Saudi IT providers hit by supply chain attacks
Researchers at cybersecurity company Symantec have uncovered a new threat group dubbed 'Tortoiseshell' that is attacking IT providers.
The researchers identified 11 targets, most of them in Saudi Arabia. At two of them, hundreds of hosts were infected, which suggests the attackers had to compromise large numbers of machines in order to find the few that actually interested them.
The authors of the report note, "This is an unusually large number of computers to be compromised in a targeted attack. It is possible that the attackers were forced to infect many machines before finding those that were of most interest to them."
The group uses both custom and off-the-shelf malware. One of its tools is Syskit, a custom backdoor first seen in August this year. On infection, Syskit sends its command-and-control (C&C) server a profile of the compromised host: IP address, operating system version, computer name, MAC address, running applications and network connectivity information. It also accepts commands from the server, which can be used to download additional malware, launch PowerShell to unzip a file, or run commands through the Command Prompt (cmd.exe).
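The command-execution behaviour described above (a backdoor launching PowerShell to unzip a file, or running commands through cmd.exe) is the kind of activity that process-creation telemetry can surface. What follows is an added example, not code from Symantec's report or from this article: a heuristic run over constructed process-creation events that flags such launches when their parent process is not one from which a user would normally start a shell. The event fields, the allow-list of expected parents, the file paths and the host names are all assumptions made for illustration; none of them are Syskit indicators.

```python
"""Heuristic hunt over process-creation events (added example).

Flags PowerShell-based unzipping and cmd.exe /c execution when the parent
process is not an expected interactive launcher. Event layout, allow-list
and sample data are assumptions for this example, not Syskit indicators.
"""
from dataclasses import dataclass
from typing import Dict, List

# Parents from which a user-driven PowerShell or cmd.exe launch is expected.
# Assumption for the example; tune to the environment being monitored.
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe", "code.exe"}

# Command-line fragments that show PowerShell is being used to unzip a file.
UNZIP_MARKERS = ("expand-archive", "system.io.compression", "extracttodirectory")


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev: ProcEvent) -> List[str]:
    """Return reasons why this event looks like backdoor-driven command
    execution; an empty list means nothing matched."""
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    reasons: List[str] = []
    if parent in EXPECTED_PARENTS:
        return reasons  # interactive use by a user; not what we are hunting
    if image in ("powershell.exe", "pwsh.exe"):
        if any(marker in cmd for marker in UNZIP_MARKERS):
            reasons.append(f"PowerShell unzip launched by {parent}")
    elif image == "cmd.exe" and " /c " in f" {cmd} ":
        reasons.append(f"cmd.exe /c launched by {parent}")
    return reasons


def scan(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Group findings by host: a campaign that touches hundreds of hosts
    needs per-host triage, not a flat list of alerts."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for reason in flag_event(ev):
            hits.setdefault(ev.host, []).append(reason)
    return hits


# Constructed sample telemetry (not real artefacts): one benign user action
# on WS-01, and two launches on SRV-07 from a parent under ProgramData, which
# this example treats as an unexpected launcher.
SAMPLE_EVENTS = [
    ProcEvent("WS-01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Expand-Archive -Path report.zip -DestinationPath C:\\Users\\alice\\Documents"),
    ProcEvent("SRV-07", r"C:\ProgramData\svc\updater.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Expand-Archive -Path C:\\ProgramData\\svc\\p.zip -DestinationPath C:\\ProgramData\\svc"),
    ProcEvent("SRV-07", r"C:\ProgramData\svc\updater.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c ipconfig /all & tasklist"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The parent allow-list is the weak point of any heuristic like this: a backdoor injected into explorer.exe would pass it, and a legitimate deployment agent under ProgramData would trip it, so in practice the list is tuned per environment and the output is treated as a triage queue rather than a verdict.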
The targeting of IT providers points strongly to these being supply chain attacks, the probable end goal being to gain access to the networks of some of the providers' customers. Supply chain attacks have been increasing in recent years, with Symantec seeing a 78 percent increase in 2018.
You can find out more about the attacks on the Symantec blog.