk of exploiting this issue, change the smb.conf file to include the line “client ldap sasl wrapping = seal,” or add the —option=clientldapsaslwrapping=sign option to each samba-tool or ldbmodify invocation that sets a password.
As is the case with vulnerabilities in other software, those in Samba may put an organization’s security at severe risk. Administrators of Samba are strongly encouraged to update to these versions or to install the patch as soon as reasonably practical.
An adversary may circumvent encryption for some communications by exploiting a flaw in the widespread 802.11 protocol, which enables them to do so. The university researchers that made the discovery claim that the flaw enables an adversary to “trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key.”
Due to the fact that it is a flaw in the Wi-Fi protocol, it impacts more than one implementation. A ground-breaking academic paper with the provocative title “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmission Queues” was made available to the public on March 27, 2023. This document revealed flaws in the 802.11 Wi-Fi standard. Because of these vulnerabilities, an attacker could be able to impersonate a targeted wireless client and reroute frames that are already in the transmit queues of an access point to a device that the attacker controls. In this post, we will analyze the workings of this opportunistic attack and investigate the many preventative measures that may be taken to protect your network from this danger.
The attack, which has been given the name “MacStealer,” is directed against Wi-Fi networks that include hostile insiders and takes advantage of client isolation bypasses (CVE-2022-47522). Even if clients are unable to communicate with one another, it is able to intercept communication at the MAC layer. Wi-Fi networks that use client isolation, Dynamic ARP inspection (DAI), and other mechanisms meant to prevent clients from attacking one another are susceptible to this issue.
The first company to recognize the flaw was Cisco, which said that the attacks described in the research article might be effective against Cisco Wireless Access Point devices and Cisco Meraki products with wireless capabilities. Cisco was the first firm to admit the issue.
The client authentication and packet routing processes in Wi-Fi networks function independently of one another, which is the root cause of the security hole known as CVE-2022-47522. The usage of passwords, users, 802.1X IDs, and/or certificates is required for authentication, although MAC addresses are what determine how packets are routed. This inconsistency may be exploited by a malicious insider who disconnects a victim from the network and then reconnects to it using the victim’s MAC address and the attacker’s credentials. As a consequence of this, any packets that are still on their way to the victim, such as data from a website, will instead be received by the attacker.
The following are the three basic stages of this attack:
The attacker will wait for the victim to connect to a susceptible Access Point (AP), at which point the attacker will submit a request to an internet server. For example, the attacker may send an HTTP request to a website that only displays plaintext. Steal the Identifying Information of the Victim: The perpetrator of the attack removes the victim’s network connection before the AP has a chance to process the server’s response. After that, the attacker creates a fake version of the victim’s MAC address and logs in to the network using their own credentials. Intercept the Response: At this step, the access point (AP) pairs the attacker’s encryption keys with the victim’s MAC address. This gives the attacker the ability to intercept any pending traffic that is destined for the victim. It is essential to keep in mind that the communication that is being intercepted may be secured by higher-layer encryption, such as that provided by TLS and HTTPS. Therefore, regardless of whether or not a higher-layer encryption is being used, the IP address that a victim is talking with may still be discovered by this approach. This, in turn, exposes the websites that a victim is viewing, which, on its own, might be considered sensitive information.
All Corporate WPA1, WPA2, and WPA3 networks are vulnerable to the attack in exactly the same way. This is due to the fact that the attack does not take use of any cryptographic features of Wi-Fi; rather, it takes advantage of the way in which a network decides to which client packets should be transmitted, sometimes known as routing.
To summarize, the attack described in the “Framing Frames” study is a worrying vulnerability that presents the possibility of adversaries being able to intercept and perhaps read sensitive information that is being carried across Wi-Fi networks. It is essential for businesses to take all of the required steps, such as implementing strong security measures and using mitigations that have been advised, in order to guarantee the safety and security of their networks.
Using 802.1X authentication and RADIUS extensions are two methods that may be utilized to stop MAC address theft. Safeguarding the MAC address of the gateway, putting in place Managed Frame Protection (802.11w), and making use of virtual local area networks (VLANs) are all viable mitigations. The use of policy enforcement techniques using a system such as Cisco Identity Services Engine (ISE), which may limit network access by utilizing Cisco TrustSec or Software Defined Access (SDA) technologies, is something that Cisco advises its customers to do. It is also recommended by Cisco to implement transport layer security in order to encrypt data while it is in transit if it is practicable to do so. This would prevent an attacker from using the data they have collected.
In response to a recent vulnerability identified in Outlook, Microsoft recently published a proper guide for its customers to help them discover the associated IoCs.
That Outlook vulnerability in question has been tracked as “CVE-2023-23397” with a CVSS score of 9.8 and marked as Critical.
As a result of this flaw, NTLM hashes can be stolen, and without any user interaction, they can be reused to execute a relay attack.
The threat actors use specially crafted malicious emails to exploit the vulnerability and manipulate the victim’s connection. As a result, this allows them to get control of an untrusted location.
The attacker can authenticate as the victim with the Net-NTLMv2 hash leaked to the untrusted network
The problem is that this approach was taken after it was weaponized by Russian threat actors and used as a weapon against the following sectors in Europe:
Government
Transportation
Energy
Military
It was reported in April 2022 that Microsoft’s incident response team had found evidence that the shortcoming could be exploited.
Attack chain & threat hunting Guidance
It has been identified that a Net-NTLMv2 Relay attack allowed a threat actor to gain unauthorized entry to an Exchange Server in one attack chain.
By exploiting this vulnerability, the attacker could modify mailbox folder permissions and maintain persistent access, posing a significant security risk.
The adversary used the compromised email account in the compromised environment to extend their access. It has been discovered that this is done by sending additional malicious messages through the same organization to other members.
CVE-2023-23397 can lead to credential compromise in organizations if they do not implement a comprehensive threat-hunting strategy.
As a first step, running the Exchange scanning script provided by Microsoft is important to detect any malicious activity. However, it’s imperative to note that for all scenarios, this script is not capable of providing any visibility into messages that are malicious in nature.
Multiple mailboxes can be opened at the same time by Outlook users. Messages received through one of the other services will still trigger the vulnerability if a user configured Outlook to open mailboxes from multiple services. The scanned mailboxes do not contain that message.
If a user wishes to move a message to a local file, they can do so. Finding evidence of a prior compromise in Archived messages may be possible in some cases.
You can no longer access your Exchange messages if they have been deleted from Exchange. It is recommended that incident responders review the security telemetry collected from all available channels in order to confirm the presence of IP addresses and URIs obtained from the PidLidReminderFileParameter values.
There are a number of data sources that can be used to gather data, including:-
Firewall logs
Proxy logs
Azure Active Directory sign-in logs for users of Exchange Online
IIS Logs for Exchange Server
VPN logs
RDP Gateway logs
Endpoint telemetry from endpoint detection and response (EDR)
Forensic endpoint data
Recommendations
Here below we have mentioned all the recommendations:-
To mitigate the issue, make sure to update Microsoft Outlook immediately.
Ensure that defense-in-depth mitigations are active in organizations leveraging Microsoft Exchange Server on-premises.
The script should be used to remove either the messages or just the properties if suspicious or malicious reminder values are observed.
In the event that a targeted or compromised user receives suspicious reminders or initiates incident response activities, they should be instructed to reset their passwords.
To mitigate the impact of possible Net-NTLMv2 Relay attacks, it is recommended that you use multifactor authentication.
On Exchange, you should disable unnecessary services that you don’t need.
Block all IP addresses except those on an allowlist from requesting connections on ports 135 and 445.
If your environment has NTLM enabled, you should disable it.
On the third day of the Pwn2Own Vancouver 2023 hacking contest, the organization awarded $185,000 for 10 zero-day exploits.
Pwn2Own Vancouver 2023 is ended, contestants disclosed 27 unique zero-days and the organization awarded a total of $1,035,000 and a Tesla Model 3. The team Synacktiv (@Synacktiv) (Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert) won the competition, they earned 53 points, $530,000, and a Tesla Model 3.
On the third day, contestants were awarded $185,000 after demonstrating 5 zero-day exploits targeting the Ubuntu Desktop, Windows 11, and the VMware Workstation software.
The day began with the hack of Ubuntu Desktop by Kyle Zeng from ASU SEFCOM, he used a double-free bug and earned $30,000 and 3 Master of Pwn points.
Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) used a UAF against Microsoft Windows 11. They earn $30,000 and 3 Master of Pwn points.
The researchers Mingi Cho of Theori used a UAF against Ubuntu Desktop, the team earned $30,000 and 3 Master of Pwn points.
The STAR Labs (@starlabs_sg) team used an uninitialized variable and UAF to hack the VMWare Workstation virtualization software. They earned $80,000 and 8 Master of Pwn points. The STAR Labs team also attempted to demonstrate an exploit against Microsoft Teams, but failed to do it within the time allotted.
Bien Pham (@bienpnn) from Qrious Security successfully targeted Ubuntu Desktop, but used a known exploit, for this reason, the attempt was classified as “Collision”. The team earned $15,000 and 1.5 Master of Pwn points.
“That’s a wrap for Pwn2Own Vancouver! Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3.” reads the wrap for the hacking competition that was published by The Zero Day Initiative.
It is the third day of the PWN2OWN VANCOUVER 2023 hacking contest. So far, security researchers managed to crack the operating systems Ubuntu, macOS and Windows 11, and other products, including Tesla cars and Adobe Reader.
Security researchers who managed to hack their targets win price money and the hacked devices, even if it is a Tesla.
Six of the eight hacks on day one were successful, a seventh was also successful, but it used an exploit that was known previously. Only one attempt failed to hack the target in time.
AbdulAziz Hariri of Haboob SA used a 6-bug logic chain exploiting multiple failed patches against Adobe Reader to escape the application’s sandbox and bypass a banned API list.
STAR Labs hacked Microsoft SharePoint successfully, using a 2-bug chain attack.
Bien Pham from Qrious Security exploited Oracle VirtualBox successfully using an OOB Read and a stacked-based buffer overflow.
Synacktiv successfully hacked a Tesla Model 3. They executed a TOCTOU (Time-of-Check-to-Time-of-Use) attack against Tesla – Gateway.
Marcin Wi?zowski managed to elevate privileges on Microsoft’s Windows 11 operating system using an improper input validation bug.
Synacktiv was able to escalate privileges on Apple macOS using a TOCTOU bug.
STAR Labs used an already known exploit to successfully hack Ubuntu Desktop.
last_minute_pwnie fafiled to get an Ubuntu exploit working.
A total price money of $375,000 was awarded to the successful researchers and teams. The Tesla Model 3 changed owner as well.
On day two, security researchers managed to hack Oracle VirtualBox, Microsoft Teams, another Tesla, and Ubuntu Desktop.
Thomas Imbert and Thomas Bouzerar from Synacktiv used a 3-bug chain against Oracle VirtualBox with a Host EoP.
Team Viettel hacked Microsoft Teams successfully using a 2-bug chain.
David Berard and Vincent Dehors from Synacktiv managed to get an exploit working that gave them unconfined root access in a Tesla. They used heap overflow and an OOB write for that.
dungdm of Team Viettel exploited Oracle VirtualBox using an uninitialized variable and a UAF bug.
Tanguy Dubroca from Synacktiv managed to escalate privilege on Ubuntu Desktop using an incorrect pointer scaling.
The researchers received $475,000 in price money on the second day.
Attacks against Ubuntu Desktop, Microsoft Teams, Microsoft Windows 11, and VMWare Workstation are planned for the third and final day of the hacking competition.
Additional information about the successful hacks and exploits have not been released to the public. Companies whose products have been exploited will create security patches to protect their devices and applications from potential attacks targeting the bugs.
Expect security updates for all hacked products in the coming days and weeks.
The Exynos Modems manufactured by Samsung Semiconductor were found to have eighteen 0-day vulnerabilities, as revealed by Project Zero. Internet-to-baseband remote code execution was possible due to the four vulnerabilities that were deemed to be the most serious among these eighteen flaws (CVE-2023-24033 and three further vulnerabilities that have not yet been allocated CVE-IDs). Tests that were carried out by Project Zero have shown that the aforementioned four vulnerabilities make it possible for an attacker to remotely compromise a phone at the baseband level without any interaction from the user; all that is required is for the attacker to know the phone number of the victim. We anticipate that highly competent adversaries would be able to swiftly design an operational exploit to compromise impacted devices in a stealthy and remote manner if they were just given access to modest extra research and development resources.
The fourteen other similar vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine additional vulnerabilities that have yet to be granted CVE-IDs) were not as serious since they need either a hostile mobile network operator or an attacker with local access to the device.
The list of Exynos chipsets that are susceptible to these vulnerabilities may be found in the advisory published by Samsung Semiconductor. On the basis of information obtained from public sources that provide a mapping of chipsets to devices, the following devices are likely to be affected:
Devices from Samsung’s S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series;
Devices from Vivo’s S16, S15, S6, X70, X60, and X30 series
Devices from Google’s Pixel 6 and Pixel 7 series
Any wearables that use the Exynos W920 chipset and vehicles that use the Exynos Auto T5123 chipset.
Timelines for patches to address these vulnerabilities will differ depending on the manufacturer. Those who have devices that are vulnerable may protect themselves from baseband remote code execution vulnerabilities in the meanwhile by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in the settings of their devices.
Due to the unusual combination of the level of access that these vulnerabilities provide and the speed at which they believe a reliable operational exploit could be crafted, the Google Security Team has decided to make an exception to their standard disclosure policy and delay the disclosure of the four most severe vulnerabilities. This decision was made because the Google Security Team believes that a reliable operational exploit could be crafted relatively quickly.
But, they will maintain their tradition of openness by publicly publishing disclosure policy exclusions, and after all of the concerns have been identified, they will add these problems to the list. Five of the remaining fourteen vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, and CVE-2023-24076) have surpassed Project Zero’s regular 90-day limit and have been publicly revealed in their issue tracker. The other nine vulnerabilities will be publicly disclosed at that time if they are still unfixed.
End users are strongly urged by the Google Security Team to upgrade their devices as soon as is practically practicable in order to guarantee that they are using the most recent releases, which patch security flaws that have been made public as well as those that have not been made public. It is very vital to maintain vigilance and adopt the appropriate safety measures in order to safeguard one’s personal information and electrical devices from possible security risks.
Looking to enhance your Linux skills? Practical examples to build a strong foundation in Linux – credit: Ramesh Nararajan *******************************************
Telus, a Canadian national telecommunications company is looking into whether employees’ data as well as the source code for the system were stolen and then sold on a dark web marketplace.
Subsequently, the threat actor published screenshots that appear to depict the company’s payroll data and private source code repositories.
“We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members’ information has appeared on the dark web,” Richard Gilhooley, director of public affairs at Telus said in an email.
“We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”
Source Code, Employee Data Stolen
A threat actor offered what they claimed to be TELUS’ employee list (including names and email addresses) for sale on a data breach forum on February 17.
“Today we’re selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telus’ API”, the forum post says.
The post provides what looks to be a list of email addresses for Telus employees as proof. “It isn’t known if these are the current or former staff — or even real”.
Later on Tuesday, February 21, the same threat actor published a new forum post with an offer to sell TELUS’ private GitHub repositories, source code, and payroll data.
“In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!” says the seller’s latest post.
The claimed TELUS data and source code are posted in a second forum post
The seller also stated that the company’s “sim-swap-api,” which is supposed to allow attackers to conduct SIM swap attacks, was included in the stolen source code.
Despite the malicious attacker calling this a “Full breach” and stating that they will sell “anything related to Telus,” it is still too soon to say whether an event actually happened at TELUS or whether a breach at a third-party vendor actually occurred.
“It’s important to note that it’s not clear whether the data being sold is real”, commented Brett Callow, a British Columbia-based threat analyst for Emsisoft.
“If it is real, this is a potentially serious incident which exposes Telus’ employees to increased risk of phishing and social engineering and, by extension, exposes the company’s customers to risk”.
“The alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk.”
Hackers Use Open Source Tools to Attack Shipping Companies & Medical Laboratories
Unfortunately, it is not uncommon for hackers to use open source tools to attack organizations. Open source tools are freely available and can be used for both legitimate and malicious purposes.
In the case of shipping companies and medical laboratories, there are a number of open source tools that hackers could potentially use to launch attacks. For example, they may use network scanning tools such as Nmap or Wireshark to identify vulnerabilities in the organization’s network. They may also use tools such as Metasploit or Cobalt Strike to exploit these vulnerabilities and gain unauthorized access to systems and data.
Once they have access to a system, hackers may use open source tools like Mimikatz to steal passwords and other credentials. They may also use open source malware like DarkComet or Meterpreter to maintain access to compromised systems and exfiltrate sensitive data.
To protect against these types of attacks, it’s important for organizations to take a number of steps, including:
Implementing strong access controls and authentication mechanisms to prevent unauthorized access to systems and data.
Regularly patching and updating software and systems to address known vulnerabilities.
Using security monitoring tools to detect and respond to potential security incidents.
Providing regular security awareness training to employees to help them identify and respond to security threats.
Conducting regular security assessments to identify and address vulnerabilities in the organization’s network and systems.
There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.
It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.
Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.
Modus Operandiof Attack
Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity.
This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.
The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin.
The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:-
To evade attribution efforts
To enhance the stealthiness of their attacks
By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.
Attack Chain
Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization.
This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-
Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
University-Development Engineer[.]exe
Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.
Tools Used
Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-
Gogo scanning tool
Process Dumper (lsass.exe)
Cobalt Strike Beacon
AlliN scanning tool
Fscan
Dogz proxy tool
SoftEtherVPN
Procdump
BrowserGhost
Gost proxy
Ntlmrelay
Task Scheduler
Go-strip
HackBrowserData
It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used.
There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.
This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.