New Tomiris backdoor likely developed by SolarWinds hackers

Kaspersky security researchers have discovered a new backdoor likely developed by the Nobelium hacking group behind last year’s SolarWinds supply chain attack.

This comes on the heels of another report published by Microsoft two days ago detailing FoggyWeb, a “passive and highly targeted” backdoor developed and used by the same group to exfiltrate sensitive information from compromised AD FS servers remotely.

The new malware found by Kaspersky, dubbed Tomiris, was first spotted in June even though the first samples were deployed in the wild in February 2021, one month before the “sophisticated second-stage backdoor” Sunshuttle was found by FireEye and linked to Nobelium.

Tomiris was discovered while investigating a series of DNS hijacking attacks targeting several government zones of a CIS member state between December 2020 and January 2021, which allowed the threat actors to redirect traffic from government mail servers to machines under their control.

Their victims were redirected to webmail login pages that helped the attackers to steal their email credentials and, in some cases, prompted them to install a malicious software update that instead downloaded the previously unknown Tomiris backdoor.

“During these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled resolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations,” Kaspersky said.

“We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.”
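The hijack described above worked by switching a zone's authoritative name servers to attacker-controlled resolvers, so the mail servers' traffic silently moved. The following is an added example (not code from the article or from Kaspersky) of the kind of baseline check a zone owner can run on a schedule to surface that change: it compares currently observed NS and MX records with a known-good set. The zone names and observed answers are constructed; in production the observed values would come from a real resolver query (for instance via dnspython, which is deliberately not required here).

```python
"""Added example: detect drift in a zone's NS and MX delegation against a
known-good baseline. Zone names and observed records below are constructed."""

from dataclasses import dataclass


@dataclass
class ZoneBaseline:
    zone: str
    ns: frozenset  # expected authoritative name servers
    mx: frozenset  # expected mail exchangers


@dataclass
class Finding:
    zone: str
    rrtype: str
    unexpected: frozenset  # values seen that are not in the baseline
    missing: frozenset     # baseline values that are no longer seen


def normalise(names):
    """Lower-case and strip trailing dots so 'NS1.EXAMPLE.TEST.' == 'ns1.example.test'."""
    return frozenset(n.lower().rstrip(".") for n in names)


def check_zone(baseline, observed_ns, observed_mx):
    """Return a list of Findings for any NS or MX drift from the baseline.

    An empty list means delegation and mail routing match the baseline.
    """
    findings = []
    for rrtype, expected, observed in (
        ("NS", baseline.ns, normalise(observed_ns)),
        ("MX", baseline.mx, normalise(observed_mx)),
    ):
        unexpected = observed - expected
        missing = expected - observed
        if unexpected or missing:
            findings.append(Finding(baseline.zone, rrtype, unexpected, missing))
    return findings


def describe(finding):
    """One-line, log-friendly rendering of a Finding."""
    return (f"[{finding.rrtype}] {finding.zone}: "
            f"unexpected={sorted(finding.unexpected)} missing={sorted(finding.missing)}")


# Constructed baseline for a hypothetical government zone.
BASELINE = ZoneBaseline(
    zone="example-ministry.test",
    ns=normalise(["ns1.example-ministry.test", "ns2.example-ministry.test"]),
    mx=normalise(["mail.example-ministry.test"]),
)

# Constructed healthy snapshot: same servers, only case/trailing-dot differences.
OBSERVED_OK = {
    "ns": ["NS1.example-ministry.test.", "ns2.example-ministry.test"],
    "mx": ["mail.example-ministry.test."],
}

# Constructed hijacked snapshot: delegation moved to resolvers outside the
# organisation and mail now also routes through an unknown relay.
OBSERVED_HIJACK = {
    "ns": ["ns-a.unknown-hoster.test", "ns-b.unknown-hoster.test"],
    "mx": ["mail.example-ministry.test", "relay.unknown-hoster.test"],
}


if __name__ == "__main__":
    for label, snap in (("ok", OBSERVED_OK), ("hijack", OBSERVED_HIJACK)):
        result = check_zone(BASELINE, snap["ns"], snap["mx"])
        print(label, "->", "clean" if not result else "")
        for f in result:
            print("  ", describe(f))
```

Comparing against a baseline rather than against "what it was yesterday" matters: a hijack that is brief, as Kaspersky describes, can flip and flip back between two polls, so the check should be run frequently and its findings logged rather than only printed.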

Malicious webmail login page used to deliver Tomiris
Image: Kaspersky

Links to Nobelium-made Sunshuttle malware

Once deployed on a system, Tomiris will repeatedly query a command-and-control server for further malicious payloads to run on the compromised device, allowing its operators to establish a foothold in the victim’s network.

Another variant can collect and exfiltrate documents out of compromised systems, automatically uploading recent files matching extensions of interest, including .doc, .docx, .pdf, .rar, and more.

Kaspersky found many similarities between the two backdoors (e.g., both developed in Go, persistence through scheduled tasks, same encoding scheme for C2 comms, automated sleep triggers to reduce network noise).
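Because Tomiris polls its command-and-control server on a timer (with sleep triggers to keep the traffic quiet rather than to make it irregular), its connections tend to arrive at unusually regular intervals. The following added example, which is not from the article or from Kaspersky, shows the basic beaconing heuristic a defender can run over outbound proxy or firewall logs: group connections by (source, destination), compute the gaps between them, and flag pairs whose gap spread (coefficient of variation) is low. The log lines and host names are constructed.

```python
"""Added example: a simple beaconing heuristic over constructed proxy log lines.
Flags (src, dst) pairs whose inter-connection gaps are unusually regular."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst", one line per outbound connection.
# The host names are placeholders, not real infrastructure.
SAMPLE_LOG = """\
2021-02-03T09:00:00 10.0.0.5 updates.vendor.test
2021-02-03T09:00:07 10.0.0.5 cdn.news.test
2021-02-03T09:03:04 10.0.0.5 updates.vendor.test
2021-02-03T09:04:41 10.0.0.5 cdn.news.test
2021-02-03T09:05:58 10.0.0.5 updates.vendor.test
2021-02-03T09:09:03 10.0.0.5 updates.vendor.test
2021-02-03T09:09:12 10.0.0.5 cdn.news.test
2021-02-03T09:12:00 10.0.0.5 updates.vendor.test
2021-02-03T09:14:57 10.0.0.5 updates.vendor.test
2021-02-03T09:31:05 10.0.0.5 cdn.news.test
"""


def parse_log(text):
    """Group connection timestamps by (src, dst)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for sorted times,
    or None when there are too few gaps to say anything."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return [(pair, mean_gap, cv)] for pairs that look like timed polling.

    min_connections avoids judging a pair on a handful of events; max_cv is the
    tolerated jitter (0 = perfectly periodic). Human browsing typically has a
    much higher cv than a backdoor's sleep loop.
    """
    suspects = []
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        stats = interval_stats(times)
        if stats and stats[1] <= max_cv:
            suspects.append((pair, stats[0], stats[1]))
    return suspects


if __name__ == "__main__":
    for pair, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon {pair[0]} -> {pair[1]}: ~{gap:.0f}s period, cv={cv:.3f}")
```

On the constructed log the polling host is flagged with a period of about three minutes while the browsing traffic is dismissed for having too few and too irregular connections. Real deployments need a longer window, a whitelist for legitimate periodic clients (update agents, monitoring), and treatment of sleep with randomised jitter, which raises the cv and is exactly why the threshold should be tuned on the organisation's own data.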

They also spotted the Kazuar backdoor, which shares features with the Sunburst malware used in the SolarWinds attack, on the same network as Tomiris.

Despite this, the researchers did not conclusively link the new backdoor to the Russian-backed Nobelium state hackers because of the possibility of a false flag attack designed to mislead malware researchers.

“While it is possible that other APTs were aware of the existence of this tool at this time, we feel it is unlikely they would try to imitate it before it was even disclosed,” Kaspersky added.

“A much likelier (but yet unconfirmed) hypothesis is that Sunshuttle’s authors started developing Tomiris around December 2020 when the SolarWinds operation was discovered, as a replacement for their burned toolset.”

Tomiris Sunshuttle Kazuar connection
Image: Kaspersky

Who is Nobelium?

Nobelium, the hacking group that carried out the SolarWinds supply-chain attack that led to the compromise of multiple US federal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, The Dukes, or Cozy Bear.

In April 2021, the United States government formally blamed the SVR division for coordinating the SolarWinds “broad-scope cyber espionage campaign.”

Cybersecurity outfit Volexity also linked the attacks to the same hacking group’s operators based on tactics they used in previous incidents going back to 2018.

In May, Microsoft researchers revealed four more malware families used by Nobelium in other attacks: a malware downloader known as ‘BoomBox,’ a shellcode downloader and launcher known as ‘VaporRage,’ a malicious HTML attachment dubbed ‘EnvyScout,’ and a loader named ‘NativeZone.’

In March, they detailed three other Nobelium malware strains used for maintaining persistence on compromised networks: a command-and-control backdoor dubbed ‘GoldMax,’ an HTTP tracer tool tracked as ‘GoldFinder,’ and a persistence tool and malware dropper named ‘Sibot.’
