ProgressCommunications.euwww.deepr.nlwww.marcommit.nl
www.whizpr.nlProgressCommunications.euProgressCommunications.eu

Volg ook via:
Datum: (12 jaar en 22 dagen geleden)
Bedrijf:
PR: Progress Communications

Crouching Yeti: an ongoing spying campaign with 2800+ highly valuable targets worldwide

New malicious tools, an expanded list of victims, and other features related to the Crouching Yeti campaign, also known as Energetic Bear.

Kaspersky Lab announces the release of comprehensive in-depth analysis of the malware and command and control (C&C) server infrastructure related to the cyber-espionage campaign known to the company’s Global Research and Analysis Team (GReAT) as the Crouching Yeti.

The campaign’s origins go back as far as to the end of 2010; while today it is most definitely still alive – and targeting new victims on a daily basis.

Not that energetic. Energetic Bear/Crouching Yeti is involved in several advanced persistent threat (APT) campaigns. According to Kaspersky Lab’s research, its victims appear to be in a wider range of enterprises than was previously thought. The largest number of identified victims fall into the following sectors: 
  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information Technology
The total number of known victims is over 2800 worldwide, out of which Kaspersky Lab researchers were able to identify 101 organizations. This list of victims seems to indicate Crouching Yeti’s interest in strategic targets, but it also shows an interest of the group in many other not-so-obvious institutions. Kaspersky Lab’s experts believe they might be collateral victims, but it might also be reasonable to redefine Crouching Yeti not only as a highly targeted campaign in a very specific area of interest, but also as a broad surveillance campaign with interests in different sectors.

The attacked organizations are located mostly in the United States, Spain, Japan, Germany, France, Italy, Turkey, Ireland, Poland and China. Given the nature of the known victims, the main impact for them is disclosure of very sensitive information such as trade secrets and know-how.

Malicious tools with multiple additional modules. Crouching Yeti is hardly a sophisticated campaign. For example, the attackers used no zero-day exploits, only exploits that are widely available on the Internet. But that didn’t prevent the campaign from staying under the radar for several years.

Kaspersky Lab researchers have found evidence of the existence of five types of malicious tools used by the attackers to withdraw valuable information from compromised systems: 
  • Havex trojan
  • Sysmain trojan
  • The ClientX backdoor
  • Karagany backdoor and related stealers
  • Lateral movement and second stage tools
The most widely used tool is the Havex Trojan. In total Kaspersky Lab researchers discovered 27 different versions of this malicious program and several additional modules, including tools aimed at gathering data from industrial control systems.

For command and control, Havex and the other malicious tools used by Crouching Yeti connect to a large network of hacked websites. These sites host victim information and serve commands to infected systems along with additional malware modules.

The list of downloadable modules includes tools for password and Outlook contacts’ stealing, screenshot capturing, and also modules for searching and stealing certain types of files: text documents, spreadsheets, databases, PDF files, virtual drives, password protected files, pgp security keys, etc.

Industrial espionage. At present, the Havex Trojan is known to have two very special modules aimed at gathering and transmitting to the attacker data from specific industrial IT environments. The first one is the OPC scanner module. This module is designed to collect the extremely detailed data about the OPC servers running in the local network. Such servers are usually used where multiple industrial automation systems are operating.

The OPC scanner module is accompanied by a network scanning tool. This module is designed to scan the local network, look for all computers listening on ports related to OPC/SCADA software, and try to connect to such hosts in order to identify which potential OPC/SCADA system is running, and transmit all gathered data to the command & control servers.

Mysterious origin. The Kaspersky Lab researchers observed several meta features that could point toward the national origin of the criminals behind this campaign. In particular, they performed file timestamp analysis of 154 files and concluded that most of the samples were compiled between 06:00 and 16:00 UTC, which could match basically any country in Europe as well as Eastern Europe.

The experts also analyzed the actor’s language. The strings present in the analyzed malware are in English (written by non-natives). Unlike several previous researchers of this particular campaign, Kaspersky Lab specialists couldn’t conclude definitely, that this actor has Russian origin. Almost 200 malicious binaries and the related operational content all present a complete lack of Cyrillic content (or transliteration), the opposite of Kaspersky Lab’s documented findings from researching Red October, Miniduke, Cosmicduke, Snake and TeamSpy. Also, language clues pointing at French and Swedish speakers were found.

Nicolas Brulez, Principal Security Researcher at Kaspersky Lab, said: “The Energetic Bear was the initial name given to this campaign by Crowd Strike according to their nomenclature. The Bear goes for attribution, and Crowd Strike believes this campaign has a Russian origin. Kaspersky Lab is still investigating all existing leads; however, at the moment there are no strong points in either direction. Also our analysis demonstrates that the attackers’ global focus is much broader than just power producers. Based on this data, we decided to give a new name to the phenomenon: a Yeti reminds one of a bear, but it has a mysterious origin.”

Kaspersky Lab’s experts are continuing their research into this campaign while working with law enforcement agencies and industry partners. The full text of the research is available at Securelist.com

Detection. Kaspersky Lab products detect and eliminate all variants of the malware used in this campaign, including but not limited to: Trojan.Win32.Sysmain.xxx, Trojan.Win32.Havex.xxx, Trojan.Win32.ddex.xxx, Backdoor.MSIL.ClientX.xxx, Trojan.Win32.Karagany.xxx, Trojan, Spy.Win32.HavexOPC.xxx, Trojan-Spy.Win32.HavexNk2.xxx, Trojan-Dropper.Win32.HavexDrop.xxx, Trojan-Spy.Win32.HavexNetscan.xxx, Trojan-Spy.Win32.HavexSysinfo.xxx

Verstreken tijd: 12 jaar en 22 dagen
PR contact  

Logo Progress Communications
Kaspersky contact  


Marcommit is hét full service B2B marketing bureau van Nederland! Wij helpen jouw bedrijf met offline en online marketing campagnes die écht werken.
 Spotlight  
Logo NetRom Software
Logo RAVI RYAN MOHANLAL
Logo BTG
Logo NHA Opleidingen
Logo Polly.Help
Logo MI Consultancy
Logo Incentro
Logo Stromma Nederland
Logo Fairbanks
Logo Valid
Logo Westpoort
Logo Brownies.nl
Logo Nextview
Logo Examencentrum
Logo Keuze.nl BV
Logo We talk SEO B.V.
Logo Victoria ID
Logo DNA Services B.V.
Logo Twenty Four Webvertising
Logo Web Wings
Logo Web Wings
Logo BusinessCom
Logo Msafe
Logo SCOS ViaCloud BV
Logo Keuze.nl BV
Logo Spryng
Logo BusinessCom
Logo Web Wings
Logo Web Wings
Logo Web Wings
Logo Tineco
Logo DXC Technology
Logo EPAM Systems
Logo osapiens
Logo Youforce
Logo Veeam Software
Logo Wuunder
Logo SureSync
Logo Proofpoint
Logo Techleap.nl
Logo NetApp
Logo Keepit
Logo Workday
Logo We talk SEO B.V.
Logo Buckaroo B.V.
TARIEVEN
Publicatie eenmalig €49

PUBLICATIEBUNDELS
6 voor €199
12 voor €349
Onbeperkt €499

EENMALIG PLAATSEN
Persbericht aanleveren

REGELMATIG PLAATSEN
Bedrijfsabonnement
CONTACT
Persberichten.com
JMInternet
Kuyperstraat 48
7942 BR Meppel
Nederland
info@persberichten.com
KvK 54178096

VOLGEN
@ICTBERICHTEN

ZOEKEN
IT bedrijf
IT PR-bureau
OVER ONS
Persberichten.com, hét platform voor IT/Tech persberichten

DATABASE
103884 persberichten
7046 bedrijfsprofielen
60 PR-bureauprofielen
17564 tags

KENMERKEN
• Behouden tekstopmaak
• Foto/illustratie/logo
• Downloadbare bijlages
• Profiel met socials
 
ProgressCommunications.euwww.whizpr.nlwww.marcommit.nl
www.whizpr.nlINFLUX PRINFLUX PR