Sunday, July 14, 2024
EHA

Hackers Use Open-Source Tools to Attack Shipping Companies & Medical Laboratories

There has been an emergence of a new security threat that has been causing havoc among the Asian shipping and medical laboratory industries.

It’s a never-before-seen threat group dubbed Hydrochasma, actively targeting the shipping and medical organizations that are engaged in research and treatment of the COVID-19 vaccine.

Symantec, a company under Broadcom, has been monitoring the activities of cybercriminals since October of last year. Their ultimate aim seems to be the acquisition of valuable information.

Modus Operandi of Attack

Hydrochasma’s modus operandi is unique in that they employ open-source tools and LotL techniques during their attacks. This enables them to carry out their malicious activities without leaving behind any traces that could potentially expose their identity. 

This method of operation poses a challenge to those attempting to track and attribute the attacks to specific threat actors.

The origin and affiliation of this threat actor have not been determined, nor has any evidence yet been collected as to its origin. 

The utilization of pre-existing tools seems to serve a dual purpose for Hydrochasma:- 

  • To evade attribution efforts
  • To enhance the stealthiness of their attacks

By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.

Attack Chain

Most likely, Hydrochasma infected its host with a phishing email in order to spread its infection. Initial signs of Hydrochasma’s presence on a targeted system are often indicated by the appearance of a lure document, with a file name that is crafted to appear as if it were an email attachment written in the native language of the victim organization. 

This is an attempt to deceive the target into thinking that the document is legitimate and relevant to their work. Here below we have mentioned those attachment names:-

  • Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
  • University-Development Engineer[.]exe

Once the attacker gains access to a machine, they utilize this access to deploy a Fast Reverse Proxy (FRP), which has the potential to expose servers that are located behind a firewall to the public web.

Tools Used

Here below we have mentioned all the tools that are dropped by the intruder on the affected system:-

  • Gogo scanning tool
  • Process Dumper (lsass.exe)
  • Cobalt Strike Beacon
  • AlliN scanning tool
  • Fscan
  • Dogz proxy tool
  • SoftEtherVPN
  • Procdump
  • BrowserGhost
  • Gost proxy
  • Ntlmrelay
  • Task Scheduler
  • Go-strip
  • HackBrowserData

It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used. 

There was no evidence that any data was taken from any of the targeted computers by Hydrochasma according to researchers from Symantec. Hydrochasma on the other hand utilizes certain tools that allow remote access to the system, which could result in data being extracted from the system.

This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.

Network Security Checklist – Download Free E-Book

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles