Dragonfly Cyberspy Group Ramps Up Attacks Against Energy Sector

Symantec warns that a sophisticated cyberespionage group known as Dragonfly is aggressively targeting companies from the energy sector in Europe and the United States. The company’s researchers have seen evidence that in some cases the group obtained access to operational control systems.

Dragonfly has been operating since 2011 and has significantly ramped up its attacks over the past year. The origin of the group is unclear and, according to Symantec, there is insufficient evidence to draw any definitive conclusions.

Dragonfly uses spearphishing attacks and strategic website compromises to infect computers and doesn’t rely on zero-day exploits. Nevertheless, Symantec describes the group as “highly experienced” and capable of compromising many organizations. Its capabilities include “materially disrupting targeted organizations,” the researchers said.

Dragonfly uses a custom malware program but also relies heavily on system administration tools and publicly available attack frameworks, which could make attribution harder.

“This attack on global power grids did not require technological sophistication—just a strong understanding of the people the attackers were targeting,” said Josh Douglas, chief strategy officer for Cyber Services at Raytheon. “The attackers targeted the intersection of security and human behavior. They succeeded because they knew what employees were most likely to click—things like specialty websites and e-mailed invitations to parties.”

In a separate report released Sept. 6, IBM X-Force also warned that the energy and utilities sector has been increasingly targeted this year. The company recorded 2,522 attacks against industrial control systems (ICS) through mid-July, close to the total number of such attacks observed during all of last year. That’s significant considering that, according to IBM’s data, the volume of ICS attacks doubled in 2016 compared to 2015.

Exploit Released for Apache Struts Flaw

The researchers who found a critical vulnerability in the Apache Struts development framework for Java web applications intentionally held back from publishing their proof-of-concept exploit to give Struts users enough time to patch.

That didn’t help much, because in less than 24 hours someone else figured out where the vulnerability is located and contributed an exploit for it to the popular Metasploit pentesting framework. Companies that haven’t yet applied the patch should do so as soon as possible, because attacks are likely to follow.

In March, attackers exploited a remote code execution vulnerability in another Struts component to compromise web servers and install DDoS bots and ransomware on them.

One problem, however, is that upgrading to Struts 2.5.13, which fixes the new flaw, might actually break existing applications. That’s because the patch introduces a whitelist of data types that are allowed to be deserialized, so in some cases companies might have to extend the whitelist or modify their applications to make them compatible with the new Struts version.

The WireX Android Botnet Is Capable of UDP DDoS Attacks

Some versions of the WireX malware, which infected more than 100,000 Android devices and used them to launch large distributed denial-of-service (DDoS) attacks, are also capable of sending malicious UDP traffic.

Researchers from Akamai, Cloudflare, Flashpoint, Google, RiskIQ and Team Cymru, who discovered WireX and worked together to disrupt it, initially thought that the botnet was only capable of hitting web applications with bogus HTTP requests.

However, additional samples obtained by researchers from F5 Networks and Akamai show that WireX can also launch attacks at the network layer using UDP. This also proves that the botnet was intentionally created for DDoS and not click fraud, as some people theorized.

“Discovering, and ultimately confirming, that WireX can also launch UDP-based volumetric attacks is important, as they are more likely to impact additional applications and OSI layers,” researchers from Akamai said in a blog post. “This further expands the botnet’s capabilities, raising additional concerns for defenders.”

It’s unclear how much of a threat WireX’s UDP attack capabilities pose, since Google remotely uninstalled a large number of the malicious applications from infected devices, so the botnet is not as large as it used to be. The amount of UDP traffic that individual bots could generate would also vary widely depending on the devices and networks they run on.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
