2025-03-29 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article walks through an example analysis of how a single threat group uses multiple small botnets against narrowly chosen targets. Many newcomers are unclear about this, so the editor explains it in detail below; anyone who needs it can read on and hopefully take something away.
APT33 often targets the oil and aviation industries, and recent findings show that the group has been using about 12 obfuscated C&C servers to attack specific targets. The group mainly carries out highly targeted malicious attacks in the Middle East, the United States and Asia.
Each botnet consists of more than 12 infected computers, and the malware used in the attacks has only basic functions, including downloading and running other malware. Active infections in 2019 included a private U.S. company that provides national security-related services; other targets included American universities, the United States military and several victims in the Middle East and Asia.
In the past few years, APT33 has become more aggressive. For example, for two years the group used the private website of a senior European politician, a member of the country's defence council, to send spear phishing emails to oil products supply chain companies. Targets include a water supply facility used by the United States Army to provide drinking water for one of its military bases.
These attacks have infected oil industry facilities. For example, communication between a British oil company's servers and APT33 C&C servers was discovered in the autumn of 2018. Another European oil company had APT33-related malware on its servers in November and December 2018 for at least three weeks. Several other companies in the oil supply chain were also attacked in the autumn of 2018.
The first two e-mail addresses in the above table (ending in .com and .aero) are spoofed addresses, while the addresses ending in .ga belong to the attacker. These addresses impersonate well-known airlines and oil and gas companies.
In addition to attacking the petroleum product supply chain, APT33 used multiple C&C servers to build small botnets.
APT33's attacks are very careful and therefore harder to track. The C&C servers are hosted behind cloud-hosted proxies: these proxies forward URL requests from infected machines to shared web servers that may host thousands of legitimate domains, and the backend relays the data to aggregation nodes and control servers on private IP addresses. APT33 uses different nodes and conversion rules to form a private VPN network and uses different connections to collect information about infected machines.
Data from 10 live data aggregation nodes and control servers were counted in the autumn of 2019, and several of them were tracked for several months. Each aggregation node receives data from only a small number of C&C servers (one or two), each with at most 12 victims. The following table lists some of the C&C servers that are still active.
When managing C&C servers and doing reconnaissance, attackers often use commercial VPN services to cover their tracks, and they are also often seen using a private VPN network they have set up for themselves.
A private VPN can easily be built by renting servers from data centres around the world and running open source software such as OpenVPN. Although private VPN connections appear to come from unrelated IP addresses around the world, this traffic is actually easier to track: once we know that an exit node is used mainly by a specific attacker, we can query on the exit node's IP address.
The known relevant IP addresses are as follows:
These private VPN exit nodes are also used to reconnoitre networks related to the oil supply chain; attackers used some of the IP addresses in Table 3 to probe the networks of Middle Eastern oil exploration companies and military hospitals, as well as United States oil companies.
APT33 uses its dedicated VPN network to access penetration testing companies' websites, webmail, vulnerability sites and cryptocurrency-related sites, and to read hacker blogs and forums. Companies in the oil and gas industry are advised to cross-reference their security log files against the IP addresses listed above.
Security recommendations
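As an added example (not code from the article or from the researchers who produced the findings), the script below does the recommended cross-referencing: it scans firewall log lines for connections to or from a watchlist of exit-node addresses. Because the page does not reproduce the Table 3 addresses, the watchlist uses RFC 5737 documentation ranges as placeholders, and the log format is an assumed, constructed one.

```python
import ipaddress
import re

# Placeholder watchlist standing in for the article's exit-node list
# (the page does not reproduce it); RFC 5737 documentation ranges only.
WATCHLIST = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]

# Constructed sample firewall export; the key=value layout is assumed.
SAMPLE_LOG = """\
2019-10-02T08:14:07Z action=allow src=10.20.30.41 dst=192.0.2.10 dport=443 proto=tcp
2019-10-02T08:14:09Z action=allow src=10.20.30.41 dst=93.184.216.34 dport=443 proto=tcp
2019-10-02T09:01:55Z action=deny src=198.51.100.7 dst=10.20.30.5 dport=3389 proto=tcp
2019-10-02T09:02:10Z action=allow src=10.20.30.77 dst=203.0.113.9 dport=80 proto=tcp
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def build_networks(entries):
    """Accept bare IPs and CIDR blocks; strict=False keeps host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matched_direction(line, nets):
    """Return (direction, ip, fields) when src or dst is on the watchlist.
    A watched src means inbound scanning; a watched dst means beaconing out."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than crash the sweep
    fields = m.groupdict()
    for field, direction in (("src", "inbound"), ("dst", "outbound")):
        try:
            addr = ipaddress.ip_address(fields[field])
        except ValueError:
            continue
        if any(addr in n for n in nets):
            return direction, str(addr), fields
    return None


def cross_reference(log_text, watchlist):
    """Collect every hit with the fields an analyst needs to triage it."""
    nets = build_networks(watchlist)
    hits = []
    for line in log_text.splitlines():
        hit = matched_direction(line, nets)
        if hit:
            direction, addr, f = hit
            hits.append({"ts": f["ts"], "direction": direction,
                         "ip": addr, "dport": int(f["dport"])})
    return hits


if __name__ == "__main__":
    for h in cross_reference(SAMPLE_LOG, WATCHLIST):
        print(h)
```

Both directions matter: an outbound hit suggests an implant reaching its proxy, while an inbound hit from an exit node is the reconnaissance the article describes.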
The continuous modernization of oil, gas, water and electricity facilities has made it more difficult to secure these facilities. Here are some practices that can be adopted by these organizations:
1. Establish a regular patching and updating strategy for all systems, and apply patches as soon as possible so that cyber criminals cannot exploit known vulnerabilities.
2. Raise employees' awareness of the latest attack techniques used by cyber criminals.
3. IT administrators should apply the principle of least privilege, which also makes inbound and outbound traffic easier to monitor.
4. Deploy multi-layered protection to detect and block malicious intrusions from the gateway to the endpoint.
© 2024 shulou.com SLNews company. All rights reserved.