Avast for mac temp file
In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. We gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. They acquired domains that imitate legitimate ones (…). In addition, the APT group placed SSL certificates that also imitated legitimate ones (…) on its servers. To achieve their goal, the attackers used a trending penetration method: supply chain. The group compromised a subsidiary and penetrated the target company's network through it.

After investigating the first incident, on August 16, 2021, as part of threat intelligence of the newly discovered group, PT ESC specialists detected another successful attack (server compromise), identified a new victim, and notified the affected organization. This time, the criminals attacked a Russian company from the aviation production sector, and used a chain of ProxyShell vulnerabilities for penetration.

To achieve their goals, the attackers used such well-known malicious programs as FRP, Cobalt Strike Beacon, and Tiny shell. They also used new, previously unknown malware (for example, ProxyT, BeaconLoader, and DoorMe backdoor).

Despite the fact that we managed to conduct two successful investigations, we could not unequivocally attribute the attackers to any of the known APT groups. We named the new group ChamelGang (from the word "chameleon"), since in both cases the group disguised its malware and network infrastructure under legitimate services of such companies as Microsoft, TrendMicro, McAfee, IBM, and Google.

The reason for the investigation was the multiple triggering of the company's antivirus products reporting the presence of Cobalt Strike Beacon in RAM.

At the end of March 2021, the attackers compromised a subsidiary organization to gain access to the energy company's network, using a vulnerable version of a web application on the JBoss Application Server platform. The investigation revealed that the attackers, having exploited vulnerability CVE-2017-12149, were able to remotely execute commands on the host. When analyzing the server logs, vuln6581362514513155613jboss records were found on the compromised host, indicating that the public exploit jboss-_CVE-2017-12149 had been used.

Figure 1. Example of how the exploit works

Figure 2.