07-31-2014 11:11 AM
Comment/ Another attack campaign against Industries.
Researchers at Kaspersky Lab released a detailed analysis of an advanced attack campaign that has struck about 2,800 victims across multiple industries worldwide.
Dubbed 'Energetic Bear' by CrowdStrike and renamed 'Crouching Yeti' by Kaspersky Lab, the attack campaign has gone on to infect companies worldwide. While CrowdStrike stated the operation was likely the work of a Russian threat actor, researchers at Kaspersky Lab were more hesitant to name names.
"Based in some artifacts, we believe the campaign originated at the end of 2010," according to a blog post by Kaspersky Lab's Global Research and Analysis Team. "The campaign is still alive and getting new daily victims."
"We believe this is an information stealing campaign," the researchers added. "Given the heterogeneous profile of the victims it seems than the attackers were interested in different topics and decided to target some of the most prominent institutions and companies in the world to get latest information."
The attackers used three tactics to distribute malware: spear-phishing using PDF documents armed with an exploit for CVE-2011-0611, an Adobe Flash Player vulnerability; waterhole attacks using a variety of exploits; and Trojanized software installers.
SecurityWeek/ full read here/ http://www.securityweek.com/crouching-yeti-attack-
08-07-2014 06:44 AM
The following article is a update on Crouching Yeti Attack.
(Crouching Yeti still spying)
Kaspersky Lab has warned that the cyber espionage campaign known both as Energetic Bear and Crouching Yeti is still actively spying on a wide range of institutions worldwide.
Energetic Bear/Crouching Yeti has been active since at least 2010, the security company said, with over 2,800 targets worldwide in sectors including industrial/machinery, manufacturing, pharmaceutical, construction, education, and information technology.
A new analysis of the malware and command and control (C&C) infrastructure of the campaign by Kaspersky has shown that the attack does not use highly sophisticated malware, and also throws doubt on the presumed origin of the campaign.
itp.net/ Full Article Here/ http://www.itp.net/599304-crouching-yeti-still-spy
03-17-2015 01:51 PM
The following article is a update:
The threat actor known as Crouching Yeti, Energetic Bear and Dragonfly continues to target organizations across the world. However, experts believe the group has switched targets and infrastructure.
According to Kaspersky, the Russian-speaking group has been involved in several advanced persistent threat (APT) campaigns since 2010, targeting organizations in sectors such as energy, machinery, IT, pharmaceutical, manufacturing, education, and construction.
The actor has leveraged exploits, social engineering, watering hole attacks, and trojanized software installers to distribute the pieces of malware it uses to steal valuable data from the targeted organizations’ systems.
In a blog post published on Tuesday, Kaspersky reported that the 69 command and control (C&C) servers it has been monitoring have communicated to roughly 3,700 victims connecting from nearly 58,000 IP addresses.
The C&C servers are located mainly in the United States, Germany, Russia and the UK, and they handle more than 1,000 unique victim connection each day. However, Kaspersky’s analysis shows that the number of hits has decreased considerably over the past months after security firms started publishing reports on Crouching Yeti’s activities.