fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Suspected Chinese State Hackers Target Russian Submarine Designer

Suspected Chinese State Hackers Target Russian Submarine Designer

Hackers suspected to work for the Chinese government have used a new malware called PortDoor to infiltrate the systems of an engineering company that designs submarines for the Russian Navy.

They used a spear-phishing email specifically crafted to lure the general director of the company into opening a malicious document.

Specific targeting

The threat actor targeted Rubin Central Design Bureau for Marine Engineering in Saint Petersburg, a defense contractor that designed most of Russia’s nuclear submarines.

The method for delivering the backdoor was a weaponized RTF document attached to an email addressed to the company CEO, Igor V. Vilnit.

Threat researchers at Cybereason Nocturnus found that the attacker lured the recipient to open the malicious document with a general description for an autonomous underwater vehicle.

RTF document carrying PortDoor backdoor

Also Read: The DNC Registry Singapore: 5 Things You Must Know

Digging deeper, the researchers discovered that the RTF file had been weaponized using RoyalRoad, a tool for building malicious documents to exploit multiple vulnerabilities in Microsoft’s Equation Editor.

The use of RoyalRoad has been linked in the past to several threat actors working on behalf of the Chinese government, like Tick, Tonto Team, TA428, Goblin Panda, Rancor, Naikon.

When launched, the RTF document drops the PortDoor backdoor in the Microsoft Word startup folder disguising it as an add-in file, “winlog.wll.”

PortDoor backdoor disguised as Microsoft add-in

According to Cybereason’s analysis, PortDoor is a full-fledged backdoor with an extended list of features that make it suitable for a variety of tasks:

  • Doing reconnaissance
  • Profiling victim systems
  • Downloading payloads from the command and control server
  • Privilege escalation
  • Dynamic API resolving to evade static detection
  • One-byte XOR encryption (sensitive data, configuration)
  • AES-encrypted data exfiltration

In a technical report today, Cybereason Nocturnus Team describes the functionality of the malware and provides indicators of compromise to help organizations defend against it.

The researchers attributed PortDoor to a Chinese state-sponsored hacker group based on similarities in tactics, techniques, and procedures with other China-linked threat actors.

Based on work from security researcher nao_sec, Cybereason was able to determine that the malicious RTF document was created with RoaylRoad v7 with a header encoding associated with operations from Tonto Team (a.k.a. CactusPete), Rancor, and TA428.

CactusPete and TA428 are known for attacking organizations in Eastern Europe (Russia) and Asia [1234]. Furthermore, Cybereason saw linguistic and visual elements in the PortDoor phishing email and documents that resemble the lures  in attacks from Tonto Team.

However, at the code level, PortDoor does not share significant similarities with other malware used by the aforementioned groups, indicating that this is a new backdoor.

Also Read: How To Comply With PDPA: A Checklist For Businesses

Cybereason’s attribution of PortDoor does not come with a high level of confidence. The researchers are aware that other groups may be behind this malware. Current evidence, though, points to an attacker of Chinese origin.

“Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor. We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete”

– Cybereason

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us