WOBURN, MA – July 8, 2016 – /BackupReview.info/ — Kaspersky Lab announced today its researchers investigated a threat actor that was undertaking aggressive cyber-espionage activity in the Asian region, targeting multiple diplomatic and government entities with a particular focus on China and its international affairs. This group, named Dropping Elephant (also known as “Chinastrats”), used their unsophisticated tools to attack some high profile Western targets as well.
In February 2016, following an alert from a partner, Kaspersky Lab’s Global Research and Analysis Team began its investigation into this threat actor. They discovered that from November 2015 to June 2016, the group profiled hundreds to thousands of targets all around the world. The attackers rely heavily on social engineering, low-budget malware tools and old exploits; however, this approach seems to be effective, given that within the first couple of months of the operation, they managed to steal documents from at least a few dozen selected victims.
Tools: simple, yet effective
After using this simple method to filter out the most valuable targets, the attackers proceed with another, more targeted spear-phishing email. This is either a Word document carrying an exploit for CVE-2012-0158, or PowerPoint slides carrying an exploit for CVE-2014-6352, both vulnerabilities in Microsoft Office. Both exploits are public and have been known for a long time, but are still effective.
Some victims are targeted by a watering hole attack. These victims receive a link to a website disguised as a political news portal, focused on China’s external affairs. The majority of links on this website lead to additional content in the form of a PPS (PowerPoint Slides document) with a malicious payload inside.
Even though Microsoft has patched the vulnerabilities used in the attacks, the attackers can still rely on a social engineering trick to compromise targets who ignore the multiple security warnings displayed and agree to enable the document’s dangerous features. The content of the malicious PPS is based on carefully chosen, genuine news articles on widely discussed geopolitical topics, which makes the document look more trustworthy and more likely to be opened. As a result, many users become infected.
After the successful exploitation of the vulnerability, a range of malicious tools are installed on the victim’s machine.
These tools then collect and send attackers the following types of data: Word documents, Excel spreadsheets, PowerPoint presentations, PDF files, login credentials saved in the browser, etc.
In addition to social engineering attacks and exploiting old vulnerabilities, one of the Dropping Elephant backdoors uses a C&C communication method borrowed from other threat actors. It hides the real location of the C&C server in the comments section of articles on legitimate public websites. This technique has previously been observed, albeit with a far more complex execution, in operations conducted by Miniduke and other threat actors. This is done in order to make the investigation of the attack more complicated.
In total, Kaspersky Lab experts were able to identify several hundred targets worldwide, most of which are located in China, while others were from or related to Pakistan, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, the U.S., and a few other countries.
The analysis of activity reveals that the attackers probably operated in the UTC+5 or UTC+6 time zone. Interestingly, since May 2016, Kaspersky Lab researchers have spotted a new activity pattern for the group in a new geographical area that includes the Pacific Standard Time zone, corresponding, among others, to West Coast working hours in the U.S. This is likely to be the result of increased headcount in the Dropping Elephant team.
“Despite using such simple and affordable tools and exploits, the team seems capable of retrieving valuable intelligence information, which could be the reason why the group expanded in May 2016,” said Vitaly Kamluk, head of research center in APAC, GReAT, Kaspersky Lab. “The expansion also suggests that it is not going to end its operations anytime soon. Organizations and individuals that match this actor’s target profile should be especially cautious. The good news is that this group hasn’t yet been spotted using really sophisticated, hard-to-detect tools. This means that their activity is relatively easy to identify. This can of course change at any time.”
Kaspersky Lab is open to working with CERTs and law enforcement agencies of affected countries to notify the owners and mitigate the threat.
In order to protect yourself and your organization from cyber-espionage groups like Dropping Elephant, Kaspersky Lab security experts advise taking the following measures:
Kaspersky Lab solutions detect and neutralize the Dropping Elephant malware as:
Kaspersky Lab also detects the exploits used in the documents.
To learn more about the Dropping Elephant group, read the blogpost on Securelist.com.
The full version of the report on Dropping Elephant is available for customers of Kaspersky Lab APT Intelligence reporting service. Learn more at: http://www.kaspersky.com/enterprise-security/apt-intelligence-reporting
Learn more about how Kaspersky Lab products can protect users from this threat: https://goo.gl/IsJvkK
About Kaspersky Lab
Learn more at www.kaspersky.com
For the latest in-depth information on security threat issues and trends, please visit:
Threatpost | The First Stop for Security News