Hackers target oil producers as they struggle with a record glut of crude

As the world’s top oil producers prepared for a weeklong meeting earlier this month to plan a response to slumping prices of crude, espionage hackers commenced a sophisticated spearphishing campaign that was concentrated on US-based energy companies. The goal: install a notorious trojan that siphoned their most sensitive communications and data.

Setting the campaign apart, the emails were mostly free of the typos, broken grammar, and other sloppiness that are typical of phishes. The emails also reflected a sender who was well-acquainted with the business of energy production. A barrage of emails that started on March 31, for instance, purported to come from Engineering for Petroleum and Process Industries, a real Egyptian state oil company.

Not your father’s spear-phishing

The sender invited the recipient to submit a bid for equipment and materials as part of a real ongoing project, known as the Rosetta Sharing Facilities Project, on behalf of Burullus, a gas joint venture that’s half-owned by another Egyptian state oil company. The email, which was sent to about 150 oil and gas companies over a week starting on March 31, attached two files that masqueraded as bidding conditions, forms, and a request for proposal. The relatively small number of emails reflects the narrow targeting of the carefully crafted campaign. By contrast, many phishing campaigns indiscriminately send tens of thousands of emails.

The spear-phish in the campaign that began on March 31. (Image: Bitdefender)

“To someone in the oil & gas industry, who has knowledge about these projects, the email and the information within might seem sufficiently convincing to open the attachments,” researchers from security firm Bitdefender wrote in a post published on Tuesday.

The most-targeted companies were located in Malaysia, the United States, Iran, South Africa, and Oman. (Image: Bitdefender)

A second campaign started on April 12. It sent an email asking recipients to complete a document known as an Estimated Port Disbursement Account needed for the chemical and oil tanker named MT Sinar Maluku. Not only was that a real vessel registered under the Indonesian flag, it had left its port on April 12 and was expected to reach its destination two days later. The email was sent to 18 companies, 15 of which were shipping companies in the Philippines.

“This email serves as another example of the length to which attackers will go to get their facts straight, make the email seem legitimate, and specifically target a vertical.”

Pandemic-induced glut

The campaigns are likely an attempt to gain closely guarded information about the current negotiations between Russia, Saudi Arabia, and other oil producers struggling with a glut of crude resulting from the coronavirus pandemic. Bitdefender said this is hardly the first time companies in this industry have been targeted. The security firm has been tracking a run of cyber attacks on energy companies over the past year. Since September, the number has increased every month and reached a peak in February with more than 5,000. There have been more than 13,000 attacks this year.

Both of the recent campaigns deliver files that install Agent Tesla, a malware-as-a-service offering that charges various prices based on different licensing models. The trojan, which has been available since 2014, has a variety of capabilities, including “stealth, persistence and security evasion techniques that ultimately enable it to extract credentials, copy clipboard data, perform screen captures, form-grabbing, and keylogging functionality, and even collect credentials for a variety of installed applications.”

Companies in the US were targeted the most, followed by the UK, Ukraine, and Latvia.

The geographical distribution.

“What’s interesting is that, until now, it has not been associated with campaigns targeting the oil & gas vertical,” Bitdefender researchers added.

The campaign provides a reminder that, despite the growing awareness of phishing attacks, they remain one of the most effective ways for attackers to gain a foothold in targeted companies. Even when phishing emails contain misspellings, grammatical mistakes, and other flaws, recipients often rightly assume those are the results of senders writing in a second language. Phishes as well crafted as these stand an even better chance of success.

A white supremacist website got hacked, airing all its dirty laundry

Patriot Front members spray painting in Springfield, IL. (Image: Unicornriot.ninja)

Chat messages, images, and videos leaked from the server of a white supremacist group called the Patriot Front purport to show its leader and rank-and-file members conspiring in hate crimes, despite their claims that they were a legitimate political organization.

Patriot Front, or PF, formed in the aftermath of the 2017 Unite the Right rally, a demonstration in Charlottesville, Virginia, that resulted in one death and 35 injuries when a rally attendee rammed his car into a crowd of counter-protesters. PF founder Thomas Rousseau started the group after an image posted online showed the now-convicted killer, James Alex Fields, Jr., posing with members of Vanguard America shortly before the attack. Vanguard America soon dissolved, and Rousseau rebranded it as PF with the goal of hiding any involvement in violent acts.

Since then, PF has strived to present itself as a group of patriots who are aligned with the ideals and values of the founders who defeated the tyranny of British colonists in the 18th century and paved the way for the United States to be born. In announcing the formation of PF in 2017, Rousseau wrote:

The new name was carefully chosen, as it serves several purposes. It can help inspire sympathy among those more inclined to fence-sitting, and can be easily justified to our ideology [sic] and worldview. The original American patriots were nothing short of revolutionaries. The word patriot itself comes from the same root as paternal and patriarch. It means loyalty to something intrinsically based in blood.

Turbo cans and rubber roofing cement

But a published report and leaked data the report is based on present a starkly different picture. The chat messages, images, and videos purport to show Rousseau and other PF members discussing the defacing of numerous murals and monuments promoting Black Lives Matter, LGBTQ groups, and other social justice causes.

This chat, for instance, appears to show a PF member discussing the targeting of a civil rights mural in Detroit. When a member asks what the best way is to fully cover up a mural with paint, Rousseau is shown replying “It’s in the stencil guide. Turbo cans.” The stencil guide refers to these instructions provided to PF members showing how to effectively use spray paint and not get caught. The PF member also sent Rousseau pictures taken while scouting the mural.

When a different member discussed whether rubber roofing cement was suitable for covering a George Floyd memorial that had been treated with anti-graffiti clear coating, Rousseau allegedly responded: “Keep me posted as to your research and practice with this substance. Orders will be given out at the event.”

The data dump also appears to document the defacing of a monument in Olympia, Washington.

What it looked like before. (Image: Unicorn.ninja)

What it looked like after. (Image: Unicorn.ninja)

The leaked data purports to show a range of other illegal activities the group discussed. They include Rousseau informing members planning a rally in Washington DC that one participant will call 911 from a burner phone and make a false report to authorities.

“He will cite that there is a protest, he sees shields BUT NO WEAPONS, and everyone involved appears to be behaving peacefully, waving and handing out flyers, nonetheless he is a concerned citizen and suggests the police take a look into it to ensure everyone’s civil rights are safe,” Rousseau appeared to write. “He will add that it looks like we just arrived from the metro. This will soften the police up before our big visual contact on the bridge, and provide a little confusion and misinfo that’s within the realm of honest dialogue.”

Attempts to reach Rousseau or other PF members didn’t succeed.

Friday’s published report said that the leak comprised about 400 gigabytes of data and came from a self-hosted instance of RocketChat, an open source chat server that’s similar to Slack and Discord. It’s only the latest example of a hate group being hacked and its private discussions being dumped online. In 2019, the breach of the Iron March website revealed, among other things, that many of its members were members of the US Marines, Navy, Army, and military reserves.

Supply chain attack used legitimate WordPress add-ons to backdoor sites

Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to the attacker

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean.

“Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites,” Ben Martin, a researcher with Web security firm Sucuri, wrote in a separate analysis of the backdoor.

He said the tainted software contained a script named initial.php that was added to the main theme directory and then included in the main functions.php file. Initial.php, the analysis shows, acted as a dropper that used base64 encoding to camouflage code that downloaded a payload from wp-theme-connect[.]com and used it to install the backdoor as wp-includes/vars.php. Once it was installed, the dropper self-destructed in an attempt to keep the attack stealthy.
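The dropper chain described above leaves two kinds of evidence a site owner can check for: a core file (`wp-includes/vars.php`) whose contents no longer match the pristine release, and a theme whose `functions.php` still pulls in an `initial.php` even after the dropper has deleted itself. The following integrity check is an added example and is not code from Jetpack, Sucuri or AccessPress Themes; it assumes you hold a known-good checksum manifest for your exact WordPress version (the `KNOWN_GOOD` entries and the sample site tree below are constructed so the script runs offline).

```python
"""Integrity check for a WordPress install, modelled on the backdoor described
above: a dropper ``initial.php`` added to a theme directory, included from
``functions.php``, that replaced ``wp-includes/vars.php``.

Added example; not code from Jetpack, Sucuri or AccessPress Themes. The
checksum manifest and the sample site tree are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

# Constructed manifest: relative path -> sha256 of the known-good file.
# Assumption: in production these come from the checksums published for the
# exact WordPress version that is installed.
KNOWN_GOOD = {
    "wp-includes/vars.php": hashlib.sha256(b"<?php // genuine vars.php\n").hexdigest(),
    "wp-includes/version.php": hashlib.sha256(b"<?php $wp_version = 'x.y';\n").hexdigest(),
}

# functions.php pulling in initial.php, which survives the dropper's self-delete.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*initial\.php", re.I)
# Lower-confidence indicator: the dropper hid its code behind base64.
B64_RE = re.compile(r"base64_decode\s*\(", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_core_integrity(root, manifest):
    """Report manifest files that are missing or whose hash differs."""
    findings = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append(("missing-core-file", rel))
        elif sha256_file(path) != expected:
            findings.append(("modified-core-file", rel))
    return findings


def check_themes(root):
    """Look for the dropper pattern in every theme under wp-content/themes."""
    findings = []
    themes_dir = os.path.join(root, "wp-content", "themes")
    if not os.path.isdir(themes_dir):
        return findings
    for theme in sorted(os.listdir(themes_dir)):
        tdir = os.path.join(themes_dir, theme)
        if not os.path.isdir(tdir):
            continue
        rel = os.path.join("wp-content", "themes", theme)
        # The dropper itself; it self-deletes, so its absence proves nothing.
        if os.path.isfile(os.path.join(tdir, "initial.php")):
            findings.append(("dropper-present", rel + "/initial.php"))
        fpath = os.path.join(tdir, "functions.php")
        if os.path.isfile(fpath):
            with open(fpath, "r", errors="replace") as f:
                if INCLUDE_RE.search(f.read()):
                    findings.append(("functions-includes-dropper", rel + "/functions.php"))
        for dirpath, _, files in os.walk(tdir):
            for name in files:
                if not name.endswith(".php"):
                    continue
                p = os.path.join(dirpath, name)
                with open(p, "r", errors="replace") as f:
                    if B64_RE.search(f.read()):
                        findings.append(("base64-in-theme", os.path.relpath(p, root)))
    return findings


def scan(root, manifest=KNOWN_GOOD):
    """Run both checks; returns a list of (finding-type, relative-path) tuples."""
    return check_core_integrity(root, manifest) + check_themes(root)


def build_sample_site():
    """Constructed WordPress tree in the post-compromise state described above."""
    root = tempfile.mkdtemp(prefix="wp-")
    files = {
        "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
        # vars.php has been replaced by the backdoor (constructed stand-in body)
        "wp-includes/vars.php": "<?php eval(base64_decode('ZmFrZQ=='));\n",
        # initial.php already self-deleted; only the include in functions.php remains
        "wp-content/themes/acme/functions.php":
            "<?php\nrequire_once get_template_directory() . '/initial.php';\n",
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('title-tag');\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for kind, where in scan(build_sample_site()):
        print(f"{kind:28} {where}")
```

Run against a real site root, `scan()` should return an empty list; the two findings it produces for the constructed tree (the modified `vars.php` and the theme still including `initial.php`) are exactly the traces the Sucuri analysis describes. A clean `wp-includes` alone is not enough, because a reinstall of core would remove `vars.php` while leaving the dropper reference in the theme.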

The Jetpack post said evidence indicates that the supply chain attack on AccessPress Themes was performed in September. Martin, however, said evidence suggests the backdoor itself is much older than that. Some of the infected websites had spam payloads dating back nearly three years. He said his best guess is that the people behind the backdoor were selling access to infected sites to people pushing web spam and malware.

He wrote, “With such a large opportunity at their fingertips, you’d think that the attackers would have prepared some exciting new payload or malware, but alas, it seems that the malware that we’ve found associated with this backdoor is more of the same: spam, and redirects to malware and scam sites.”

The Jetpack post provides full names and versions of the infected AccessPress software. Anyone running a WordPress site with this company’s offerings should carefully inspect their systems to ensure they’re not running a backdoored instance. Site owners may also want to consider installing a website firewall, many of which would have prevented the backdoor from working.

The attack is the latest example of a supply chain attack, which compromises the source of a legitimate piece of software rather than trying to infect individual users. The technique allows miscreants to infect large numbers of users, and it has the benefit of stealth, since the compromised software originates from a trusted provider.

Attempts to contact AccessPress Themes for comment were unsuccessful.

Red Cross implores hackers not to leak data for 515k “highly vulnerable people”

The Red Cross on Wednesday pleaded with the threat actors behind a cyberattack that stole the personal data of about 515,000 people who used a program that works to reunite family members separated by conflict, disaster or migration.

“While we don’t know who is responsible for this attack, or why they carried it out, we do have this appeal to make to them,” Robert Mardini, the director-general of the International Committee of the Red Cross, said in a release. “Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world’s least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data.”

Wednesday’s release said the personal data was obtained through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data was compiled by at least 60 different Red Cross and Red Crescent National Societies worldwide. The ICRC said it has no “immediate indications as to who carried out this cyber-attack” and is so far unaware of any of the compromised information being leaked or shared publicly.

Those affected had used Restore Family Links, a service the Red Cross operates in cooperation with the Red Crescent to reunite families. On Wednesday, the site was down. The Internet Archive last updated it on December 27, raising the possibility of the breach occurring a few weeks ago.

The release provided few details about the attack. It’s not clear if it was done by profit-motivated ransomware criminals, nation-state hackers, or others. Over the past few years, a rash of ransomware breaches has hit healthcare providers, forcing them in many cases to reroute ambulances and cancel elective surgeries. In 2020, the ICRC helped lead a coalition that called on nations around the world to crack down on cyberattacks involving hospitals and healthcare providers.

Last September, the ICRC confirmed it was on the receiving end of a hack the previous April that compromised login credentials and other data that could be used to target agencies within the intergovernmental organization. The earliest known date the hackers obtained access to the UN’s systems, Bloomberg News reported, was April 5, and the hackers remained active through at least August. The breach came to light when private researchers noticed login credentials for sale on the dark web.
