Development and operations a practical guide
Joe Vest, James Tubberville, Red Team Development and Operations
Begin the Exercise
Begin by researching the Energetic Bear threat and attack. After you complete your own research, compare your observations to the highlights below; they have been provided to help with this process.
Highlights from the Energetic Bear Threat Actor

- Starting in 2010 and ending in 2014, Energetic Bear / Dragonfly / Crouching Yeti malware attacked numerous computers to collect information on industrial control systems in the United States and Europe
- Spread out over time and thus difficult to detect
- The primary goal was to collect information that impacted the energy and pharmaceutical industries
- Possibly nation-state supported
- Phishing, watering hole attacks
- Known exploits were used (PDF, Java, IE, Word)
- Compromised ICS web servers
- HTTP-based C2

Specific activities and capabilities
IOCs from the actor Energetic Bear and the HAVEX malware

Actor

- Associated with the Russian Federation
- Active over multiple years
- Active primarily during Moscow business hours
- Targeted organizations in the industrial control system sector
- Goal of gathering intelligence on ICS-based organizations
- Use of custom malware

Attack and delivery TTPs

- Phishing
- Watering hole
- Compromised web servers

Exploitation TTPs

- PDF exploits
- Java and IE exploits
- Word exploits
- Custom binaries

Post-exploitation TTPs

- Local system enumeration for OS, username, processes, internet history, etc.
- Scan for known ICS-related ports
- DLL injection to migrate into explorer.exe
- Collect Outlook address book information
- Collect passwords from browsers
- Save exfiltrated data to an encrypted file on disk before delivery to the C2 in an HTTP POST request
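Two of the traits above (HTTP POST delivery to the C2, and activity clustered in Moscow business hours) are things a defender can look for in outbound proxy logs. The following is an added example, not code from the book or from the HAVEX research: it parses constructed proxy log lines (timestamp in UTC, source, destination, method, bytes out), flags source/destination pairs with regularly spaced POSTs, and reports what fraction of those POSTs fall between 09:00 and 18:00 Moscow time. The log format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): time(UTC) src dst method bytes_out
SAMPLE_LOG = """\
2014-03-04T06:00:00Z 10.1.1.20 203.0.113.9 POST 4096
2014-03-04T07:00:00Z 10.1.1.20 203.0.113.9 POST 4100
2014-03-04T08:00:00Z 10.1.1.20 203.0.113.9 POST 4088
2014-03-04T09:00:00Z 10.1.1.20 203.0.113.9 POST 4120
2014-03-04T10:00:00Z 10.1.1.20 203.0.113.9 POST 4090
2014-03-04T09:15:00Z 10.1.1.21 198.51.100.7 GET 300
2014-03-04T11:40:00Z 10.1.1.21 198.51.100.7 POST 900
2014-03-04T12:02:00Z 10.1.1.21 198.51.100.7 GET 250
"""

MSK = timezone(timedelta(hours=3))  # Moscow time is UTC+3 (assumed fixed offset)

def parse_log(text):
    """Turn the assumed whitespace-separated log format into tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, method, size = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows.append((when, src, dst, method, int(size)))
    return rows

def find_post_beacons(rows, min_posts=4, max_cv=0.2):
    """Flag (src, dst) pairs whose POSTs arrive at near-constant intervals.

    cv is the coefficient of variation of the inter-request gaps; a low cv
    means a timer-driven check-in rather than human browsing. The business-
    hours fraction is a triage hint only, not proof of attribution.
    """
    posts = defaultdict(list)
    for when, src, dst, method, _size in rows:
        if method == "POST":
            posts[(src, dst)].append(when)
    findings = {}
    for pair, times in posts.items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv > max_cv:
            continue
        hours = [t.astimezone(MSK).hour for t in times]
        biz = sum(9 <= h < 18 for h in hours) / len(hours)
        findings[pair] = {"posts": len(times), "mean_gap_s": mean(gaps),
                          "cv": round(cv, 3), "msk_business_fraction": round(biz, 2)}
    return findings
```

Run over real proxy exports the thresholds will need tuning, and legitimate software updaters also produce regular POSTs, so treat a hit as a lead for further review rather than an alert on its own.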
