430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

DHS and FBI warn of ongoing attacks on energy firms and critical infrastructure

The US DHS and the FBI have issued a warning that APT groups are actively targeting energy firms and critical infrastructure. The US Department of Homeland Security (DHS) and the FBI have issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing […]

dragonfly 2

The US DHS and the FBI have issued a warning that APT groups are actively targeting energy firms and critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI have issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.

The warning was sent to the organization via email on Friday to inform them of Advanced Persistent Threat Activity targeting energy and other critical infrastructure sectors since at least May 2017.

“Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.” reads the alert.

“Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. “

dragonfly 2 energy firms

The hackers use to target third-party suppliers and contractors (“staging targets”) to hit intended institution.

The attackers leverage the staging targets’ networks as pivot points and malware repositories when launching the attacks on their final intended victims.

According to the warning, the campaign is still ongoing, the government experts believe it is operated by the Dragonfly hacking group (aka Energetic Bear) that has been active since at least 2011 when it targeted defense and aviation companies in the US and Canada.  Only in a second phase Dragonfly has focused its effort on US and European energy firms in early 2013.

In 2014, security experts at Symantec uncovered a new campaign targeting organizations located in the US, Italy, France, Spain, Germany, Turkey, and Poland.

Dragonfly gang conducted a cyber espionage campaign against energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers.

According to the JAR report published by the US Department of Homeland Security, Dragonfly was Russian APT actor linked to the Government.

The infamous group remained under the radar since December 2015, but now the researchers pointed out Dragonfly targeted energy companies in Europe and the US.

In September 2017, the attackers aimed to control or even sabotage operational systems at energy facilities.

Back to the ongoing campaign, the attackers launched a spear-phishing campaign.

“Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the requested file.” states the alert. “(Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”

APT28 hackers also used spear-phishing emails with a generic contract agreement in the form of a PDF that even if doesn’t include a malicious code prompts the victim to click a link which (via a shortened URL) downloads a malicious file.

The weaponized attachments may refer to legitimate curricula vitae CVs or resumés for industrial control systems personnel, invitations or policy documents designed to entice users into clicking on the attachment.

“The emails leveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of file names has been published in the IOC.” continues the alert.

Attackers also used watering hole attacks, attackers compromise trade publications and informational websites related to process control, ICS, or critical infrastructure.

Much more detail, including indicators of compromise, filenames used in the attacks, and MD5 hashes, can be found in the alert published on US-CERT.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – energy firms, critical infrastructure)

[adrotate banner=”5″]

[adrotate banner=”13″]