fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Unskilled Hacker Linked to Years of Attacks on Aviation, Transport Sectors

Unskilled Hacker Linked to Years of Attacks on Aviation, Transport Sectors

For years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at companies in the aviation sector as well as in other sensitive industries.

The threat actor has been active since at least 2017, targeting entities in the aviation, aerospace, transportation, manufacturing, and defense industries.

Tracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria and its activity has been documented before in analysis of separate campaigns.

Also Read: Best Privacy Certification: 3 Simple Steps On How To Achieve

Non-sophisticated attacks

In a report today, Proofpoint notes that TA2541 has been consistent about its attack method, relying on malicious Microsoft Word documents to deliver a remote access tool (RAT).

A typical malware campaign from this group involves sending “hundreds to thousands” of emails – mostly in English – to “hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East.”

Recently, though, the group switched from malicious attachments to linking to a payload hosted in cloud services such as Google Drive, Proofpoint researchers say.

TA2541 does not use custom malware but commodity malicious tools available for purchase on cybercriminal forums. According to the researcher’s observations, AsyncRAT, NetWire, WSH RAT, and Parallax appears to be the group’s top favorites being pushed most often in malicious messages.

TA2541 threat group's favorite RATs
source: Proofpoint

Proofpoint highlights that all malware used in TA2541 campaigns can be used to collect information, but the threat actor’s ultimate goal remains unknown at the moment.

A typical TA2541 attack chain starts with sending an email that is usually related to transportation (e.g. flight, aircraft, fuel, yacht, charter, cargo) and delivers a malicious document.

“In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file. If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub” – Proofpoint

In the next step, the adversary executes PowerShell into various Windows processes and looks for available security products by querying the Windows Management Instrumentation (WMI).

Then it tries to disable the built-in defenses and starts gathering system information before downloading the RAT payload on the compromised host.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses

TA2541 threat group's attack chain
source: Proofpoint

Given TA2541’s choice of targets, its activity has not gone unnoticed and security researchers from other companies have analyzed its campaigns [123] in the past, but without connecting all the dots.

Cisco Talos published a report last year about a TA2541 campaign targeting the aviation industry with AsyncRAT. The researchers concluded that the actor had been active for at least five years.

Based on evidence from analyzing the infrastructure used in the attack, Cisco Talos was able to build a profile for the threat actor, linking its geographic location to Nigeria.

“While researching the actor’s activities, using passive DNS telemetry, we compiled the list of IPs used by the domain akconsult.linkpc.net. The chart below shows that roughly 73 percent of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria.” – Cisco Talos

In a single campaign, the actor can send up to several thousand emails to dozens of organizations and are not tailored for individuals with specific roles. This shows that TA2541 is not concerned with the stealth of its actions, further supporting the theory of a non-skilled actor.

While thousands of organizations have been targeted in these “spray-and-pray” attacks, companies across the globe in the aviation, aerospace, transportation, manufacturing, and defense industries appear to be a constant target.

Even if TA2541’s tactics, techniques, and procedures (TTPs) describe an adversary that is not technically sophisticated, the actor managed to deploy malicious campaigns for more than five years without raising too many flags.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us