Kaspersky experts have uncovered a new series of fast-growing spyware campaigns that have attacked more than 2,000 industrial companies worldwide. These attacks differ from most spyware campaigns in the small number of victims in each attack and the very short lifetime of each malware sample. These and other findings are published in the new report from the Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT).
In the first half of 2021, Kaspersky ICS CERT experts noticed an interesting anomaly in the statistics of spyware blocked on industrial control system (ICS) computers. Although the malware used in these attacks belongs to well-known commodity spyware families such as Agent Tesla/Origin Logger and HawkEye, these attacks differ from the majority in the very limited number of victims in each attack (from a few to a few dozen) and the very short lifetime of each sample.
An in-depth analysis of 58,586 spyware samples blocked on ICS computers in the first half of 2021 revealed that approximately 21.2% of them belonged to this new series of limited, short-lived attacks. Their life cycle is limited to about 25 days, which is much shorter than that of a typical spyware campaign.
Although each of these anomalous spyware samples is short-lived and not widespread, together they account for a disproportionate share of all spyware attacks. In Asia, for example, one in five computers hit by spyware was affected by some form of anomalous spyware (2.1% out of 11.9%).
Figure: percentage of ICS computers on which spyware was blocked in the first half of 2021
Importantly, most of these campaigns spread from one enterprise to the next through well-crafted phishing emails. Once the attacker has gained access to a victim's system, he uses that device as the command-and-control (C2) server for the next attack. By accessing the victim's contact list, the criminals can abuse the corporate email account and spread the spyware even further.
Figure: attack email sent by abusing the victim's contact list
Kaspersky ICS CERT telemetry data show that more than 2,000 industrial organizations around the world have been incorporated into the malicious infrastructure and are being used by cybercriminal groups to spread the attack to their contact organizations and business partners. We estimate that the total number of corporate accounts compromised or stolen in these attacks exceeds 7,000.
Confidential data from ICS computers often ends up on various marketplaces. Kaspersky experts have identified more than 25 marketplaces where credentials stolen in these industrial campaigns are sold. Analysis of these marketplaces shows a high demand for corporate account credentials, especially for Remote Desktop Protocol (RDP) accounts. More than 46% of all RDP accounts sold on the marketplaces analyzed belong to companies in the US, with the rest in Asia, Europe and Latin America. Almost 4% (almost 2,000 accounts) of all RDP accounts sold belonged to industrial companies.
Another growing market is spyware as a service. Since the source code of some popular spyware was released, it has become widely available in online stores as a service: developers sell not only the malware but also a license for the malware builder and access to pre-configured infrastructure for building it.
"In 2021, cybercriminals actively used spyware to attack industrial computers. We are now seeing a new, fast-growing trend in the industrial threat landscape. To avoid detection, criminals reduce the size of each attack and limit the use of each piece of malware by quickly replacing it with a new one. Other tactics include the abuse of a wide range of corporate email infrastructure to distribute the malware. This is different from what we have seen so far with spyware, and we anticipate that such attacks will intensify this year," comments Kirill Kruglov, security expert at Kaspersky ICS CERT.
Read more about the anomalous spyware campaigns on the Kaspersky ICS CERT site.
To learn more about the threats to industrial control systems and industrial enterprises in 2022, see the ICS threat predictions for 2022.
To ensure adequate protection of an industrial company's operations and business, and of its partner network, Kaspersky experts recommend the following:
Introduce two-factor authentication for access to corporate email and other Internet-facing services (including RDP, VPN/SSL gateways, etc.) that an attacker could use to reach critical enterprise infrastructure and business-critical data.
Ensure that all endpoints in both the IT and OT networks are protected by a modern endpoint security solution that is properly configured and kept up to date.
Train employees regularly on handling incoming email securely and protecting their systems from malware that may arrive in email attachments.
Check spam folders regularly instead of just emptying them.
Monitor the exposure of your organization's accounts on the web.
Use sandbox solutions that automatically check attachments in incoming email. However, make sure the sandbox is configured not to skip emails from "trusted" sources, including partner and contact organizations, since no one is 100% protected from security breaches.
Check outgoing email attachments to make sure your account has not been compromised.
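The last recommendation, and the spreading pattern described earlier (a compromised mailbox sending spyware to the victim's own contact list), can be turned into a simple outgoing-mail check. The script below is an added example, not code from the report or from Kaspersky: it reads a constructed outgoing-mail log (timestamp, sender, recipient, attachment name; the format, the thresholds and the list of risky attachment extensions are assumptions) and flags any account that sends risky attachments to an unusually large number of distinct recipients within a short window.

```python
"""Flag mailboxes whose outgoing mail looks like a stolen contact list being
abused to spread spyware.  Added example: log format, thresholds and the
extension list are assumptions, not Kaspersky's tooling."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <sender> <recipient> <attachment or ->".
# alice sends the same disk-image attachment to 9 partner contacts in 9 minutes
# (the pattern we want to catch); bob and carol send ordinary, slow traffic.
SAMPLE_LOG = """\
2021-03-02T08:00:05Z alice@plant.example r01@partner.example Purchase_Order_2103.iso
2021-03-02T08:01:10Z alice@plant.example r02@partner.example Purchase_Order_2103.iso
2021-03-02T08:02:14Z alice@plant.example r03@partner.example Purchase_Order_2103.iso
2021-03-02T08:03:20Z alice@plant.example r04@partner.example Purchase_Order_2103.iso
2021-03-02T08:04:25Z alice@plant.example r05@partner.example Purchase_Order_2103.iso
2021-03-02T08:05:31Z alice@plant.example r06@partner.example Purchase_Order_2103.iso
2021-03-02T08:06:36Z alice@plant.example r07@partner.example Purchase_Order_2103.iso
2021-03-02T08:07:42Z alice@plant.example r08@partner.example Purchase_Order_2103.iso
2021-03-02T08:08:47Z alice@plant.example r09@partner.example Purchase_Order_2103.iso
2021-03-02T09:30:00Z alice@plant.example r10@partner.example drawing.pdf
2021-03-02T08:15:00Z bob@plant.example cust@client.example quote.pdf
2021-03-02T10:15:00Z bob@plant.example cust@client.example -
2021-03-02T07:00:00Z carol@plant.example v1@vendor.example photos.zip
2021-03-02T09:00:00Z carol@plant.example v2@vendor.example photos.zip
2021-03-02T11:00:00Z carol@plant.example v3@vendor.example photos.zip
"""

# Assumed list of attachment types commonly used to deliver commodity spyware.
RISKY_EXTENSIONS = (".exe", ".scr", ".iso", ".img", ".js", ".vbs",
                    ".zip", ".rar", ".ace", ".7z")


def is_risky_attachment(name):
    """True for risky extensions; double extensions like x.pdf.exe are caught."""
    return name != "-" and name.lower().endswith(RISKY_EXTENSIONS)


def parse_log(text):
    """Parse the constructed 4-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, attachment = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "sender": sender.lower(),
            "recipient": recipient.lower(),
            "attachment": attachment,
        })
    return events


def find_mass_attachment_senders(events, window=timedelta(minutes=30),
                                 min_recipients=8):
    """Return {sender: details} for accounts that sent risky attachments to at
    least `min_recipients` distinct recipients inside any `window`-long span.
    Uses a sliding window over each sender's time-sorted risky sends."""
    by_sender = defaultdict(list)
    for e in events:
        if is_risky_attachment(e["attachment"]):
            by_sender[e["sender"]].append(e)

    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # recipient -> count of sends inside the window
        left, best, best_start = 0, 0, None
        for e in evs:
            in_window[e["recipient"]] += 1
            # Slide the left edge forward until the window fits.
            while e["ts"] - evs[left]["ts"] > window:
                old = evs[left]["recipient"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, best_start = len(in_window), evs[left]["ts"]
        if best >= min_recipients:
            flagged[sender] = {
                "distinct_recipients": best,
                "window_start": best_start,
                "attachments": sorted({e["attachment"] for e in evs}),
            }
    return flagged


if __name__ == "__main__":
    for sender, info in find_mass_attachment_senders(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {info['distinct_recipients']} recipients from "
              f"{info['window_start']:%H:%M}, attachments {info['attachments']}")
```

Run against the constructed log, the script reports only alice@plant.example (9 distinct partner recipients of the same .iso inside 9 minutes); carol's three archives are spread over four hours and stay below the threshold. In practice the thresholds should be tuned to the organization's normal mail volume, and a hit is a trigger to reset the account's credentials, review its sent items and warn the recipients, not proof of compromise on its own.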
"Kaspersky"