{"id":4169,"date":"2015-07-08T14:02:03","date_gmt":"2015-07-08T14:02:03","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4169"},"modified":"2020-12-24T19:19:21","modified_gmt":"2020-12-24T17:19:21","slug":"wildneutron-in-the-wild-perhaps-youre-his-next-prey","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/wildneutron-in-the-wild-perhaps-youre-his-next-prey\/4169\/","title":{"rendered":"Wild Neutron in the Wild: Perhaps You&#8217;re His Next Prey"},"content":{"rendered":"<p><strong>Unimportance is not Bliss<\/strong><\/p>\n<p>Media portrayals of sophisticated, highly expensive and probably state-sponsored cyberespionage evoke images of Bond-style characters covertly raiding the digital equivalents of Fort Knox in search of heavily guarded secrets, or spying on top officials. But good news for a media outlet is bad news for business managers, because it convinces them that the relative insignificance of their company means they\u2019re of little interest to attackers.<\/p>\n<p>Unfortunately, obscurity never offered protection in the past \u2013 and that\u2019s unlikely to change in the near future. Do you deal with significant volumes of financial or personal data? The bad guys are interested. Or maybe there are some competitors willing to break the rules and hire cybermercenaries to spy on you. If that still sounds improbable, a new series of attacks by Wild Neutron<sup><a title=\"\" href=\"#_edn1\" name=\"_ednref1\" target=\"_blank\" rel=\"noopener\">1<\/a><\/sup> should make you sit up and take notice.<\/p>\n<p>Consider this range of known targets:<\/p>\n<ul type=\"disc\">\n<li>Law firms<\/li>\n<li>Bitcoin-related companies<\/li>\n<li>Investment companies<\/li>\n<li>Large company groups often involved in M&amp;A deals<\/li>\n<li>IT companies<\/li>\n<li>Healthcare companies<\/li>\n<\/ul>\n<p>What do all these entities have in common? 
Mostly two things: they were vulnerable, and they held data the attackers considered valuable for reasons not yet known. It could be something as simple as data that\u2019s easily converted into hard currency \u2013 or soft currency in Bitcoin\u2019s case. The Wild Neutron group behind this attack is unlikely to be connected with any government agencies, but that doesn\u2019t make them any less skillful or dangerous. Their first known series of strikes in 2013 proved their capabilities, successfully compromising Apple, Microsoft, Facebook, and Twitter. They returned in 2014, using the same highly refined, professional techniques against new targets \u2013 though still not state-of-the-art: some of their modules appear to be heavily based on open source tools (such as Mimikatz or Pass-the-Hash) or on well-known commercial malware (Hesperbot).<\/p>\n<p><strong>Hijack many, benefit from a few<\/strong><\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2017\/05\/06020355\/2.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4171\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2017\/05\/06020355\/2.jpg\" alt=\"2\" width=\"1000\" height=\"667\"><\/a><\/p>\n<p>Wild Neutron seems to be rather unscrupulous in its initial penetration methods. Their favorite way to infect victims is to compromise a web resource, such as a forum frequented by their chosen targets, and load it with exploits or with redirecting scripts that lead to another exploit-laden web resource. Because of this scattergun approach, it seems that many infected users were not specific targets of the group, but merely collateral damage. On the other hand, attacking a broad spread of companies allows the group to access potentially valuable \u2018bonus\u2019 data from unexpected sources. Either way, one thing is clear: your company doesn\u2019t have to be a target to become a victim. 
Just pray that the data you lose is of no use to the attackers.<\/p>\n<p>Back in 2013, they were mostly using Java exploits, but currently they seem to prefer Adobe Flash. While the exact Flash vulnerability being exploited is still unclear, there is evidence that at least some victims had outdated versions of Adobe Flash on their machines, which is a grave mistake. After the initial penetration, they install a backdoor and create a fingerprint from the machine hardware, which is then used both for victim identification and to help encrypt sensitive information about C&amp;C server URLs and configuration. 
This makes Wild Neutron even harder to track; they may seem like lazy trappers in contrast with some highly focused predators, but make no mistake: they are extremely professional and take every step to cover their tracks.<\/p>\n<p><strong>It\u2019s Time to Mitigate the Risks Right Now<\/strong><\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2015\/07\/06020339\/23028-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-4175\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2015\/07\/06020339\/23028-1.jpg\" alt=\"23028\" width=\"999\" height=\"918\"><\/a><\/p>\n<p>Current Kaspersky Lab products offer plenty of features that significantly reduce the risk of being attacked.<\/p>\n<p>Properly addressing software vulnerabilities is a mission-critical step in countering any attack; Wild Neutron\u2019s exploitation of such weaknesses makes Kaspersky Lab\u2019s Vulnerability Assessment and Patch Management<sup><a title=\"\" href=\"#_edn2\" name=\"_ednref2\" target=\"_blank\" rel=\"noopener\">2<\/a><\/sup> the tools of choice to defend against this attack. They streamline and automate the tasks connected with vulnerability management, helping to close the security gaps found in popular software as soon as they are reported.<\/p>\n<p>The toolset used by the Wild Neutron attackers includes both malware and legitimate software components that are integral to the toolset doing its job \u2013 but obviously have nothing to do with the regular work activities of corporate staff. The ability to control the applications launched on company endpoints can really make a difference here: programs that are not supposed to be there won\u2019t be allowed to start. 
Our Application Control feature<sup><a title=\"\" href=\"#_edn3\" name=\"_ednref3\" target=\"_blank\" rel=\"noopener\">3<\/a><\/sup> can ensure that only legitimate, trusted software runs on corporate endpoints. In addition, Default Deny mode is worth considering for workstations running easily formalized processes: administrators simply choose the exact list of apps allowed to start and ban everything else.<\/p>\n<p>Of course, the whole range of Kaspersky Lab\u2019s leading-edge anti-malware techniques is there to further reduce the risk of infection.<\/p>\n<p>In particular, Web Anti-Virus armed with heuristic Anti-Phishing analyzes the structure of loaded web pages and blocks attempts at illegitimate redirects to suspicious external sites.<\/p>\n<p>The Automatic Exploit Prevention (AEP) system is capable of stopping exploits in their tracks.<\/p>\n<p>Currently, the components the attackers are using are detected under the following verdicts:<\/p>\n<p><strong>HEUR:Trojan.Win32.WildNeutron.gen<\/strong><br>\n<strong>Trojan.Win32.WildNeutron.*<\/strong><br>\n<strong>Trojan.Win32.JripBot.*<\/strong><br>\n<strong>HEUR:Trojan.Win32.Generic<\/strong><\/p>\n<p>Still, keep in mind that a targeted attack is usually more than just a pack of malware. Attackers are constantly testing their toolsets against the majority of known security solutions to find out how they could be sidestepped. 
Against a process, which is what a targeted attack is, a security-aware company needs not only endpoint-based or perimeter-guarding mechanisms, but a multi-faceted strategy. To support such a strategy, Kaspersky Lab also offers a comprehensive set of Intelligence Services<sup><a title=\"\" href=\"#_edn4\" name=\"_ednref4\" target=\"_blank\" rel=\"noopener\">4<\/a><\/sup> that can help you understand the nature of the attack and strengthen the company\u2019s security posture.<\/p>\n<hr width=\"100%\">\n<p><a title=\"\" href=\"#_ednref1\" name=\"_edn1\" target=\"_blank\" rel=\"noopener\">1<\/a> You can read more about Wild Neutron <a href=\"https:\/\/securelist.com\/blog\/research\/71275\/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks\/\" target=\"_blank\" rel=\"noopener\">here<\/a><\/p>\n<p><a title=\"\" href=\"#_ednref2\" name=\"_edn2\" target=\"_blank\" rel=\"noopener\">2<\/a> Offered both in a standalone <a href=\"https:\/\/www.kaspersky.com\/business-security\/systems-management\" target=\"_blank\" rel=\"noopener nofollow\">Systems Management solution<\/a> and as a part of <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security Advanced<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/total\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security for Business<\/a><\/p>\n<p><a title=\"\" href=\"#_ednref3\" name=\"_edn3\" target=\"_blank\" rel=\"noopener\">3<\/a> Part of <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-select\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security Select<\/a>, <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Advanced<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/total\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for 
Business<\/a><\/p>\n<p><a title=\"\" href=\"#_ednref4\" name=\"_edn4\" target=\"_blank\" rel=\"noopener\">4<\/a> <a href=\"https:\/\/www.kaspersky.com\/enterprise-it-security\/security-intelligence-services\/\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Intelligence Services<\/a> offer a range of expert training, services and data feeds to empower your security strategy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacking a broad spread of companies allows the group to access potentially valuable \u2018bonus\u2019 data from unexpected sources.<\/p>\n","protected":false},"author":610,"featured_media":15638,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[872,2320],"class_list":{"0":"post-4169","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cyberespionage","10":"tag-wildneutron"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/wildneutron-in-the-wild-perhaps-youre-his-next-prey\/4169\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/wildneutron-in-the-wild-perhaps-youre-his-next-prey\/4169\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/wildneutron-in-the-wild-perhaps-youre-his-next-prey\/4169\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/cyberespionage\/","name":"cyberespionage"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=4169"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4169\/revisions"}],"predecessor-version":[{"id":28529,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/4169\/revisions\/28529"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15638"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=4169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=4169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=4169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}