A new advanced persistent threat (APT) actor, known as ChamelGang, has been observed targeting aviation and energy companies in Russia and government organizations in at least nine other countries. The threat actor has not been linked to any existing APT, and its nationality is unknown. ChamelGang was first detected after it breached a Russian energy firm; the cybersecurity company Positive Technologies (PT) identified the group and traced its attack patterns to a second attack on a Russian aviation firm and to attacks against government entities in at least nine other countries, including the U.S., India, Taiwan, and Japan. ChamelGang uses Microsoft Exchange Server ProxyShell vulnerabilities in its attack chain. Additionally, a notable feature of this APT is their “use of three previously unknown malwares: ProxyT, BeaconLoader, and the DoorMe backdoor… [and they] also [have] employed the better-known Cobalt Strike Beacon, FRP and Tiny Shell,” according to SecurityWeek. The common factor in each ChamelGang compromise has been the presence of vulnerable Microsoft Exchange Servers and the exploitation of the ProxyShell and ProxyLogon vulnerabilities. Members are encouraged to apply the latest Microsoft Exchange security update to mitigate this threat. Access SecurityWeek for more details.
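Because the common thread in these intrusions is exploitation of ProxyShell against Exchange, a defender's first check after patching is whether the server's IIS logs show the exploitation pattern. The script below is an added example written for this summary; it is not code from the page, from Positive Technologies, or from SecurityWeek. It assumes the standard IIS W3C field order given in the `#Fields` header, and it looks for the publicly documented ProxyShell indicator: a request to `/autodiscover/autodiscover.json` whose query string begins with `@host/` (the path-confusion prefix) or nests `autodiscover/autodiscover.json` inside the `Email` parameter. The log lines are constructed for the example. A hit on a patched server still means someone tried, so the client IP is worth a look either way.

```python
import re
from typing import Dict, List, Optional

# Constructed IIS W3C log sample for this example (not from the page).
# Assumed field order, as declared in the #Fields header:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-30 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-09-30 10:01:15 10.0.0.5 GET /autodiscover/autodiscover.json @test.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.example 443 - 203.0.113.7 python-requests/2.25 200
2021-09-30 10:01:20 10.0.0.5 POST /autodiscover/autodiscover.json @test.example/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@test.example 443 - 203.0.113.7 python-requests/2.25 200
2021-09-30 10:02:01 10.0.0.5 POST /autodiscover/autodiscover.json Email=jdoe@corp.example 443 - 198.51.100.4 Outlook 200
"""

# Indicators applied to the cs-uri-query field of autodiscover.json requests.
# A normal Autodiscover query carries "Email=user@domain"; the ProxyShell
# path-confusion request instead starts the query with "@host/" and nests
# autodiscover.json inside the Email parameter (assumed public indicator).
INDICATORS = [
    ("query begins with '@host/' (autodiscover path confusion)", re.compile(r"^@[^/]+/", re.I)),
    ("autodiscover.json nested in Email parameter", re.compile(r"email=autodiscover/autodiscover\.json", re.I)),
]


def parse_iis_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into the fields we need; None for comments/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 11:
        return None
    return {
        "date": parts[0], "time": parts[1], "method": parts[3], "stem": parts[4],
        "query": parts[5], "client_ip": parts[8], "user_agent": parts[9], "status": parts[10],
    }


def scan_iis_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per autodiscover.json request that matches an indicator."""
    findings: List[Dict[str, object]] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        rec = parse_iis_line(raw)
        if rec is None or not rec["stem"].lower().endswith("/autodiscover/autodiscover.json"):
            continue
        reasons = [name for name, rx in INDICATORS if rx.search(rec["query"])]
        if reasons:
            findings.append({
                "line": line_no, "client_ip": rec["client_ip"], "method": rec["method"],
                "query": rec["query"], "status": rec["status"], "reasons": reasons,
            })
    return findings


def count_by_client(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate findings per client IP so repeated attempts from one source stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        ip = str(f["client_ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_IIS_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['client_ip']} {h['method']} status={h['status']} -> {', '.join(h['reasons'])}")
    print("attempts per client:", count_by_client(hits))
```

The benign fourth request (a real `Email=user@domain` Autodiscover lookup) is deliberately included and is not flagged, which is the false-positive case this check must tolerate on a busy Exchange server.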