{"id":8438,"date":"2017-07-25T02:00:32","date_gmt":"2017-07-25T10:00:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/25\/news-2212\/"},"modified":"2017-07-25T02:00:32","modified_gmt":"2017-07-25T10:00:32","slug":"news-2212","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/25\/news-2212\/","title":{"rendered":"CopyKittens Exposed by ClearSky and Trend Micro"},"content":{"rendered":"<p><strong>Credit to Author: Bob McArdle| Date: Tue, 25 Jul 2017 11:00:49 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/08\/What-can-a-hacker-do-with-access-to-your-business-email-account_459_40133371_0_14130644_300-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"What can a hacker do with access to your business email account?\" style=\"float: left; margin-right: 5px;\" \/><\/p>\n<p>CopyKittens is a cyberespionage group that ClearSky has been reporting on since 2015, tracking their attacks on government-related bodies around the world. Trend Micro has supported this research at several points, including for <a href=\"http:\/\/www.clearskysec.com\/wp-content\/uploads\/2017\/07\/Operation_Wilted_Tulip.pdf\">their latest report<\/a> released today on the group\u2019s vast espionage campaigns. This research highlights new malware, exploitation, delivery, and command and control (C&amp;C) infrastructure being used by the group. This is Trend Micro\u2019s second collaborative effort with ClearSky, the first being a paper on the similarly named Rocket Kitten <a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/the-spy-kittens-are-back-an-update-to-rocket-kitten\/\">in 2015<\/a>.<\/p>\n<p><strong>CopyKittens at Work<\/strong><\/p>\n<p>The main countries targeted by CopyKittens are Israel, Saudi Arabia, Turkey, the U.S., Jordan and Germany. 
Within these countries, the targets vary &#8211; with government institutions, defense companies, sub-contractors and large IT companies among the most targeted organizations.<\/p>\n<p>Victims are targeted via several methods, including spear phishing emails, watering hole attacks, fake social media profiles and targeting exposed webmail accounts. The group uses a combination of these methods to persistently target the same victim over multiple platforms until they succeed in establishing an initial beachhead of infection \u2013 before pivoting to higher value targets on the network.<\/p>\n<p>To do this the group leverages their own custom malware tools in combination with existing, commercial tools, such as Cobalt Strike and Metasploit. This report is the <strong>first time some of these custom tools have been publicly discussed<\/strong>. Details are given on how each component is used during initial infection and later lateral movement on the victim\u2019s network.<\/p>\n<p><strong>Protection Techniques<\/strong><\/p>\n<p>Security measures for these attack types are well known \u2013 and Trend Micro\u2019s solutions like Trend Micro\u00a0<a href=\"https:\/\/www.trendmicro.com\/us\/enterprise\/security-risk-management\/deep-discovery\/index.html\">Deep Discovery<\/a> can mitigate these risks on multiple levels. One particular attack vector does merit an extra mention however \u2013 webmail. As stated in our recent <a href=\"http:\/\/blog.trendmicro.com\/storms-coming-businesses-can-defend-threat-actor-groups-like-pawn-storm\/\">Pawn Storm<\/a> report, we strongly recommend that two-factor authentication be implemented to protect webmail accounts from being compromised. Webmail accounts can be a treasure trove of information for an attacker, and an extremely strong initial beachhead for pivoting into other targets, e.g. 
replying to existing threads with malicious attachments or links.<\/p>\n<p>You can find further information on this attack campaign in our collaborative paper \u201c<a href=\"http:\/\/www.clearskysec.com\/wp-content\/uploads\/2017\/07\/Operation_Wilted_Tulip.pdf\">Operation Wilted Tulip: Exposing a Cyberespionage Apparatus<\/a>.\u201d<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/copykittens-exposed-clearsky-trend-micro\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Bob McArdle| Date: Tue, 25 Jul 2017 11:00:49 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2016\/08\/What-can-a-hacker-do-with-access-to-your-business-email-account_459_40133371_0_14130644_300-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"What can a hacker do with access to your business email account?\" style=\"float: left; margin-right: 5px;\" \/>CopyKittens is a cyberespionage group that ClearSky has been reporting on since 2015, tracking their attacks on government-related bodies around the world. Trend Micro has supported this research at several points, including for their latest report released today on the group\u2019s vast espionage campaigns. 
This research highlights new malware, exploitation, delivery, and command and control&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[4503,714,10421],"class_list":["post-8438","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-cybercrime","tag-security","tag-vulnerabilities-exploits"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8438"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8438\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8438"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}