Saturday, September 23, 2017

Sony Hackers Still Active, 'Darkhotel' Checks Out Of Hotel Hacking

How some cyber espionage and other advanced attack groups don't go dark anymore after being outed.

The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. “They didn’t disappear when the dust settled” after the Sony attacks, says Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab.

Guerrero-Saade and fellow researcher Jaime Blasco last week at the Kaspersky Security Analyst Summit in Tenerife, Spain, detailed new activity by the Sony hackers. “It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,” said Blasco, who is vice president and chief scientist of AlienVault.

The attacks are mainly intelligence-gathering efforts, but occasionally they include wiping disk drives, he said. The attackers, which the US government says came out of North Korea, pummeled Sony, wiping disk drives and doxing emails and other sensitive information.

There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. “They would immediately shut down their infrastructure when they were reported on,” said Kurt Baumgartner, principal security researcher with Kaspersky Lab. “You just didn’t see the return of an actor sometimes for years at a time.” But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity.

Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives.

Darkhotel is no longer waging hotel-targeted attacks -- but they aren’t hiding out, either. In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. “Within 48 hours, they took the Flash exploit down … They left a loosely configured server” exposed, however, Baumgartner told Dark Reading. “That’s unusual for an APT [advanced persistent threat] group.” The Darkhotel group appears to care less about its infrastructure and more about its advanced attack techniques, he says. “Public exposure isn’t going to affect them,” he says. “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active,” including sending rigged links to Southeast Asia targets via Webmail services.

‘No Such Actor’

Meantime, one of the most advanced and infamous nation-state threat actor groups has been dark for more than a year. Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air-gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected nor erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.

“I would assume they are active but just changed their” communications, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”

Just how APT groups from various regions react to being outed is often a cultural thing. “The Far Eastern [APTs] don’t seem to care too much” about hiding out after being outed, he told Dark Reading.
“The rest of the world cares a bit more.” One exception to that is the attack group behind the US Office of Personnel Management (OPM) breach, he says. “They are a different kind of fish. The moment they got discovered,” they shifted gears, he says. “We found traces of activity related to those guys. But it was at another level of skills and capabilities versus other Chinese-speaking groups.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com.

Experts: what ATM jackpotting malware is

Kaspersky Lab security researchers Santiago Pontiroli and Roberto Martinez explain how ATM malware works in Latin America and why it’s difficult to discover ‘jackpotting’ malware. From the Kaspersky Security Analyst Summit 2016 in Tenerife, Spain.

Ukraine Railway, Mining Company Attacked With BlackEnergy

Weeks after the malware played a role in a massive power outage in the Ukraine, BlackEnergy and its cohort KillDisk were used in other attacks as well, Trend Micro says.

Even as questions continue to swirl around the role of the BlackEnergy malware family in the widespread power outage in Ukraine on December 23, there are signs the same toolkit is being used in attacks against industrial control systems in other sectors as well.
Security vendor Trend Micro says new intelligence shows that whoever was behind the power grid attacks also may have attempted similar attacks against a large railway operator and a mining company in the Ukraine.

An inspection of telemetry data obtained from the open source intelligence community shows that BlackEnergy and its integrated KillDisk component for erasing hard disks were used in both attacks. The BlackEnergy and KillDisk infrastructure used in the attacks on the mining and rail transportation firms was the same as the one used to launch the December attacks on Ukraine power distributor Prykarpattya Oblenergo that resulted in 30 substations getting knocked off the grid, according to Trend's findings. More than 100 cities suffered a total blackout while dozens of others experienced a partial power disruption as a result of that attack. “Based on our research, we can say we believe that the same actors are likely involved in some regard to these two victims and to those behind the Ukrainian power utility attack," Trend Micro senior security researcher Kyle Wilhoit said in a blog post.

The remarkable overlap between the malware used in the attacks, the naming conventions, the infrastructure, and the timing of the attacks hint strongly at a connection between the three campaigns, he concluded. The attacks suggest that the attackers are either seeking to use cyberattacks to cause massive and persistent disruption to Ukraine's power, transportation, and mining infrastructure, or are deploying the malware on different critical infrastructure targets in Ukraine to try and figure out the most vulnerable ones, he said.

The hacking of industrial control systems at the railway and mining companies in Ukraine, if true, represents a troubling expansion of the BlackEnergy campaign, says Dean Weber, chief cyber architect at Mission Secure Inc., which specializes in control systems security. The attack on Ukraine’s power grid represents the first time since Stuxnet degraded Iran’s uranium processing capability in 2010 that a cyberattack has been used to cause a physical outcome, he says.

To pull it off, the attackers basically appear to have compromised a human-machine interface (HMI) system at Prykarpattya Oblenergo and used the access to instruct the underlying industrial control system to open a series of circuit breakers, causing power to be shut down in multiple areas, Weber says. Some have attributed the attack to a Russian hacking group dubbed the Sandworm team, which has been associated with BlackEnergy-related attacks on energy companies in the US and Europe for years, he notes.

Though an inspection of the compromised system at the Ukraine power distributor revealed the presence of BlackEnergy 3 and KillDisk, security researchers are not entirely sure what role the malware played in actually leading to the switches being thrown open.
BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems.

The US ICS-CERT -- which yesterday issued a new YARA signature for detecting BlackEnergy -- recently confirmed that several US organizations have reported infections on Windows-based human-machine interface systems (HMI) that are used to interact with back-end industrial control systems. ICS-CERT has not identified instances where BlackEnergy has been used to damage or modify control processes on a victim system, or if the malware operators used it to expand their access beyond the compromised HMI.

The CERT also has noted in its analysis of the attack on the Ukraine power grids that a version of BlackEnergy 3 with the KillDisk utility was indeed present on the system that was compromised. “Everybody should be up at night about this,” MSi's Weber says. “Everything that relies on an industrial control system, whether it be an oil and gas facility, a pipeline, a ship or a power generator, are run by HMIs,” and such an attack shows how they could be compromised.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism.

3 Flavors of Machine Learning: Who, What & Where

To get beyond the jargon of ML, you have to consider who (or what) performs the actual work of detecting advanced attacks: vendor, product or end-user.

The great promise machine learning holds for the security industry is its ability to detect advanced and unknown attacks -- particularly those leading to data breaches.

These range from traditional uses -- such as malware detection -- to new areas like attack detection for hackers who have circumvented preventative security. Unfortunately, machine learning, which is rapidly becoming a popular marketing term, has lost much of its meaning because virtually all vendors define it differently. One way to get beyond the jargon is to look at ML from the perspective of who actually performs it, and where.

But first, some basic concepts and definitions. The strength of any ML algorithm is only as strong as the data modeling behind it; the actual algorithm in use only plays a secondary role.
If the selected data does not include parameters that can predict the result, you can use fancy algorithms, but the accuracy of the results will be very low.

They will also generate a lot of noise when used outside of a lab environment. A basic principle in data science is that simple schemes with the right data modeling work better than complex schemes. So in evaluating options, it’s wise to look for vendors that have real domain expertise rather than a large staff of PhDs.

That’s because understanding the parameters and various scenarios is more important than the development of an algorithm for correlating data.

Domain expertise directly affects the quality of the data modeling.

Consequently, if it’s hard to understand how ML is used, it probably means that it is not relevant to the way the product works. As for understanding the various flavors of ML, one approach is to divide products into categories based on who (or what) actually performs the machine learning work: the vendor, the product or the end-user.

The Vendor

The vast majority of cases using the term machine learning actually describe one of the tools that the vendor uses to develop their product or generate threat intelligence.
In these cases, the vendor is actually performing ML in their lab, rather than the product doing it on premise. A typical example: AV and URL filtering vendors that perform ML behind the scenes.
In order to keep their signatures (or threat intelligence) reasonably current and to process heavy loads of malware and viruses that have been encountered, vendors need to leverage ML in their labs to automate the classification and signature creation process.

This use of ML occurs in the vendor’s lab and results in signatures or threat intelligence that the product then uses to detect specific patterns or artifacts. Typical products: AV, sandboxing, anti-bot, whitelisting and rule-based event correlation. Advantage: the products are deterministic and will always operate in the same way, regardless of the environment. Disadvantage: the products are rule-based and can leverage only known artifacts, which leads to low detection accuracy (e.g. AVs inherently don’t detect new malware well). Attackers can circumvent detection and test against the product.

The Product

Some products perform ML as an integral part of their function, typically for behavioral detection.
In this case the product “learns” the specific environment and uses that information for detection.

For example, observing a user or machine starting to access resources it never accessed before and ones that the user’s peer group doesn’t typically access.

There is no predetermined rule, signature or pattern that can detect this. You can only achieve an accurate detection by profiling normal behavior in the particular network and applying that knowledge to detect anomalous behavior. “Behavioral analysis” by itself doesn’t mean machine learning. Many products look at behaviors and apply rules or signatures.
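As an added illustration (not code from the article or its author), here is a toy version of the peer-group profiling described above: a baseline is learned from a constructed training window, and an access is flagged only when the resource is new for the user and outside what most of the user's peer group normally touches. The log format, the user-to-group mapping and the 50% peer threshold are assumptions.

```python
"""Toy peer-group baseline profiler (added example, not from the article).

The product learns what each user and peer group normally touches during a
training window, then flags an access that is new for the user AND outside the
peer group's normal footprint.  No predefined signature could express this,
because "normal" is only known after observing this particular environment.
"""
from collections import defaultdict

# Assumed user -> peer-group mapping (e.g. from a directory).  Constructed.
PEER_GROUPS = {
    "alice": "finance", "bob": "finance", "carol": "finance",
    "dave": "engineering", "erin": "engineering",
}

# Constructed access log for the training window.  Assumed format:
# "<timestamp> <user> <resource>", one access per line.
TRAINING_LOG = """\
2016-02-01T09:00:00Z alice fileshare://finance/ledger
2016-02-01T09:05:00Z alice erp://gl
2016-02-01T09:10:00Z bob fileshare://finance/ledger
2016-02-01T09:12:00Z bob erp://gl
2016-02-01T09:15:00Z bob erp://payroll
2016-02-01T10:00:00Z carol fileshare://finance/ledger
2016-02-01T10:02:00Z carol erp://payroll
2016-02-01T10:30:00Z dave git://repo/core
2016-02-01T10:31:00Z dave ci://build
2016-02-01T11:00:00Z erin git://repo/core
2016-02-01T11:01:00Z erin ci://build
2016-02-01T11:05:00Z erin git://repo/infra
"""

# Constructed events from the detection window, after the profile is frozen.
EVAL_LOG = """\
2016-02-10T09:01:00Z alice erp://payroll
2016-02-10T09:02:00Z alice git://repo/infra
2016-02-10T09:03:00Z dave git://repo/infra
2016-02-10T09:04:00Z dave erp://gl
2016-02-10T09:05:00Z bob erp://gl
2016-02-10T09:06:00Z erin fileshare://finance/ledger
"""


def parse_log(text):
    """Yield (user, resource) pairs from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2]


class PeerBaseline:
    def __init__(self, peer_groups, min_peer_fraction=0.5):
        self.groups = peer_groups
        # Share of peers that must already use a resource for a first-time
        # access by this user to count as normal.  A tuning knob, not a rule.
        self.min_peer_fraction = min_peer_fraction
        self.user_resources = defaultdict(set)
        self.group_members = defaultdict(set)
        for user, group in peer_groups.items():
            self.group_members[group].add(user)

    def learn(self, events):
        """Profiling period.  Caveat: whatever already happens in this
        window (including an attacker already inside) becomes 'normal'."""
        for user, resource in events:
            self.user_resources[user].add(resource)

    def peer_fraction(self, user, resource):
        """Share of the user's peers (excluding the user) using the resource."""
        peers = self.group_members[self.groups.get(user)] - {user}
        if not peers:
            return 0.0
        hits = sum(1 for p in peers if resource in self.user_resources[p])
        return hits / len(peers)

    def score(self, user, resource):
        """Return (is_anomalous, reason) for a single access."""
        if resource in self.user_resources[user]:
            return False, "resource previously used by this user"
        frac = self.peer_fraction(user, resource)
        if frac >= self.min_peer_fraction:
            return False, f"new for user, but {frac:.0%} of peers use it"
        return True, f"new for user and only {frac:.0%} of peers use it"

    def detect(self, events):
        """Return (user, resource, reason) for every anomalous access."""
        alerts = []
        for user, resource in events:
            flagged, reason = self.score(user, resource)
            if flagged:
                alerts.append((user, resource, reason))
        return alerts


def run_demo():
    """Train on the constructed baseline, then evaluate the later events."""
    baseline = PeerBaseline(PEER_GROUPS)
    baseline.learn(parse_log(TRAINING_LOG))
    return baseline.detect(parse_log(EVAL_LOG))


if __name__ == "__main__":
    for user, resource, reason in run_demo():
        print(f"ALERT {user} -> {resource}: {reason}")
```

Alice opening payroll is quiet because her finance peers already use it, while her first touch of an engineering repository is flagged; the same resource is normal for Dave because his peer uses it.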

For example, sandboxing products typically run malware in a sandbox environment, examine its behavior and then compare the behavior against a list of rules previously developed by the vendor in their lab (using different methods, including machine learning).
In this case the product itself does not perform any ML.

A product that performs ML must have a self-training/learning/profiling period. Products that don’t operate this way do not belong in this category, even if they are said to perform “behavioral analysis” or “detection”. A relatively new security application for machine learning is detection of attacks that have evaded preventative security. While malware detection doesn’t necessarily need ML-capable products, more general behavioral attack detection is usually based around the activities of a human attacker or insider.

The system has to essentially customize its logic to the environment in order to accurately detect the activities.

This area represents a substantial break from traditional security in that the goal is to identify unknown anomalous behaviors that neither the end user nor the vendor specified in advance, rather than evaluate against known, already-defined technical artifacts. Typical products: fraud detection, anomaly detection, attack detection, behavioral detection.

A product in this category has to have a self-learning/profiling period, so other “behavioral analysis” products are not included here. Advantage: Leveraging ML, these products can obtain higher detection accuracy and a lower rate of false positives.

They automatically optimize their detection to every specific environment and could detect unknown things that the end-user or vendor would not need to specify in advance.

Additionally, these can’t be “gamed” by hackers in the way a statically defined technical artifact can be known and thus circumvented by an attacker. Disadvantage: The detection depends on the profile of the specific environment, making the process less predictable.

The products are optimized less for generic queries on the data and more for automated detection.

The End-user

This category includes products that are toolkits used by data scientists to perform ML.

For example, business intelligence (BI) tools enable the end user to define datasets, run correlations, regressions and clustering algorithms.
In this case the end user is the data scientist who leverages ML, and the product is only a tool at his or her disposal.

The end user decides which data to process, what parameters to use and how to interpret the results. Typical products: Business intelligence products, mathematical/statistical analysis toolkits, SIEM products with analytics toolkits. Advantage: Lets the user perform custom analytics on custom datasets. Disadvantage: Can only be leveraged if the security team has data scientists.

The responsibility is on the analyst rather than the tool to define the problem, the input data and the conclusions.

The analyst would not be able to see patterns that he or she wasn’t looking for.
In order to allow custom analytics, the collection of data is a heavy task that requires additional products and storage.

Giora Engel is vice president, product & strategy at LightCyber.

Cross-platform Adwind RAT

Kaspersky Lab researcher Vitaly Kamluk gave a talk about the latest version of the cross-platform Adwind RAT.

The remote access Trojan is unique in that it’s written in JavaScript, giving this version — which is also known as Frutas, AlienSpy and JSocket — the flexibility to be used liberally in cybercrime operations as well as in targeted attacks.

From the Kaspersky Security Analyst Summit 2016 in Tenerife, Spain.

Moscow Raids Could Signal End Of Dyre Bank Trojan

Police keep mum as malware activity flatlines

One of the worst examples of financial malware appears to have fallen silent after operators were reportedly arrested in Moscow after a rare raid by the Federal Security Service of the Russian Federation (FSB). Reuters reports Russian police raided Moscow film studio 25th Floor and a neighbouring office in November. Western law enforcement authorities are apparently aware of the incident, but Moscow has kept mum, with requests to the FSB for comment unanswered at the time of writing. The Register has inquired with police and threat intelligence sources previously tracking the malware group.

Little is known about the gang behind the Dyre malware. It is understood to have links to the FBI's most wanted cyber criminal Evgeniy Mikhailovich Bogachev, aka Slavik, who switched over to the crimeware after his pet project Gameover was taken down in raids by authorities. The malware is an advanced trojan capable of evading white hat analysis tools and antivirus products and was spreading rapidly last year.

But Dyre became less so as 2015 wore on, then fell silent in November. It is known to be responsible for inflicting tens of millions of dollars in damages to Western banks and businesses in the US, the UK, and Australia, spreading through dozens of separate spam and phishing campaigns since June 2014. In May Dyre was fingered for stealing some US$5.5 million from budget carrier RyanAir and has fleeced individual businesses of up to $1.5 million each in large scale wire transfers using stolen online banking credentials.

[Figure: Dyre flatlines. Image: IBM.]

IBM analysis shows the Dyre activity flatlined in November after a steady decline since October. Sudden silence from malware operators is generally a hallmark of arrests in the cybercrime world, but an intentional hiatus is not without precedent. Researchers from Russia's Kaspersky Labs reported the Carbanak gang had resumed campaigns with renewed gusto after falling silent for five months last year, during which time analysts assumed the gang had disbanded.

[Figure: Dyre's domination. Image: IBM.]

IBM security expert Limor Kessem suggests the dearth of activity gives credibility to the possible arrests. "It has been close to three months now since Dyre went silent," Kessem says. "This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble." Kessem says the arrests, if confirmed, would be one of the most significant in Russia's history. "A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks," she says. "But Dyre’s absence will also give a bigger market share to other malware."

How I hacked my hospital

Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT gave a talk about several critical vulnerabilities he found in one hospital’s IT infrastructure.

From the Kaspersky Security Analyst Summit 2016 in Tenerife, Spain.

Skype Users Warned Of T9000 Malware Threat

Skype users are at risk of being infected with a new trojan dubbed T9000 that can record video calls, audio calls and chat messages. Researchers at Palo Alto Networks discovered the new type of backdoor malware and explained that once installed it can evade detection by many popular antivirus systems, including some big names such as Kaspersky and Panda. The full list from Palo Alto of security vendors whose software it can dodge is: Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPort, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising and Qihoo 360. T9000 is a new variant of T5000, first spotted in 2013.

The payload is hidden inside spear-phishing emails with an infected .rtf document, but is sophisticated enough to get in through other means when its controllers have the will. Once installed, the software can record Skype calls and upload them along with text chats to a server.
It can also take regular screenshots.

The only saving grace is that a user has to give it permission, albeit unknowingly. An API request asking for permission for explorer.exe to access Skype appears. In reality this should never be needed, so it should be quite clear it's dodgy.

The researchers explained: "The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may allow this access without realising what is actually happening. Once enabled, the malware will record video calls, audio calls and chat messages."

A computer with granted permissions could also have documents stolen, even on removable drives. Skype is used more and more by businesses as part of the Office suite, so there is the potential for hackers to uncover potentially lucrative information. Palo Alto has published a list of indicators that your machine is infected, as the sheer complexity and audacity of T9000 means that prevention is more or less the only form of protection at the moment.

Meanwhile, Microsoft has said that it protects users from the malware with security updates. “To further protect our customers, we’ve added detection for the malicious software known as T9000 to Windows Defender," the firm said. "Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and to use the latest version of Skype."

Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage

During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001.

This signals just how long ago the Poseidon threat actor was already working on its offensive framework. Why has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were detected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept security researchers from connecting different campaigns under the umbrella of a single threat actor.

This approach entails crafting campaign components on demand and sometimes fabricating entirely unique malicious artifacts. Our research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of Poseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices involved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information gathering and privilege escalation, the sophistication level of the campaign highlights that, today, regional actors are not far behind better-known players in the global game of targeted attacks. Becoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to unearth the custom-designed infection tools deployed to each of their selected targets.

This process revealed a series of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking, unsurprising in a region with a gradually-maturing cybercrime industry.

The proper detection of each iteration of their evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of Poseidon’s combined operations required an archeological effort to match.

Frequently asked questions

What exactly is the Poseidon Group?

The Poseidon Group is a long-running team operating on all domains: land, air, and sea.

They are dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools.

The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm.

Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.

The Poseidon Group has been active, using custom code and evolving their toolkit since at least 2005.

Their tools are consistently designed to function on English and Portuguese systems spanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite connections. Poseidon continues to be active at this time.

Why do you call it Poseidon’s Targeted Attack Boutique?

The presence of several text fragments found in the strings section of executable files belonging to the campaign reveals the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also coincides with their later abuse of satellite communications meant to service ships at sea).

The boutique element is reflected in their artisanally adaptive toolkit for lateral movement and data collection which appears to change from infection to infection to fit custom-tailored requirements for each of their prospective clients.

The business cycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to say that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.

How did you become aware of this threat? Who reported it?

We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor. Perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on.

By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possibly earlier, and still active on the market. With this understanding, GReAT researchers were able to recognize similarities in obfuscation and development traits leading back to widely-reported but little understood variants on a sample in 2015, which searched for prominent leaders and secret documents involving them.

When did you discover this targeted attack?

The very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as noted previously, it is a very complex task to correlate indicators and evidence in order to put together all the pieces of this intricate puzzle.

By the middle of 2015 it was possible to identify that throughout this period of time it’s been the same threat actor, which we call Poseidon Group.

Who are the victims? / What can you say about the targets of the attacks?

The targets are companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing.

The geographical spread of victims is heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia. Many of the victims have joint ventures or partner operations in Brazil.

The importance of the victims is not measured in numbers since each of these victims is a large-scale (often multinational) enterprise.

What exactly is being stolen from the target machines?

One of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such network topology is typical for companies and enterprises. The highest value asset for these companies is proprietary information, technologies, and business-sensitive information that represents significant value in relation to investments and stock valuations.

The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information, occasionally focusing on personal information on executives.

How does Poseidon’s APT Boutique infect computers?

The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure.

The executables are also often digitally signed and occasionally hidden in alternate data streams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the infection happens, it reports to the command and control servers before beginning a complex lateral movement phase.

This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware.

This way the attackers actually know what applications and commands they can use without raising an alert to the network administrator during lateral movement and exfiltration.

What does the Poseidon Group do? What happens after a target machine is infected?

Once the target’s machine is compromised, the attacker first enumerates all processes and services running on the system.

Then the attacker looks for all administrator accounts on both the local machine and the network.

This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest.

This reflects the Poseidon Group’s familiarity with Windows network administration.
In many cases, their ultimate interest is the Domain Controller. Additionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor connection, so that the attacker has a permanent remote connection.

What are the malicious tools used by the Poseidon Group? What are their functions?

Poseidon utilizes a variety of tools.

Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns.

A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering Toolkit), a bulky 15-megabyte executable that orchestrates a series of information collection steps, exfiltration, and the cleanup of components.

This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement.

The IGT tool is coded in Delphi and includes PowerShell and SQL components across a dozen different drops.

This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective.

The main purpose of the IGT tool is to make an inventory of the system, saving information from the network interfaces and addresses, credentials belonging to the Domain and database server, services being run by the OS and everything that could help the Poseidon Group make its attack more customized to its victim.

Are the attackers using any zero-day vulnerabilities?

No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign. Poseidon’s conventional means of deceiving users, with executable files posing as Word and RTF documents and actual poisoned documents carrying malicious macro scripts, have been the sole methods used for compromising their desired targets.

As we have seen in other targeted campaigns, social engineering and carefully crafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.

Is this a Windows-only threat? Which versions of Windows are targeted?

Poseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the infection method for each version so as to gather different information and hide its presence after the initial infection. Other products usually found in corporate environments, such as SQL Server, are being used for lateral movement and credential harvesting with a customized toolset designed by the crafty Poseidon Group.

Because of Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and Windows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to them, given the emphasis on reaching Domain Controllers in corporate environments).

How is this different from any other targeted attack?

The extortion elements of this campaign are what set it apart from others.

The exfiltration of sensitive data is done in order to coerce the victim into a business relationship under the threat of exchanging this information with competitors or leveraging it as part of the company’s offering of ‘investment forecasting’.

Additionally, this is the first ever publicly known Portuguese-speaking targeted attack campaign.

Are there multiple variants of the Poseidon Group’s malware? Are there any major differences in the variants?

Poseidon has maintained a consistently evolving toolkit since the mid-2000s.

The malware has not avoided detection but instead been so inconspicuous as to not arouse much suspicion due to the fact that this malware only represents the initial phase of the attack.

An altogether different component is leveraged once Poseidon reaches an important machine like an enterprise’s Domain Controller.

This is where the main collection takes place, by use of the IGT (Information Gathering Tool) toolkit.

Is the command and control server used by the Poseidon Group still active? Have you been able to sinkhole any of the command and controls?

Poseidon Group has interesting practices when it comes to its use of command and control servers, including redundancies and quickly discarding command and control (C&C) servers after specific campaigns.

This has actually allowed us to sinkhole several domains.

A few of these still had active infections attempting to report to the C&Cs.

This adds an interesting dimension to the story.

As part of Kaspersky Lab’s commitment to securing cyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution and provided them with indicators of compromise (IOCs) to help root out the active infection.
In the process, we were able to confirm the previously described operating procedures for the Poseidon Group.

Is this a state-sponsored attack? Who is responsible?

We do not believe this to be a state-sponsored attack but rather a commercial threat player.

Collaboration with information-sharing partners and victim institutions allowed us to become aware of the more complicated business cycle involved in this story, greatly adding to our research interest in tracking these campaigns.

The malware is designed to function specifically on English and Portuguese-language systems.

This is the first ever Portuguese-speaking targeted attack campaign.

How long have the attackers been active?

The attackers have been active for more than ten years.

The main distribution of samples goes back to 2005, with possible earlier outliers. Operating systems such as Windows 95 for desktop computers and Windows NT for server editions were not uncommon at the time, and Poseidon’s team has evolved gradually into targeting the latest flagship editions of Microsoft’s operating systems. Recent samples show interest in Windows Server 2012 and Windows 8.1.

Did the attackers use any interesting/advanced technologies?

During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks.

The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks. The malware authors also possess an interesting understanding of execution policies which they leverage to manipulate their victim systems.

They combine reconnaissance of GPO (Group Policy Object) settings that govern execution with digitally-signed malware to avoid detection or blocking during their infection phases.

These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders.

Does Kaspersky Lab detect all variants of this malware?

Yes, all samples are detected by signatures and also by heuristics. With a fully updated Kaspersky Lab anti-malware solution, all customers are protected now. Kaspersky Lab products detect the malware used by Poseidon Group with the following detection names:

Backdoor.Win32.Nhopro
HEUR:Backdoor.Win32.Nhopro.gen
HEUR:Hacktool.Win32.Nhopro.gen

How many victims have you found?

At least 35 victim companies have been identified, with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service and utility companies, as well as media and public relations firms. The archaeological effort of understanding such a long-standing group can severely complicate victim identification. We see traces of upwards of a few tens of companies targeted.

The exact number of the victims may actually vary. Since it is a very long term group, some victims may be impossible to identify now. At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat.

Any victims or potential targets concerned about this threat should please contact us at intelreports@kaspersky.com.

Who is behind these attacks?

We do not speculate on attribution. The language code used to compile the implants, as well as the language used to describe certain commands used by the group, actually corresponds to Brazilian Portuguese.

The inclusion of Portuguese language strings and the preference for Portuguese systems is prominent throughout the samples. The tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests. Speculating further would be unsubstantiated.

Reference sample hashes:

2ce818518ca5fd03cbacb26173aa60ce
f3499a9d9ce3de5dc10de3d7831d0938
0a870c900e6db25a0e0a65b8545656d4
2fd8bb121a048e7c9e29040f9a9a6eee
4cc1b23daaaac6bf94f99f309854ea10
2c4aeacd3f7b587c599c2c4b5c1475da
f821eb4be9840feaf77983eb7d55e5f6
2ce818518ca5fd03cbacb26173aa60ce

Command and control servers:

akamaihub[.]com – SINKHOLED by Kaspersky Lab
igdata[.]net – SINKHOLED by Kaspersky Lab
mozillacdn[.]com – SINKHOLED by Kaspersky Lab
msupdatecdn[.]com – SINKHOLED by Kaspersky Lab
sslverification[.]net – SINKHOLED by Kaspersky Lab

For more about countering Poseidon and similar attacks, read this article in the Kaspersky Business Blog.

Adwind: FAQ

Adwind is a cross-platform, multifunctional RAT distributed through a single malware-as-a-service platform.

Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world.

APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks

Introduction

In late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would adopt sophisticated tactics and techniques from APT groups for use in bank robberies. Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries. Since then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence to steal money from financial institutions (particularly ATMs and money transfer systems).

Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights. In 2015, Kaspersky Lab researchers conducted incident response for 29 organizations located in Russia and infected by these three groups. Due to the active nature of law enforcement investigations and non-disclosure agreements with victim organizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks (see below).

The story of Metel – ATM balance rollbacks

In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.

During our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also known as Corkow. The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems. Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATMs via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATMs.

[Figure: Encrypted configuration for Metel malware plugins]

Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place, the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations.

In all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were able to clean the networks before any major damage could be done. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware. The Metel criminal group is still active. At the moment, we don’t have any information about any victims outside Russia.

A second group, which we call GCMAN because the malware is based on code compiled with the GCC compiler, emerged recently using similar techniques to the Metel group to infect banking institutions and attempt to transfer money to e-currency services. The initial infection is handled by spear-phishing financial institution targets with e-mails carrying a malicious RAR archive. Upon opening the RAR archive, an executable is started instead of a Microsoft Word document, resulting in infection. Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as PuTTY, VNC and Meterpreter for lateral movement.

Our investigation revealed an attack where the group then planted a cron script into a bank’s server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.

[Figure: Decompiled code of GCMAN malware that is responsible for connecting to the C&C]

In a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to neutralize the threat and cancel the transactions. One interesting observation is that the real attack happened approximately 18 months before it was discovered. The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later they came back to cash out. During that time they poked 70 internal hosts and compromised 56 accounts, making their way in from 139 attack sources (TOR and compromised home routers). We discovered that about two months before the incident someone was trying different passwords for an admin account on a banking server. They were really persistent, but did it only three times a week and then only on Saturdays, in an effort to stay under the radar.

Kaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the GCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks for signs of this cyber-criminal group.

Carbanak 2.0: new targets beyond banks

After our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading us to believe that the operation was disbanded. However, in September last year, our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers. In December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in two institutions – a telecommunications company and a financial institution.

[Figure: Executable files found in SHIM during Carbanak incident response]

One interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques. In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of this information in future.

Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors with the following detection names:

Trojan-Dropper.Win32.Metel
Backdoor.Win32.Metel
Trojan-Banker.Win32.Metel
Backdoor.Win32.GCMan
Backdoor.Win64.GCMan
Trojan-Downloader.Win32.GCMan
Trojan-Downloader.Win32.Carbanak
Backdoor.Win32.Carbanak

Kaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law enforcement. All this information has been made available to customers of our APT intelligence reporting service and they received the indicators of compromise and context information as soon as they became available. Indicators of Compromise (IOC) are available here: Metel, GCMAN, Carbanak 2.0. For more about the measures to be taken against these Bank Busters and similar offensives, read this article in the Kaspersky Business Blog.
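The Saturdays-only password guessing described for GCMAN is the kind of activity that per-hour and per-day brute-force thresholds never see. As an added example (not Kaspersky Lab's code), the following Python flags accounts whose failed logons stay sparse but recur on the same weekday across several weeks; the log format and every entry in it are constructed for illustration.

```python
"""Flag low-and-slow password guessing against an admin account.

Added example, not Kaspersky Lab code. The log format
(timestamp,account,result,source_ip) and every entry are constructed.
GCMAN's guessing ran three times a week, only on Saturdays, so per-hour or
per-day thresholds stayed quiet; this looks instead for sparse failures
that recur on the same weekday across several weeks.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log: four Saturdays in May 2015 with
# three failed attempts against "admin" each, plus ordinary noise.
SATURDAYS = ["2015-05-02", "2015-05-09", "2015-05-16", "2015-05-23"]
AUTH_LOG = "\n".join(
    f"{day}T{hh}:17:02Z,admin,FAIL,203.0.113.{i}"
    for i, day in enumerate(SATURDAYS, start=1)
    for hh in ("01", "02", "03")
) + """
2015-05-05T09:03:11Z,jdoe,FAIL,10.0.0.15
2015-05-05T09:03:40Z,jdoe,OK,10.0.0.15
2015-05-12T14:00:00Z,admin,OK,10.0.0.2
2015-05-13T08:00:00Z,svc_backup,FAIL,10.0.0.40
"""


def parse_auth_log(text):
    """Yield (timestamp, account, result, source) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def low_and_slow_accounts(text, min_weeks=3, weekday_share=0.8, max_per_day=5):
    """Return {account: (weekday_name, weeks_seen, failures)} for accounts
    whose failed logons (a) never exceed max_per_day on any single day, so
    ordinary rate thresholds do not fire, (b) recur in at least min_weeks
    distinct ISO weeks and (c) land on one weekday at least weekday_share
    of the time. Noisy accounts are left to the usual brute-force rules."""
    per_day = defaultdict(Counter)  # account -> date -> failed logons
    for ts, account, result, _src in parse_auth_log(text):
        if result == "FAIL":
            per_day[account][ts.date()] += 1

    flagged = {}
    for account, days in per_day.items():
        if max(days.values()) > max_per_day:
            continue
        weeks = {d.isocalendar()[:2] for d in days}  # (year, iso_week)
        if len(weeks) < min_weeks:
            continue
        by_weekday = Counter()
        for day, n in days.items():
            by_weekday[day.strftime("%A")] += n
        weekday, n = by_weekday.most_common(1)[0]
        total = sum(days.values())
        if n / total >= weekday_share:
            flagged[account] = (weekday, len(weeks), total)
    return flagged


if __name__ == "__main__":
    for account, (weekday, weeks, total) in low_and_slow_accounts(AUTH_LOG).items():
        print(f"{account}: {total} failures over {weeks} weeks, all on {weekday}")
```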

Kaspersky Security Analyst Summit 2016: The Live Blog

Live blog from Kaspersky Security Analyst Summit on Tenerife, Spain. Stay tuned for updates, photos and news.