Feed aggregator

Energetic Bear: more like a Crouching Yeti

Secure List feed for B2B - Thu, 07/31/2014 - 07:00


Energetic Bear/Crouching Yeti is an actor involved in several advanced persistent threat (APT) campaigns that has been active going back to at least the end of 2010. Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

Most of the victims we identified fall into the industrial / machinery building sector, indicating this is of special interest.

To infect the victims, the attackers rely on three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

During the attacks, the Crouching Yeti team uses several types of malware or Trojan, all of which only infect Windows systems:

  • Havex Trojan
  • Sysmain Trojan
  • The ClientX backdoor
  • Karagany backdoor and related stealers
  • Lateral movement and second stage tools

For command and control, these connect to a large network of hacked websites. The hacked sites host malware modules and victim information as well as serving commands to infected systems.

The dozens of known Yeti exploit sites and their referrer sites were legitimate, compromised sites. They ran vulnerable content management systems or vulnerable web applications. None of the exploits used to compromise the servers were known to be zero-day. None of the client side exploits re-used from the open source metasploit framework were zero-day.

Overall, we observed about 2,800 victims worldwide, the most prevalent attack tool being the Havex trojan.

We believe this group is highly determined and focused on a very specific industrial sector of vital interest. It uses a variety of ways to infect its victims and exfiltrate strategic information. The analyzed data seems to suggest the following points:

  • Country of origin cannot be determined at this point
  • Attackers' global focus is much broader than power producers
  • Stable toolset over time
  • Managed, minimal, methodical approach to sustained operation
  • Appropriate use of encryption (symmetric key protected with attackers public key for encrypted log file exfiltration)

You can read the full report here.

FAQ

What is Yeti/Energetic Bear?

Energetic Bear/Yeti is an actor involved in different campaigns dating back to at least the end of 2010. It uses different techniques to spread its malware, most notably the repackaging of legitimate software installers and waterhole attacks. The victims, from several different sectors, are infected with backdoors.

What are the malicious purposes of this campaign?

We believe this is an information stealing campaign. Given the heterogeneous profile of the victims, it seems that the attackers were interested in different topics and decided to target some of the most prominent institutions and companies in the world to get the latest information.

Why do you think it is significant?

In our opinion, this campaign has some remarkable characteristics: the artifacts used for the infection and exfiltration are not particularly interesting, but they are effective; they are very persistent, successfully infecting a significant number of companies and institutions around the world over a long period of time; and they have a set of tools of choice that helps us identify the group through their TTPs. On this last point, it is interesting that they use the LightsOut Exploit Kit to infect users through waterhole attacks.

Why not Energetic Bear? Why did you give it a new name?

Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. After analyzing the data we obtained, we can confirm that victims are not limited to the energy sector but span many other ones. The Bear tag reflects Crowd Strike's belief that this campaign has a Russian origin. We couldn't confirm this point, so we decided to give it a new name. Yetis have something in common with Bears, but have a mysterious origin.

When did the campaign start? Is this attack still active?

Based on some artifacts, we believe the campaign originated at the end of 2010. The campaign is still alive and getting new victims daily.

How was the malware distributed?

The malware is distributed using three methods:

  • Spearphishing using PDF documents embedded with a flash exploit (CVE-2011-0611)
  • Trojanized software installers
  • Waterhole attacks using a variety of re-used exploits

Additional modules can be installed by the attackers once a machine has been compromised.

The most prevalent attack tool is the Havex Trojan; we identified 27 different versions.

What is the potential impact for victims?

Given the nature of the known victims, the disclosure of very sensitive information such as commercial secrets and know-how is the main impact for the victims.

Who are the attackers? What countries are they from?

There simply is no one piece or set of data that would lead to a conclusion regarding the origin of this threat actor.

Who are the victims? What is the scale of the attack?

Overall, we observed about 2,800 victims worldwide.
Most of the victims we identified fall into the industrial / machinery building sector.

Targeted sectors include:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

The most targeted countries are: United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China.

How are users (both home and corporate) protected against this type of attack?

Our products detect and eliminate all variants of the malware used in this campaign, including but not limited to:

  • Trojan.Win32.Sysmain.xxx
  • Trojan.Win32.Havex.xxx
  • Trojan.Win32.ddex.xxx
  • Backdoor.MSIL.ClientX.xxx
  • Trojan.Win32.Karagany.xxx
  • Trojan-Spy.Win32.HavexOPC.xxx
  • Trojan-Spy.Win32.HavexNk2.xxx
  • Trojan-Dropper.Win32.HavexDrop.xxx
  • Trojan-Spy.Win32.HavexNetscan.xxx
  • Trojan-Spy.Win32.HavexSysinfo.xxx

All the exploits are also detected and detailed in the report.

Multipath TCP Introduces Security Blind Spot

Threatpost for B2B - Wed, 07/30/2014 - 14:50
A talk at Black Hat will expose security weaknesses introduced by multipath TCP, extensions to TCP that bring resilience and efficiency to networking.

ICS-CERT Warns of Flaw in Innominate mGuard Secure Cloud Product

Threatpost for B2B - Wed, 07/30/2014 - 14:36
The ICS-CERT is warning users about a vulnerability in a secure public cloud product from Innominate that enables an attacker to gain valuable configuration data about a target system, information that could be used in future attacks. The vulnerability is an information disclosure bug in the Innominate mGuard product, which is meant to connect operators to […]

Facebook Plans to Fix Instagram Mobile Session Hijack, Eventually

Threatpost for B2B - Wed, 07/30/2014 - 14:03
An encryption issue in the Android and iOS versions of the Instagram photo-sharing application could allow for man-in-the-middle attacks and more.

Canada’s National Research Council Hit by Apparent Chinese Cyber Attack

Threatpost for B2B - Wed, 07/30/2014 - 13:27
One of Canada’s premier research and technology organizations was hit with an apparent cyber-attack recently that forced the cooperative offline.

Tor Sniffs Out Attacks Trying to Deanonymize Hidden Services Users

Threatpost for B2B - Wed, 07/30/2014 - 10:11
Tor is warning users of its hidden services to upgrade relays after attackers were discovered on the network trying to deanonymize users.

Trio of Flaws Fixed in Facebook Android App

Threatpost for B2B - Wed, 07/30/2014 - 09:47
Facebook has fixed a vulnerability in its Android app that could allow an attacker to cause a denial-of-service condition on a device or run up the victim’s mobile bill by transferring large amounts of data to and from the device. The flaw lies in the way that the Facebook app handles HTTP requests. The app includes an HTTP server […]

Secure Microkernel seL4 Code Goes Open-Source

Threatpost for B2B - Wed, 07/30/2014 - 09:23
A new and allegedly super secure microkernel was made open source today, a move that could have serious security implications across a number of sensitive and increasingly connected fields.

NOAA, Satellite Data, Fraught With Vulnerabilities

Threatpost for B2B - Tue, 07/29/2014 - 15:55
The information systems that the National Oceanic and Atmospheric Administration (NOAA) runs are fraught with vulnerabilities and what the U.S. Department of Commerce deems “significant security deficiencies.”

New Signal App Brings Encrypted Calling to iPhone

Threatpost for B2B - Tue, 07/29/2014 - 14:56
Open WhisperSystems today released Signal, a free app that brings encrypted calling to the iPhone.

Leahy Introduces Bill to End Bulk Call Record Collection

Threatpost for B2B - Tue, 07/29/2014 - 14:51
Sen. Patrick Leahy has introduced an updated, tougher version of the USA FREEDOM Act that would end the bulk collection of data under Section 215 of FISA.

Threat Intelligence Tool Connects Dots on Pre-Attack Data

Threatpost for B2B - Tue, 07/29/2014 - 12:50
Georgia Tech Research Institute has released an open source threat intelligence gathering tool called BlackForest that automates attack-data mining.

Consumer Groups Urge FTC to Halt Facebook Data Collection Program

Threatpost for B2B - Tue, 07/29/2014 - 09:53
A collection of privacy and consumer groups from the United States and Europe has asked the Federal Trade Commission to force Facebook to suspend a recently installed program that mines information on sites that users visit around the Web.

Critical Android FakeID Bug Allows Attackers to Impersonate Trusted Apps

Threatpost for B2B - Tue, 07/29/2014 - 08:00
There is a critical vulnerability in millions of Android devices that allows a malicious app to impersonate a trusted application in a transparent way.

Missile Defense Plans Hacked from Israeli Contractors

Threatpost for B2B - Mon, 07/28/2014 - 16:30
A new report claims attackers, apparently based in China, were able to hack into three Israeli defense firms to make off with sensitive military data in 2011.

DEF CON Hosting SOHO Wireless Router Hacking Contest

Threatpost for B2B - Mon, 07/28/2014 - 16:00
ISE will host a two-track hacking contest at DEF CON next week that focuses on the security of home and small office wireless routers.

Harnessing the Power of an Android Cluster for Security Research

Threatpost for B2B - Mon, 07/28/2014 - 14:20
When the topic of mobile security comes up, users and researchers often discuss Android as if it’s one monolithic operating system like iOS is. But the fact is that there are nearly as many versions of Android as there are Android devices, which has led to plenty of confusion when it’s time to fix a security […]

Koler Ransomware Infrastructure Complex and Agile

Threatpost for B2B - Mon, 07/28/2014 - 13:08
Researchers at Kaspersky Lab report on the infrastructure supporting the Koler ransomware, which not only has components targeting Android devices, but also redirects desktop browsers to other ransomware and exploit kits.

EFF Files Motion Asking Judge to Rule NSA Data Collection Unconstitutional

Threatpost for B2B - Mon, 07/28/2014 - 10:27
The EFF has asked a federal judge to rule that the NSA's collection of massive amounts of upstream user data is unconstitutional, violating the Fourth Amendment.