<p><strong>Japanese national threat cuisine: served individually, with zero-day flavor</strong></p>
<p>Kaspersky Lab business blog, 20 August 2015. Original URL: <a href="https://www.kaspersky.co.za/blog/bluetermite-apt/4409/">https://www.kaspersky.co.za/blog/bluetermite-apt/4409/</a></p>
<p>These days, zero-day exploits propagate almost literally at the speed of light. As soon as a useful exploit becomes public, APT authors can begin adding it to their creations right away. In a month when we have already written about the latest forays of the <a href="https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/">Darkhotel</a> attackers, who adopted a zero-day from the Hacking Team’s stolen materials, we now find the same Adobe Flash vulnerability reaching the Land of the Rising Sun. On this occasion, the APT actor BlueTermite decided to embed it into their toolset.</p>
<p><strong>From Italy to Japan with persistence</strong></p>
<p>This attack is “persistent” in more senses than one. It has been active since at least November 2013 and has a notable geographic peculiarity: it is strongly tied to Japan. Its victims, the Japanese Pension Service and Health Insurance Services among them, are located only in that country, as are BlueTermite’s own control servers.</p>
<p><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/103/2015/08/06020353/2-1024x270-1.png" alt="BlueTermite activity graph" width="1024" height="270"></p>
<p>The burst of activity in mid-summer 2015, visible on the graph above, is easy to explain: this is when the APT gained a new infection method. Before July 2015 BlueTermite spread only through spear-phishing; from that point on, drive-by infection was added. Notably, among the compromised websites was a web resource belonging to a member of the Japanese government. Such watering-hole attacks precisely target the country’s political circles.</p>
<p>Another interesting aspect of the attacks is that, to decrypt the code of its “emdivi t20” malware, BlueTermite uses a decryption key generated from a unique ID based on the victim’s hardware. Once again, the attack is “persistent” on many fronts: besides sticking to its own country, its toolset clings to the infected system, which frustrates attempts at cloning it for analysis or similar research methods. A more detailed description of BlueTermite can be found <a href="https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt">here</a>.</p>
<p>Also, check out our new video in which Suguru Ishimaru, Junior Security Researcher at Kaspersky Lab Japan and author of the Securelist article linked above, reports on the BlueTermite discovery:</p>
<p><a href="https://www.youtube.com/embed/wmucFBfdftg">Video: Suguru Ishimaru on the BlueTermite discovery (YouTube)</a></p>
<p>In view of the above, it may appear that the actor’s interest in the Hacking Team exploit is exceptional. In truth, the same story could be told about every emerging zero-day that reaches the wider public: cybercriminals hurry to reap the benefits of the ‘not yet patched’ period.</p>
<p>If companies don’t want to become victims, they need to <strong>acknowledge the possibility of such attacks and be prepared</strong>. At the very least, businesses should <strong>immediately install critical patches</strong> as soon as they are provided. Of course, this won’t eliminate the possibility of a targeted attack, but it greatly reduces the risk.</p>
<p><strong>How Kaspersky Lab products defend against the BlueTermite APT</strong></p>
<p>Kaspersky Lab products detect BlueTermite’s modules under the verdicts shown in the table below.</p>
<p><img src="https://media.kasperskydaily.com/wp-content/uploads/sites/103/2015/08/06020352/verdict-1.png" alt="Table of detection verdicts for BlueTermite modules" width="232" height="164"></p>
<p><strong>Zero-day malware prevention</strong></p>
<p>Heuristic algorithms handle previously unknown malware samples that cannot be detected from signature databases. These algorithms are based on knowledge of typical patterns in both file structure and emulated behavior. Actual process behavior is monitored as well: the System Watcher module can discern suspicious behavior patterns and block unwanted activity.</p>
<p>Kaspersky Lab’s <a href="http://media.kaspersky.com/en/business-security/AEP_WP%20(1).pdf"><strong>Automatic Exploit Prevention</strong></a> functionality is designed to fight exploits, including zero-days, and is highly effective in detecting BlueTermite components. The Heuristics and Automatic Exploit Prevention components of Kaspersky Lab’s advanced antimalware engine form a crucial part of a multilayered, comprehensive defense.</p>
<p><strong>Apply patches in time</strong></p>
<p>Regularly updating installed software to the latest version and patching the OS will help prevent a vast range of attacks. Timely patching is most easily achieved with a patch management toolkit, such as Kaspersky Lab’s, working together with or instead of Microsoft WSUS. <strong>Vulnerability Assessment</strong> and <strong>Patch Management</strong><a href="#_ftn1" name="_ftnref1">[1]</a> combined will also update all popular third-party software to the latest versions. Employing Kaspersky Lab’s automated tools helps reduce the ‘patching gap’ between the release of a patch and its deployment, thereby greatly reducing the risk of falling victim to ‘yesterday’s 0-day’.</p>
<p><strong>Known control server URLs</strong></p>
<p>When the command and control (CnC) servers of any targeted attack are identified, we add their addresses to our security database. Kaspersky Lab clients can obtain all current information about active CnC servers from our special <strong><a href="https://www.kaspersky.com/enterprise-it-security/security-intelligence-services/">data feed</a></strong>. This feed can be used (for example, in the customer’s SIEM system) to alert system administrators to any communications with these malicious servers.</p>
<p><em><a href="#_ftnref1" name="_ftn1">[1]</a> Vulnerability Assessment and Patch Management are included in <a href="https://www.kaspersky.com/business-security/total">Kaspersky Total Security for Business</a>, <a href="https://www.kaspersky.com/business-security/endpoint-advanced">Kaspersky Endpoint Security for Business Advanced</a> and <a href="https://www.kaspersky.com/business-security/systems-management">Kaspersky Systems Management</a>.</em></p>