
Cybercriminals are using new tactics in industrial organizations

Kaspersky experts have unveiled a series of new, fast-growing spyware campaigns that have attacked more than 2,000 industrial companies worldwide.


These attacks differ from most spyware campaigns in the small number of victims per attack and the very short lifespan of each malware sample. The study also found more than 25 marketplaces selling the stolen data. These and other findings are published in a new report from Kaspersky's Industrial Control Systems Cyber Emergency Response Team (ICS CERT).

In the first half of 2021, Kaspersky ICS CERT experts observed a curious anomaly in the statistics for spyware blocked on industrial control system (ICS) computers. Although the malware used in these attacks belongs to well-known commodity spyware families such as Agent Tesla/Origin Logger, HawkEye and others, the attacks differ from the majority in the very limited number of victims per attack (from a few to a few dozen) and the very short life of each sample.

An in-depth analysis of 58,586 spyware samples blocked on ICS computers in the first half of 2021 showed that approximately 21.2% of them belonged to this new series of limited, short-lived attacks. Their life cycle is limited to about 25 days, much shorter than that of a typical spyware campaign.

Nevertheless, they account for a disproportionate share of all spyware attacks. In Asia, for example, one in five computers hit by spyware was affected by one of these anomalous samples (2.1% out of 11.9%).

Importantly, most of these campaigns spread from one industrial company to the next through well-crafted phishing emails. Once attackers have got into a victim's system, they use that device as the C2 (command and control) server for the next attack. With access to the victim's mailing list, the criminals can abuse corporate email to spread the spyware even further.

More than 2,000 industrial organizations around the world have been drawn into this malicious infrastructure and are used by the criminal groups to extend the attack to their contacts and partner organizations. Kaspersky estimates that the total number of corporate accounts hacked or stolen in these attacks exceeds 7,000.

Sold in at least 25 places

Confidential data from ICS computers often ends up on various marketplaces. Kaspersky experts identified more than 25 marketplaces where credentials stolen in these industrial campaigns are sold. Analysis of these marketplaces showed high demand for corporate account credentials, especially Remote Desktop Protocol (RDP) accounts. More than 46% of all RDP accounts sold on the marketplaces analysed belong to US companies, while the rest are in Asia, Europe and Latin America. Almost 4% (almost 2,000 accounts) of all RDP accounts sold belonged to industrial companies.

Another growing market is spyware as a service. Since the source code of some popular spyware was released, it has become widely available in online stores as a service: developers sell not only the malware but also a licence for the malware builder and access to pre-configured infrastructure for producing it.

“This is different from what we’ve seen so far with spyware, and we anticipate that such attacks will intensify this year,” said Kirill Kruglov, security expert at Kaspersky ICS CERT.

What to do?

To ensure adequate protection of an industrial company's operations and business, and of its partner network, Kaspersky experts recommend the following.
• Introduce two-factor authentication for access to corporate email and other Internet-facing services (including RDP, VPN/SSL gateways, etc.) that an attacker could use to reach critical enterprise infrastructure and business-critical data.
• Ensure that all endpoints in both the IT and OT networks are protected by a modern endpoint security solution that is properly configured and kept up to date.
• Train employees regularly in handling incoming email securely and protecting their systems from malware that may arrive in an email attachment.
• Check spam folders regularly instead of just emptying them.
• Monitor the exposure of your organization's accounts on the web.
• Use sandbox solutions designed to check attachments in incoming email automatically. Make sure, however, that the sandbox is configured not to skip checks on email from “trusted” sources, including partner and contact organizations, because no one is 100% protected from a breach.
• Check outgoing email attachments to make sure the account itself has not been compromised.
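As an added illustration of the last recommendation (this is not code from the Kaspersky report): a small check over a constructed outbound-mail log that flags an internal account suddenly sending a risky attachment to many external contacts, the pattern a compromised mailbox reused to seed the next wave of phishing would produce. The domain example-plant.test, the log fields, the extension list and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Constructed outbound-mail log (timestamp, sender, recipient, attachment) for a
# hypothetical plant at example-plant.test; none of this is real traffic.
OUTBOUND_LOG = [
    ("2021-06-01T09:02:11", "j.doe@example-plant.test", "supplier@partner-a.test", "invoice_0601.pdf"),
    ("2021-06-01T13:40:02", "j.doe@example-plant.test", "ops@partner-b.test", "shipment.xlsx"),
    ("2021-06-01T14:00:01", "m.roe@example-plant.test", "buyer@partner-a.test", "Order_2021.iso"),
    ("2021-06-01T14:00:05", "m.roe@example-plant.test", "sales@partner-c.test", "Order_2021.iso"),
    ("2021-06-01T14:00:09", "m.roe@example-plant.test", "admin@partner-d.test", "Order_2021.iso"),
    ("2021-06-01T14:00:14", "m.roe@example-plant.test", "it@partner-e.test", "Order_2021.iso"),
    ("2021-06-01T14:00:20", "m.roe@example-plant.test", "hr@example-plant.test", "Order_2021.iso"),
    ("2021-06-01T14:00:25", "m.roe@example-plant.test", "ceo@partner-f.test", "Order_2021.iso"),
]

# Assumed list of attachment types worth a second look when sent in bulk.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".iso", ".img", ".zip", ".rar", ".7z", ".docm", ".xlsm"}


def find_spreading_accounts(records, own_domain, window_minutes=15, min_external=5):
    """Return {sender: set(external recipients)} for internal accounts that sent a risky
    attachment to at least min_external distinct external recipients within window_minutes.
    Internal recipients are ignored: the concern is the mailbox being used to reach partners."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, attachment in records:
        if not sender.endswith("@" + own_domain):
            continue  # only our own accounts can have been hijacked for the next wave
        external = not rcpt.endswith("@" + own_domain)
        if external and os.path.splitext(attachment)[1].lower() in RISKY_EXT:
            by_sender[sender].append((datetime.fromisoformat(ts), rcpt))

    flagged = {}
    window = timedelta(minutes=window_minutes)
    for sender, events in by_sender.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding time window over this sender's sends
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            recipients = {r for _, r in events[lo:hi + 1]}
            if len(recipients) >= min_external:
                flagged.setdefault(sender, set()).update(recipients)
    return flagged


if __name__ == "__main__":
    print(find_spreading_accounts(OUTBOUND_LOG, "example-plant.test"))
```

A hit is a prompt to pull the account's sessions and reset its credentials, not proof of compromise on its own; a legitimate mass mailing with an archive attachment trips the same rule.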
