Tuesday, October 15, 2024
HomeCyber AttackAPT Group Cyber Attack to Hack Various Companies Web Servers Using Advanced...

APT Group Cyber Attack to Hack Various Companies Web Servers Using Advanced Hacking Tools

Published on

Malware protection

A Well known APT group called Energetic Bear/Crouching Yeti attacked various companies servers with a strong focus on energy and industrial sectors around the World.

This cybercrime group attacking various companies webservers around the world using countless malware since 2010 and stolen a huge amount of sensitive data.

Mainly during 2016 and in early 2017, Energetic Bear group Compromising several webservers from the various organization.

- Advertisement - SIEM as a Service

The main task of these attack is to search and identify the vulnerabilities to gain the access to the various host and stealing the Authentication Data.

Cyber Criminals using phishing Emails with the malicious document to compromise the various servers and some of the compromised servers used for an auxiliary purpose that act as s host tools and logs.

Compromised server based on Russia, Ukraine, UK, Germany, Turkey, USA and other countries with the various role of Attack.

compromised servers                                                                                        Source: Kaspersky

Water Whole Attack & Scanned Resources

An attacker using the Specific pattern to infect the water whole servers by injecting a link into a web page or JS file ( file://IP/filename.png.).

Particular injected link initially request for images but eventually, it makes user connected to the Command & control server over SMB to extract the following data from infected servers.

  • user IP,
  • username,
  • domain name,
  • NTLM hash of the user’s password.

Cyber Criminals using Various hacking Tools such as such as nmap, dirsearch, sqlmap, etc. to scan the vulnerable servers and compromised servers are used to conduct attacks on other resources.

Scanned resources are highly sensitive information such as medical data, cryptocurrency, confidential data including server activities and financial information.

Tools Used For Scanning by APT Group

According to Kaspersky Research, Most of the tools used found on compromised servers are open-source and publicly available on GitHub:

  • Nmap – an open-source utility for analyzing the network and verifying its security.
  • Dirsearch — a simple command-line tool for brute forcing (performing exhaustive searches of) directories and files on websites.
  • Sqlmap — an open-source penetration testing tool, which automates the process of identifying and exploiting SQL injection vulnerabilities and taking over database servers.
  • Sublist3r — a tool written in Python designed to enumerate website subdomains. The tool uses open-source intelligence (OSINT). Sublist3r supports many different search engines, such as Google, Yahoo, Bing, Baidu and Ask, as well as such services as Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. The tool helps penetration testers to collect information on the subdomains of the domain they are researching.
  • Wpscan — a WordPress vulnerability scanner that uses the blackbox principle, i.e., works without access to the source code. It can be used to scan remote WordPress sites in search of security issues.
  • Impacket — a toolset for working with various network protocols, which is required by SMBTrap.
  • SMBTrap — a tool for logging data received over the SMB protocol (user IP address, user name, domain name, password NTLM hash).
  • Commix — a vulnerability search and command injection and exploitation tool written in Python.
  • Subbrute – a subdomain enumeration tool available for Python and Windows that uses an open name resolver as a proxy and does not send traffic to the target DNS server.
  • PHPMailer – a mail sending tool.

After they find the vulnerable servers then attackers try to bypass and inject the exploit to gain more access and pull out logs file and other sensitives data From compromised Victims.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...