Saturday, September 12, 2015

Hackers Spying US and Europe through Satellite



When you are an APT group, you need to deal with many different problems. One of them, and perhaps the biggest, is the constant seizure and takedown of domains and servers used for command-and-control (C&C). These servers are constantly appropriated by law enforcement or shut down by ISPs. Sometimes they can be used to trace the attackers back to their physical locations.

Some of the most advanced threat actors or users of commercial hacking tools have found a solution to the takedown problem — the use of satellite-based Internet links. In the past, we’ve seen three different actors using such links to mask their operations. The most interesting and unusual of them is the Turla group.

Also known as Snake or Uroburos, names which come from its top class rootkit, the Turla cyber-espionage group has been active for more than 8 years. Several papers have been published about the group’s operations, but until the Epic Turla research was published by Kaspersky Lab, little information was available about the more unusual aspects of their operations, such as the first stages of infection through watering-hole attacks.

What makes the Turla group special is not just the complexity of its tools, which include the Uroburos rootkit, aka “Snake”, and mechanisms designed to bypass air gaps through multi-stage proxy networks inside LANs, but also the exquisite satellite-based C&C mechanism used in the latter stages of the attack.

In this blog, we hope to shed more light on the satellite-based C&C mechanisms that APT groups, including the Turla/Snake group, use to control their most important victims. As the use of these mechanisms becomes more popular, it’s important for system administrators to deploy the correct defense strategies to mitigate such attacks.

Security firm Kaspersky has discovered a group of sophisticated Russian-speaking hackers who are secretively siphoning sensitive data via satellites from installations in the United States and Europe.

A group of malicious hackers are using commercial satellites to tap into sensitive information from diplomatic and military agencies across Europe and the United States, according to a report in the Washington Post.

After making the discovery, security firm Kaspersky also contends that the Russian-speaking hackers are using the satellites to hide their location as well as siphon data from it.

The revelation was made in a blog post by Kaspersky Lab.

The hackers behind the sophisticated spying operation are known as Turla, reveals Kaspersky Lab. Turla chose older satellites since they do not encrypt the data streamed back to Earth. Moreover, those older satellites are served by satellite internet providers around the world, providers that have no reason to suspect espionage activity.

Here is how the satellite hacking scheme works:
  • Turla locates and infects a target’s computer by inserting malware on a website frequented by the target. The computer is compromised when accessing the malicious website, otherwise known as a ‘watering hole’ attack.
  • Having gained access to the user’s computer, Turla finds the required data and sends the stolen data from the computer to the internet address of a satellite user, that is, a subscriber who is online via the internet service of a satellite ISP.
  • Subsequently, Turla gains control of the stream of data beamed from the satellite to the victim’s computer by spoofing the user’s internet address.
  • This data is sent to a Turla-controlled server whose location stays hidden from detection, because the satellite beam’s footprint can stretch thousands of miles.
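The blog’s own advice is that system administrators deploy defenses against this kind of C&C. One simple network-side check, added here as an illustration and not code from Kaspersky or the original post, is to flag internal hosts that push significant volumes of data to addresses inside satellite-ISP prefixes, since most corporate hosts have no reason to talk to such ranges. The prefixes, the log format and the log lines below are all constructed placeholders (documentation address blocks are used in place of any real provider’s space).

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder prefixes standing in for a satellite ISP's address
# space; a real deployment would load these from routing/ASN data instead.
SATELLITE_ISP_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed egress-firewall log: timestamp, source, destination, dst port, bytes sent
SAMPLE_LOG = """\
2015-09-12T08:01:10 10.20.1.15 192.0.2.44 443 1820
2015-09-12T08:02:31 10.20.1.15 203.0.113.77 80 52240
2015-09-12T08:05:02 10.20.1.23 192.0.2.10 443 950
2015-09-12T08:07:45 10.20.1.15 203.0.113.77 80 61100
2015-09-12T08:09:12 10.20.1.31 198.51.100.5 443 310
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_satellite_destination(ip):
    """True when the address falls inside one of the satellite-ISP prefixes."""
    return any(ip in net for net in SATELLITE_ISP_PREFIXES)


def suspect_hosts(text, min_bytes=1000):
    """Map each internal host to the satellite-range destinations it sent
    at least min_bytes to, with the byte total summed over all matching flows.

    Returns {src: [(dst, port, total_bytes), ...]} for hosts over the threshold.
    """
    totals = defaultdict(int)
    for _, src, dst, port, nbytes in parse_log(text):
        if is_satellite_destination(dst):
            totals[(src, dst, port)] += nbytes
    report = defaultdict(list)
    for (src, dst, port), total in sorted(totals.items(), key=lambda kv: str(kv[0][0])):
        if total >= min_bytes:
            report[str(src)].append((str(dst), port, total))
    return dict(report)


if __name__ == "__main__":
    for host, flows in suspect_hosts(SAMPLE_LOG).items():
        for dst, port, total in flows:
            print(f"{host} -> {dst}:{port} sent {total} bytes into a satellite-ISP prefix")
```

The threshold keeps one-off small flows (such as the 310-byte flow from 10.20.1.31 above) out of the report; in practice the prefix list would be maintained from routing data and any known legitimate satellite users in the organisation would be allowlisted before the output is fed to an alerting pipeline.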

Turla, the Cyberespionage Group
Turla’s activities were initially exposed last year, with the Russian-speaking group conducting cyber espionage campaigns in more than 45 countries, targeting over 500 victims between them.

Stefan Tanase, a senior security researcher at Kaspersky Lab who penned the blog post, revealed that Turla, named after the malware it uses, has targeted embassies, military, research and pharmaceutical organizations as well as other government agencies.

The list of targeted countries includes:
  • The United States
  • Russia
  • Kazakhstan
  • China
  • Vietnam and more.

The reasons for the infiltration and the espionage campaigns are to gain unprecedented political and strategic intelligence from multiple countries using exceptional methods, Tanase adds.

Tanase also made the startling revelation that Turla has successfully used this method of tapping into satellites for at least eight years, showcasing skill, sophistication and creativity seldom seen among other hacker groups.

“For us, it was very surprising,” he said, speaking to the Washington Post.

“We’ve never seen a malicious operation that hijacked satellite connections to obtain data and to cover its tracks. This is the first group that we believe has done it. It allows you to achieve a much greater level of anonymity.”


For more details: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/

Friday, July 10, 2015

Banking malware targets UK high street banks

Researchers report that cyber criminals have used spam servers to send 19,000 malicious emails to UK customers of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander in an attempt to steal bank login details.

Containing the Dyreza banking Trojan – also known as Dyre – the phishing emails pose as a follow-up email from a tax consultant, asking the user to urgently download an attached file in order to complete a financial transaction. A second email asks the user to attach files to verify financial and personal details, while a third email is also sent. Attached to the emails is an archive containing a malicious .exe file.

Dyre shares many similarities with the infamous Zeus malware. Catalin Cosoi, chief security strategist at Bitdefender, describes the malware:

“It installs itself on the user’s computer and becomes active only when the user enters credentials on a specific site, usually the login page of a banking institution or financial service,” he continued, adding how “hackers inject malicious JavaScript code, allowing them to steal credentials and further manipulate accounts, all completely covertly.”

“If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page. The server will then respond with the compressed version of the web page with malicious code added to it,” he said. “This altered web page is then displayed on the victim’s web browser. Its appearance remains exactly the same, but the added code harvests the victim’s login credentials”.
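The web-inject mechanism Cosoi describes leaves a detectable trace: the page the browser ends up rendering contains script or form fields that the bank’s genuine login page does not. The following is an added example, not Bitdefender’s or the post’s own code, of the kind of page-integrity comparison a bank’s fraud team (or a browser-side monitoring script) can run: it inventories the scripts and input names on a known-good copy of the login page and on the page a customer actually received, and reports anything added. Both pages below are constructed samples; the injected script is a harmless stand-in that only illustrates where credential-harvesting code would sit.

```python
from html.parser import HTMLParser


class PageInventory(HTMLParser):
    """Collect the script sources and form field names a page contains."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # external script URLs, or "inline:<first 40 chars>"
        self.inputs = []       # names of input/select/textarea elements
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_script = True
                self._inline = []
        elif tag in ("input", "select", "textarea"):
            if a.get("name"):
                self.inputs.append(a["name"])

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._inline).strip()
            self.scripts.append("inline:" + body[:40])


def inventory(html):
    parser = PageInventory()
    parser.feed(html)
    parser.close()
    return parser


def find_injected_content(baseline_html, served_html):
    """Return the scripts and form fields present in the served page but
    absent from the known-good baseline."""
    base, served = inventory(baseline_html), inventory(served_html)
    return {
        "added_scripts": [s for s in served.scripts if s not in base.scripts],
        "added_inputs": [i for i in served.inputs if i not in base.inputs],
    }


# Constructed known-good login page
BASELINE_PAGE = """<html><body>
<form id="login" action="/auth" method="post">
  <input name="username"><input name="password" type="password">
</form>
<script src="/static/login.js"></script>
</body></html>"""

# Constructed page as a victim's browser might receive it: an extra field and
# an inline script have been added, the rest is visually identical
SERVED_PAGE = """<html><body>
<form id="login" action="/auth" method="post">
  <input name="username"><input name="password" type="password">
  <input name="pin">
</form>
<script src="/static/login.js"></script>
<script>/* injected: collects field values */ harvest(document.forms[0]);</script>
</body></html>"""


if __name__ == "__main__":
    print(find_injected_content(BASELINE_PAGE, SERVED_PAGE))
```

Comparing inventories rather than raw bytes keeps the check stable across harmless differences such as session tokens or whitespace, while still surfacing exactly the two things a web-inject needs to add: code, and fields that ask the customer for more than the real page does.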

Phishing threat to businesses

Phishing emails are a major problem for companies, as staff are often unaware of the risks of clicking on links or opening attachments from unknown senders.

It’s important to educate your staff so that they can spot and avoid phishing campaigns, significantly reducing the risk of a cyber attack on your organisation.


Five greatest cybersecurity myths


With the average cost of a data breach now sitting around $6.5 million in the US, businesses will be eagerly looking at how they can avoid being compromised.
With more interest in the industry than ever, we bust the top five myths surrounding cybersecurity:

Myth 1: Small organizations aren’t targeted by hackers
It’s a common misconception that hackers overlook small organizations and focus on large organizations only, but the truth is that virtually every web-based attack (98%) is opportunistic in nature, according to the 2015 Verizon Data Breach Investigations Report (DBIR).
In fact, because of this misunderstanding, small organizations tend to have inadequate levels of cybersecurity (more so than large organizations) and are actually an ideal target for hackers.
What’s worse is that 60% of small organizations that are compromised close down within six months.
Every organization – large and small – needs to strengthen its cybersecurity procedures.

Myth 2: It’s really expensive to be cyber secure and the ROI isn’t worth it
It’s true that being cyber secure costs money, but effective cybersecurity is actually a lot more affordable than people think, and considerably cheaper than suffering a data breach (now averaging $6.5 million).
It’s impossible to put an average cost on being cyber secure as every organization is different – in terms of size, resources, etc. – but organizations can implement ISO 27001, the internationally recognized cybersecurity standard, from as little as $659 with our packaged solutions.
In terms of return on investment (ROI), it’s hard to quantify the savings from an attack that didn’t happen, but the whole idea of cybersecurity is to decrease the costs related to security problems (i.e. incidents). If you manage to decrease the number and/or extent of security incidents, you will save money. In most cases, the savings achieved are far greater than the cost of the safeguards, so you will ‘profit’ from cybersecurity.

Myth 3: Cyber threats are a technology problem so a technology solution will fix them
Implementing the latest AlienVault solution may keep track of attacks or unusual activity, but it won’t get to the root of the problem.
It won’t prevent your staff from clicking on malicious links in emails, from letting a stranger through your organization’s front door, or from sending unencrypted customer data to someone outside the organization.
A comprehensive, holistic approach that covers your people, processes, and technology is the only real answer to achieving true cybersecurity, and ISO 27001 is the only internationally-recognized cybersecurity standard that addresses all of these three areas.

Myth 4: Hackers are your biggest threat
Reports show that your employees are in fact your biggest threat.
“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage,” he says.
As well as disgruntled employees, you also need to be aware of careless or uninformed employees – those who mistakenly leave their work cell phone in a taxi, have weak passwords, or click on links in suspicious emails – and how your partners and suppliers are handling their cybersecurity. These all pose enormous security threats to your systems and data, and tend to be more insidious.

Myth 5: I don’t need cybersecurity – I have cyber insurance
Although cyber insurance seems like a fail-safe, simple way to tackle cybersecurity, it is often the opposite. Many cyber insurers include clauses stating that failing to implement basic cybersecurity measures will void your coverage, so it’s really important to check your policy carefully.
Insurance protection is just one of the ways to mitigate costs; you must also consider having an incident response plan and team in place, extensive use of encryption, business continuity management involvement, CISO leadership, employee training, board-level involvement, and other factors.