{"id":15024,"date":"2014-11-11T17:52:16","date_gmt":"2014-11-11T17:52:16","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2842"},"modified":"2020-02-27T03:50:58","modified_gmt":"2020-02-26T16:50:58","slug":"blackenergy-2-a-good-set-or-bad-deeds","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/blackenergy-2-a-good-set-or-bad-deeds\/15024\/","title":{"rendered":"BlackEnergy 2: a good set or bad deeds"},"content":{"rendered":"<p><a href=\"https:\/\/securelist.com\/blog\/research\/67353\/be2-custom-plugins-router-abuse-and-target-profiles\/\" target=\"_blank\" rel=\"noopener\">A new article has been published on Securelist<\/a>, dedicated to the already notorious BlackEnergy crimeware toolkit, which has most recently been used by the Sandworm APT group, also known as BE2 APT.<\/p>\n<p>While the research is mostly technical, it contains a number of details that deserve the attention of business people. We\u2019ll try to cover them in this post.<\/p>\n<p>So, what is BlackEnergy?
Initially DDoS crimeware, it has turned into a large collection of tools currently used in various APT-type activities, including what Kurt Baumgartner and Maria Garnaeva called \u201csignificant geopolitical operations\u201d.<\/p>\n<p>The most interesting point here is that BlackEnergy is a modular tool comprising many plugins capable of attacking a multitude of platforms, including ARM and MIPS; there are also scripts for Cisco network devices, certificate stealers, and destructive plugins.<\/p>\n<p>Yes, destructive: some are clearly designed to kill hard drives by overwriting all of the information on them with random data.<\/p>\n<p>Kaspersky Lab\u2019s experts don\u2019t know the total number of plugins associated with BlackEnergy (or, to be more specific, BlackEnergy 2 and BlackEnergy 3 \u2013 the currently known APT tools), nor do they know how many hacking groups have BE at their disposal. The Sandworm APT team has drawn a lot of attention to itself due to its attacks on high-profile targets, but that doesn\u2019t mean there aren\u2019t other groups using the same tools right now, fortunate enough to remain undiscovered.<\/p>\n<p>The Sandworm\/BE2 APT group has been <a href=\"https:\/\/threatpost.com\/sandworm-apt-team-found-using-windows-zero-day-vulnerability\/108815\" target=\"_blank\" rel=\"noopener nofollow\">hitting larger entities<\/a> and has clearly displayed an expansive interest in ICS.
Among their victims are:<\/p>\n<ul>\n<li>power generation site owners<\/li>\n<li>power facility construction<\/li>\n<li>power generation operators<\/li>\n<li>large suppliers and manufacturers of heavy power-related materials<\/li>\n<li>investors<\/li>\n<\/ul>\n<p>However, researchers also noticed that the target list includes government, property holding, and technology organizations.<\/p>\n<p>It is also possible that subtler operations by other groups, with lower-profile targets, are in the works; BlackEnergy wasn\u2019t created specifically for narrowly targeted attacks. Judging by its architecture, BlackEnergy is a versatile and advanced toolset.<\/p>\n<p>The attackers behind BE2 were aware they were being watched. Baumgartner and Garnaeva mention in their report that over the course of the investigation, the attackers left behind a \u201cpunchy\u201d farewell message:<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06020203\/message-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-2844\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2014\/11\/06020203\/message-1.png\" alt=\"message\" width=\"502\" height=\"534\"><\/a><\/p>\n<p>Trolling of this kind shows that the attackers are already rattled by the extensive attention they\u2019ve drawn to themselves. Still, so far, they have been rather successful in covering their tracks. As said above, the full range of tools, plugins, and other components of BlackEnergy is still unknown.<\/p>\n<p>The most important thing in situations like this is the attack vector. Of the four victims profiled in the research, two had been hit with successful spearphishing.
Moreover, the attackers delivered an exploit for which there was no (and still is no) CVE, although a Metasploit module was available.<\/p>\n<p>The email message contained a ZIP archive with a .EXE file inside that did not appear to be executable. This crafted ZIP archive exploited a WinRAR flaw that makes files in ZIP archives appear to have a different name and file extension.<\/p>\n<p>The second victim had been hacked via the first victim\u2019s stolen VPN credentials; some data was destroyed on their machines and Cisco routers were hacked.<\/p>\n<p>And while the third victim had been hit the same way as the first, it is the fourth case (or, rather, a set of cases, for there was more than one company affected) that seems especially troubling. Victims discovered that Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy-associated malware.<\/p>\n<p>All in all, the researchers say that the malware\u2019s breadth presents new technical challenges \u201cin unusual environments, including SCADA networks\u201d.
These challenges, Baumgartner and Garnaeva say, \u201cmay take an organization\u2019s defenders far beyond their standard routine and out of their comfort zone.\u201d<\/p>\n<p>While system administrators should clearly pay close attention <a href=\"https:\/\/securelist.com\/blog\/research\/67353\/be2-custom-plugins-router-abuse-and-target-profiles\/\" target=\"_blank\" rel=\"noopener\">to the full version of the research<\/a>, here are some basic recommendations for businesses regarding this threat:<\/p>\n<ul>\n<li>Assume that you are a potential target even if your business doesn\u2019t belong to the aforementioned sectors and\/or their supply chains. BE tools may be in the possession of more than one hacking gang.<\/li>\n<li>Deploy antiphishing tools and educate employees on phishing, spearphishing, and how they can be countered.<\/li>\n<li>Reduce the attack surface by placing the software most often exploited by BE under a \u201cpresumption of guilt\u201d mode. Automatic exploit prevention tools are most helpful here.<\/li>\n<li>And, of course, keep software (including security solutions) up to date.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Securelist has published extensive research on BlackEnergy.
Initially DDoS crimeware, it has turned into a large collection of tools currently used in various APT-type activities, including some &#8220;significant geopolitical operations&#8221;.<\/p>\n","protected":false},"author":209,"featured_media":15869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[2220,2221,2222],"class_list":{"0":"post-15024","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-blackenergy-2","10":"tag-ddos-crimeware","11":"tag-securelist"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/blackenergy-2-a-good-set-or-bad-deeds\/15024\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/blackenergy-2-a-good-set-or-bad-deeds\/15024\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/blackenergy-2-a-good-set-or-bad-deeds\/15024\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/blackenergy-2\/","name":"BlackEnergy
2"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=15024"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15024\/revisions"}],"predecessor-version":[{"id":26565,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/15024\/revisions\/26565"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15869"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=15024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=15024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=15024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}