APT Group Cyber Attack Hacked Various Companies
A well-known APT group, also called Energetic Bear / Crouching Yeti, has attacked the web servers of companies around the globe, with a strong focus on the energy and industrial sectors.
The group has been attacking companies' web servers around the world with a wide range of malware since around 2010 and has stolen a very large amount of confidential information.
During 2016 and 2017, the group compromised several web servers belonging to different organizations.
The main aim of these attacks is to search for and identify vulnerabilities that give access to various hosts, and then to steal confidential data.
The attackers use email phishing with malicious documents to compromise servers; some already compromised servers are used for auxiliary purposes, acting as hosts for the group's tools and logs.
The compromised servers are located in the USA, Russia, Germany, the UK, Ukraine, Turkey and many other countries, and play various roles in the attacks.
Watering Hole Attacks and Scanned Resources
In the watering hole attacks, a link is injected into a web page served by a compromised server. The link appears to request an image, but it makes the visitor's machine connect to the attackers' command and control server over SMB, which exposes the following data about the visiting user:
- User IP
- Domain Name
- NTLM hash of the user’s password
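The injected link described above, as an added example that is not part of this article or of the Kaspersky report it summarizes: a small Python scanner that finds `file://` and UNC (`\\host\share\...`) references in attributes a browser fetches automatically. Such references are the indicator a defender would look for in the pages their own web server serves. The HTML is constructed, and the host 203.0.113.10 is an address from a documentation range.

```python
"""Scan HTML for injected file:// or UNC references that force SMB connections.

Added example (not from the article or the Kaspersky report). The page content
and the host 203.0.113.10 are constructed; 203.0.113.0/24 is a documentation range.
"""
import re
from html.parser import HTMLParser

# Attributes a browser fetches automatically, without user interaction.
FETCH_ATTRS = {"src", "href", "data", "poster", "background"}

# file:// URLs and UNC paths (\\host\share\...) resolve to SMB on Windows
# clients; the host part is captured so it can be reported or allowlisted.
SMB_REF = re.compile(r"^(?:file:(?://+)?|\\\\)([^/\\]+)", re.IGNORECASE)


class SmbRefFinder(HTMLParser):
    """Collects (tag, attribute, value, host) for every SMB-style reference."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in FETCH_ATTRS and value:
                m = SMB_REF.match(value.strip())
                if m:
                    self.hits.append((tag, name.lower(), value.strip(), m.group(1)))


def find_smb_refs(html):
    """Return the list of SMB-style references found in the page."""
    parser = SmbRefFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: one legitimate image plus two injected references.
SAMPLE_PAGE = """
<html><body>
<img src="/static/logo.png">
<img src="file://203.0.113.10/images/logo.png" width="1" height="1">
<link rel="stylesheet" href="\\\\203.0.113.10\\share\\style.css">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, host in find_smb_refs(SAMPLE_PAGE):
        print(f"<{tag} {attr}> points at SMB host {host}: {url}")
```

A Windows client that resolves such a reference opens an SMB session to the named host and offers NTLM authentication to it, which is exactly what an SMBTrap-style listener logs. That is why the usual mitigation, beyond removing the injected markup, is to block outbound TCP 445 at the network edge so that browsers cannot reach arbitrary SMB servers on the internet.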
The attackers use a variety of advanced hacking tools and techniques; some of the tools include nmap, dirsearch and sqlmap. These tools are used to scan for and identify vulnerable servers, and the compromised servers are in turn used to conduct attacks on other resources.
The scanned resources included systems holding highly sensitive information, such as medical data, cryptocurrency assets, confidential data including server activity records, and financial information.
Tools Used By APT Group
According to Kaspersky's research, most of the tools found on the compromised servers are open source and publicly available on GitHub:
- Nmap: An open-source utility for analyzing a network and verifying its security.
- Dirsearch: A simple command-line tool used for brute forcing (performing exhaustive searches for directories and files on websites).
- Sqlmap: An open-source penetration testing tool that automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.
- Sublist3r: A tool written in Python that enumerates a website's subdomains using open-source intelligence (OSINT). Sublist3r supports many search engines, such as Google, Bing, Yahoo, Baidu and Ask, as well as services like Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS. It helps penetration testers collect information on the subdomains of the domain they are researching.
- WPScan: A black-box WordPress vulnerability scanner, meaning it works without access to the source code. It can be used to scan remote WordPress websites for security issues.
- Impacket: A toolset for working with various network protocols; it is required by SMBTrap.
- SMBTrap: A tool for logging data received over the SMB protocol (user IP address, username, domain name and NTLM hash of the user's password).
- Commix: A vulnerability search and command injection exploitation tool written in Python.
- SubBrute: A subdomain enumeration tool, available for Python and Windows, that uses open name resolvers as a proxy so that it does not send traffic to the target's DNS servers.
- PHPMailer: A mail sending tool.
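As an added example covering both the scanning tools mentioned above and this tool list (the code is not the article's or Kaspersky's own), here is a small detection script for a web server's access log. It matches the default User-Agent strings that sqlmap, WPScan and Nmap's scripting engine send, crude SQL-injection probe patterns of the kind sqlmap generates, and the flood of 404 responses that directory brute forcing with dirsearch produces. The log lines, IP addresses, timestamp and tool version numbers in the sample are constructed.

```python
"""Flag access-log entries that look like the reconnaissance tools listed above.

Added example (not from the article or the Kaspersky report). The log lines are
constructed in combined log format; the IPs are from documentation ranges.
"""
import re
from collections import defaultdict

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments of the default User-Agent strings these tools send. Every one of
# them can be overridden by the operator, so a miss here proves nothing.
TOOL_UA = {
    "sqlmap": re.compile(r"sqlmap/", re.I),
    "wpscan": re.compile(r"WPScan", re.I),
    "nmap-nse": re.compile(r"Nmap Scripting Engine", re.I),
}

# Crude SQL-injection probe patterns of the kind sqlmap sends, URL-encoded or not.
_SP = r"(?:\s|%20|\+)*"
SQLI_RE = re.compile(
    r"(?:%27|')" + _SP + r"(?:and|or)" + _SP + r"\d+=\d+"
    + r"|union" + _SP + r"select|sleep\(\d+\)|benchmark\(",
    re.I,
)

# Directory brute forcing (dirsearch): many 404s from a single source.
NOT_FOUND_THRESHOLD = 20


def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(lines, not_found_threshold=NOT_FOUND_THRESHOLD):
    """Map each suspicious source IP to the set of indicators it triggered."""
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        for label, pattern in TOOL_UA.items():
            if pattern.search(rec["ua"]):
                findings[ip].add(label)
        if SQLI_RE.search(rec["path"]):
            findings[ip].add("sqli-probe")
        if rec["status"] == "404":
            not_found[ip] += 1
            if not_found[ip] >= not_found_threshold:
                findings[ip].add("dir-bruteforce")
    return dict(findings)


def _line(ip, path, status, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [10/Mar/2017:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0"
SAMPLE_LOG = [
    _line("198.51.100.5", "/index.html", 200, BROWSER_UA),
    _line("198.51.100.7", "/news.php?id=1%27%20AND%201=1", 200, "sqlmap/1.2 (http://sqlmap.org)"),
    _line("198.51.100.8", "/wp-login.php", 200, "WPScan v3.4 (https://wpscan.org/)"),
    _line("198.51.100.9", "/", 200,
          "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"),
] + [_line("198.51.100.10", f"/admin{n}/", 404, BROWSER_UA) for n in range(25)]

if __name__ == "__main__":
    for ip, labels in sorted(classify(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(labels)))
```

The User-Agent matches are cheap but weak, since each of these tools lets the operator set an arbitrary string; the behavioural indicators (the 404 rate and the injection patterns in request paths) are the ones worth tuning for a real deployment, and the threshold of 20 misses is illustrative rather than a recommendation.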
After finding vulnerable servers, the attackers attempt to bypass protections and inject exploits to gain further access, and then pull log files and other confidential information from the compromised victims or servers.