A new wave of hackers is attacking IT companies in probable supply chain attacks across the globe.
We reveal the who, what, where, when and why behind the attacks, and more importantly, how you can help keep you and your business safe from the forever-growing threat of an attack.
Who?
A previously undocumented hacker group dubbed ‘Tortoisehell’ is using a custom execution alongside an off-the-shelf malware to target IT providers in what appears to be supply chain attacks.
The skillset of the group is said to be of an advanced level, with at least two attacks successfully gaining domain admin-level access to the IT providers’ networks, a feat that gave the group control over all connected machines.
What?
The Tortoiseshell hackers are utilising a unique malware called Backdoor.Syskit which can download and execute tools and custom commands. It is believed the Malware has been developed in both Delphi and .NET.
The backdoor.Syskit is run with the “-install” parameter to install itself.
- reads config file: %Windir%\temp\rconfig.xml
- writes Base64 encoding of AES encrypted (with key “fromhere”) version of the data in the “url” element of the XML to:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Enablevmd
This contains the command and control (C&C) information.
- writes Base64 encoding of AES encrypted (with key “fromhere”) version of the “result” element of the XML to:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\Sendvmd
This holds the later portion of the URL to append to the C&C for sending information to it.
- deletes the config file
The malware collects and sends the machine’s IP address, operating system name and version, and Mac address to the C&C server using the URL in the Sendvmd registry key mentioned above. Data sent to the C&C server is Base64 encoded.
The backdoor can receive various commands:
- “kill_me”:
stops the dllhost service and deletes %Windir%\temp\bak.exe - “upload ”
downloads from the URL provided by the C&C server - “unzip”
uses PowerShell to unzip a specified file to a specified destination, or to run cmd.exe /c <received command>
Where?
Whilst some attacks will are yet to be documented, nor I’m sure even detected, the Tortoiseshell hackers have a keen interest in the Middle East, with a total of 11 organisations being hit by the group so far, with the majority being situated in Saudi Arabia.
However, just because the spotlight is on the Middle East, that doesn’t mean you can relax and put your feet up, cybercrime is a global pandemic, with new and unique techniques popping up every day, meaning you and your business are at risk more than ever.
When?
The discovery was made by Symantec who published the news on their website last week, September 18th.
The security firm claims the group has been active since July last year (2018) and indicates there has been a number of reported hacks occurring in just the past few months.
Whether it be fresh attacks or those only detecting previous ones, I’m more than confident we will see and hear of more in the coming months.
Why?
A hacker’s motives can be a number of things, but more so than others, it’s for financial gain.
With a 78% increase in 2018 alone, supply chain attacks are a likely candidate, with hackers targeting the IT companies in the hope of infiltrating the networks of their customers.
The profiles of the targeted IT companies are still unknown, but Tortoiseshell is not the first, nor I’m sure the last group to target companies in the Middle East, however, there is no evidence to indicate that Tortoiseshell’s motives are linked to any existing known group or nation-state.
Don’t get caught out, protect your users, data, and technology!
Whether you’re an IT company, SMB or one of the world’s largest organisations, you’re probably wondering, what can I do to protect myself from such vulnerabilities?
Well as the North East’s leading technology company, and Cisco Premier Partner, we utilise some of the industry’s most advanced and state-of-the-art security technology available.
Practising what we preach, we’re fully protected from the constant threat of attacks we see on a daily basis.
By using ACT (Advance Cybersecurity Technologies) we are able to Educate, Protect and Restore our business from the forever-growing number of vulnerabilities online, and you can too!
To give you an idea on how all, or each of these solutions can help protect your business, we’ve broken ACT down into 3 bitesize pieces:
Educate
With Advantex’s ‘Educate’ solution, we can evaluate, educate, simulate and report on any vulnerabilities within your business – ultimately empowering you and your workforce into making better and safer day-to-day decisions online.
Protect
With Advantex’s ‘Protect’, we can give your business the ultimate protection. Using the industry’s first Secure Internet Gateway in the cloud, Protect acts as the first line of defence against threats online, and the best bit is, we can get set you and your users up in a matter of minutes.
Restore
World-class data protection designed to fit any business environment—from a single workstation to an entire enterprise infrastructure, Restore allows users to seamlessly store business-critical data, and get back up and running in minutes if things were to go wrong.
With over 60% of British firms reporting some form of cybercrime in the past 12 months, up from 45% in 2018, the seriousness of this global pandemic is one we simply can’t ignore, and with the average cost of an attack hitting a business for over £25,000, it begs the question, can you really afford to take the risk?
Start Your FREE 14-Day Trial Here
With Advantex’s ACT suite, we can educate, protect and restore your business from any vulnerabilities online – giving you maximum protection and ultimately empowering you and your workforce into making better and safer day-to-day decisions online.
Send us your details below and we’ll get you started on your FREE no-obligation trial of the Advantex ACT suite.
Don’t take the risk, get in touch today!