
Sophisticated evasion techniques adopted in the Op Poisoned Hurricane

Researchers at FireEye have uncovered a new campaign, dubbed Poisoned Hurricane, characterized by the use of several clever techniques to avoid detection.

Security experts at FireEye revealed that several Internet infrastructure service providers in the United States and Asia, a financial institution, a government organization located in Asia and a US-based media company suffered targeted cyber attacks.

The hacking campaign, dubbed Poisoned Hurricane, was detected for the first time in March 2014, when experts at FireEye detected a PlugX (Kaba) variant that connected to legitimate domains and IP addresses. The instances analyzed by the experts were able to connect to domains such as adobe.com, update.adobe.com and outlook.com.

The attackers used the well-established tactic of digitally signing the malicious code with a legitimate certificate: one sample was signed with a digital certificate issued to the Police Mutual Aid Association, and another with an expired digital certificate belonging to a company called MOCOMSYS, Inc.

The attackers behind the Poisoned Hurricane campaign used several popular legitimate domains as command and control endpoints, re-routing traffic destined for these domains only from specific victims.

PlugX malware used in the Poisoned Hurricane campaign was configured to resolve DNS lookups through the nameservers of a company called Hurricane Electric.

Only machines infected with these PlugX variants were affected by the hijacking; ordinary visitors of the legitimate domains were not. The researchers at FireEye identified a total of 21 legitimate domains hijacked by the bad actors.

As the experts explained, anyone could sign up for a free account with the company's hosted DNS service, which allowed users to register a zone and create A records for it; because an A record could be pointed at any IP address, this made it possible to hijack legitimate domains.

“This sample was configured to resolve DNS lookups via Hurricane Electric’s nameservers of 216.218.130.2, 216.218.131.2, 216.218.132.2 and 216.66.1.2.” “We found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as adobe.com. Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electric’s public DNS service. Furthermore, Hurricane Electric did not check if zones created by their users had already been registered or were otherwise legitimately owned by other parties,” reports the blog post published by FireEye.
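The mechanism above gives a defender two concrete signals: a host sending DNS queries straight to Hurricane Electric's authoritative nameservers (the four addresses quoted from the FireEye post) rather than to the organisation's own resolver, and a well-known domain such as adobe.com or outlook.com resolving to an address outside the range the defender has baselined for it. The following script, added here as an illustration and not part of the original article or of FireEye's tooling, runs both checks over a handful of constructed DNS log lines; the approved resolver address, the per-domain expected networks and the log format are all assumptions made for the example.

```python
"""Detection example for the Poisoned Hurricane DNS technique (added example;
not the article's or FireEye's code). Two rules are applied to DNS log lines:

1. The query was sent directly to one of Hurricane Electric's authoritative
   nameservers named in the FireEye quote, or to any resolver that is not on
   the approved list.
2. A baselined domain was answered with an address outside the networks the
   defender expects for it.

The log format, the approved resolver and the expected networks are constructed
for this example; a real deployment would feed in Zeek/firewall DNS logs and a
baseline derived from observed traffic.
"""
from ipaddress import ip_address, ip_network

# Nameservers the FireEye write-up says the PlugX sample was configured to use.
HE_NAMESERVERS = {"216.218.130.2", "216.218.131.2", "216.218.132.2", "216.66.1.2"}

# Hypothetical: the only resolver endpoints on this network should be using.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Hypothetical baseline of address ranges for the domains the campaign abused
# (documentation ranges used here; real values come from your own observations).
EXPECTED_NETWORKS = {
    "adobe.com": [ip_network("192.0.2.0/24")],
    "update.adobe.com": [ip_network("192.0.2.0/24")],
    "outlook.com": [ip_network("198.51.100.0/24")],
}


def parse_line(line):
    """Parse one constructed log line of the form
    '<timestamp> <client_ip> -> <server_ip> <qname> A <answer_ip>'.
    Returns None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "->" or parts[5] != "A":
        return None
    ts, client, _, server, qname, _, answer = parts
    return {"ts": ts, "client": client, "server": server,
            "qname": qname.rstrip(".").lower(), "answer": answer}


def analyse(lines):
    """Return a list of (rule_name, record) findings for the supplied lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: the endpoint bypassed the corporate resolver. A direct query
        # to an HE authoritative server is the campaign-specific variant.
        if rec["server"] in HE_NAMESERVERS:
            findings.append(("direct-query-to-HE-nameserver", rec))
        elif rec["server"] not in APPROVED_RESOLVERS:
            findings.append(("unapproved-resolver", rec))
        # Rule 2: a legitimate domain resolved somewhere it should not.
        nets = EXPECTED_NETWORKS.get(rec["qname"])
        if nets is not None:
            addr = ip_address(rec["answer"])
            if not any(addr in net for net in nets):
                findings.append(("unexpected-answer", rec))
    return findings


# Constructed sample log lines; 203.0.113.0/24 stands in for attacker space.
SAMPLE_LOG = [
    "2014-03-12T10:00:01 10.1.1.20 -> 10.0.0.53 adobe.com A 192.0.2.10",
    "2014-03-12T10:00:02 10.1.1.21 -> 216.218.130.2 update.adobe.com A 203.0.113.7",
    "2014-03-12T10:00:03 10.1.1.22 -> 8.8.8.8 outlook.com A 198.51.100.5",
    "2014-03-12T10:00:04 10.1.1.21 -> 216.66.1.2 outlook.com A 203.0.113.7",
    "malformed line",
]

if __name__ == "__main__":
    for rule, rec in analyse(SAMPLE_LOG):
        print(f"{rule}: {rec['client']} asked {rec['server']} "
              f"for {rec['qname']} -> {rec['answer']}")
```

On the constructed sample the first line is clean, the two queries from 10.1.1.21 trigger both rules, and the query to a public recursive resolver trips only the resolver check. Rule 2 is the more durable of the two: a variant that used the system resolver instead of hard-coded nameservers would evade rule 1 entirely, but a hijacked zone still has to return the attacker's address to the victim, and that answer is visible wherever the organisation logs DNS responses.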

At the time of writing, Hurricane Electric was no longer returning answers for these hijacked domains. The analysis of the domains used by the bad actors allowed FireEye to identify the APT that, in a parallel operation, used Google Code to obfuscate the location of its C&C servers.

(Image: Poisoned Hurricane domains used by the APT)

“While none of these techniques are necessarily new, in combination, they are certainly both creative and have been observed to be effective. Although the resultant C2 traffic can be successfully detected and tracked, the fact that the malware appears to beacon to legitimate domains may lull defenders into a false sense of security,” FireEye researchers added.

These parallel campaigns demonstrate that APTs are very active and are focusing their efforts on improving evasion capabilities; in Poisoned Hurricane the attackers showed mastery of the following evasion techniques:

    • The use of legitimate digital certificates to sign malware
    • The use of Hurricane Electric’s public DNS nameservers to redirect command and control traffic
    • The use of Google Code to obfuscate the location of command and control servers

Pierluigi Paganini

(Security Affairs – ARP, Poisoned Hurricane)