Netgate Discussion Forum

    "Red October" - An Advanced Cyber Espionage Network Targeting Diplomatic & Govt

    Off-Topic & Non-Support Discussion
    dhatz

      This one seems almost out of a Hollywood movie …

      Full article: http://www.securelist.com/en/blog/785/The_Red_October_Campaign_An_Advanced_Cyber_Espionage_Network_Targeting_Diplomatic_and_Government_Agencies

      The "Red October" Campaign - An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies

      During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment.

      […]

      Examples of "persistent" tasks

      • Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser
      • Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history
      • Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component
      • Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine
      • Record all the keystrokes, make screenshots
      • Execute additional encrypted modules according to a pre-defined schedule
      • Retrieve e-mail messages and attachments from Microsoft Outlook and from reachable mail servers using previously obtained credentials

      Examples of "one-time" tasks

      • Collect general software and hardware environment information
      • Collect filesystem and network share information, build directory listings, search and retrieve files by mask provided by the C&C server
      • Collect information about installed software, most notably Oracle DB, RAdmin, IM software including Mail.Ru agent, drivers and software for Windows Mobile, Nokia, SonyEricsson, HTC, Android phones, USB drives
      • Extract browsing history from Chrome, Firefox, Internet Explorer, Opera
      • Extract saved passwords for Web sites, FTP servers, mail and IM accounts
      • Extract Windows account hashes, most likely for offline cracking
      • Extract Outlook account information
      • Determine the external IP address of the infected machine
      • Download files from FTP servers that are reachable from the infected machine (including those that are connected to its local network) using previously obtained credentials
      • Write and/or execute arbitrary code provided within the task
      • Perform a network scan, dump configuration data from Cisco devices if available
      • Perform a network scan within a predefined range and replicate to vulnerable machines using the MS08-067 vulnerability
      • Replicate via network using previously obtained administrative credentials
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.