In January 2022, Kaspersky researchers witnessed several advanced attacks on military enterprises and public organizations. The primary aim of the attacks was to access companies’ private information and to gain control over IT systems. The malware being used by the attackers is similar to the one deployed by TA428 APT, a Chinese-speaking APT group.
The attackers infiltrate enterprise networks by sending carefully crafted phishing emails, some of which contain information specific to the targeted organization that had not been made publicly available at the time the emails were sent. This indicates that the attackers deliberately prepare for the attacks and select their targets in advance. The phishing emails include a Microsoft Word document containing malicious code that exploits a vulnerability allowing an attacker to execute arbitrary code without any further user interaction. The vulnerability exists in outdated versions of the Microsoft Equation Editor, a component of Microsoft Office.
Moreover, the attackers used six different backdoors simultaneously, so that additional communication channels with infected systems remained available if one of the malicious programs was detected and removed by a security solution. These backdoors provide extensive functionality for controlling infected systems and collecting confidential data.
The attack’s final stage involves hijacking the domain controller and gaining complete control of all the organization’s workstations and servers; in one of the cases, the attackers even took over the control center of the organization’s cybersecurity solution. After gaining domain administrator privileges and access to Active Directory, the attackers ran a “golden ticket” attack to impersonate arbitrary user accounts in the organization and search for documents and other files containing the attacked organization’s sensitive data, which they exfiltrated to attacker-controlled servers hosted in different countries.
“Golden Ticket attacks take advantage of the default authentication protocol which has been used since the availability of Windows 2000. By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, the attackers can independently access any service that belongs to the network for an unlimited time. As a result, just changing passwords or blocking compromised accounts won’t be enough. Our advice is to check carefully all suspicious activity and rely on trustworthy security solutions,” comments Vyacheslav Kopeytsev, a security expert at ICS CERT Kaspersky.
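As an added illustration of the detection side of the golden ticket problem described in the quote above (example code, not from Kaspersky or the report): a forged TGT is minted by the attacker rather than issued by the KDC, so a service ticket request (Security event 4769) that has no matching TGT issuance (event 4768) from the domain controllers, or that arrives long after the last issued TGT would have expired, deserves investigation. The simplified event fields, the 10-hour TGT lifetime and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class KerbEvent:
    """Minimal subset of a Windows Security Kerberos event (assumed fields)."""
    ts: datetime
    event_id: int   # 4768 = TGT issued by the KDC, 4769 = service ticket requested
    account: str
    client_ip: str


# Constructed sample events; in practice these come from all DCs' Security logs.
SAMPLE_EVENTS = [
    KerbEvent(datetime(2022, 1, 10, 9, 0, 0), 4768, "alice", "10.0.0.12"),
    KerbEvent(datetime(2022, 1, 10, 9, 0, 5), 4769, "alice", "10.0.0.12"),
    KerbEvent(datetime(2022, 1, 10, 9, 1, 0), 4768, "bob", "10.0.0.20"),
    KerbEvent(datetime(2022, 1, 10, 9, 2, 0), 4769, "bob", "10.0.0.20"),
    # A forged TGT never passed through the KDC, so no 4768 exists for it:
    KerbEvent(datetime(2022, 1, 10, 9, 3, 0), 4769, "administrator", "10.0.0.77"),
    # A TGT still in use well past the domain's maximum TGT lifetime:
    KerbEvent(datetime(2022, 1, 11, 21, 0, 0), 4769, "bob", "10.0.0.20"),
]


def find_orphan_tgs_requests(events, max_tgt_lifetime=timedelta(hours=10)):
    """Return (account, client_ip, timestamp) for each TGS request that cannot be
    matched to a TGT issued by the KDC to the same account from the same client
    within max_tgt_lifetime (assumed domain policy; default 10 hours).

    Heuristic only: TGT renewals (event 4770) and logs collected from only some
    DCs produce false positives, so findings are leads, not verdicts."""
    last_tgt = {}  # (account, client_ip) -> time the KDC last issued a TGT
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account.lower(), ev.client_ip)
        if ev.event_id == 4768:
            last_tgt[key] = ev.ts
        elif ev.event_id == 4769:
            issued = last_tgt.get(key)
            if issued is None or ev.ts - issued > max_tgt_lifetime:
                findings.append((ev.account, ev.client_ip, ev.ts))
    return findings
```

Because a forged ticket keeps working after password resets, this kind of KDC-side correlation is what lets a responder see the ticket still being used, which is the point made in the quote.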
Learn more about these targeted attacks on Kaspersky ICS CERT.
To keep your ICS computers protected from various threats, Kaspersky experts recommend businesses: