xHunt campaign detailed, new hacking tools discovered

News by Mark Mayne

A new and highly sophisticated campaign targeting transportation and shipping organisations based in Kuwait has been exposed.

A sophisticated hacking campaign that used a new toolset named after the anime series Hunter x Hunter and targeted infrastructure in Kuwait has been detailed by security researchers.

The campaign was active in May and June 2019, and involved a backdoor tool named Hisoka, as well as variants named Sakabota, Netero and Killua, according to researchers from Palo Alto's Unit 42.  

According to a blog post from the researchers, the backdoor tools use a host of stealthy techniques to communicate with the C2, including DNS tunneling and email drafts. The latter is quite unusual, according to the Unit 42 team. The method uses Exchange Web Services (EWS) and stolen credentials to create email "drafts" that carry communication between the actor(s) and the tool.

Ryan Olson, vice president of Threat Intelligence, Unit 42, Palo Alto Networks told SC Media UK: "Organisations can protect themselves by including security tools and capabilities that look for changes in a known good state, anomalous activity on Exchange servers, and those that can detect for DNS Tunneling. It is also a good practice to continue user cyber-security awareness and education initiatives."

The researchers believe that a single developer is behind all the tools, and also traced similarities back to intrusions in 2018, indicating a professional and dedicated group at work. 

Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK: "State-sponsored actors will often target shipping and transport, or other companies critical to a country's infrastructure. It's important therefore for such companies to invest appropriately into security controls and be able to prevent, detect, and respond to such threats.

"Having a good and reliable source of threat intelligence, and being able to look for indicators of compromise within one's environment is vital to be able to detect and respond to any emerging threats as they occur. However, it's also worth noting that while the initial access vector is not understood in this case, it will likely boil down to a handful of things such as phishing, social engineering, exploiting unpatched software, or similar. Therefore, it's important for companies to invest proportionally into those security controls which will prevent initial access and therefore minimise the risk of actively being exploited." 

Dave Weinstein, CSO at Claroty, echoed the sentiment: "Both the transportation and shipping industries are undergoing a great deal of digital transformation to drive efficiencies, thus opening up new attack vectors for malicious actors. It's critical for organisations in these sectors to gain visibility into the intersection of their corporate and operational networks as hackers are exploiting the former to target the latter."

The full list of IOCs is on Unit 42's GitHub repository.
