Anonymous ID: 22e10f Oct. 9, 2018, 1:57 p.m. No.3412657

DRAGONFLY:
Operation Dragonfly Analysis Suggests Links to Earlier Attacks

By Christiaan Beek and Raj Samani on Dec 17, 2017
On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.
Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims’ systems and networks.

Going Beyond Energy
Although initial reports showed Dragonfly attacks targeting the energy sector, investigations by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries. Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets.
We saw the group use several techniques to get a foothold in victims’ networks, including spear phishing, watering holes, and exploits of supply-chain technologies via previous campaigns. The attackers compromise well-established software vulnerabilities and embed “backdoor” malware within them, so the victims think they are installing software from a trusted vendor while unaware of the supply-side compromise.
Once the attackers have a foothold, they create or gain user accounts to operate stealthily. Using the remote-desktop protocol to hop among internal or external systems, they either connect to a control server if the risk is minimal or use an internal compromised server to conduct operations.
The last wave of attacks used several backdoors and utilities. In analyzing the samples, we compared these with McAfee’s threat intelligence knowledge base of attack artifacts.
SAUCE: https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/
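The post describes the foothold pattern as: create or take over an account, then hop between hosts over RDP. The correlation below is an added example, not code from the McAfee article or from the poster, showing how a defender could flag that pattern in Windows Security events. The event records, host names, account names and IP addresses are constructed for the example; the field names are simplified from the Windows Security log (event 4720 = user account created, event 4624 with LogonType 10 = RemoteInteractive, i.e. RDP).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. 4720 = account created,
# 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
EVENTS = [
    {"time": "2017-06-01T09:00:00", "id": 4720, "host": "FILESRV01",
     "account": "svc_backup2", "creator": "jdoe"},
    {"time": "2017-06-01T09:07:00", "id": 4624, "host": "FILESRV01",
     "account": "svc_backup2", "logon_type": 10, "src_ip": "10.10.5.23"},
    {"time": "2017-06-01T09:09:00", "id": 4624, "host": "FILESRV01",
     "account": "svc_backup2", "logon_type": 3, "src_ip": "10.10.5.23"},  # network logon, not RDP
    {"time": "2017-06-01T09:12:00", "id": 4624, "host": "HRWS07",
     "account": "svc_backup2", "logon_type": 10, "src_ip": "10.10.1.50"},
    {"time": "2017-06-01T10:30:00", "id": 4624, "host": "HRWS07",
     "account": "jdoe", "logon_type": 10, "src_ip": "10.10.1.50"},          # no creation event: ignored
    {"time": "2017-05-20T08:00:00", "id": 4720, "host": "DC01",
     "account": "contractor_a", "creator": "admin"},
    {"time": "2017-06-01T11:00:00", "id": 4624, "host": "DC01",
     "account": "contractor_a", "logon_type": 10, "src_ip": "10.10.2.9"},   # created 12 days earlier
]

RDP_LOGON_TYPE = 10


def new_account_rdp_alerts(events, window=timedelta(hours=24)):
    """Correlate account creation (4720) with RDP logons (4624/type 10) by the
    same account within `window` after creation. Returns one alert per account
    with the distinct hosts reached, the source IPs, and the minutes from
    creation to the first RDP logon. An account created long before its first
    RDP use (older than `window`) does not alert."""
    by_time = sorted(events, key=lambda e: e["time"])   # ISO timestamps sort lexically
    created = {}                                          # account -> (creation time, creator)
    rdp = defaultdict(list)                               # account -> RDP logon events
    for e in by_time:
        if e["id"] == 4720:
            created.setdefault(e["account"],
                               (datetime.fromisoformat(e["time"]), e["creator"]))
        elif e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            rdp[e["account"]].append(e)

    alerts = []
    for account, (t_created, creator) in created.items():
        hits = [l for l in rdp[account]
                if timedelta(0) <= datetime.fromisoformat(l["time"]) - t_created <= window]
        if not hits:
            continue
        first = datetime.fromisoformat(hits[0]["time"])
        alerts.append({
            "account": account,
            "created_by": creator,
            "minutes_to_first_rdp": int((first - t_created).total_seconds() // 60),
            "hosts": sorted({l["host"] for l in hits}),
            "sources": sorted({l["src_ip"] for l in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in new_account_rdp_alerts(EVENTS):
        print(alert)
```

With the default 24-hour window only `svc_backup2` alerts: it was created and then used over RDP against two hosts within 12 minutes, which is the hop pattern the post describes. `contractor_a` is suppressed because its creation predates the RDP use by almost two weeks; widening the window to 30 days surfaces it too, which is the tuning knob a detection engineer would adjust to the environment's account-provisioning practice.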