This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. ... and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims' networks.

The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks. The threat actor uses the staging targets' networks as pivot points and malware repositories when targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as "intended target."

The threat actors in this campaign employed a variety of TTPs, including:

DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.

Stage 1: Reconnaissance Analysis also revealed that the threat actors used compromised staging target networks to conduct open-source reconnaissance to identify potential targets of interest and intended targets. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background. Once actors obtain valid credentials, they are able to masquerade as authorized users.

Stage 2: Weaponization Throughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office functions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]///Normal.dotm).
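A defender-side check for the remote-template behaviour described under weaponization, added here as an example that is not part of the alert: it opens a .docx (a zip archive) and flags relationships in the settings or document .rels parts that point off the local machine, such as an attachedTemplate target of the file://host/Normal.dotm form that Word would fetch over SMB when the document is opened. The sample document, the TEST-NET address and the function names are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the .rels parts where Word keeps template and
# document-level links; attachedTemplate (in settings.xml.rels) is the one that
# makes Word retrieve a remote .dotm when the file is opened.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_OF_INTEREST = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
# Targets that leave the local machine: file:// (SMB/UNC), raw UNC, HTTP(S), FTP.
REMOTE_TARGET = re.compile(r"^(file:|\\\\|https?:|ftp:)", re.IGNORECASE)

def remote_references(docx_bytes):
    """Return (relationship type, target) pairs for every external relationship
    whose target points to a remote host. An empty list means nothing was found."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in RELS_OF_INTEREST:
            if name not in z.namelist():
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    # Keep only the last path segment of the type URI, e.g. attachedTemplate
                    found.append((rel.get("Type", "").rsplit("/", 1)[-1], target))
    return found

def build_sample_docx(template_target):
    """Constructed minimal .docx holding only the parts the check inspects."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            f'officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # 203.0.113.5 is a constructed TEST-NET address, not an indicator from the alert.
    print(remote_references(build_sample_docx("file://203.0.113.5/Normal.dotm")))
```

Running the same check over a mail gateway's attachment quarantine gives a cheap triage signal: a template relationship that points at an external host is rare in legitimate documents and worth blocking outbound SMB for.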