
Unknown cybercriminal group attacked 140 companies in 40 countries using legitimate software



Last week, the media published information about the activities of a group of cybercriminals whose victims were banks, telecommunications companies and government agencies in 40 countries around the world, including Russia: about 140 organizations in total. The attackers used only legitimate software to penetrate corporate networks, and any malicious files were kept in memory, leaving no trace on hard drives.

Mysterious attack


The hackers mainly use penetration testing tools, administration tools and tools for automating tasks in Windows (for example, PowerShell).
Kaspersky Lab first detected the group's activity at the end of 2016. During an investigation of suspicious activity at a bank in the CIS, Meterpreter, software used for penetration tests, was found in the memory of one of the organization's servers. The code was loaded directly into memory, which allowed the program to go unnoticed and steal system administrator passwords.

Embedding malicious code in legitimate software lets attackers avoid detection by whitelisting. In addition, because the code is present only in the operating system's memory, cybersecurity experts are deprived of the ability to collect artifacts that would indicate illegal activity.

How else do hackers attack companies


News about attacks on corporate infrastructure, such as this one, appears regularly, but public sources do not always reveal details of the attack methods and techniques the intruders used. Most such incidents are not made public at all, because companies seek to preserve their reputation.

Every year, Positive Technologies experts conduct studies of corporate infrastructure and individual systems (web applications, remote banking systems and others). We will share the results of our penetration testing at a special free webinar.

During the webinar, Ekaterina Kilyusheva, an analyst in information security analytics at Positive Technologies, will explain how an intruder can exploit common vulnerabilities and will show typical attack scenarios.

The webinar will be held on February 16 at 14:00. To register, follow the link: www.ptsecurity.com/ru-ru/research/webinar/165706

Source: https://habr.com/ru/post/321896/

