The UK’s National Cyber Security Centre (NCSC) has warned of an ongoing attack campaign against multiple companies in the Critical National Infrastructure (CNI) supply chain, with the hostile activity focused on engineering and industrial control companies.
The campaign, ongoing since March 2017, has involved harvesting NTLM credentials over Server Message Block (SMB) connections that victims were induced to make through strategic web compromises and spear-phishing.
Target networks are attacked in one of two main ways, the NCSC said in a comprehensive advisory published on Thursday.
1 – The attacker carries out a watering hole attack, compromising a website of interest to the target and adding a link to a resource located on a malicious fileserver, so that visiting hosts try to fetch it from that server.
2 – The attacker sends a spear-phishing email from a compromised account containing a document of interest. In several instances the document was a stolen CV, configured to load a remote template from the malicious fileserver when opened.
On the fileserver the attacker runs Inveigh, a publicly available PowerShell SMB/HTTP man-in-the-middle tool, and harvests the NTLM hashes sent by target hosts as they attempt to authenticate and load those resources; the captured challenge-responses can then be cracked offline or relayed.
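The remote-template trick used in the spear-phishing vector above is detectable before the document is opened, because Word records the attached template as a relationship inside the .docx package. The following Python scanner is an added example written for this article, not NCSC advisory text nor Inveigh's or any vendor's code: it reads the attachedTemplate relationship in word/_rels/settings.xml.rels, classifies the target as SMB (UNC or file://host), HTTP or local, and flags those that point at a host outside the network. The sample document, the host names files.example.net and fileserver, and the heuristic that private IPs and single-label names count as internal are assumptions constructed for the example.

```python
"""
Hypothetical scanner for the document vector described above: a Word file
whose settings relationships point the attached template at a remote
fileserver, so that Word fetches it over SMB (UNC / file://) or HTTP and
the client authenticates, leaking an NTLM hash to the listener.

Added example for this article; not NCSC's, Inveigh's or any vendor's code.
The sample .docx and the host names (files.example.net, 'fileserver') are
constructed here so the script runs offline.
"""
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
# Part that carries the attachedTemplate relationship in a .docx/.dotx
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def classify_target(target):
    """'smb' for UNC or file://host paths, 'http' for web URLs, else 'local'."""
    t = target.strip()
    if t.startswith("\\\\"):
        return "smb"
    u = urlparse(t)
    if u.scheme == "file":
        return "smb" if u.netloc else "local"   # file:///C:/... is a local path
    if u.scheme in ("http", "https"):
        return "http"
    return "local"


def remote_host(target):
    """Host portion of a UNC path or URL; '' for local paths."""
    t = target.strip()
    if t.startswith("\\\\"):
        return t[2:].replace("/", "\\").split("\\", 1)[0]
    return urlparse(t).hostname or ""


def is_internal(host):
    """Heuristic (assumption): private IPs and single-label names are internal."""
    if not host:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host


def find_remote_templates(docx_bytes):
    """List every External attachedTemplate relationship with its classification."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("Type") != TEMPLATE_REL or rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            host = remote_host(target)
            findings.append({"target": target, "kind": classify_target(target),
                             "host": host, "internal": is_internal(host)})
    return findings


def suspicious_templates(docx_bytes):
    """Only templates fetched over SMB/HTTP from a host outside the network."""
    return [f for f in find_remote_templates(docx_bytes)
            if f["kind"] != "local" and not f["internal"]]


def build_sample_docx(template_target):
    """Construct a minimal .docx containing only the parts the scanner reads."""
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                'wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats'
                '.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (REL_NS, TEMPLATE_REL, template_target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: CV whose template lives on an external SMB share
    lure = build_sample_docx("\\\\files.example.net\\public\\cv.dotm")
    for f in suspicious_templates(lure):
        print("remote template via %s from %s: %s" % (f["kind"], f["host"], f["target"]))
```

A template loaded from an internal share such as \\fileserver\templates\corp.dotm is normal corporate behaviour and is deliberately not flagged; the event worth hunting is a .dotm pulled over SMB or HTTP from a host the organisation does not own. The same classify_target check applies to links found on a suspected watering-hole page. Note that blocking outbound TCP 445 at the perimeter stops only the SMB leg: an HTTP target that demands NTLM authentication leaks the same credential, so the HTTP case must be flagged too.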
The group behind the activity has been tracked by threat intelligence companies under the names Berserk Bear, Energetic Bear, Dragonfly, Havex and Crouching Yeti.
Piers Wilson, Head of Product Management at Huntsman Security, said in an emailed statement: “Organisations must accept that traditional defences – firewalls, anti-virus etc. – are simply not enough and emphasis needs to shift away from just blocking attackers, to intelligent and rapid detection, containment and mitigation as soon as an attack begins. In the digital age, everyone – from the government and critical infrastructure organisations to businesses and charities – needs to accept that they can’t stop every attack at the boundary. Shifting focus will help to keep them and the rest of the UK safe.”
For mitigation, the NCSC listed the following approaches.