114 matches found
Shedding Skin – Turla’s Fresh Faces
Turla, also known as Venomous Bear, Waterbug, and Uroboros, may be best known for what was at the time an "ultra complex" snake rootkit focused on NATO-related targets, but their malware set and activity is much broader. Our current focus is on more recent and upcoming activity from this APT, whi...
Black Hat 2018: Stealthy Kernel Attack Flies Under Windows Mitigation Radar
There are lots of Holy Grails when it comes to compromising endpoints. One of them has long been an attack that leads to kernel ring0 access on a Windows system. That translates into so-called “God Mode” for hackers — and “game over” for victims. This is why Microsoft has gone to great lengths ov...
Sofacy APT Adopts New Tactics and Far East Targets
CANCUN, Mexico – A new analysis of the Russian-speaking Sofacy APT gang shows a continual march toward Far East targets and overlapping of activities with other groups such as Lamberts, Turla and Danti. Researchers at Kaspersky Lab this morning at its Security Analyst Summit, released their updat...
NCSC Releases Security Advisory
The United Kingdom's National Cyber Security Centre NCSC has released a report updating its guidance on Turla Neuron malware, which provides a platform to steal sensitive data. NCSC provides enhanced cybersecurity services to protect against cybersecurity threats. NCCIC/US-CERT encourages users a...
A week in security (January 8 – January 14)
It's very early in the year, yet everyone has already had a complete meltdown pun intended over a number of serious vulnerabilities found in legacy and modern microprocessors. Last week, rightly so, vendors released patches for hardware and OSes to help mitigate these threats. However, problems i...
Kaspersky Security Bulletin: Review of the Year 2017
Introduction The end of the year is a good time to take stock of the main cyberthreat incidents that took place over the preceding 12 months or so. To reflect on the impact these events had on organizations and individuals, and consider what they could mean for the overall evolution of the threat...
Turla APT Used WhiteBear Espionage Tools Against Defense Industry, Embassies
A toolset belonging to the Russian-speaking Turla APT has been publicly disclosed, and along with it details on its capabilities and indicators of compromise. The tools, called WhiteBear, were used to attack defense organizations as recently as June, and diplomatic targets in Europe, Asia and Sou...
Introducing WhiteBear
As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper...
Gazer: A New Backdoor Targets Ministries and Embassies Worldwide
Security researchers at ESET have discovered a new malware campaign targeting consulates, ministries and embassies worldwide to spy on governments and diplomats. Active since 2016, the malware campaign is leveraging a new backdoor, dubbed Gazer, and is believed to be carried out by Turla advanced...
Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper
UPDATE 8/14/17: After posting the original analysis, the Carbon Black Threat Research team received numerous requests for the tools to extract the second stage payload from the initial PNGdropper file. As a result, the source code and compiled binaries are being made public and are posted to the...
IT threat evolution Q2 2017
Targeted attacks and malware campaigns Back to the future: looking for a link between old and new APTs This year's Security Analyst Summit SAS included interesting research findings on several targeted attack campaigns. For example, researchers from Kaspersky Lab and King's College London present...
Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity
Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines. Juan Andres...
APT Trends report Q2 2017
Introduction Since 2014, Kaspersky Lab's Global Research and Analysis Team GReAT has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published...
For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net
In 2015, FireEye released a Microsoft Office EPS(Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities...
EPS Processing Zero-Days Exploited by Multiple Threat Actors
In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...
Snake Malware Modified; OS X The Next Target
By Jahanzaib Hassan The security researchers at Fox-IT have discovered a modified version of the previously known snake malware. A version specifically designed to target MacOS. Still not sure what snake malware is? Well, it also goes by the name of Turla, Agent.BTZ and Uroburous. Sounds familiar...
Russian-Speaking Turla Joins APT Elite
SINT MAARTEN—In the waning moments of his 2016 talk at the Security Analyst Summit, Thomas Rid had a drop-the-mic moment when he disclosed there were likely links between the infamous Moonlight Maze cyberespionage operation of the mid- and late-1990s and the modern-day Turla APT. Today during thi...
Malware exploit: Kaiten
Type: Remote Code Execution Author: shipcod3 / Jay Turla This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class MetasploitModule Msf::Exploit::Remote Rank = ExcellentRanking include...
Unraveling Turla APT Attack Against Swiss Defense Firm
Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight lipped about the breach. But on Monday Switzerland’s CERT Computer Emergency Readiness Team spilled the beans on the attack against the firm and the how perpetrators pulled it off. While Monday’s repor...
PHP Utility Belt - Remote Code Execution (Metasploit)
Exploit for php platform in category remote exploits This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit4 'PHP Utility Belt Remote Code Execution', 'Description' = %q This module exploit...