Intelligent CIO Kuwait Issue 5 | Page 42

SECURITY SPOTLIGHT

CYBERCRIMINALS ATTACK KUWAIT SHIPPING AND TRANSPORT ORGANISATIONS

Palo Alto Networks has revealed how cybercriminals attacked shipping and transportation organisations in Kuwait.

Palo Alto Networks has revealed how cybercriminals attacked organisations in Kuwait. Unit 42, the global threat intelligence team at Palo Alto Networks, observed previously unknown tools used in the targeting of transportation and shipping organisations based in the country.

The first known attack in this campaign targeted a Kuwait transportation and shipping company, in which the actors installed a backdoor tool named Hisoka. Several custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same developer.

The team were able to collect several variations of these tools, including one dating back to July 2018. The developer of the collected tools used character names from the anime series Hunter x Hunter, which is the basis for the campaign name ‘xHunt’. The names of the tools collected include the backdoor tools Sakabota, Hisoka, Netero and Killua.

These tools not only use HTTP for their command and control (C2) channels, but certain variants of these tools use DNS tunnelling or emails to communicate with their C2 as well. While DNS tunnelling as a C2 channel is fairly common, the specific method in which this group used email to facilitate C2 communications has not been observed by Unit 42 in quite some time. This method uses Exchange Web Services (EWS) and stolen credentials to create email ‘drafts’ to communicate between the actor and the tool.

In addition to the aforementioned backdoor tools, the team also observed tools referred to as Gon and EYE, which provide the backdoor access and the ability to carry out post-exploitation activities.
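The article notes that DNS tunnelling is a common C2 channel and that Palo Alto Networks detects it automatically. The following is an added, editor-written illustration (not Unit 42 or Palo Alto Networks code) of the kind of heuristic a defender can run over resolver logs: it scores each registered domain by how long, how random-looking and how rarely repeated its subdomain labels are, which is the signature that tunnelled data leaves. The log lines, the `c2-placeholder.test` domain and the thresholds are all constructed assumptions, and the naive "last two labels" domain split stands in for a Public Suffix List lookup.

```python
"""Heuristic detector for DNS-tunnelling style C2 traffic (added example).

Scores every registered domain seen in a DNS query log on three signals
that tunnelled data tends to produce: long subdomain labels, high character
entropy in those labels, and almost no repeated subdomains across queries.
Thresholds are assumptions for illustration, not vendor detection logic.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<time> <client> <qname> <qtype>".
# The c2-placeholder.test entries mimic encoded chunks; example.com is benign.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 cdn.example.com A
10:00:03 10.0.0.7 k7x2qd9mzp4vw8tn3bc5.c2-placeholder.test TXT
10:00:04 10.0.0.7 f6h1jr0ysa5ug2el8oi9.c2-placeholder.test TXT
10:00:05 10.0.0.7 w3vb7cn4xm8qt1pk9zd0.c2-placeholder.test TXT
10:00:06 10.0.0.7 r5ye2ga6lh0uj4si7of3.c2-placeholder.test TXT
10:00:07 10.0.0.7 n8dz1bk5wx9cv2tq4mp7.c2-placeholder.test TXT
10:00:08 10.0.0.9 api.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production code
    should consult the Public Suffix List so that e.g. host.example.co.uk is
    handled correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the four-column constructed log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))  # (time, client, qname, qtype)
    return records


def score_domains(records):
    """Aggregate per-registered-domain statistics used by the detector."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _time, _client, qname, qtype in records:
        sub, dom = split_name(qname)
        a = agg[dom]
        a["queries"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["txt"] += qtype.upper() == "TXT"
    results = {}
    for dom, a in agg.items():
        n = a["queries"]
        results[dom] = {
            "queries": n,
            "unique_subdomain_ratio": len(a["subs"]) / n,
            "avg_subdomain_len": a["len"] / n,
            "avg_entropy": a["ent"] / n,
            "txt_ratio": a["txt"] / n,
        }
    return results


def flag_tunnelling(results, min_queries=3, min_len=16, min_entropy=3.0, min_unique=0.8):
    """Return the sorted list of domains whose label shape suggests tunnelling."""
    flagged = []
    for dom, r in results.items():
        if r["queries"] < min_queries:
            continue  # too few observations to judge
        if (r["avg_subdomain_len"] >= min_len
                and r["avg_entropy"] >= min_entropy
                and r["unique_subdomain_ratio"] >= min_unique):
            flagged.append(dom)
    return sorted(flagged)


def analyze(text: str):
    """Convenience wrapper: log text -> (per-domain stats, flagged domains)."""
    results = score_domains(parse_log(text))
    return results, flag_tunnelling(results)


if __name__ == "__main__":
    stats, suspects = analyze(SAMPLE_LOG)
    for dom, r in stats.items():
        print(f"{dom:24} queries={r['queries']} len={r['avg_subdomain_len']:.1f} "
              f"entropy={r['avg_entropy']:.2f} unique={r['unique_subdomain_ratio']:.2f}")
    print("suspected tunnelling:", suspects)
```

The detector deliberately requires all three signals together: a CDN hostname can be long, and a short random token can be high-entropy, but benign clients rarely produce a stream of long, high-entropy, never-repeated labels under one domain. Real deployments would add a time window, per-client counts and an allow-list for known telemetry domains before alerting.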
Through comparative analysis, the team identified related activity also targeting Kuwait between July and December 2018, which was recently reported by IBM X-Force IRIS. While there are no direct infrastructure overlaps between the two campaigns, historical analysis shows that the 2018 and 2019 activities are likely to be related.

In conclusion, the company found that while there are similarities in the targeting of Kuwait organisations, the domain naming structure and the underlying toolset used, it remains unclear whether the two campaigns (July to December 2018 and May to June 2019) were conducted by the same set of operators. Historical infrastructure analysis shows a close relationship between Hisoka and Sakabota infrastructure, as well as with known OilRig infrastructure. Due to these overlaps and the focused targeting of organisations within the transportation and shipping industry in the Middle East, Palo Alto is tracking this activity very closely and will continue analysis in order to determine a more solid connection to known threat groups.

Palo Alto Networks’ customers are protected from these threats through the following:

• Customers using AutoFocus can view this activity by using the following tags: xHunt, Sakabota, Hisoka, Killua, Gon, EYE
• DNS Tunnelling activity is detected through DNS Security automated detection
• All tools identified are detected as malicious by WildFire and Traps