Hackers Use Open Source Tools to Attack Shipping Companies & Medical Laboratories
Unfortunately, it is not uncommon for hackers to use open source tools to attack organizations. Open source tools are freely available and can be used for both legitimate and malicious purposes.
In the case of shipping companies and medical laboratories, there are a number of open source tools that hackers could potentially use to launch attacks. For example, they may use network scanning tools such as Nmap or Wireshark to identify vulnerabilities in the organization’s network. They may also use tools such as Metasploit or Cobalt Strike to exploit these vulnerabilities and gain unauthorized access to systems and data.
Once they have access to a system, hackers may use open source tools like Mimikatz to steal passwords and other credentials. They may also use open source malware like DarkComet or Meterpreter to maintain access to compromised systems and exfiltrate sensitive data.
To protect against these types of attacks, it’s important for organizations to take a number of steps, including:
- Implementing strong access controls and authentication mechanisms to prevent unauthorized access to systems and data.
- Regularly patching and updating software and systems to address known vulnerabilities.
- Using security monitoring tools to detect and respond to potential security incidents.
- Providing regular security awareness training to employees to help them identify and respond to security threats.
- Conducting regular security assessments to identify and address vulnerabilities in the organization’s network and systems.
There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.
It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.
Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.
Modus Operandi of Attack
Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity.
This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.
The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin.
The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:-
- To evade attribution efforts
- To enhance the stealthiness of their attacks
By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.
Attack Chain
Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization.
This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-
- Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
- University-Development Engineer[.]exe
Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.
Tools Used
Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-
- Gogo scanning tool
- Process Dumper (lsass.exe)
- Cobalt Strike Beacon
- AlliN scanning tool
- Fscan
- Dogz proxy tool
- SoftEtherVPN
- Procdump
- BrowserGhost
- Gost proxy
- Ntlmrelay
- Task Scheduler
- Go-strip
- HackBrowserData
It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used.
There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.
This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.
Previous posts on Security Tool
InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services
