{"id":5165,"date":"2016-02-09T10:31:15","date_gmt":"2016-02-09T10:31:15","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5165"},"modified":"2020-02-26T11:05:22","modified_gmt":"2020-02-26T16:05:22","slug":"poseidon-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/poseidon-apt\/5165\/","title":{"rendered":"A Touch of Artistry: Poseidon&#8217;s APT Boutique"},"content":{"rendered":"<p>Targeted attacks are visibly commoditizing, choosing cost efficiency over sophistication. If a combination of social engineering, tweaks to widely-available malware and legit apps can do the trick, why bother to create something original and exquisite?<\/p>\n<p>Nevertheless there remain true adepts \u2013 those who perceive every cyberespionage operation as another stage in the quest for ultimate perfection. And, given the long and successful careers of some, they have good reason to stick with their own way of working.<\/p>\n<h2>Artistic Blackmailers<\/h2>\n<p>The Poseidon cyberespionage group very much fits this description. \u00a0The group has been using state-of-the-art custom malware since 2005, at least, and there\u2019s data to suggest that some could have been prototyped as early as 2001. Different components of their toolsets appeared regularly on the radar of security companies, but were not recognized as part of a bigger picture. Throughout this period, Poseidon were meticulously tailoring their toolsets to ensure easy and silent entry and efficient data acquisition, in line with their patrons\u2019 requirements. 
This perfectionist, artisan approach, together with the group\u2019s known fascination with Greek mythology and their one-time abuse of a maritime satellite communications system, earned their operations the nickname \u2018Poseidon\u2019s APT Boutique\u2019.<\/p>\n<p>Setting aside their artistic finesse, some aspects of their \u2018business model\u2019 looked distinctly ugly. Masquerading behind a front-end \u2018security company\u2019, they used harvested secrets to blackmail targets into accepting them as IT security contractors. Meanwhile, they either retained an illegitimate presence within the \u2018secured\u2019 system or, having completed the agreed task, quietly resumed their presence within the perimeter. They were known to refer to one element of their business cycle as \u2018financial forecasting\u2019, giving an idea of the long-term benefit they anticipated from a prolonged presence in the victim\u2019s systems. With their focus on Windows-based systems and highly developed skills, they could theoretically embed themselves within the victim\u2019s IT system for years without being detected.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-5168\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06020436\/poseidon2.jpg\" alt=\"poseidon2\" width=\"1000\" height=\"662\"><\/p>\n<h2>Great Art Demands Sacrifices<\/h2>\n<p>Poseidon\u2019s targets have tended to be large enterprises, mainly centering on Brazil, the US, France, Kazakhstan and Russia. 
There appears to be an interesting language limitation to English- and Brazilian Portuguese-based systems: even in countries with different national languages, the IT networks of multinational corporations having these locales and\/or keyboard layouts were preferred as targets. Their sphere of interest has encompassed Energy and Utilities, Manufacturing \u2013 and also Media and PR. The latter two could obviously provide attackers with plenty of information for use as ammunition against additional future targets.<\/p>\n<h2>Tools of the Artisan\u2019s Trade<\/h2>\n<p>To many an artisan eye, elegance and simplicity go hand in hand. The Poseidon group seem to embrace this principle. For initial penetration, they use no exploits; only well-crafted spear-phishing emails carrying DOC\/RTF files with encapsulated executables \u2013 an uncommon approach nowadays. To fool existing security solutions, they often sign these binaries with real certificates \u2013 issued for fake companies or even belonging to genuine, well-respected and trusted organizations. Having successfully infected their first victims, they begin collecting extensive data about the attacked infrastructure. Using this information, and ace Windows admin skills, the attackers can then move laterally without triggering any alarms, their next objective being to obtain Domain Admin rights. 
With this level of power, they can then purge the majority of their own tools from the network, retaining only those essential to their ongoing presence and data exfiltration.<\/p>\n<p>As already mentioned, in one series of operations Poseidon used ships\u2019 satellite communication systems as hiding places for their Command &amp; Control (C&amp;C) servers, a similar <a href=\"https:\/\/business.kaspersky.com\/satellite-turla\/4515\/\" target=\"_blank\" rel=\"noopener nofollow\">mechanism to that used by the Turla actor<\/a>. No attempts to repeat this feat have, however, been recorded.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06020435\/Poseidon_satellite_cut-1-1024x742.png\"><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06020435\/Poseidon_satellite_cut-1-1024x742-1024x742.png\" alt=\"\" width=\"1024\" height=\"742\" class=\"aligncenter size-large wp-image-15467\"><\/a><\/p>\n<h2>What Can Be Done?<\/h2>\n<p>Despite all Poseidon\u2019s attempts to disguise and disperse the evidence, experts from Kaspersky Lab\u2019s Global Research and Analysis Team have succeeded in piecing all the disparate pieces of data into a complete picture. Still, the Poseidon group remains active, which brings us to the question of adequate defense.<\/p>\n<p>Of course protecting endpoints is a must \u2013 which, as the well-known <a href=\"https:\/\/encyclopedia.kaspersky.com\/knowledge\/strategies-for-mitigating-advanced-persistent-threats-apts\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">ASD Mitigation Strategies<\/a> suggest, should comprise non-signature detection mechanisms, such as Heuristics and Behavioral Detection Algorithms. 
Possessing all these, <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a> is powered by the same superior Security Intelligence that enabled our experts to piece together the previously insoluble Poseidon puzzle. Kaspersky Endpoint Security for Business also provides further proactive security layers \u2013 including Security Controls, HIPS and a built-in Application Firewall \u2013 all fed by real-time global intelligence from the Kaspersky Security Network. These layers erect further barriers in the path of malware, from blocking launch attempts to preventing access to critical system elements and communications with C&amp;C.<\/p>\n<p>The extent of information harvesting by the Poseidon group also highlights the benefits of Data Encryption throughout the whole corporate infrastructure, enforced by appropriate policies. The <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Advanced<\/a> tier of Kaspersky Endpoint Security for Business includes easy-to-use Encryption Technology, managed through the same single-pane-of-glass console of Kaspersky Security Center as all platform elements. Of course, with spear-phishing as the penetration method of choice for the majority of Targeted Attack groups, scanning email streams is also absolutely crucial nowadays. <a href=\"https:\/\/www.kaspersky.com\/business-security\/mail-server\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Mail Servers<\/a> erects another powerful defensive wall in the attacker\u2019s way.<\/p>\n<p>All in all, Kaspersky Lab\u2019s portfolio of solutions helps implement 19 of ASD\u2019s 35 Mitigation Strategies, including 3 of the \u2018top 4\u2019 which between them prevent 85% of Targeted Attack-related incidents. 
But even if you use another vendor\u2019s solutions to protect your infrastructure, we can help. Kaspersky Lab\u2019s achievements as APT discoverers demonstrate that even the presence of such a stealthy and capable APT actor as Poseidon can be uncovered; that\u2019s what our <a href=\"https:\/\/www.kaspersky.com\/business-security\/entrp\/solutions\/security-intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">Targeted Attack Discovery<\/a> service is for<a href=\"#_ftn1\" name=\"_ftnref1\" target=\"_blank\" rel=\"noopener\">[1]<\/a>.<\/p>\n<p>Secrets are worth most when they\u2019re sold red hot. Perhaps it\u2019s time to prevent your organization from getting burned.<\/p>\n<p>For more about Poseidon\u2019s APT Boutique, read the following <a href=\"https:\/\/securelist.com\/blog\/research\/73673\/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage\/\" target=\"_blank\" rel=\"noopener\">blogpost on Securelist<\/a>.<\/p>\n<p>Kaspersky Lab products detect Poseidon malware under the following verdicts:<\/p>\n<p>Backdoor.Win32.Nhopro<\/p>\n<p>HEUR:Backdoor.Win32.Nhopro.gen<\/p>\n<p>HEUR:Hacktool.Win32.Nhopro.gen<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\" target=\"_blank\" rel=\"noopener\">[1]<\/a> Available only in a limited number of regions. To find out whether this is available in your region, please <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">contact a Kaspersky Lab manager<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Targeted attacks are visibly commoditizing, choosing cost efficiency over sophistication. 
If a combination of social engineering, tweaks to widely-available malware and legit apps can do the trick, why bother to create something original and exquisite?<\/p>\n","protected":false},"author":610,"featured_media":15465,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2390,1410],"class_list":{"0":"post-5165","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-poseidonapt","10":"tag-sas-2016"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/poseidon-apt\/5165\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/poseidon-apt\/5165\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/poseidon-apt\/5165\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/poseidonapt\/","name":"PoseidonAPT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5165"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5165\/revisions"}],"predecessor-version":[{"id":33634,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5165\/revisions\/33634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15465"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5165"}],"wp:term":[{"taxon
omy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}