Cyberattacks Feb 2011 – Night Dragon Attacks
Looking back at the cyberattacks of 2011: McAfee has named these attacks Night Dragon. Night Dragon is a major string of attacks designed to steal sensitive data from targeted organizations. These attacks are similar to Operation Aurora <http://www.mcafee.com/us/threat-center/operation-aurora.aspx> (though not linked to it) and to other advanced persistent threats, or APTs, in that they combine social engineering with well-coordinated, targeted cyber-attacks using Trojans, remote control software, and other malware. The Night Dragon attackers are currently targeting global oil, energy, and petrochemical companies with the apparent intent of stealing sensitive information such as operational details, exploration research and financial data. But the Night Dragon attacks are not necessarily industry-specific. McAfee has been tracking these attacks for some time and has already added Night Dragon protection (and protection against similar threats) to McAfee security solutions.
Night Dragon attacks leverage coordinated, covert, and targeted cyber-attacks involving: social engineering, spear phishing, vulnerability exploits in the Windows operating system, Active Directory compromises, and Remote Administration Tools (RATs). The attack sequence is as follows:
- Public-facing web servers are compromised via SQL injection; malware and RATs are installed.
- The compromised web servers are used to stage attacks on internal targets.
- Spear phishing attacks on mobile, VPN-connected workers are used to gain additional internal access.
- Attackers use password-stealing tools to access other systems, installing RATs and malware as they go.
- Systems belonging to executives are targeted for email and files that are captured by the attackers.
How can you find out if you are infected?
For detection to occur, at a minimum update your anti-virus DAT files to version 6232, ensure on-demand scans are working properly, and perform a full file system virus scan. Review ePolicy Orchestrator (ePO) anti-virus alerts and network logs to identify compromised systems.
Night Dragon has no “Worm” infection capability and does not self-propagate. Night Dragon is a Trojan backdoor that is installed on a system using a Trojan dropper (.exe) file that is copied to computers by an attacker – usually over Windows shares. It is usually located in the C:\Windows\System32 or C:\Windows\SysWow64 directory.
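Because the dropper is an .exe copied over Windows shares into those two directories, Windows Security event 5145 (detailed file share auditing) is one place to look for it. The Python below is an added example, not McAfee's tooling or part of the original article. It assumes that auditing is enabled and that events have been exported as dictionaries keyed by the 5145 field names; every sample event, address, account and file name is constructed.

```python
import ntpath

# Directories the article names as the dropper's usual location.
WATCHED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA access-mask bits

def resolved_path(event):
    """Join the share's local path and the relative target into one path."""
    local = event["ShareLocalPath"]
    if local.startswith("\\??\\"):
        local = local[4:]  # drop the NT path prefix recorded in 5145 events
    full = ntpath.join(local, event["RelativeTargetName"])
    return ntpath.normpath(full).lower()

def is_remote_exe_write(event):
    """True for a share access requesting write rights on an .exe that sits
    directly inside one of the watched system directories."""
    if event.get("EventID") != 5145:
        return False
    if not int(event["AccessMask"], 16) & WRITE_BITS:
        return False
    path = resolved_path(event)
    return path.endswith(".exe") and ntpath.dirname(path) in WATCHED_DIRS

def find_remote_exe_writes(events):
    """Return (source address, account, path) for each suspicious write."""
    return [(e["IpAddress"], e["SubjectUserName"], resolved_path(e))
            for e in events if is_remote_exe_write(e)]

def ev(ip, user, local, target, mask, event_id=5145):
    """Build one constructed sample event with the 5145 field names."""
    return {"EventID": event_id, "IpAddress": ip, "SubjectUserName": user,
            "ShareLocalPath": local, "RelativeTargetName": target,
            "AccessMask": mask}

# Constructed sample events; addresses, accounts and file names are made up.
SAMPLE_EVENTS = [
    ev("192.0.2.10", "websvc", r"\??\C:\Windows", r"System32\sample-a.exe", "0x2"),
    ev("192.0.2.10", "websvc", "\\??\\C:\\", r"Windows\SysWOW64\sample-b.exe", "0x6"),
    ev("198.51.100.7", "jdoe", r"\??\C:\Windows", r"System32\cmd.exe", "0x1"),
    ev("198.51.100.7", "jdoe", r"\??\C:\Windows", r"System32\drivers\etc\hosts", "0x2"),
    ev("198.51.100.7", "jdoe", "\\??\\C:\\", r"Users\Public\tool.exe", "0x2"),
]

if __name__ == "__main__":
    for hit in find_remote_exe_writes(SAMPLE_EVENTS):
        print(hit)
```

A hit is a lead to correlate with anti-virus alerts, not proof of compromise: software deployment and patching tools also write executables into these directories over admin shares.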
- Where applicable, ensure DAT 6232 or later is installed.
- It is good practice to install the latest available security updates.