
2/14/2011

Spear-phishing attack on global energy companies: Night Dragon

1. Introduction

A spear-phishing threat against global energy companies was reported on Feb 09, 2011.
The threat, named Night Dragon, was reported by McAfee, an anti-virus software company.
It can cause a large amount of financial damage by hitting industrial facilities.



2. Propagation path and symptoms of infection

* SPEAR-PHISHING

http://itlaw.wikia.com/wiki/Spear-phishing
Spear-phishing is "impersonating a company employee/employer via e-mail to steal colleagues’ passwords/usernames and gain access to the company’s computer system."

The following figure shows the process of the Night Dragon attack.



* Process of attack and infection

- Company extranet web servers were compromised through SQL injection, allowing remote command execution
- Commonly available hacker tools were uploaded to the compromised web servers, allowing the attackers to pivot into the company's intranet and giving them access to sensitive desktops and servers internally
- Using password-cracking and pass-the-hash tools, the attackers gained additional usernames and passwords, allowing them to obtain further authenticated access to sensitive internal desktops and servers
- Initially using the company's compromised web servers as command and control (C&C) servers, the attackers discovered that they needed only to disable Microsoft Internet Explorer (IE) proxy settings to allow direct communication from infected machines to the Internet
- Using the RAT malware, they proceeded to connect to other machines (targeting executives) and exfiltrate email archives and other sensitive documents
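The proxy step above has a defensive corollary: if workstations are only supposed to reach the web through an explicit proxy, a workstation that shows up at the perimeter firewall talking straight to an external address on 80/443 has had its proxy settings turned off. The script below is an added example, not code from INCA Internet or from McAfee's report; it assumes a network with the internal ranges and proxy address shown in INTERNAL_NETS and PROXY_HOSTS, and the firewall log lines it scans are constructed for the example.

```python
"""Flag internal hosts that reach the Internet directly instead of via the proxy.

Added example for this post (not code from INCA Internet or McAfee). It assumes a
network where workstations must reach the web only through an explicit proxy
(PROXY_HOSTS below), so a workstation seen at the perimeter talking directly to
an external address on 80/443 has bypassed its proxy configuration. The network
ranges, proxy address and firewall log lines are all constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Assumed environment (constructed): workstation ranges and the permitted proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_HOSTS = {ipaddress.ip_address("10.0.1.5")}
WEB_PORTS = {80, 443}

# Constructed perimeter firewall log: "<timestamp> <src>:<port> -> <dst>:<port> <action>"
SAMPLE_LOG = """\
2011-02-14T09:01:02 10.0.5.21:51234 -> 10.0.1.5:8080 ALLOW
2011-02-14T09:01:03 10.0.5.21:51235 -> 203.0.113.7:443 ALLOW
2011-02-14T09:02:10 10.0.5.40:50001 -> 10.0.1.5:8080 ALLOW
2011-02-14T09:02:11 10.0.1.5:40001 -> 198.51.100.9:443 ALLOW
2011-02-14T09:03:00 10.0.5.21:51240 -> 203.0.113.7:80 ALLOW
2011-02-14T09:03:30 10.0.5.77:49152 -> 192.0.2.44:443 DENY
"""


def parse_line(line):
    """Split one log line into fields; ports become ints, addresses ip_address objects."""
    ts, src, _arrow, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
        "action": action,
    }


def is_internal(ip):
    """True if the address belongs to one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def direct_egress(log_text):
    """Return {src_ip: [records]} for internal, non-proxy hosts that contacted an
    external address on a web port directly. DENY lines are kept on purpose: a
    blocked attempt still shows the host's proxy configuration has been bypassed."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in PROXY_HOSTS:          # the proxy itself is allowed to talk out
            continue
        if not is_internal(rec["src"]):        # inbound traffic is out of scope here
            continue
        if is_internal(rec["dst"]):            # internal destinations (incl. the proxy) are fine
            continue
        if rec["dport"] not in WEB_PORTS:
            continue
        hits[str(rec["src"])].append(rec)
    return dict(hits)


def summarize(hits):
    """One line per offending host: number of direct connections and the addresses contacted."""
    lines = []
    for src in sorted(hits):
        dsts = sorted({str(r["dst"]) for r in hits[src]})
        lines.append(f"{src}: {len(hits[src])} direct web connection(s) to {', '.join(dsts)}")
    return lines


if __name__ == "__main__":
    for line in summarize(direct_egress(SAMPLE_LOG)):
        print(line)
```

On the constructed log this reports 10.0.5.21 (two allowed direct connections) and 10.0.5.77 (one denied attempt); the hosts that only talked to the proxy are silent. The denied attempt is kept deliberately, since a perimeter block stops the traffic but says nothing about why the workstation stopped using the proxy in the first place.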

McAfee reported that
"There is nothing to suggest that the developers of these tools had any direct connection to these intrusions, as the tools are widely available on the Chinese web forums and tend to be used extensively by Chinese hacker groups. Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely. Further, it is unclear who would have the motivation to go to these extraordinary lengths to place the blame for these attacks on someone else. We have strong evidence suggesting that the attackers were based in China."

3. How to prevent

Following Stuxnet, Night Dragon is another threat that can cause a large amount of financial damage. The continuing appearance of such security threats endangers industrial facilities.
To use a PC safely against malicious attachments of this kind, we recommend the following security management tips for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received through instant messengers and social networking services (SNS).

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as those described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.
