{"id":7435,"date":"2017-04-25T05:00:06","date_gmt":"2017-04-25T13:00:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/25\/news-1226\/"},"modified":"2017-04-25T05:00:06","modified_gmt":"2017-04-25T13:00:06","slug":"news-1226","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/25\/news-1226\/","title":{"rendered":"Pawn Storm: The Power of Social Engineering"},"content":{"rendered":"<p><strong>Credit to Author: Ed Cabrera (Chief Cybersecurity Officer)| Date: Tue, 25 Apr 2017 12:00:02 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"238\" height=\"300\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-238x300.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-238x300.jpg 238w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-768x967.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-813x1024.jpg 813w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-640x806.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-900x1133.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-440x554.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-380x479.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover.jpg 1288w\" sizes=\"auto, (max-width: 238px) 100vw, 238px\" \/><\/p>\n<p>Anyone familiar with Pawn Storm (a.k.a. APT28, Fancy Bear, Strontium, etc.) is likely to associate the group with highly sophisticated targeted attacks that compromise government and media agencies around the world. 
In our latest <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cyber-attacks\/espionage-cyber-propaganda-two-years-of-pawn-storm\">report<\/a>, researchers expose the true nature and scope of the cyber espionage group\u2019s attacks and methodologies.<\/p>\n<p>Pawn Storm has managed to compromise high-ranking members of governments across the globe, not through highly sophisticated malware or technical prowess, but with intelligent and calculated social engineering.<\/p>\n<p><strong>The power of phishing<\/strong><\/p>\n<p>The threat actors utilize credential phishing campaigns at the core of their practice. They are successful by using proper spelling and grammar in their emails, evading spam filters, and playing on current events.<\/p>\n<p>Corporate webmail accounts are targeted as a weak point in a business ecosystem. These accounts can provide confidential data that might prove useful in an attempt to influence public opinion. For example, Pawn Storm stole data from webmail accounts of the World Anti-Doping Agency (<a href=\"https:\/\/www.scmagazine.com\/researchers-link-apt-group-fancy-bear-to-wada-cyberattacks\/article\/529201\/\">WADA<\/a>) in 2016, leaking it under the pseudonym \u201cFancy Bear,\u201d to influence public opinion surrounding Russian athletes who were blocked from the summer Olympics. Additionally, webmail accounts may be used as a stepping stone to further infiltrate the target organization.<\/p>\n<p>They also maintain long-running campaigns against high-profile users of free international webmail providers, such as Yahoo! and Gmail. In these attacks, Pawn Storm actors persistently send phishing emails to targets \u2013 sometimes several a week \u2013 trying different approaches to reach their goal. Our researchers have collected thousands of these emails since early 2015.<\/p>\n
<p><strong>Credentials lead to espionage<\/strong><\/p>\n<p>After a target succumbs to the socially engineered phishing lure by clicking a malicious link or opening a weaponized attachment, the threat actor uses relatively simple first-stage malware to tour the target\u2019s computer and see what they find. Pawn Storm has been seen silently gathering data in a target\u2019s system for more than a year. After learning more about the victim, they may release the second stage of malware \u2013 though this only occurs with targets who are deemed very high profile, which is a small portion of overall victims.<\/p>\n<p>Pawn Storm has been known to use this data in two ways:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ol>\n<li>Compromised accounts are used to further penetrate the organization\u2019s network, even sending emails using stolen identities<\/li>\n<li>Stolen sensitive emails may be publicly leaked to cause harm to the victim organization and influence the public\u2019s opinion of them<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Protect against phishing<\/strong><\/p>\n<p>Governments and organizations that may be seen as a threat to the Russian government should fortify their virtual defenses. This includes protecting webmail through the following measures:<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"20px\"><\/td>\n<td>\n<ul>\n<li>Increase security with two-factor authentication<\/li>\n<li>Require employees to log in to the company VPN prior to accessing webmail<\/li>\n<li>Add a physical security key for authentication<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td height=\"10px\"><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Additionally, educating employees at all levels in the organization is critical. Regardless of how convincing the email may sound, don\u2019t open attachments from unverified senders or click links in the emails. We also recommend adding a <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration.html\">comprehensive email security tool<\/a> to protect against not only phishing, but also ransomware and other targeted attacks.<\/p>\n
<p>For more information on Pawn Storm, visit Trend Micro\u2019s complete <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cyber-attacks\/operation-pawn-storm-fast-facts\">research hub<\/a>, where you can find three years of research and data on the group and their affairs.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/pawn-storm-power-social-engineering\/\" target=\"bwo\">http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Ed Cabrera (Chief Cybersecurity Officer)| Date: Tue, 25 Apr 2017 12:00:02 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"238\" height=\"300\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-238x300.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-238x300.jpg 238w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-768x967.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-813x1024.jpg 813w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-640x806.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-900x1133.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-440x554.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover-380x479.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/04\/cover.jpg 1288w\" sizes=\"auto, 
(max-width: 238px) 100vw, 238px\" \/>Anyone familiar with Pawn Storm (a.k.a. APT28, Fancy Bear, Strontium, etc.) is likely to associate the group with highly sophisticated targeted attacks that compromise government and media agencies around the world. In our latest report, researchers expose the true nature and scope of the cyber espionage group\u2019s attacks and methodologies. Pawn Storm has managed to&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[4503,714,10423],"class_list":["post-7435","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-cybercrime","tag-security","tag-underground-economy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7435"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7435\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7435"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}