ChamelGang hackers attack energy complex and aircraft industry
A new APT group known as ChamelGang has attacked the fuel and energy complex and the aviation industry in Russia, researchers from the Positive Technologies Expert Security Center (PT ESC) have revealed.
Additional attacks targeted institutions in 9 other countries, including the United States, India, Nepal, Taiwan and Japan. In some cases, researchers discovered compromised government servers. The group has begun exploiting the ProxyShell vulnerabilities in attacks on Microsoft Exchange servers. It is possible that vulnerable servers in the UK will also be affected in the future.
ChamelGang focuses on data theft from compromised networks, and its first trusted-relationship attacks were recorded in March 2021.
Attackers can penetrate an industrial company’s corporate network more than 90% of the time, and almost every such invasion results in a complete loss of control over the IT infrastructure. More than half of these attacks result in the theft of data about company partners and employees, mail correspondence and internal documentation.
The PT ESC Incident Response Team discovered the existence of ChamelGang while investigating security vulnerabilities in the fuel and energy and aviation sectors in Russia.
ChamelGang had compromised a subsidiary organization by using a vulnerable version of a web application on the open source JBoss Application Server platform. By exploiting vulnerability CVE-2017-12149 (which was patched by Red Hat over four years ago), the criminals were able to remotely execute commands on the node.
Two weeks later, the hacking group also compromised the parent company. The attackers obtained the local administrator's password on one of the servers in an isolated segment by a dictionary attack and entered the network using Remote Desktop Protocol (RDP).
The attackers went unnoticed in the corporate network for three months; after studying it, they took control of most of it, including critical servers and nodes in different segments. The APT group was specifically looking for data, and it managed to steal it.
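Detection logic for the pattern described above, a password-guessing burst followed by a successful RDP logon, as an added example that is not from the report or from Positive Technologies. The event records, the threshold and the time window are constructed assumptions; the event IDs (4625 failed logon, 4624 successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are standard Windows Security log values.

```python
"""Correlate failed logons with a following successful RDP logon.

Added example, not part of the original report. Works on a list of
simplified Windows Security event tuples; the records below are
constructed sample data, not observations from the incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, logon_type, source_ip)
SAMPLE_EVENTS = [
    ("2021-03-10T02:14:01", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:02", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:03", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:05", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:06", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:08", 4625, "Administrator", 10, "10.20.30.5"),
    ("2021-03-10T02:14:09", 4624, "Administrator", 10, "10.20.30.5"),  # guess succeeded
    ("2021-03-10T09:00:00", 4624, "jdoe", 2, "-"),                    # normal console logon
    ("2021-03-10T09:05:00", 4625, "jdoe", 2, "-"),                    # single typo, no alert
]


def detect_guess_then_rdp(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (account, source_ip) where at least `threshold`
    failed logons inside `window` are followed by a successful LogonType 10
    (RDP) logon from the same source. Events may arrive unordered."""
    failures = defaultdict(list)  # (account, ip) -> timestamps of 4625 events
    alerts = []
    for ts, event_id, account, logon_type, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (account, ip)
        if event_id == 4625:
            failures[key].append(t)
        elif event_id == 4624 and logon_type == 10:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"account": account, "source_ip": ip,
                               "failed_attempts": len(recent), "success_at": ts})
                failures[key].clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in detect_guess_then_rdp(SAMPLE_EVENTS):
        print(alert)
```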
The attackers also exploited a chain of related Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) known as ProxyShell. The chain became public last month and has since been actively exploited by other APT groups.
The attackers gained access to the company’s mail servers using a backdoor that had not been detected by most antivirus tools at the time of the attack. The attackers stayed inside the infrastructure of the target organization for only eight days and did not have time to do much damage.
A distinctive feature of ChamelGang attacks is the use of new malware: ProxyT, BeaconLoader, and the DoorMe backdoor. The latter is a passive backdoor, which considerably complicates its detection. The group also uses more well-known variants such as FRP, Cobalt Strike Beacon, and Tiny Shell.