{"id":15093,"date":"2015-08-20T16:21:09","date_gmt":"2015-08-20T16:21:09","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4422"},"modified":"2019-11-15T07:02:33","modified_gmt":"2019-11-15T12:02:33","slug":"bluetermite-attention","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bluetermite-attention\/15093\/","title":{"rendered":"Why BlueTermite should draw a lot of attention"},"content":{"rendered":"<p>Well, ladies and gentlemen, you\u2019ve heard it: a new APT, BlueTermite, has been publicized, and Securelist\u2019s Targeted Attacks Logbook will soon receive a new entry.\u00a0The BlueTermite APT campaign is rather new, and \u201cpersistent in more senses than one,\u201d as Denis Legezo <a href=\"https:\/\/business.kaspersky.com\/bluetermite-apt\/4409\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">wrote<\/a>\u00a0for Kaspersky Business earlier today.<\/p>\n<p>In that post our readers can also learn\u00a0how to protect themselves from the new APT, which seems to target every imaginable kind of entity within Japan \u2013 government agencies, local governments, public interest groups, universities, banks, financial services, energy, communication, heavy industry, chemical, automotive, electrical, news media, information services sector, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation, and more. Interestingly, the C2 servers of BlueTermite are also located in Japan.<\/p>\n<p>The number of victims keeps growing, as the campaign is still active.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Why #BlueTermite should draw a lot of attention. 
#protectmybiz<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FUS3e&amp;text=Why+%23BlueTermite+should+draw+a+lot+of+attention.+%23protectmybiz\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p><strong>Circa 2013<\/strong><\/p>\n<p>The campaign was\u00a0actually discovered in 2014, and the oldest samples associated with it date from November 2013. However, activity spiked sharply in mid-summer 2015.<\/p>\n<p>There\u2019s a bit of intrigue here: at the same\u00a0time, the now-famous Adobe Flash zero-day exploit used by Hacking Team leaked and made its way into quite a few hacking groups\u2019 arsenals. BlueTermite was no exception.<\/p>\n<p>But the initial attack method was different: the attackers used malware customized for each specific target. Customization goes as far as making every sample work only on its target PC: the payload is encrypted with a key derived from the victim machine\u2019s SID, so a sample that lands anywhere else cannot even be decrypted.<\/p>\n<p><strong>Highly customized<\/strong><\/p>\n<p>According to Suguru Ishimaru at Securelist, \u201cWithout knowing the victim\u2019s SID, the decryption key will not be generated successfully, making it difficult to decrypt important data. This means it\u2019s not possible to analyze the malware in detail.\u201d<\/p>\n<p>Fortunately, Kaspersky Lab\u2019s researchers were able to analyze those samples after brute-forcing the decryption keys of several samples without knowing the SIDs. 
Apparently the encryption scheme wasn\u2019t strong enough to resist brute force, but that may well change in future samples.<\/p>\n<p><strong>And what about that zeroday?<\/strong><\/p>\n<p>The CVE-2015-5119 exploit (the Adobe Flash zero-day leaked from Hacking Team) is, arguably, one of the more worrisome parts of the story, and indicative of how\u00a0quickly attack tools make their way from one APT group to others.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Attack tools are quick to move between #APT groups.<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FUS3e&amp;text=Attack+tools+are+quick+to+move+between+%23APT+groups.\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>We mentioned earlier that cybercriminals are \u201clowering the profile\u201d, searching<a href=\"https:\/\/business.kaspersky.com\/cybercrime-inc-how-profitable-is-the-business\/2930\" target=\"_blank\" rel=\"noopener nofollow\"> for smaller and softer targets<\/a>. Cyberspies aren\u2019t an exception here, but this also means that \u201cjust criminals\u201d may adopt APT-style techniques as well. So far, we have <a href=\"https:\/\/business.kaspersky.com\/apts-in-2014-and-2015-a-landslide-in-the-making\/4129\" target=\"_blank\" rel=\"noopener nofollow\">witnessed<\/a> Grabit, an espionage campaign targeting <a href=\"https:\/\/business.kaspersky.com\/grabit-an-smb-targeting-spy-campaign\/4015\" target=\"_blank\" rel=\"noopener nofollow\">specifically SMB companies<\/a>. We have also seen Carbanak, the<a href=\"https:\/\/business.kaspersky.com\/the-great-bank-robbery-carbanak-apt\/3598\" target=\"_blank\" rel=\"noopener nofollow\"> first ever purely criminal APT<\/a>.<\/p>\n<p>BlueTermite may be a geographically limited campaign, but its tools are not. 
Businesses across the world are advised to watch for, and stand ready against, the attack methods used by APT groups: even if their targets are currently mostly larger entities, a business of any size can be attacked in the same manner at any moment.<\/p>\n<p>As Mr. Legezo wrote,\u00a0businesses\u00a0need to acknowledge the possibility of such attacks and, at\u00a0the very least, should install critical patches as soon as they are released. This won\u2019t eliminate the possibility of a targeted attack, but\u00a0it\u00a0greatly reduces the risk. A further necessary step is to deploy a security solution capable of blocking zero-day threats and exploitation of software vulnerabilities, which also covers the \u201cpatching gap\u201d between a fix being released and being deployed.<\/p>\n<p>For a more detailed technical review of the BlueTermite APT, please visit <a href=\"https:\/\/securelist.com\/blog\/research\/71876\/new-activity-of-the-blue-termite-apt\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The BlueTermite APT campaign is rather new and extremely persistent. Here&#8217;s why. 
<\/p>\n","protected":false},"author":209,"featured_media":15591,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1343,499,2333,783,1171],"class_list":{"0":"post-15093","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-0days","10":"tag-apt","11":"tag-bluetermite","12":"tag-business-security","13":"tag-exploits"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bluetermite-attention\/15093\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bluetermite-attention\/3123\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bluetermite-attention\/15093\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bluetermite-attention\/15093\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/0days\/","name":"0days"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15093"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15093\/revisions"}],"predecessor-version":[{"id":30424,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15093\/revisions\/30424"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15591"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}