In August 2018 a report was published describing espionage attacks by the Leafminer group (also known as RASPITE) targeting government agencies and commercial and industrial enterprises in the US, Europe, the Middle East and East Asia. Victims came from a range of verticals, including the energy sector, government entities, financial institutions, and shipping and transportation companies.
The threat actor used a mix of publicly available and custom tools, exploits, watering-hole attacks and dictionary (password-guessing) attacks. For instance, Leafminer used the well-known EternalBlue exploit as well as a modified version of the widely used Mimikatz credential-dumping tool.
During their analysis of GreyEnergy, ESET researchers found conceptual similarities between the new GreyEnergy malware and the BlackEnergy malware used in the attacks on the Ukrainian power grid in 2015. They also uncovered evidence of a connection between GreyEnergy and the activity of the TeleBots group, which is known for a number of large-scale attacks, including the 2017 NotPetya and Bad Rabbit outbreaks.
Kaspersky Lab ICS CERT researchers later uncovered a connection between the GreyEnergy group and a subgroup of Sofacy (known variously as Fancy Bear, Sednit, APT28, Tsar Team, and more), which they named Zebrocy.
In earlier attacks, the group behind BlackEnergy exploited a vulnerability in GE Cimplicity (CVE-2014-0751) that allowed it to make the HMI server execute a malicious .cim file hosted on an attacker-controlled server, ultimately resulting in the installation of the BlackEnergy malware.
In December 2018 researchers at McAfee detected a global campaign they named Sharpshooter, primarily targeting defense contractors and the nuclear energy sector, as well as financial organizations. The researchers indicated that espionage was the main goal.
The infection chain began with the victim opening a malicious Microsoft Word document containing a macro. When launched, the macro executed shellcode that acted as a typical downloader and delivered an implant onto the victim machine. The attackers distributed the malicious documents via Dropbox.
According to the research, 130 employees in 30 organizations became victims between the end of September 2018 and the middle of November 2018. Most were located in Pakistan and Turkey. A few victims were also located in Russia, Saudi Arabia, Afghanistan, Jordan and other countries.
One of the main verticals identified in these attacks was the oil and gas industry. The victim list also included universities in the Middle East as well as Middle Eastern embassies located in Europe.
In mid-December 2018 the German Federal Office for Information Security (BSI) warned a number of German enterprises about potential attacks using the CloudHopper technique, reportedly conducted by the Chinese APT10 group. The BSI warned that several large engineering companies had already been attacked, and that the threat actor was also interested in enterprises in the construction and materials science sectors.
Rather than attacking the targets directly, the threat actor preferred to infiltrate the small cloud and hosting providers used by the victim organizations. These providers were often poorly secured, and from them the attackers were able to penetrate the corporate networks of the targeted companies.
The Shamoon worm was discovered in 2012 after it infected the Saudi Aramco and RasGas corporate networks. A new attack wave occurred in 2016-2017, in which a modified version (Shamoon v2) was used alongside the StoneDrill malware.
The 2018 attacks were more destructive than those in which only Shamoon had been used, because of the addition of the Filerase wiper. Shamoon overwrites the master boot record of the victim machine, but files on the hard drive can be recovered after a Shamoon infection; Filerase makes recovery of any files impossible.
At the end of December 2018 researchers at Anomali Labs reported yet another Shamoon variant, uploaded to VirusTotal on December 23. The sample is disguised as a system-configuration and optimization tool from the Chinese company Baidu.
Another ransomware incident occurred on November 28, 2018 at the Moscow Cable Car (MCC). The company reported that files on its main computer had been encrypted during a cyberattack. MCC employees quickly disembarked all of the passengers and stopped the cable cars. The criminals demanded a ransom in bitcoin for decrypting the files, with the amount depending on how quickly the ransom was paid. Normal operations resumed two days later.
In August 2018 Kaspersky Lab ICS CERT published the results of its investigation into phishing attacks on industrial companies, located mostly in Russia, whose main goal was stealing money from company accounts.
The attackers search victim machines for financial and accounting software, and locate and analyze accounting documents relating to procurement, as well as the addresses of business partners and correspondence with them. The stolen data is used to commit financial fraud, such as substituting the bank details used to make payments.
Moreover, where necessary, the attackers load additional malware onto victim machines, individually crafted for each victim. They use spyware and the Mimikatz tool to steal user authentication credentials, which they then use to infect other computers on the enterprise network. The criminals also often disguise malware components as Windows OS components to hide traces of their activity.
In October 2018 experts at Yoroi CERT detected several attacks targeting Italian naval and defense enterprises. Personnel at the targeted enterprises received phishing emails with attached malicious Microsoft Excel files.
The malicious Excel file was designed to download a Trojan that provided remote access to the victim machine; the researchers named it MartyMcFly. The attackers used MartyMcFly to control the victim machine and steal data, and also used a modified version of the QuasarRAT remote administration tool (whose source code is available on GitHub) in this attack.
According to Kaspersky Lab ICS CERT the phishing emails referred to in the Yoroi report were sent under different names to companies in countries around the world, including Germany, Spain, Bulgaria, Kazakhstan, India, Romania and others. The companies are from many different verticals, ranging from bean suppliers to consulting firms.
Kaspersky Lab ICS CERT researchers believe that this attack was conducted by the same cybercriminals who had carried out mass phishing campaigns against various companies, in some cases including critical infrastructure facilities. These groups focus on stealing funds and financial data.
The largest numbers of vulnerabilities affect industrial control systems used in manufacturing (115), the energy sector (110), and water supply (63). Also near the top are industrial control systems used in food processing and agriculture, and in the chemical industry.
More than half of the vulnerabilities identified in ICS systems (284, compared with 194 the previous year) were assigned CVSS v3.0 base scores of 7.0 or higher, corresponding to high or critical severity.
The most common types of vulnerabilities are buffer overflows (stack-based buffer overflow, heap-based buffer overflow, classic buffer overflow) and improper input validation.
At the same time, 16% of all published vulnerabilities are authentication issues (Improper Authentication, Authentication Bypass, Missing Authentication for Critical Function) and access control issues (Access Control, Incorrect Default Permissions, Improper Privilege Management, Credentials Management), while 10% are web-related vulnerabilities (Injection, Path traversal, Cross-site request forgery (CSRF), Cross-site scripting, XXE).
Compared with the previous year, the proportion of buffer-overflow vulnerabilities has grown significantly. We attribute this to growing interest in ICS components among security researchers and, at the same time, to attempts to automate vulnerability discovery using fuzzing, which is well suited to finding memory-corruption bugs in binaries.
Security issues in engineering software are often due to vulnerabilities in third-party components bundled with these products. Because such components are widely reused, a single vulnerability in one of them can affect many industrial products at once. For example, Siemens Building Technologies products and the Siemens SIMATIC WinCC Add-On were found to be vulnerable because they incorporated a vulnerable version of the Sentinel LDK RTE license manager; entire Siemens industrial product lines turned out to be affected by an OpenSSL vulnerability; and vulnerabilities in Flexera Publisher software, which is part of the Floating License Manager, affected several Schneider Electric products at once.
Special care should also be taken with vulnerabilities in industrial applications used by engineers and operators to access industrial control systems from smartphones and tablets running Android or iOS. Vulnerable products of this type include, among others, the SIMATIC WinCC OA iOS App, IGSS Mobile, the SIMATIC WinCC OA UI Mobile App, and the General Motors and Shanghai OnStar (SOS) iOS Client. Such mobile applications are increasingly used in ICS infrastructure, yet their security level leaves much to be desired, which carries significant risk: a compromised mobile application can lead to compromise of the entire ICS infrastructure.
In addition to ICS hardware and software components, vulnerabilities were identified in 2018 in security solutions for industrial networks: the Nortek Linear eMerge E3 Series access control platform and the Allen-Bradley Stratix 5950 network security appliance by Rockwell Automation.
Vulnerabilities in such products are an important reminder that security threats can arise not only from flaws in ICS software or hardware components, but also from the solutions designed to protect them.