A previously unknown APT group, named ChamelGang by Positive Technologies, has recently been identified. The group is attacking fuel and energy complex, aviation industry, and government networks in Russia.
The threat actors are mainly interested in stealing data from compromised networks. In the first case, to gain access to the target enterprise's network, they compromised a subsidiary that was running a vulnerable version of a web application on the open-source JBoss Application Server.
By exploiting the vulnerability CVE-2017-12149, the attackers were able to execute their commands remotely on that host. Apart from Russia, ChamelGang has also targeted other countries, again with the aim of stealing data from compromised networks:-
In that case, the threat actors gained access to the company's mail servers by using a backdoor which, at the time of the attack, was not detected by most anti-virus solutions, the cybersecurity experts at Positive Technologies concluded.
Denis Kuvshinov, Head of Threat Analysis at Positive Technologies:-
“Attackers can penetrate the corporate network of an industrial enterprise more than 90% of the time, and almost every such invasion leads to complete loss of control over the infrastructure. More than half of these attacks lead to the theft of data on company partners and employees, mail correspondence, and internal documentation.”
In the first case, ChamelGang's initial aim was to steal data; however, prompt detection of the group and a timely response made it possible to prevent the theft.
In the second case, to compromise the infrastructure, the attackers used a chain of related vulnerabilities in Microsoft Exchange known as ProxyShell:-
All of these vulnerabilities are actively exploited by APT groups, since they are the most attractive options for compromising their targets.
A distinctive feature of ChamelGang's attacks is the use of new, previously unknown malware, listed below:-
- The DoorMe backdoor
Denis Goydenko, Head of Information Security Threat Response at Positive Technologies:-
“Among the malware samples we found, the most interesting is the DoorMe backdoor. This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed. And this backdoor also gives the attackers a wide range of opportunities in the captured systems.”
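DoorMe is described above as a native IIS module, that is, a DLL registered in the web server's global module list so that it sees every HTTP request and response. A practical defensive starting point is to audit that list against a known-good baseline. The Python below is an added example, not code from Positive Technologies and not a detector for DoorMe specifically: it parses a constructed fragment in the shape of IIS's applicationHost.config (the `globalModules` section and the `%windir%\System32\inetsrv` location are real IIS conventions, but the module names, paths and baseline here are made up) and flags any module whose DLL lives outside the stock inetsrv directory or whose name is not in the baseline.

```python
"""Audit native IIS modules registered in applicationHost.config.

Added example: parses a constructed config fragment and reports modules
that deviate from a known-good baseline. Not project code.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample in the shape of applicationHost.config. The first two
# entries mimic stock Microsoft modules; "UpdaterModule" is a hypothetical
# placeholder for an unexpected module loaded from outside inetsrv.
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="UpdaterModule" image="C:\ProgramData\example\example_suspicious.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories where stock IIS native modules are expected to live
# (compared case-insensitively, as Windows paths are).
TRUSTED_DIRS = {
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
}

# Constructed baseline: module names an administrator has previously reviewed.
BASELINE = {"HttpLoggingModule", "StaticFileModule"}


def list_global_modules(config_xml):
    """Return (name, image) for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def audit_global_modules(config_xml, baseline_names):
    """Return (name, image, reason) for every module that deserves review.

    A module is flagged if its DLL is outside the trusted inetsrv directory
    or if its name is not in the reviewed baseline.
    """
    findings = []
    for name, image in list_global_modules(config_xml):
        parent_dir = str(PureWindowsPath(image).parent).lower()
        reasons = []
        if parent_dir not in TRUSTED_DIRS:
            reasons.append("image outside inetsrv")
        if name not in baseline_names:
            reasons.append("name not in baseline")
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(f"REVIEW: {name} -> {image} ({reason})")
```

On a live server the same functions can be pointed at the real applicationHost.config; a DLL loaded from a user-writable directory, or a module name nobody on the team recognises, is the signal to pull the file for analysis.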
The attackers were present in the infrastructure of the targeted organization for only eight days, and did not have time to cause significant damage.