Law enforcement agencies, with the help of leading IT security providers, are keen on blocking all the malware Command & Control servers they find. Sometimes, they efficiently shut down massive botnets by putting their controlling structure out of business. But one of the most advanced threat actors is still out there.<\/p>\n
One of the reasons for Turla\u2019s success, besides the group\u2019s obvious professionalism, is their ability to hide the ends \u2013 namely, the above-mentioned C&Cs. Research<\/a> by Kaspersky Lab experts reveals \u00a0that they\u2019re achieving this using a trick known as satlink hijacking \u2013 a technique this Russian-speaking group has been using since 2007. \u00a0It involves exploiting the vulnerability of asynchronous satellite internet connections to sniff traffic, distilling the IP addresses of satellite subscribers. All the attackers need then is to set up their servers with the same IPs, configure these addresses into their malware and, after a successful infection, wait for its call for C&C.<\/p>\n What happens next: the satellite broadcasts the request from an infected machine over the whole area of its coverage. Of course, both attackers and law-abiding subscribers receive this request. But, unlike the attackers\u2019 servers, subscriber systems are extremely unlikely to host any services on particular ports \u2013 and this traffic is simply dropped without acknowledgement, as this would increase the burden on the thin cellular upstream channel used in such asynchronous data links. After receiving the malware call, the C&C answers via regular fast landline with a spoofed acknowledgement, which appears to be coming from the same hapless satlink subscriber.<\/p>\n This isn\u2019t the only trick in Turla\u2019s arsenal \u2013 there are other mechanisms potential victims should be more worried about. For initial penetration, they use several different methods, including extremely precise waterholing tactics (infecting only victims with IPs hackers are interested in), exploiting several vulnerabilities in visitors\u2019 systems. It\u2019s worth mentioning that well-known vulnerabilities were actively used, along with zero days, once again proving that automated vulnerability assessment and patch management tools such as those offered by Kaspersky Lab[1]<\/a><\/sup> are essential. In the meantime, another security layer found in Kaspersky Endpoint Security for Business<\/a> \u2013 Automatic Exploit Prevention[2]<\/a><\/sup> \u2013 can block exploits, stopping the attack\u2019s development at the very beginning.<\/p>\n