Forgotten AIX Server Opens Gates to Chinese Secret Blueprint Hunters

How an aerospace company hack put several industries at risk.

During an interview with The Register, John Dwyer, director of security research at Binary Defense, revealed the details of a cyberattack on a major manufacturer of components for the aerospace industry and other critical sectors. Hackers believed to be linked to the Chinese government gained access to the U.S. company's network using standard administrator credentials on an IBM AIX server.

The incident began in March when attackers compromised one of the victim's three unmanaged AIX servers. For four months, they remained unnoticed in the manufacturer's IT infrastructure, exploring the network in search of new targets for attack. This case serves as a cautionary tale for organizations that have long-forgotten or unmanaged devices on their networks. While the bulk of the infrastructure is protected by modern threat detection, legacy services are an ideal starting point for attackers.

Although Dwyer did not announce the name of the company, he said that it produces components for public and private aerospace organizations, as well as for the oil and gas sector. The attack is attributed to an unnamed group from the People's Republic of China, whose goal was apparently industrial espionage and the theft of blueprints.

It is worth noting that this year, the US federal authorities have repeatedly issued warnings about Chinese hacking groups, including APT40 and Volt Typhoon. The latter is accused of penetrating American networks in order to prepare destructive cyberattacks.

After discovering Chinese agents in its network in August, the manufacturer notified local and federal law enforcement agencies. The company also collaborated with government cybersecurity specialists to identify the source of the attack and develop measures to eliminate it. Binary Defense was involved in the investigation.

Before the hackers were discovered and forced out of the network, the group managed to download a web shell and establish persistent access. As a result, they had full remote control over the IT infrastructure and ideal conditions for intellectual property theft and supply chain manipulation.

John Dwyer highlighted the dangers of such a situation: "If a compromised component enters the supply chain and is used in the production of equipment or vehicles, the consequences will be felt by the end consumer when this component fails or begins to malfunction." He also added that hostile states are well aware of this vulnerability, and that attacks are constantly shifting left along the chain. That is, attempts to interfere with products occur earlier and earlier in the production process, affecting more and more victims and becoming more deeply entrenched in the systems.

According to Binary Defense, three servers of the victim's AIX development environment were connected to the internet without any protection. At least one of them ran the Apache Axis admin portal with standard credentials. The server was incompatible with the organization's security monitoring tools, which partly explains why it took several months for network security specialists to detect malicious activity on the company's computers.

After the server was compromised, the attackers installed the AxisInvoker web shell, which allowed them to remotely control the device, collect Kerberos data, and add SSH keys for persistent login from the outside. The hackers then collected as much information about the network configuration as possible, as well as data available through LDAP and SMB shares.
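The persistence step above (appending SSH keys on a host that the organisation's monitoring could not see) is exactly the kind of change a periodic baseline check catches. The script below is an added example, not code from the article or from Binary Defense: it parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports any key that is not in an approved inventory. The key blobs, account names and the approved list are constructed for the example; the fake blobs are only syntactically shaped like ed25519 keys.

```python
"""Audit an authorized_keys file against an approved-key inventory.

Added example (not from the article). Assumes the organisation keeps an
inventory of approved public-key fingerprints; here that inventory is
constructed in-line from fake key blobs.
"""
import base64
import hashlib

# Key types OpenSSH accepts in authorized_keys (subset that matters here).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (lineno, options, keytype, fingerprint, comment) per key line.

    Malformed lines are returned with keytype 'malformed' and fingerprint None
    so the auditor can flag them instead of silently skipping them.
    Note: option strings containing quoted spaces are not handled.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options (from=, command=, ...) may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append((lineno, "", "malformed", None, raw))
            continue
        options = " ".join(tokens[:idx])
        keytype, blob = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append((lineno, options, "malformed", None, raw))
            continue
        entries.append((lineno, options, keytype, fp, comment))
    return entries


def audit(text, approved):
    """Return findings: (lineno, reason, detail) for unknown or malformed keys."""
    findings = []
    for lineno, options, keytype, fp, comment in parse_authorized_keys(text):
        if keytype == "malformed":
            findings.append((lineno, "malformed", comment))
        elif fp not in approved:
            findings.append((lineno, "unknown-key", f"{fp} {comment}".strip()))
    return findings


def _fake_ed25519_blob(seed):
    """Constructed, syntactically ed25519-shaped blob (NOT a real key)."""
    raw = (b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20"
           + hashlib.sha256(seed).digest())
    return base64.b64encode(raw).decode()


# Constructed inventory: two approved keys known to the organisation.
APPROVED = {
    fingerprint(_fake_ed25519_blob(b"alice")): "alice@bastion",
    fingerprint(_fake_ed25519_blob(b"backup")): "backup@nas",
}

# Constructed authorized_keys content as found on a host: two approved keys,
# one key nobody in the inventory recognises, and one junk line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by config tool",
    f"ssh-ed25519 {_fake_ed25519_blob(b'alice')} alice@bastion",
    f'from="10.0.0.0/8" ssh-ed25519 {_fake_ed25519_blob(b"backup")} backup@nas',
    f"ssh-ed25519 {_fake_ed25519_blob(b'intruder')} user@localhost",
    "this is not a key",
])


def audit_sample():
    return audit(SAMPLE_AUTHORIZED_KEYS, APPROVED)


if __name__ == "__main__":
    for lineno, reason, detail in audit_sample():
        print(f"line {lineno}: {reason}: {detail}")
```

Run it unchanged to see the two findings on the constructed file; on a real host, point `audit()` at each account's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) and feed it the real inventory. Reporting the fingerprint rather than the whole blob keeps the alert short and lets it be matched against ssh-keygen -lf output.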

Further, additional malware was deployed, including Cobalt Strike and web shells, as well as a fast reverse proxy (FRP) to tunnel into the attackers' own infrastructure. Curiously, the hackers did not seem to be familiar with AIX, as they tried to run programs standard for Linux.

They then turned their attention to the Microsoft Windows environment on the engineering firm's network. NTLM relay attacks were carried out to enumerate available Windows users and impersonate an account with administrator privileges.

The attackers attempted to dump the memory of the LSASS process on a Windows server – a common way to collect credentials from the system. This attempt was spotted and blocked, after which the hackers were pushed out of the network, presumably before they could access anything else.
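The LSASS memory read described above is the one step in this intrusion that tripped a detection, and the rule behind that kind of alert is short. The following is an added example, not code from the article or from Binary Defense: it runs a process-access check over constructed Sysmon-style Event ID 10 records (tab-separated key=value fields, a format chosen for the example) and flags any non-allowlisted process that opens lsass.exe with read, write or duplicate-handle rights. The allowlist and the sample events are assumptions for illustration.

```python
"""Flag suspicious handle opens against lsass.exe in Sysmon Event ID 10 data.

Added example (not from the article). Record format and allowlist are
constructed for illustration.
"""

LSASS_SUFFIX = r"\windows\system32\lsass.exe"

# Sources that routinely open LSASS on a typical Windows server (assumed
# allowlist; tune per environment, compare full paths, never just basenames).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Access-mask bits that matter for a memory dump (Windows PROCESS_* rights).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
DUMP_CAPABLE = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE


def parse_event(line):
    """Parse one constructed record: tab-separated key=value fields."""
    return dict(field.split("=", 1) for field in line.split("\t") if "=" in field)


def is_suspicious(event):
    """True when a non-allowlisted process opens lsass.exe with dump-capable rights."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith(LSASS_SUFFIX):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return True  # unparsable mask on an LSASS open is itself worth a look
    return bool(granted & DUMP_CAPABLE)


def detect_lsass_access(lines):
    """Return (SourceImage, GrantedAccess) for each suspicious record."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            alerts.append((event["SourceImage"], event["GrantedAccess"]))
    return alerts


# Constructed sample: one benign system open, one dump-capable open from an
# unexpected binary, one query-only open, and one event not involving LSASS.
SAMPLE_EVENTS = [
    "EventID=10\tSourceImage=C:\\Windows\\System32\\csrss.exe"
    "\tTargetImage=C:\\Windows\\System32\\lsass.exe\tGrantedAccess=0x1FFFFF",
    "EventID=10\tSourceImage=C:\\Users\\Public\\updater.exe"
    "\tTargetImage=C:\\Windows\\System32\\lsass.exe\tGrantedAccess=0x1010",
    "EventID=10\tSourceImage=C:\\Windows\\System32\\taskmgr.exe"
    "\tTargetImage=C:\\Windows\\System32\\lsass.exe\tGrantedAccess=0x1000",
    "EventID=10\tSourceImage=C:\\Users\\Public\\updater.exe"
    "\tTargetImage=C:\\Windows\\System32\\svchost.exe\tGrantedAccess=0x1FFFFF",
]


def detect_sample():
    return detect_lsass_access(SAMPLE_EVENTS)


if __name__ == "__main__":
    for source, access in detect_sample():
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess={access}")
```

The check keys on the access mask rather than on tool names, so it still fires when a dumping utility is renamed; the trade-off is that backup agents and some EDR components legitimately open LSASS with read rights and must be allowlisted by full path, which is why the allowlist is an environment-specific assumption here.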

According to Dwyer, immediately after the attackers were removed from the environment, another attack followed, which was attributed to the same group. This happened within 24 hours: someone tried to get into the system by brute-forcing credentials. Binary Defense plans to publish a report on this cyber intrusion and the lessons learned soon.
