A new Advanced Persistent Threat (APT) group called ChamelGang has been targeting the aviation and energy sectors in Russia.
Reportedly, the attacks are not limited to Russia; they have also been observed in other countries such as India, Nepal, Taiwan and Japan. According to researchers, government servers are among the targets as well. Attacks on UK government servers may follow in the future.
As per the reports, ChamelGang focuses on compromising networks to steal data, and its first successful attack was recorded in March 2021. The attackers are capable of penetrating networks, and in 90% of the cases where they gain entry they steal information, a complete loss for the company including its sensitive data.
According to Infotechlead, ChamelGang compromised a subsidiary organization through a vulnerable version of a web application running on the open-source JBoss Application Server platform. By exploiting vulnerability CVE-2017-12149 (which Red Hat had fixed more than four years earlier), the criminals were able to remotely execute commands on the node.
The parent company was attacked soon afterwards. The attackers used a dictionary attack over Remote Desktop Protocol (RDP) to obtain the local administrator's password.
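An RDP dictionary attack like the one described above leaves a burst of failed logons (Windows Security event 4625, logon type 10) from one source, often followed by a success (event 4624) once the password is guessed. The following detection logic is an added example written for this article; it is not code from the article, from Infotechlead or from the researchers who reported on ChamelGang. It runs over a constructed, simplified one-line-per-event rendering of the Security log (real events are EVTX/XML and would need a proper parser); the sample IPs, timestamps and usernames are invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified one-line rendering of Windows Security events.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """
2021-09-01T10:00:01Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:02Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:03Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:04Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:05Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:06Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:00:07Z EventID=4624 LogonType=10 TargetUser=Administrator SourceIP=10.0.0.5
2021-09-01T10:05:00Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=10.0.0.9
2021-09-01T10:20:00Z EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=10.0.0.9
2021-09-01T10:21:00Z EventID=4624 LogonType=2 TargetUser=jdoe SourceIP=10.0.0.9
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with at least `threshold` RDP logon failures inside a sliding
    `window`, and record whether an RDP success from the same IP followed the burst.
    Returns {ip: {"failures", "users", "first", "last", "success_after"}}."""
    events = [e for e in (parse_event(l) for l in lines) if e and e["ltype"] == 10]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for e in events:
        ip = e["ip"]
        if e["event"] == 4625:
            bucket = recent[ip]
            bucket.append(e["ts"])
            # Drop failures that have aged out of the window.
            while bucket and e["ts"] - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                alert = alerts.setdefault(ip, {
                    "failures": 0, "users": set(), "first": bucket[0],
                    "last": e["ts"], "success_after": False,
                })
                alert["failures"] = max(alert["failures"], len(bucket))
                alert["last"] = e["ts"]
            recent_users = alerts.get(ip)
            if recent_users is not None:
                recent_users["users"].add(e["user"])
        elif e["event"] == 4624 and ip in alerts:
            # A success after a flagged burst is the high-severity case:
            # the password was most likely guessed.
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_dictionary_attacks(SAMPLE_EVENTS).items():
        sev = "HIGH" if a["success_after"] else "MEDIUM"
        print(f"[{sev}] {ip}: {a['failures']} RDP failures against {sorted(a['users'])} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"success afterwards: {a['success_after']}")
```

In the sample, 10.0.0.5 produces six failures in six seconds and then a successful RDP logon, so it is reported as HIGH; 10.0.0.9 has two failures fifteen minutes apart and a non-RDP success, so it is not flagged. The threshold and window are the tuning knobs; the mitigation that removes the attack surface altogether is not exposing RDP to untrusted networks and enforcing account lockout or MFA for remote logons.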
The attackers exploited a chain of related vulnerabilities in Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) called ProxyShell. This became public last month, and ever since it has been actively exploited by other APT groups. (Infotechlead)
ChamelGang has also been using new malware known as ProxyT, BeaconLoader and the DoorMe backdoor. The group also uses better-known tools such as FRP, Cobalt Strike Beacon and Tiny SHell.