December 4, 2023 at 10:01AM
BlackBerry uncovered ‘AeroBlade’, a new hacking group targeting the U.S. aerospace sector. Using spear-phishing attacks, AeroBlade deployed reverse-shell payloads for data theft, focusing on cyber espionage. The threat evolved from testing in 2022 to sophisticated attacks in 2023, with unknown origins and objectives speculated to be selling or leveraging stolen information.
Meeting Takeaways:
1. **Hacking Group Identity and Targeting**: A new cyber-espionage hacking group named ‘AeroBlade’ has emerged, specifically targeting organizations in the U.S. aerospace sector.
2. **Discovery and Timeline**: BlackBerry cybersecurity experts discovered the attacks, identifying an initial trial phase in September 2022 and a more sophisticated wave in July 2023.
3. **Attack Methodology**: AeroBlade utilizes spear-phishing techniques with documents carrying malware in an attempt to gain access to corporate networks. These attacks drop a reverse-shell payload which is used for file listing and data theft.
4. **BlackBerry’s Assessment**: The attacks are believed to be a form of commercial cyber espionage with the purpose of acquiring sensitive information from the targeted organizations.
5. **Campaign Details**:
– **Initial Attack Phase**: In September 2022, AeroBlade conducted phishing attacks using .docx files that, once opened, download a second-stage .DOTM file that contains malicious macros to establish a reverse shell.
– **Decoy Tactic**: The hackers present a decoy document to the victims to make them believe the received email document is legitimate.
– **Evolution of Attack Tools**: The payload, an obfuscated DLL, includes features to avoid detection, such as anti-analysis techniques and persistence through a scheduled task named ‘WinUpdate2’, and it has been evolving to increase in sophistication.
6. **Persistence Mechanism**: The malware ensures its continued presence through the Windows Task Scheduler by adding a task that remains even after system reboot.
7. **Consistency Across Attacks**: Despite the increasing complexity of the malware, both the initial and advanced attacks used the same C2 IP address for their reverse shells and similar phishing documents.
8. **Unclear Attribution**: The origins and precise objectives of AeroBlade remain undetermined, though there is speculation about intentions such as data theft for sale, providing information to international competitors, or for potential extortion purposes.
9. **Action Items**:
– There should be an increased focus on employee training for spotting and reporting phishing attempts.
– It may be advisable to review and strengthen network security measures, particularly around email filtering and endpoint protection.
– Consider consulting with BlackBerry or other cybersecurity entities for further insight and potential collaboration on defense strategies.