APT Group Acquires Industrial Espionage IT Infrastructure

August 25, 2022

Kaspersky ICS CERT has detected a wave of targeted attacks on companies and public institutions in the military-industrial complex in many Eastern European countries and Afghanistan. Cybercriminals have managed to take over the victims’ entire IT infrastructure for industrial espionage.

In January 2022, Kaspersky researchers witnessed several sophisticated attacks on military and public institutions. The main purpose of the attacks was to gain access to companies’ private information and take control of their IT systems. The malware used by the attackers was similar to that of TA428 APT, a Chinese-speaking APT group.

The attackers infiltrated corporate networks by sending elaborate phishing emails containing trade secrets of the targeted organizations, some of which had not been made public at the time the emails were sent. This indicates that the attackers consciously prepared for the attacks and pre-selected their targets. The phishing emails carried a Microsoft Word document containing malicious code that exploits a vulnerability allowing an attacker to execute arbitrary code without any further user activity. The vulnerability exists in older versions of Microsoft Equation Editor, a component of Microsoft Office.

The attackers also used six different backdoors at once. They did this to establish additional channels of communication with infected systems in case one of the malicious programs was detected and removed by a security solution. These backdoors provided extensive functionality to monitor infected systems and collect confidential data.

The final phase of the attack involved taking over the domain controller and gaining full control of all of the organization’s workstations and servers. In one case, the attackers even took over the control center of the cybersecurity solution. After gaining domain administrator rights and access to Active Directory, the attackers performed the so-called “golden ticket” attack to impersonate arbitrary user accounts of the organizations and search for sensitive data and other files belonging to the attacked organization.

Kaspersky ICS CERT Security Specialist Vyacheslav Kopeytsev says: “Golden ticket attacks use the standard authentication protocol that has been in use since the launch of Windows 2000. By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, attackers can independently access each network service. As a result, simply changing passwords or blocking compromised accounts is not enough to prevent this. Our advice is to carefully monitor all suspicious activity and look for reliable security solutions.”
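The monitoring the quote recommends can be made concrete. A forged TGT is minted offline, so it never appears as an Event ID 4768 (TGT issued) on any domain controller; the first trace is an Event ID 4769 (service ticket requested) for an account that no DC ever issued a TGT to. The following Python is an added illustration, not code from Kaspersky or the article: it runs that correlation over a handful of constructed Security-log records. The event IDs are real; the sample events, the `SAMPLE_EVENTS` field layout, and the 10-hour lookback (an assumed domain TGT lifetime) are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Windows Security event IDs logged on a domain controller (real IDs).
TGT_ISSUED = 4768       # a Kerberos authentication ticket (TGT) was requested
SERVICE_TICKET = 4769   # a Kerberos service ticket was requested

# Constructed sample events written for this example; they are not telemetry
# from the campaign in the article. Field names follow the Security log
# schema, values are invented. 'bob' holds a day-old TGT; 'svc_backup' has
# a service-ticket request with no TGT issuance on any DC.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2022-08-25T08:00:00", "DC": "DC01",
     "TargetUserName": "alice", "IpAddress": "10.0.1.20"},
    {"EventID": 4769, "Time": "2022-08-25T08:00:05", "DC": "DC01",
     "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/FS01",
     "IpAddress": "10.0.1.20"},
    {"EventID": 4769, "Time": "2022-08-25T09:14:00", "DC": "DC02",
     "TargetUserName": "svc_backup@CORP.LOCAL", "ServiceName": "ldap/DC02",
     "IpAddress": "10.0.5.77"},
    {"EventID": 4768, "Time": "2022-08-24T07:30:00", "DC": "DC01",
     "TargetUserName": "bob", "IpAddress": "10.0.1.31"},
    {"EventID": 4769, "Time": "2022-08-25T10:45:00", "DC": "DC01",
     "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "cifs/FS01",
     "IpAddress": "10.0.1.31"},
]


def _account(name: str) -> str:
    """Normalise 'user@REALM' or 'user' to the lower-case user part."""
    return name.split("@", 1)[0].lower()


def find_suspicious_service_tickets(events, max_tgt_lifetime_hours=10):
    """Flag 4769 events whose account has no recent 4768 on any DC.

    Every legitimately obtained TGT is logged as a 4768 on the issuing DC, so
    the events passed in must come from all DCs in the domain. A 4769 with no
    earlier 4768 for the same account, or whose newest 4768 is older than the
    maximum TGT lifetime (assumed 10 hours here), points at a ticket the
    domain never issued. Returns (account, service, reason) tuples in event
    order.
    """
    lookback = timedelta(hours=max_tgt_lifetime_hours)

    # Index TGT issuance times per account.
    tgt_times = {}
    for e in events:
        if e["EventID"] == TGT_ISSUED:
            tgt_times.setdefault(_account(e["TargetUserName"]), []).append(
                datetime.fromisoformat(e["Time"]))

    flagged = []
    for e in events:
        if e["EventID"] != SERVICE_TICKET:
            continue
        acct = _account(e["TargetUserName"])
        t = datetime.fromisoformat(e["Time"])
        earlier = [tt for tt in tgt_times.get(acct, []) if tt <= t]
        if not earlier:
            flagged.append((acct, e["ServiceName"], "no TGT issued by any DC"))
        elif t - max(earlier) > lookback:
            flagged.append((acct, e["ServiceName"],
                            "newest TGT older than max lifetime"))
    return flagged


if __name__ == "__main__":
    for acct, svc, why in find_suspicious_service_tickets(SAMPLE_EVENTS):
        print(f"{acct:12} -> {svc:12} : {why}")
```

Run stand-alone, the script flags `svc_backup` (no 4768 anywhere) and `bob` (TGT older than the lookback); `alice` passes. The heuristic only works when logs from every DC are collected into one view, and clock skew between DCs or a long renewal policy will change the lookback you need. Because the forged ticket is signed with the `krbtgt` account's key, the remediation that actually invalidates outstanding golden tickets is resetting the `krbtgt` password twice, which is consistent with the quote's point that changing user passwords alone is not enough.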

You can learn more about the attack on Kaspersky ICS CERT.

To protect your ICS computers from various threats, Kaspersky experts recommend companies:

  • Regularly update operating systems and application software that are part of the corporate network. Apply security solutions and patches to IT and OT network equipment as they become available.
  • Perform regular security audits of IT and OT systems to identify and eliminate potential vulnerabilities.
  • Use ICS solutions for network traffic monitoring, analysis, and detection to better protect against attacks that can threaten technology processes and critical assets.
  • Implement specific security training for IT security teams and OT technicians to improve response to new and advanced malicious techniques.
  • Provide up-to-date threat intelligence to the security team responsible for protecting industrial control systems. Our ICS Threat Intelligence Reporting service provides information on current threats and attack vectors, the most vulnerable elements in OT and industrial control systems, and how to mitigate them.
  • Use security solutions such as Kaspersky Industrial CyberSecurity on your OT endpoints and networks to provide comprehensive protection for all industry-critical systems.
  • Also protect your IT infrastructure. Integrated Endpoint Security protects business endpoints and provides automated threat detection and response.

Source: (BYZHA) – Beyaz News Agency

Source: Haber Safir
