Kaspersky's Global Research and Analysis Team (GReAT) and Industrial Control Systems Cyber Emergency Response Team (ICS CERT) have uncovered significant cyber espionage activities targeting Eastern European industrial companies using an updated MATA toolset. The investigation, spanning months, exposed sophisticated attack techniques, updated malware capabilities, and a novel infection chain.
In early September 2022, researchers identified new malware samples linked to the MATA cluster, which was previously associated with the Lazarus group. The campaign, targeting over a dozen Eastern European corporations, persisted from mid-August 2022 to May 2023. The attackers gained initial access through spear-phishing emails carrying an exploit for CVE-2021-26411 (an Internet Explorer memory-corruption vulnerability) and through Windows executables downloaded via web browsers.
The MATA infection chain was intricate, integrating a loader, the main Trojan and stealers with exploits, rootkits and careful victim validation. A key discovery was the use of internal IP addresses as Command and Control (C&C) servers, indicating that the attackers had deployed their own control and exfiltration system inside the victims' infrastructure, a placement that keeps beacon traffic away from the perimeter, where it is most often inspected. Kaspersky promptly alerted the affected organizations, leading to swift responses.
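The internal-C&C finding above has a direct defensive check: an internal host that many workstations contact at regular intervals, on a port that is not one of the usual server ports, deserves a look. The following is an added example written for this article, not Kaspersky's detection logic. It assumes connection records of the form "<epoch_seconds> <src_ip> <dst_ip> <dst_port>" (as exported from a firewall or flow collector), an assumed baseline of expected internal server ports, and runs over constructed sample records.

```python
"""Flag internal hosts that behave like in-network C2 staging servers.

Added example for this article, not Kaspersky's detection logic. It assumes
connection records of the form "<epoch_seconds> <src_ip> <dst_ip> <dst_port>";
the records below are constructed for the demo, not taken from a real incident.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# RFC 1918 ranges: destinations in these nets are "inside" the victim network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Ports where many workstations legitimately fan in to one internal server
# (DNS, Kerberos, RPC, SMB, LDAP/GC). Assumed baseline; tune per environment.
EXPECTED_SERVER_PORTS = {53, 88, 135, 139, 389, 445, 636, 3268, 3269}

# Constructed sample: three workstations beacon to 10.20.30.40:8443 about every
# 60 s, one host contacts it irregularly, and the rest is ordinary traffic.
SAMPLE_LOG = """\
0 10.1.1.11 10.20.30.40 8443
5 10.1.1.12 10.20.30.40 8443
10 10.1.1.13 10.20.30.40 8443
3 10.1.1.14 10.20.30.40 8443
9 10.1.1.14 10.20.30.40 8443
60 10.1.1.11 10.20.30.40 8443
65 10.1.1.12 10.20.30.40 8443
70 10.1.1.13 10.20.30.40 8443
121 10.1.1.11 10.20.30.40 8443
125 10.1.1.12 10.20.30.40 8443
131 10.1.1.13 10.20.30.40 8443
180 10.1.1.11 10.20.30.40 8443
185 10.1.1.12 10.20.30.40 8443
190 10.1.1.13 10.20.30.40 8443
200 10.1.1.14 10.20.30.40 8443
241 10.1.1.11 10.20.30.40 8443
0 10.1.1.11 10.1.1.5 445
60 10.1.1.11 10.1.1.5 445
120 10.1.1.11 10.1.1.5 445
0 10.1.1.12 203.0.113.7 443
60 10.1.1.12 203.0.113.7 443
120 10.1.1.12 203.0.113.7 443
"""


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text: str):
    """Parse whitespace-separated records into (ts, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def is_beaconing(stamps, max_jitter: float) -> bool:
    """True if the gaps between connections are regular (low coefficient of variation)."""
    stamps = sorted(stamps)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return False
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_internal_c2_candidates(records, min_sources: int = 3, max_jitter: float = 0.2):
    """Return {(dst, port): [beaconing sources]} for internal destinations on
    unexpected ports that at least `min_sources` hosts contact at regular intervals."""
    by_dest = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in records:
        if is_internal(dst) and port not in EXPECTED_SERVER_PORTS:
            by_dest[(dst, port)][src].append(ts)
    hits = {}
    for key, sources in by_dest.items():
        beaconing = sorted(s for s, ts in sources.items() if is_beaconing(ts, max_jitter))
        if len(beaconing) >= min_sources:
            hits[key] = beaconing
    return hits


def demo():
    return find_internal_c2_candidates(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for (dst, port), sources in demo().items():
        print(f"{dst}:{port} contacted at regular intervals by {', '.join(sources)}")
```

On the sample data this reports 10.20.30.40:8443 with the three regular beaconers and drops the irregular host, the domain-controller traffic on 445 and the external destination. Legitimate internal services (patch servers, monitoring, EDR consoles) also show regular fan-in, so treat hits as triage leads and extend EXPECTED_SERVER_PORTS or add a known-server allowlist for your environment.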
The attack began with a phishing email at a factory, moved into the target network and compromised the parent company's domain controller. The attackers used vulnerabilities and rootkits to interfere with security software, gaining control over workstations and servers. Notably, they accessed the management panels of security solutions, exploiting vulnerabilities and weak configurations in them to gather information and to distribute malware to subsidiaries and to systems not joined to the corporate domain infrastructure.
"Protecting the industrial sector from targeted attacks requires a vigilant approach that combines robust cybersecurity practices with a proactive mindset," said Vyacheslav Kopeytsev, senior security researcher at Kaspersky's ICS CERT. "At Kaspersky, our experts literally follow APT developments, keeping track of their evolution and predicting their moves to be able to detect their new tactics and tools. Our ongoing dedication to cybersecurity research is driven by a commitment to provide organizations with critical insights into the ever-evolving landscape of cyber threats. By staying informed and implementing the latest security measures, businesses can bolster their defense against sophisticated adversaries and safeguard their networks and systems."
Other noteworthy findings include:
- Three new generations of MATA malware, 3, 4 and 5: These featured advanced remote-control capabilities, a modular architecture, support for various protocols, and flexible proxy server chains.
- Linux MATA generation 3: The Linux version shared capabilities with its Windows counterpart and was delivered through security solutions.
- USB propagation module: To reach air-gapped networks, this module transferred data via removable media, particularly on systems holding sensitive information.
- Stealers: These captured sensitive information, such as screenshots and stored credentials, and were customized to specific circumstances.
- EDR/security bypass tools: The attackers leveraged public exploits to escalate privileges and bypass endpoint security products. Additionally, the BYOVD (Bring Your Own Vulnerable Driver) technique was used on systems where the patch for CVE-2021-40449 (a Win32k elevation-of-privilege vulnerability) was already installed and the public exploit therefore no longer worked.
- The latest MATA versions use techniques similar to those used by Five Eyes APT groups, raising attribution questions that are hard to answer definitively.
To learn more about MATA's new campaign, please visit Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company's TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
- Establish continuous vulnerability assessment and triage as the basis for an effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity can be an efficient assistant and a source of unique actionable information not fully available in public.
- For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team, for example through the Kaspersky Automated Security Awareness Platform.
- To make sure your team, tools and processes are prepared for a sophisticated incident response on the shop floor of your facility, we recommend dedicated training such as Digital Forensics and Incident Response in ICS by Kaspersky ICS CERT.
Kaspersky will delve deeper into the future of cybersecurity at its Security Analyst Summit (SAS) 2023, set for October 25th-28th in Phuket, Thailand.