Leonardo S.p.A. Data Breach Analysis
<blockquote data-quote="upnorth" data-source="post: 924435" data-attributes="member: 38832"><p>Quote : " <strong>Leonardo S.p.A.</strong> (formerly <em>Finmeccanica</em>) is the 8th largest <strong>defence contractor</strong>. Partially owned by the Italian government, the company is widely known, among other things, for its <em>AgustaWestland</em> helicopters, major contributions to the <em>Eurofighter</em> project, development of naval artillery, armoured vehicles, underwater systems, implementation of space systems, electronic defence and more.</p><p></p><p>On the 5th of December 2020 the CNAIPIC (<em>National Computer Crime Center for Critical Infrastructure Protection</em>), a unit specialized in computer crime, part of the Polizia di Stato (the Italian Police), <a href="https://www.commissariatodips.it/notizie/articolo/attacco-hacker-a-leonardo-spa-due-arresti/index.html" target="_blank">reported</a> the arrest of 2 individuals in relation to a data theft operation, identified for the first time in January 2017, against Leonardo SpA’s infrastructure. The anomalous activity was identified by the company’s security unit and quickly reported to the authorities, who started an extensive investigation. Though the company’s initial report identified the leak to be negligible in volume, the CNAIPIC’s investigation found the amount to actually be significant, with <strong>100.000</strong> files exfiltrated for a total of <strong>10Gb</strong> of data from <strong>33</strong> devices in a single location, and tracked the final infection to a total of <strong>94</strong> different devices.
The attack was considered an <em>APT</em> by the Italian Police, <u>carried out by a single person who manually installed a custom malware on each targeted machine</u>.</p><p></p><p><strong>Physical attacks</strong> are hard to detect, as any local access to the device can help to mitigate on-device detections. This is especially true when the attacker is, as in Leonardo’s case, part of the company’s <em>security unit</em>. A physical attack carried out by a person with high-level access is a <strong>worst-case scenario</strong> for any company or agency but, as we will see later, things might have taken a different turn if the malware involved was actually sophisticated. "</p><p></p><p><strong>Fujinama First Detection</strong></p><p></p><p>In January 2017, Leonardo’s Cyber Security Unit reported anomalous traffic from a number of endpoints operating in the <em>Pomigliano D’Arco</em> (Naples) office. The offending application name, <em>c<strong>ft</strong>mon.exe</em>, was a twist on a well-known Windows component, <em>c<strong>tf</strong>mon.exe</em>. The application was not recognized as malicious by the security solutions in use, but the network traffic was indeed highly anomalous. As we will see in the analysis, while the attacker was certainly persistent, the sophistication was also lacking; in fact the type of traffic generated eventually led to the identification of the threat. Unfortunately the CNAIPIC didn’t release any information on the threat, except for its filename and the C2 address used: <em>www[.]fujinama[.]altervista.org ( </em><a href="https://i.postimg.cc/3Rmmd7KM/2021-01-10-21-25-56.png" target="_blank"><em>shut down by the Italian police</em></a><em> )</em>, though this was enough to threat hunt in our dataset looking for traces of this malware.</p><p></p><p><strong>Hunting Down Fujinama</strong></p><p></p><p>The hunt for <em>Fujinama</em> started shortly after CNAIPIC’s bulletin was published.
Our <em>Threat Intelligence team</em> managed to find samples that reached our sensors network from 2018. From that point, we managed to pivot on a third sample that appears to be related to a different operation. Two of the three samples share the same keylogging capabilities but they point at two different C2s. A third sample, pointing to the <em>Fujinama</em> C2, is in all likelihood an evolution of the previous version that includes <em>screenshot capabilities</em>, <em>exfiltration</em> and <em>remote execution</em>. This specific sample, labeled <em>Sample 2</em> in the article, will be the focus of our behavioural analysis.</p><p></p><p>Fujinama was written in <strong>Visual Basic 6</strong> and it tries to mimic an internal Windows tool: <em>cftmon.exe</em> (as mentioned above, a twist on the legitimate <em>ctfmon.exe</em>).</p><p></p><p><strong>Main Flow</strong></p><p></p><p>The sample adopts a very simple sandbox evasion technique, sleeping for 60 seconds before activating the malicious flow, which consists of:</p><ul> <li data-xf-list-type="ul"><strong>Every 60 seconds</strong>: capturing a <strong>screenshot</strong> of the Desktop and uploading it to the C2</li> <li data-xf-list-type="ul">Installing a <strong>keylogger</strong> on the victim machine that sends all keystrokes to the C2</li> <li data-xf-list-type="ul"><strong>Every 5 minutes</strong>: checking on the C2 for the presence of a command used either to <strong>execute</strong> an application or to <strong>exfiltrate</strong> a specific file</li> </ul><p><strong>Screenshots</strong></p><p></p><p>The <em>Screenshot routine</em> simulates a keypress on the <em>PrtScn</em> button to capture the image of the desktop. The screen content is then saved from the clipboard to a <em>jpg</em> file in a temporary folder.
Finally, Fujinama uploads the newly created image to its C2, using an HTTP <em>POST</em> request with <em>content-type multi-part</em>, before deleting the file from the victim’s device.</p><p></p><p><strong>Keylogger</strong></p><p></p><p>The <em>keylogging routine</em> simply waits for user input; once a keystroke has been typed it is immediately uploaded to the C2. Surprisingly, the keystroke is transferred using a simple <em>GET</em> request. This approach, although ignored by the local antivirus, is both visible and noisy; most likely this is what gave away the presence of the malware on its first detection. "</p><p></p><p>Full source :</p><p>[URL unfurl="true"]https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa/[/URL]</p></blockquote><p></p>
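The quoted analysis describes three network and host traits that made Fujinama noisy: a process name that is a letter swap of the legitimate ctfmon.exe, one small HTTP GET per keystroke, and a multipart POST of a screenshot every 60 seconds. The block below, an added example that is not part of the original post or of ReaQta's article, turns those traits into threat-hunting logic over proxy-style log lines. The log format, the host name c2.example.invalid, the process names and all timestamps are constructed placeholders (the real C2 named in the post is not used); the thresholds are assumptions a hunter would tune to their own environment.

```python
"""Hunting heuristics for Fujinama-style traffic and process masquerading.

Assumed (hypothetical) proxy log format, one event per line:
    <epoch> <src_ip> <process> <method> <host> <path> <content_type> <bytes>
"""
from collections import defaultdict
from statistics import median

# Small allowlist of well-known Windows binary names; extend from your own golden image.
WINDOWS_BINARIES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}

# Constructed sample log: 10.0.0.5 shows per-keystroke GETs ("hello") and 60 s multipart
# POSTs from a misspelt ctfmon.exe; 10.0.0.7 is benign browser traffic for contrast.
SAMPLE_LOG = """\
1000.0 10.0.0.5 cftmon.exe GET c2.example.invalid /k.php?k=h - 0
1000.4 10.0.0.5 cftmon.exe GET c2.example.invalid /k.php?k=e - 0
1000.7 10.0.0.5 cftmon.exe GET c2.example.invalid /k.php?k=l - 0
1001.1 10.0.0.5 cftmon.exe GET c2.example.invalid /k.php?k=l - 0
1001.3 10.0.0.5 cftmon.exe GET c2.example.invalid /k.php?k=o - 0
1002.0 10.0.0.5 cftmon.exe POST c2.example.invalid /up.php multipart/form-data 183211
1062.1 10.0.0.5 cftmon.exe POST c2.example.invalid /up.php multipart/form-data 180944
1122.0 10.0.0.5 cftmon.exe POST c2.example.invalid /up.php multipart/form-data 184002
1182.2 10.0.0.5 cftmon.exe POST c2.example.invalid /up.php multipart/form-data 179870
1005.0 10.0.0.7 chrome.exe GET www.example.com /index.html - 0
1006.0 10.0.0.7 chrome.exe POST www.example.com /api/upload multipart/form-data 5321
1010.0 10.0.0.7 chrome.exe GET www.example.com /style.css - 0
"""


def parse_log(text):
    """Parse the hypothetical log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, method, host, path, ctype, size = line.split()
        events.append({"ts": float(ts), "src": src, "proc": proc.lower(), "method": method,
                       "host": host, "path": path, "ctype": ctype, "bytes": int(size)})
    return events


def lookalike_process(name, allowlist=WINDOWS_BINARIES):
    """Return the legitimate binary that `name` imitates via one adjacent transposition
    (ctfmon -> cftmon) or one substituted character (svchost -> svch0st); else None."""
    name = name.lower()
    if name in allowlist:
        return None
    for legit in allowlist:
        if len(legit) != len(name):
            continue
        diff = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
        if len(diff) == 1:
            return legit
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and name[diff[0]] == legit[diff[1]] and name[diff[1]] == legit[diff[0]]):
            return legit
    return None


def keystroke_bursts(events, window=5.0, min_requests=5, max_value_len=4):
    """Flag (src, proc, host) flows issuing >= min_requests GETs, each carrying a tiny
    query value, inside any `window` seconds: the one-GET-per-keystroke pattern."""
    per_flow = defaultdict(list)
    for e in events:
        if e["method"] != "GET" or "?" not in e["path"]:
            continue
        value = e["path"].split("?", 1)[1].split("=", 1)[-1]
        if len(value) <= max_value_len:
            per_flow[(e["src"], e["proc"], e["host"])].append(e["ts"])
    hits = []
    for flow, times in per_flow.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_requests:
                hits.append((*flow, j - i + 1))
                break
    return hits


def periodic_uploads(events, period=60.0, tolerance=5.0, min_uploads=3):
    """Flag flows whose multipart POSTs recur at a fixed cadence (screenshot beacon).
    Returns (src, proc, host, median_interval_seconds) per flagged flow."""
    per_flow = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["ctype"].startswith("multipart/"):
            per_flow[(e["src"], e["proc"], e["host"])].append(e["ts"])
    hits = []
    for flow, times in per_flow.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_uploads - 1:
            hits.append((*flow, round(median(regular), 1)))
    return hits


def hunt(log_text):
    """Run all three heuristics and return the findings as one dict."""
    events = parse_log(log_text)
    masquerade = sorted({(e["proc"], lookalike_process(e["proc"]))
                         for e in events if lookalike_process(e["proc"])})
    return {"masquerading_processes": masquerade,
            "keystroke_bursts": keystroke_bursts(events),
            "periodic_uploads": periodic_uploads(events)}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The three checks are independent on purpose: the name-swap check works from process telemetry alone, while the two traffic checks need only proxy or NetFlow-grade data with method, host and content type, which is the visibility the post says the network team had and the endpoint antivirus did not use.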