At a glance.
- Lebanese threat actor targets Israeli organizations.
- LuoYu launches man-on-the-side attacks.
Lebanese threat actor targets Israeli organizations.
Microsoft has profiled a previously little-observed Lebanese threat actor it calls “POLONIUM”, assessing with moderate confidence that the group’s activity was coordinated with actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS). POLONIUM has targeted Israeli organizations in the critical manufacturing, IT, and defense sectors. It used legitimate OneDrive accounts as command-and-control (C2) infrastructure, and the researchers suspect it gained initial access to victims’ networks by exploiting CVE-2018-13379, the FortiOS SSL VPN path-traversal flaw, on unpatched Fortinet devices:
“MSTIC assesses with high confidence that POLONIUM represents an operational group based in Lebanon. We also assess with moderate confidence that the observed activity was coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques. Such collaboration or direction from Tehran would align with a string of revelations since late 2020 that the Government of Iran is using third parties to carry out cyber operations on their behalf, likely to enhance Iran’s plausible deniability.
“POLONIUM has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months. This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims. POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation. This activity does not represent any security issues or vulnerabilities on the OneDrive platform. In addition, MSTIC does not, at present, see any links between this activity and other publicly documented groups linked to Lebanon like Volatile Cedar.”
LuoYu launches man-on-the-side attacks.
Researchers at Kaspersky have published a report on LuoYu, an “extremely sophisticated” threat actor that primarily targets entities in China, including “foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors.” Most notably, the actor’s “WinDealer” malware platform picks its command-and-control server at random from roughly 48,000 IP addresses spread across a handful of address ranges, a design that only works if the operator can answer traffic sent to any of those addresses:
“It is very hard to believe that an attacker would be able to control the 48,000 IP addresses of the aforementioned IP ranges, or even a significant portion of them. The only way to explain these seemingly impossible network behaviors is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed. Such capabilities are not unheard of: the QUANTUM program revealed in 2014 was the first known instance.”
Kaspersky offers the following thoughts on how LuoYu was able to pull this off:
“We can only speculate as to how they were able to obtain such capabilities. They could have compromised routers on the route to (or inside) AS4134. Alternatively, they may use signals intelligence methods unknown to the general public. They may even have access (legitimate or fraudulent) to law enforcement tools set up at the ISP level and are abusing them to perform offensive operations. Overall, a threat actor is leveraging capabilities that could be compared to (but are distinct from) the QUANTUMINSERT program in order to infect targets located in China.”
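A man-on-the-side attacker of the kind Kaspersky describes can inject a reply but cannot stop the genuine server from answering too, so a capture taken at the victim usually holds two TCP segments for the same flow and sequence number that carry different payloads, with the injected copy arriving first. A genuine retransmission repeats the same bytes and should not be flagged. The Python below, added here as an illustration and not code from Kaspersky’s report or from any WinDealer analysis, runs that check over a constructed capture; the addresses, timestamps, TTLs and HTTP payloads are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (only the fields the check needs)."""
    ts: float        # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL as seen on the wire
    payload: bytes


def flow_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_conflicting_segments(segments):
    """Return (first, later) pairs of segments from the same flow that reuse a
    sequence number with a different payload.

    Retransmissions carry identical bytes and are skipped. Two distinct payloads
    for one sequence number mean two senders answered the same request: the
    copy that arrived first is the one the client acted on, the later copy is
    the evidence the race left behind."""
    seen = defaultdict(dict)  # flow -> seq -> {payload: first segment seen}
    conflicts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue  # pure ACKs and handshake segments carry nothing to compare
        variants = seen[flow_key(seg)].setdefault(seg.seq, {})
        if seg.payload in variants:
            continue  # same bytes again: ordinary retransmission
        if variants:
            original = next(iter(variants.values()))
            conflicts.append((original, seg))
        variants[seg.payload] = seg
    return conflicts


def describe(conflict):
    """Summarise one conflict. A TTL gap between the two copies is a second
    hint that they were not emitted by the same host."""
    first, later = conflict
    return {
        "flow": f"{first.src}:{first.sport} -> {first.dst}:{first.dport}",
        "seq": first.seq,
        "gap_ms": round((later.ts - first.ts) * 1000, 1),
        "ttl_first": first.ttl,
        "ttl_later": later.ttl,
        "ttl_mismatch": first.ttl != later.ttl,
        "winner_payload": first.payload[:40],
    }


# Constructed sample capture (not real traffic): the client requests a file,
# an on-path injector answers with a redirect 3 ms before the real server's
# reply for the same sequence number, and the real server later retransmits.
SAMPLE = [
    Segment(0.000, "10.0.0.5", 51234, "203.0.113.10", 80, 1, 64,
            b"GET /update.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(0.012, "203.0.113.10", 80, "10.0.0.5", 51234, 1, 59,   # injected
            b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/x\r\n\r\n"),
    Segment(0.015, "203.0.113.10", 80, "10.0.0.5", 51234, 1, 47,   # genuine
            b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nDATA"),
    Segment(0.250, "203.0.113.10", 80, "10.0.0.5", 51234, 1, 47,   # retransmit
            b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nDATA"),
]


if __name__ == "__main__":
    for conflict in find_conflicting_segments(SAMPLE):
        print(describe(conflict))
```

The check only sees the copy that lost the race, so it is useful against an injector that races the real server and useless against a full man-in-the-middle that drops or rewrites the genuine reply, which is the “even modify it if needed” case in the quote above. Run it from a capture taken as close to the client as possible: the closer to the injection point, the smaller the timing gap, and the more likely both copies survive.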