Dragonfly's Attacks Against Energy Suppliers - Are You Protected?
Dragonfly, a group of attackers making headlines recently, has been conducting a malicious campaign targeting the energy sector and industrial control systems (ICS). While the attack vectors in use are common, the group's compromise of ICS vendor update sites, so that legitimate software downloads arrived bundled with malware, sets them apart.
The various methods of infection employed by this group included:
- PDF attachments via email
- The Hello exploit kit, an obfuscated variant of the Lightsout exploit kit, delivered through watering-hole sites (compromised websites that the targets were likely to visit)
- Trojanized software on compromised ICS and energy sector vendor update sites, so that malware was bundled with otherwise legitimate updates (a supply-chain twist on the watering-hole technique)
- Compromised content management systems (CMS) used as command-and-control infrastructure for call-home activity
While the complexity and approach of malicious actors change, the use of exploits targeting browser plug-ins such as Java continues to be a tried-and-trusted method, as we stated in our 2014 Predictions. Malware authors will continue to strike at the platforms widely adopted by businesses, as organizations struggle to balance business needs against security requirements. An unpatched or unnecessary Java plug-in remains one of the easiest entry points for an exploit kit.
Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:
- Stage 2 (Lure) – websites in the body of the lure emails are classified by ACE.
- Stage 4 (Exploit Kit) – ACE has real-time detection for the malicious code which attempts to deliver exploit content for the Hello exploit kit.
- Stage 5 (Payload) – ACE has detection for the malicious payloads, the Havex and Karagany Trojans.
- Stage 6 (Call Home) – Communication to the associated C&C server is detected in real-time.
Websense Security Labs will continue to monitor activity by Dragonfly.