Analytics within Jigsaw Security's Analytic Platform are indicating a huge and very active campaign by Russia to infiltrate critical infrastructure, Government, military and contractor facilities silently. Much of the activity has been discovered and stopped but we have noticed large numbers of systems looking for vulnerabilities that should have been patched for years. Routers are a specific and favorite target of this groups activity.
We are all aware of VPNFilter malware as reported by Jigsaw Security, Cisco Talos, Symantec and news organizations but there is a larger more successful campaign occurring that is utilizing CDN networks to infect downloads with malicious additional payloads, compromise routers and older hardware devices, install and sleep type operations where fileless malware is being installed but not activated, which points to a future campaign.
We really only have one thing to say to the Russians:
Мы видим вас, и мы знаем, что вы тоже видите нас.
Previously reported CDN abuse and calls home
We have been reporting on threat actors abusing CDN in the past. The fileless campaign we are tracking clearly is Russia as we have observed the malware reaching back to the Kremlin and several other servers in control of the Kremlin over the past several weeks. We are not 100% certain that the earlier CDN activity is Russia but we are 100% sure that the new malware samples we have captured are part of a much larger campaign by Russia in which they are preparing. We believe from our DNS statistics that the campaign may be 2 to 3 times the size of the recent VPNFilter activity based on statistical activity we have been monitoring.
This fileless malware has been observed attacking Government, banking, communications and energy infrastructure targets.
The Email Connection
Many companies have reported email campaigns that are very poorly written to mimic Microsoft, UPS and DHL which in and of itself are not new, what is new is that they are trying to determine WHO is being infected. This gives the actors information such as the sector that they have infected. Once that information is known, the malware the just goes to sleep. We agree with Ukrainian security firms based on what we have observed to be Russian activity.
These attackers are using very small files 2k to 4k in size that are fileless and reside in memory. Once the host is infected if it goes offline and is rebooted, it is then reinfected to maintain the foothold. We know the malware does not last a reboot but since they have already installed the malware previously it can be re-attacked and then it can go back to sleep. By running in memory and being fileless, it is harder for security software to detect that something is wrong.
Jigsaw Security customers can view the relevant details if they are granted the appropriate security access in our threat intelligence by looking at the following events. These events are now classified as TLP:RED//EX:CHR.
For specific assistance or to obtain additional information on this bulletin, you may open an RFI with the Jigsaw Security SOC from our website chat feature.