Threat Alert

by IthacaLabs™

THREAT LEVEL/High 05/10/2021

A New APT group has emerged targeting fuel, energy, and aviation industries

Threat Level Description

Threat Level: High – An attack is highly likely. Additional, sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

A new APT group targeting the fuel, energy and aviation industries in Russia and Asia has been identified.

This APT (Advanced Persistent Threat) group uses current intrusion techniques and vulnerability exploitation to breach organizations, remotely execute commands on compromised hosts and deploy malicious payloads that let it launch malware with elevated privileges. From there the threat actors can perform reconnaissance and pivot laterally across the network.

The APT group, named “ChamelGang”, first appeared in March, disguising its malware and network infrastructure as legitimate services of Microsoft, TrendMicro, McAfee, IBM and Google.

“ChamelGang” has been found to leverage the “ProxyShell” chain of vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) affecting Microsoft Exchange Server to drop additional web shells and conduct remote reconnaissance on the compromised nodes, ultimately leading to the installation of a modified version of the “DoorMe” implant. The chain requires no prior authentication against an Internet-exposed Exchange server. The “DoorMe” malware is a backdoor with expanded capabilities to run arbitrary commands and carry out file operations.
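The following Python script is an added example, not code from this alert or from the ChamelGang research, showing how the ProxyShell activity described above can be hunted in IIS W3C logs from an Exchange front end. The log lines are constructed. The detection rests on the exploit's Autodiscover path-confusion request (an `@` in the query plus a smuggled back-end path such as `/powershell` or `/mapi/nspi`, or a second copy of `autodiscover.json` in the `Email` parameter) and deliberately does not fire on the `@` alone, because legitimate Autodiscover v2 lookups carry one in their `Email` parameter. The `aspnet_client` web-shell rule is a generic heuristic for the paths where web shells dropped through this chain have commonly been observed, not a ChamelGang-specific indicator.

```python
"""Triage IIS W3C logs from an Exchange front end for ProxyShell-style requests.

Added example, not part of the original alert. The log lines in SAMPLE_LOG are
constructed for illustration; the field list mirrors a typical W3C layout.
"""

# Back-end paths that a ProxyShell request smuggles behind the Autodiscover
# front end; a benign Autodiscover v2 lookup carries none of these.
BACKEND_TOKENS = ("/powershell", "/mapi/nspi", "/ews/", "x-rps-cat=")

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-09-30 10:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 443 - 198.51.100.7 Mozilla/5.0 200
2021-09-30 10:12:44 10.0.0.5 GET /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.26.0 200
2021-09-30 10:12:45 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 203.0.113.9 python-requests/2.26.0 200
2021-09-30 10:13:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@example.test&Protocol=Autodiscoverv1 443 - 198.51.100.12 Outlook/16.0 200
2021-09-30 10:14:10 10.0.0.5 POST /aspnet_client/sys.aspx - 443 - 203.0.113.9 python-requests/2.26.0 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            # Truncated or otherwise malformed line: skip it rather than
            # mis-assign columns and produce a false result.
            continue
        yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name for a suspicious record, or None."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()

    # ProxyShell: the Autodiscover path-confusion request carries an '@' and
    # either a back-end path or a second copy of autodiscover.json in the
    # query. A legitimate Autodiscover v2 lookup also contains '@' (in the
    # Email parameter), so the '@' alone is not enough to flag.
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        if any(tok in query for tok in BACKEND_TOKENS) or "autodiscover.json" in query:
            return "proxyshell_autodiscover_ssrf"

    # Heuristic: web shells dropped by the chain have commonly been written
    # under aspnet_client and are then driven with POST requests.
    if method == "POST" and "/aspnet_client/" in stem and stem.endswith(".aspx"):
        return "possible_webshell_post"

    return None


def triage(log_text):
    """Return (rule, client ip, requested url) for every flagged line."""
    hits = []
    for rec in parse_w3c(log_text):
        rule = classify(rec)
        if rule:
            url = rec["cs-uri-stem"]
            if rec.get("cs-uri-query", "-") != "-":
                url += "?" + rec["cs-uri-query"]
            hits.append((rule, rec["c-ip"], url))
    return hits


if __name__ == "__main__":
    for rule, ip, url in triage(SAMPLE_LOG):
        print(f"{rule:30} {ip:15} {url}")
```

Run it over the real `C:\inetpub\logs\LogFiles\W3SVC1\*.log` files from the Exchange front end and pivot on the flagged client IPs; a hit on the first rule followed by POSTs to a freshly created `.aspx` file is the sequence to chase.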

Furthermore, the “ChamelGang” group has been found to exploit a deserialization flaw in Red Hat JBoss Enterprise Application Platform (CVE-2017-12149) that gives it the ability to remotely execute commands on target hosts and deploy malicious payloads, leading to the launch of malware with elevated privileges.
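As an added example that is not part of this alert, the following Python code flags requests to the JBoss HTTP Invoker servlets that carry Java-serialized data, the delivery mechanism for CVE-2017-12149, and parses the class name of the first object in the stream so an analyst can see which gadget chain was sent. The request is constructed; the servlet paths are those exposed by the HTTP Invoker in JBoss AS/EAP 5 (the ReadOnlyAccessFilter fronts `/invoker/readonly`), and only the most common stream opening (TC_OBJECT followed by TC_CLASSDESC) is parsed.

```python
"""Flag Java-serialized payloads posted to the JBoss HTTP Invoker servlets.

Added example, not part of the original alert. The request in
SAMPLE_REQUEST is constructed; the servlet paths are the ones the HTTP
Invoker exposes in JBoss AS/EAP 5 (ReadOnlyAccessFilter fronts
/invoker/readonly).
"""
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION 5
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
INVOKER_PATHS = ("/invoker/readonly", "/invoker/jmxinvokerservlet", "/invoker/ejbinvokerservlet")
SERIALIZED_CT = "application/x-java-serialized-object"


def first_class_name(body):
    """Class name of the first object in a Java serialization stream, or None.

    Only the common TC_OBJECT / TC_CLASSDESC opening is handled; streams that
    start differently (arrays, strings, back-references) return None so the
    caller still sees the magic-based finding.
    """
    if not body.startswith(JAVA_SERIAL_MAGIC):
        return None
    pos = len(JAVA_SERIAL_MAGIC)
    if len(body) < pos + 4 or body[pos] != TC_OBJECT or body[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    (name_len,) = struct.unpack_from(">H", body, pos)   # modified-UTF length prefix
    pos += 2
    name = body[pos:pos + name_len]
    if len(name) != name_len:
        return None          # truncated stream
    return name.decode("utf-8", errors="replace")


def classify_request(method, path, headers, body):
    """Return a finding dict for requests aimed at the HTTP Invoker, else None."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    p = path.split("?", 1)[0].lower()
    if not any(p == ip or p.startswith(ip + "/") for ip in INVOKER_PATHS):
        return None
    serialized = body.startswith(JAVA_SERIAL_MAGIC) or lowered.get("content-type", "").startswith(SERIALIZED_CT)
    if method.upper() == "POST" and serialized:
        return {"rule": "java_deserialization_to_http_invoker", "path": p, "first_class": first_class_name(body)}
    # Any request to the invoker servlets is worth recording even without a
    # serialized body: the endpoint is reachable without authentication.
    return {"rule": "http_invoker_request", "path": p, "first_class": None}


def build_sample_payload(class_name):
    """Constructed stream prefix: magic, TC_OBJECT, TC_CLASSDESC, class name.

    Eight zero bytes stand in for serialVersionUID; a real gadget chain
    continues with the class description and field data.
    """
    name = class_name.encode("utf-8")
    return JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 8


SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/invoker/readonly",
    "headers": {"Content-Type": SERIALIZED_CT, "Host": "jboss.example.test"},
    # Class name chosen for the constructed sample; in a real payload the
    # first class is what identifies the gadget chain being used.
    "body": build_sample_payload("java.util.PriorityQueue"),
}

if __name__ == "__main__":
    print(classify_request(**SAMPLE_REQUEST))
```

Feed `classify_request` from a reverse-proxy or WAF log that retains request bodies, or from a packet capture of the JBoss listener; the class name is the value to search for when matching the payload to a known gadget chain.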

This malicious activity poses an increased and imminent threat to fuel/energy complexes and aviation industries worldwide and could lead to significant financial and reputational damage.

CVE(s)

CVE-2021-34473

BASE SCORE (CVSS v2): 10.0 High

VECTOR: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-31196 and CVE-2021-31206.

CVE-2021-34523

BASE SCORE (CVSS v2): 7.5 High

VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Microsoft Exchange Server Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-33768 and CVE-2021-34470.

CVE-2021-31207

BASE SCORE (CVSS v2): 6.5 Medium

VECTOR: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2017-12149

BASE SCORE (CVSS v2): 7.5 High

VECTOR: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

In the JBoss Application Server shipped with Red Hat JBoss Enterprise Application Platform 5.2, the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, allowing an unauthenticated attacker to execute arbitrary code via crafted serialized data.

Affected Systems

  • N/A

Recommendation(s)

Security updates matter, and so does the urgency with which they are applied, regardless of the size of your organization. Apply the Microsoft Exchange Server security updates that address CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, and patch or isolate any JBoss Enterprise Application Platform instances affected by CVE-2017-12149; Internet-facing Exchange servers and JBoss HTTP Invoker endpoints are the most urgent, since both flaws are exploitable without authentication. Beyond that, operate an effective patch management process, keep security event logging enabled and monitor those events actively. Protecting the valuable assets of your business and staying compliant with the relevant industry regulations requires a comprehensive approach to risk management, including penetration testing at least annually and upon significant changes.

The guidelines below will help you protect against malware and its associated security threats:
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup that is kept offline or otherwise isolated from the systems it protects.
* Consider enabling “Show hidden file extensions”. Ransomware such as CryptoLocker frequently arrives as a file named with a double extension such as “.PDF.EXE”, counting on Windows’ default behaviour of hiding known file extensions.
* Filter executable files in email. If your email gateway can filter attachments by extension, consider blocking messages that carry “.exe”, “.scr” or “.bat” files, or files with two extensions where the last one is executable.
* Disable files running from the AppData and LocalAppData folders. You can create rules within Windows or with host intrusion prevention software to block a notable behaviour used by ransomware: running its executable from the AppData or Local AppData folders.
* Disable macros in Microsoft Office files. Office files are effectively a file system within a file, and they include a powerful scripting language that can automate almost any action a full executable could perform. Disabling macros deactivates that scripting language.
* Keep your antivirus up to date and use real-time protection.
* Implement a Security Awareness program for all management and staff, designed to raise understanding of social engineering and security threats in general.

Finally, if a system is compromised, it should be isolated from the network immediately rather than powered off, so that volatile evidence is preserved for the investigation.
