CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bangladesh Embassy Website in Cairo Compromised

In the world of Phishing emails, we often see schemes which involve enticing users to open a malicious document, sometimes disguised as a form of some sort. In the world of web attacks, we see less of these, as it usually takes a lot more to convince a user casually browsing the internet to download and open a document. But what if the user is visiting a government site where forms are generally in abundance? It looks like this time attackers decided to try their luck and find out.

At the end of October 2018, we saw a block in our Trustwave Cloud SWG product for a government facility domain. An examination into the block showed that the reason was the presence of the CoinImp web miner on the site. Now, we’ve been seeing a lot of web miner injections throughout 2018 so on the surface this case didn’t seem like anything special.

The same domain, however, drew our attention again at the beginning of January of 2019, when we once more saw a detection from CSWG for that domain, but this time for a Microsoft Word document with an embedded malicious EPS script.

After a closer investigation we saw that the Bangladesh embassy in Cairo website appears to be under control of intruders. Attempts to access almost any URL on the website ends with a request to save a file, with only a few pieces of content (like the visa application form file) still accessible:  

Embassy compromised pageFigure 1: Real visa application form on the site (left) and every other page on the site returning a malicious document (right)


This level of compromise usually indicates the attacker’s ability to not only upload their own data, but also change the web server’s configuration.

Despite this, it looks like detection rates for this malicious page are low:

scanning results

Figure 2: VirusTotal scan results for the URL


This office document contains an EPS file and exploits a use-after-free vulnerability, CVE-2017-0261. It seems that the EPS file was modified at the end of October 2018, which coincides with the timeline of the first infection dates we noticed. This could, of course, be a coincidence and we can never know the attacker’s intentions with certainty, but it’s possible that after running wider infection campaigns infecting sites with a web miner, the attacker looked through their victims to find more interesting targets to leverage further.

Once the EPS file is executed two binaries are extracted which exploit CVE-2017-7255, one for each of x86 and x64 architectures, this exploit provides privilege escalation for the execution of the main payload.

Finally, the Godzilla loader is dropped. The loader then gathers information about the infected machine, checks for internet connectivity by attempting to reach out to Wikipedia.org, and given that connectivity is possible, communicates back with the C2 server.

Godzilla panel

Figure 3: The Godzilla loader administration panel


Once communication is established with the C2 server, further executables can be dropped at the attacker’s will, in our case an additional downloader which downloaded a cryptominer was the selected payload.

It is possible that the intruders who injected the web miner into the site decided to make a shift from web mining to machine infection in order to install a more persistent cryptominer on victim machines.

A couple of indicators in this incident tell us that despite this being an embassy site, this is not an APT performing a sophisticated attack: The infection is very noisy (the site is essentially not functioning as a result of the attack), and the downloaded file was not particularly tailored to the site (a generic “conference details” name with a blank document opening).

Despite this lack of sophistication, we need to consider the potential of such an attack: An embassy site is, for all intents and purposes, a government site. This attacker was not an APT, but they could have been. The attack may not have been sophisticated, but it could have been. The fact that a non-sophisticated attacker managed to compromise a government site raises even more concern, if anything, and the potential harm under those conditions is much greater than a cryptominer infection.

We contacted the compromised domain and alerted them about the infection, unfortunately at the time of publishing this blog the site remains infected.

Trustwave SWG customers are protected from the malicious document, the malicious payloads and the attempts to communicate with Godzilla C2 server:

Trustwave Secure Web Gateway



Latest SpiderLabs Blogs

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More