In today's technologically driven era, the cyber landscape is a dynamic and relentless battlefield. As we traverse the digital realm, the threats posed by cyber attacks continue to mutate and adapt, challenging our ability to stay ahead of the curve. From nation-state hacking to sophisticated ransomware campaigns and social engineering exploits, the arsenal of cyber adversaries seems boundless. In the past week, quite a few notable attacks have come to the limelight, the most prominent being the attack on Israel's largest oil refinery operator, APT31 targeting air-gapped systems in Eastern Europe, and some interesting insights into the Space Pirates cyber campaign across Russia. This post highlights the attack details along with the associated TTPs.
According to Bleeping Computer, the website of Israel's largest oil refinery operator, BAZAN Group, is inaccessible from most parts of the world as threat actors claim to have hacked the Group's cyber systems. A backdrop about BAZAN Group: it is located in the Haifa Bay area and is one of the largest and most complex energy groups in Israel. It operates a refinery and is a petrochemical conglomerate. Approximately 70% of the Company's products are distributed in the Israeli market and the remainder in international markets (with an emphasis on countries in the eastern Mediterranean). In terms of the attack, during the weekend BAZAN Group's websites, namely bazan.co.il and eng.bazan.co.il, experienced significant issues with incoming traffic. Many visitors encountered timeouts and HTTP 502 errors, while others were denied access by the company's servers. Bleeping Computer has suggested that "BAZAN may have implemented a geo-block as a defensive measure against an ongoing cyber attack." Interestingly, on a Telegram channel, Cyber Avengers aka Cybe3rAv3ngers (Iranian hacktivists) claimed that it had breached BAZAN's network over the weekend. Additionally, it also leaked images of the SCADA systems, including diagrams of a "Flare Gas Recovery Unit," an "Amine Regeneration" system, and a petrochemical "Splitter Section." [Source]
APT31 is a sophisticated Chinese state-sponsored cyber espionage group, also known as Zirconium or Judgment Panda, that has been known to conduct targeted attacks on governments, organizations, and tech companies, focusing on intellectual property theft and information gathering for strategic advantage. This time around, they are suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. The tactics used resemble those seen in their past operations. (Refer to this link here: APT31)
Kaspersky attributes the intrusions to APT31 (Bronze Vinewood, Judgement Panda, Violet Typhoon). The attacks involved more than 15 distinct implants, categorized by their abilities to establish remote access, gather sensitive data, and send it to the attackers' infrastructure. The attackers used a set of backdoors, including a malware family named FourteenHi with versatile features for file manipulation, command execution, reverse shell, and self-erasure from compromised hosts. Furthermore, Kaspersky discovered three first-stage backdoors used in cyber attacks by APT31. Among them are a backdoor named MeatBall, with capabilities for process listing and file operations, and a third implant that uses Yandex Cloud for command-and-control. (Source)
Over the past year, the threat actor Space Pirates has targeted 16 organizations in Russia and Serbia, displaying innovative tactics and expanding its cyber arsenal. The group's primary objectives remain espionage and the theft of confidential data, but it has diversified its interests and extended the scope of its attacks. The targets include government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, and defense, energy, and healthcare firms in both countries. Space Pirates first came to light in May 2022, with a focus on the aerospace sector in Russia. It has been active since at least late 2019 and has ties to another adversary known as Webworm, as tracked by Symantec. Positive Technologies' analysis of the attack infrastructure has revealed the threat actor's interest in harvesting PST email archives as well as its use of Deed RAT, a malware artifact exclusively attributed to the adversarial collective.
These attacks point to an emerging trend of threat actors exploiting cloud services to evade detection. Kaspersky researchers also highlight the challenge of detecting and analyzing these threats, as the malicious code is concealed in encrypted form within separate binary data files and in the memory of legitimate applications. The necessity to exercise extreme precaution while managing cyber attacks has never been more critical. With ever-evolving cyber threats, advanced and persistent adversaries, and the increasing reliance on digital infrastructure, organizations must prioritize robust cybersecurity measures. Implementing proactive defense strategies, continuous monitoring, and employee training is essential to safeguard sensitive data, prevent financial losses, and protect reputation in the face of relentless cyber threats.