The report also notes that plugins were found which collect information about connected USB devices, the BIOS, the motherboard and the processor, but the purpose of collecting such data remained unclear. "Why would the attackers need information about USB devices and BIOS characteristics? Probably, based on particular USB devices and BIOS versions, they can load particular plugins to perform additional actions," the researchers said. "Possibly destructive ones, possibly for further infection of devices. We don't know yet."
Project SHINE development started mid-2008 and began ingesting raw data in mid-April 2012. It was initiated to determine a baseline of just how many SCADA/ICS devices and software products are directly connected to the Internet. At the time we started, many people said that the answer to our question would be "very few, if any."
To date, we have not reached a baseline (aka, "the bottom") in the total number of devices we discovered. The average number of new SCADA/ICS devices found every day is typically between 2000 and 8000. So far we have collected over 1,000,000 unique IP addresses that appear to belong to either SCADA and control systems devices or related software products.
These devices include the traditional SCADA/ICS equipment, such as RTUs, PLCs, IEDs/sensor equipment, SCADA/HMI servers, and DCS. Non-traditional SCADA/ICS devices
"We have observed over a hundred individual victims of these campaigns during our monitoring of the botnets," he blogged. "Approximately half of these victims are situated in Ukraine and half in Poland, and include a number of state organizations, various businesses, as well as targets which we were unable to identify. The spreading campaigns that we have observed have used either technical infection methods through exploitation of software vulnerabilities, social engineering through spear-phishing emails and decoy documents, or a combination of both."
In a whitepaper, researchers at F-Secure noted that in the summer of 2014, the firm saw samples of BlackEnergy targeting Ukrainian government organizations for the purposes of stealing information. These samples were nicknamed BlackEnergy 3 by F-Secure and identified as the work of a group the company refers to as "Quedagh." According to F-Secure, the group is suspected to have been involved in cyber-attacks launched against Georgia during that country's conflict with Russia in 2008.
"The Quedagh-related customizations to the BlackEnergy malware include support for proxy servers and use of techniques to bypass User Account Control and driver signing features in 64-bit Windows systems," according to the F-Secure whitepaper. "While monitoring BlackEnergy samples, we also uncovered a new variant used by this group. We named this new variant BlackEnergy 3."
Only Quedagh is believed to be using BlackEnergy 3, and it is not available for sale on the open market, noted Sean Sullivan, security advisor at F-Secure.
"The name [of the group] is based on a ship taken by Captain Kidd, an infamous privateer," he said. "It is our working theory that the group has previous crimeware experience. Its goals appear to be political but they operate like a crimeware gang. There have been several cases this year of which BlackEnergy is the latest. The trend is one of off-the-shelf malware being used in an APT [advanced persistent threat] kind of way. The tech isn't currently worthy of being called APT, but it's evolving and scaling in that direction."
"The use of BlackEnergy for a politically-oriented attack is an intriguing convergence of criminal activity and espionage," F-Secure notes in the paper. "As the kit is being used by multiple groups, it provides a greater measure of plausible deniability than is afforded by a custom-made piece of code."
BlackEnergy2 victims are widely distributed geographically. We identified BlackEnergy2 targets and victims in the following countries starting in late 2013. There are likely more victims.
Russia
Ukraine
Poland
Lithuania
Belarus
Azerbaijan
Kyrgyzstan
Kazakhstan
Iran
Israel
Turkey
Libya
Kuwait
Taiwan
Vietnam
India
Croatia
Germany
Belgium
Sweden
Victim profiles point to an expansive interest in ICS:
power generation site owners
power facilities construction
power generation operators
large suppliers and manufacturers of heavy power related materials
investors
Looks like the Ukrainians have been getting hammered by this BlackEnergy for a long time already.
// The global isNaN() first coerces its argument to Number, so anything that converts to NaN reports true
isNaN(NaN) // true
isNaN(undefined) // true
isNaN({}) // true
isNaN(new Date().toString()) // true
isNaN("words") // true
https://cys-centrum.com/ru/news/black_energy_2_3
https://habrahabr.ru/company/eset/blog/274469/
https://threatpost.ru/blackenergy-apt-group-spreading-malware-via-tainted-word-docs/14487/
https://threatpost.ru/zlovred-blackenergy-atakuet-avtomatizirovannye-sistemy-upravleniya/4514/
http://www.slideshare.net/devkambhampati/ics-cert-monitorsep2014feb2015
YARA signatures for BE2 and BE3: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
https://threatpost.ru/plaginy-zlovreda-blackenergy-ostavlyayut-za-soboj-destruktivnyj-sled/4600/
Perhaps this will be of more interest to you:
https://web.archive.org/web/20150511060634/http://grabberz.com/showthread.php?t=24418
I gave links above to two PDFs describing how BlackEnergy works, including the 3rd version.
http://almih.narod.ru/lib-en/pue/_a-b-b-c.html
In any case, today this is a standard situation.
https://www.shodan.io/search?query=scada
https://www.censys.io/ipv4?q=scada+energy
https://www.tofinosecurity.com/blog/project-shine-1000000-internet-connected-scada-and-ics-systems-and-counting
business.kaspersky.ru/blackenergy-2-horoshij-nabor-dlya-durnyh-del/2465
www.sentinelone.com/wp-content/uploads/2016/01/BlackEnergy3_WP_012716_1c.pdf
www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles