Hackers Target Ukrainian Software Company Using GoMet Backdoor
A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an “uncommon” piece of malware, new research has found.
The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network.
“This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise,” Cisco Talos said in a report shared with The Hacker News.
Although there are no concrete indicators linking the attack to a single actor or group, the cybersecurity firm’s assessment points to Russian nation-state activity.
Public reporting on the use of GoMet in real-world attacks has so far documented only two cases: one in 2020, coinciding with the disclosure of CVE-2020-5902, a critical remote code execution flaw in F5’s BIG-IP networking devices.
The second instance entailed the successful exploitation of CVE-2022-1040, a remote code execution vulnerability in Sophos Firewall, by an unnamed advanced persistent threat (APT) group earlier this year.
“We haven’t seen GoMet deployed across the other organizations we’ve been working closely with and monitoring so that implies it is targeted in some manner but could be in use against additional targets we don’t have visibility into,” Nick Biasini, head of outreach for Cisco Talos, told The Hacker News.
“We have also conducted relatively rigorous historic analysis and see very little use of GoMet historically which further indicates that it is being used in very targeted ways.”
GoMet, as the name implies, is written in Go and comes with features that allow the attacker to remotely commandeer the compromised system, including uploading and downloading files, running arbitrary commands, and using the initial foothold to propagate to other networks and systems via what’s called a daisy chain.
Another notable feature of the implant is its ability to run scheduled jobs using cron. While the original code is configured to execute cron jobs once every hour, the modified version of the backdoor used in the attack is built to run every two seconds and ascertain if the malware is connected to a command-and-control server.
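The two-second C2 check described above is also a detection opportunity: a scheduler firing at a fixed short period produces a tight, low-jitter connection cadence that an hourly job would not. The Python below is an added example, not code from the Talos report or from GoMet; it assumes each check appears as an outbound connection record of the form "timestamp src dst port", and it runs on a constructed log embedded inline.

```python
"""Flag short-interval, regular outbound connections (beaconing) in a connection log."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log (not from the report): "timestamp src dst dport" per line.
# 203.0.113.10 is contacted every two seconds; 198.51.100.20 is ordinary, irregular traffic.
SAMPLE_LOG = """\
2022-05-19T08:00:00 10.0.0.5 203.0.113.10 443
2022-05-19T08:00:01 10.0.0.5 198.51.100.20 443
2022-05-19T08:00:02 10.0.0.5 203.0.113.10 443
2022-05-19T08:00:04 10.0.0.5 203.0.113.10 443
2022-05-19T08:00:06 10.0.0.5 203.0.113.10 443
2022-05-19T08:00:08 10.0.0.5 203.0.113.10 443
2022-05-19T08:00:09 10.0.0.5 198.51.100.20 443
2022-05-19T08:00:10 10.0.0.5 203.0.113.10 443
2022-05-19T08:01:30 10.0.0.5 198.51.100.20 443
2022-05-19T08:03:02 10.0.0.5 198.51.100.20 443
2022-05-19T08:07:45 10.0.0.5 198.51.100.20 443
"""

def parse_log(text):
    """Parse log lines into (epoch_seconds, 'dst:port') tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate truncated or malformed records
        ts = datetime.fromisoformat(parts[0]).timestamp()
        events.append((ts, f"{parts[2]}:{parts[3]}"))
    return events

def find_beacons(events, max_interval=5.0, min_connections=5, max_jitter=0.5):
    """Return {dst: (median_gap_seconds, connection_count)} for destinations contacted
    at least min_connections times at a short (<= max_interval) and regular interval."""
    by_dst = defaultdict(list)
    for ts, dst in events:
        by_dst[dst].append(ts)
    hits = {}
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # A tight, low-jitter cadence is what a fixed-period scheduler produces.
        if median(gaps) <= max_interval and pstdev(gaps) <= max_jitter:
            hits[dst] = (median(gaps), len(times))
    return hits
```

Thresholds are starting points: tune `max_interval` and `max_jitter` against your own baseline, since legitimate health checks can also beacon regularly.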
“The majority of the attacks we’ve been seeing lately are related to access, either directly or through credential acquisition,” Biasini said. “This is another example of that with GoMet being deployed as a backdoor.”
“Once the access has been established, additional reconnaissance and more thorough operations can follow. We’re working to kill the attacks before they get to this stage so it’s difficult to predict the types of follow-on attacks.”
The findings come as the U.S. Cyber Command on Wednesday shared the indicators of compromise (IoCs) pertaining to different types of malware such as GrimPlant, GraphSteel, Cobalt Strike Beacon, and MicroBackdoor targeting Ukrainian networks in recent months.
Cybersecurity firm Mandiant has since attributed the phishing attacks to two espionage actors tracked as UNC1151 (aka Ghostwriter) and UNC2589, the latter of which is suspected to “act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.”