Supply Chain Attacks: Hackers Hit IT ProvidersSymantec Sees New Tortoiseshell Gang Hitting Targets in Middle East
Any attacker able to hack into an IT or managed service provider can gain access not only to that organization's network, but potentially also the network of every one of its customers. So it's no surprise that criminal groups and nation-state attackers alike continue to attempt these types of supply chain attacks (see: Magecart Nightmare Besets E-Commerce Websites).
See Also: 2020 Global Threat Report
Fresh evidence of the trend comes by way of security firm Symantec, which warns that a group it's dubbed Tortoiseshell has been hitting IT providers in the Middle East since at least July 2018, with the most recent activity spotted just two months ago.
Symantec says the group has hit at least 11 organizations, mostly in Saudi Arabia, and appears to have gained admin-level access to at least two organizations as part of its efforts to parlay hacks of IT providers into the ability to hack their many customers. In those two networks, it notes, attackers had managed to infect several hundred PCs with malware called Backdoor.Syskit.
"This is an unusually large number of computers to be compromised in a targeted attack," Symantec's security researchers say in a report. "It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them."
Backdoor.Syskit is a Trojan, written in Delphi and .NET, that's designed to phone home to a command-and-control server and give attackers remote access to the infected system so they can push and execute additional malware on the endpoint, according to Symantec. The security firm first rolled out an anti-virus signature for the malware on Aug. 21.
Symantec says attackers have in some cases also used PowerShell backdoors - also known as a living off the land attack, since it's tough to spot attackers' use of legitimate tools. They've also deployed a range of tools designed to gather information about the system - sometimes including all Firefox data - and send it to attackers.
Symantec not identified the targeted organizations, and it says it's not clear who's behind the attacks. "We currently have no evidence that would allow us to attribute Tortoiseshell's activity to any existing known group or nation-state," the researchers say.
Infection Vector: Potentially, Web Servers
The initial infection vector is also unknown, although in at least one attack, attackers may have hacked into a web server. "For at least one victim, the first indication of malware on their network was a web shell," Symantec says. "This indicates that the attackers likely compromised a web server and then used this to deploy malware onto the network."
For one of the hacked organizations, researchers say they recovered malware called Poison Frog - "a backdoor and a variant of a tool called BondUpdater" - that had infected systems one month prior to the Tortoiseshell malware.
Use of BondUpdater has been linked to APT34, aka Oilrig, which the U.S. government has tied to Iran. But the presence of the malware is no smoking gun, because source code, malicious tools and a list of target victims linked to the group were dumped on Github and Telegram in mid-March and the attack spotted by Symantec happened later. As a result, anyone could now be using attack tools previously tied to APT34 (see: Despite Doxing, OilRig APT Group Remains a Threat).
Supply Chain Attacks' Allure
As the Tortoiseshell modus operandi suggests, supply chain attacks remain prevalent, especially against IT and security service providers, which can give attackers access to a wide range of victims as well as disguise which organizations they are actually attempting to target.
"IT providers are an ideal target for attackers given their high level of access to their clients' computers. This access may give them the ability to send malicious software updates to target machines, and may even provide them with remote access to customer machines," Symantec says. "This provides access to the victims' networks without having to compromise the networks themselves, which might not be possible if the intended victims have strong security infrastructure, and also reduces the risk of the attack being discovered."
Ransomware Attackers Hit Suppliers Too
The ability to potentially hack one organization and gain access to many more is also driving ransomware attackers.
Connecticut-based ransomware incident response firm Coveware, for example, says some ransomware-as-a-service affiliates wielding Sodinokibi ransomware have been specializing in targeting IT managed service providers and their remote management tools.
Such tools get installed on every endpoint that a firm manages. Hence, if attackers can either directly access endpoints running the software or gain access to the MSP and push software to the endpoints, they have access to an already working backdoor on every system.
Bill Siegel, CEO of Coveware, says that when such attacks succeed, they often have a major impact. "It's been devastating, because when they do get into an MSP, they hit hundreds of companies, sometimes simultaneously, [generating] very high return on the attack, rather than just hitting the MSP, which is also a small business," he tells Information Security Media Group. "They're hitting hundreds of small organizations at a time." (See: Ransomware Gangs Practice Customer Relationship Management).
The recent ransomware campaign that hit 22 Texas municipalities, for example, appears to have involved a single attacker hacking into at least one MSP. Gary Heinrich, the mayor of one of the affected municipalities - Keene, Texas, with a population of 6,100 - last month told NPR that the attacker hacked into its IT and demanded a total ransom worth $2.5 million to restore all crypto-locked systems across the 22 municipalities. "They got into our software provider, the guys who run our IT systems," Heinrich told NPR. "A lot of folks in Texas use providers to do that, because we don't have a staff big enough to have IT in house."
Texas state officials declined to comment to ISMG about whether one or more MSPs were compromised in the attack. But in the wake of the attack and incident response efforts, Nancy Rainosek, the CISO of Texas, offered five lessons learned from the attack that she says are applicable to any organization that uses remotely administered IT services or managed security providers (see: Texas Ransomware Responders Urge Remote Access Lockdown).