Researchers have analyzed servers compromised by the infamous hacker group known as Energetic Bear in recent years.
They have been around since 2010. The group is also known as Dragonfly and Crouching Yeti, and their primary targets are companies in the energy and industrial sectors.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) linked the group to the Russian government.
Last month, the same hackers compromised a Cisco router and abused it to steal credentials that allowed them to carry out attacks targeting energy companies in the United Kingdom.
The servers researchers analyzed are scattered around the world in Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States.
Systems can be protected against this kind of cyber attack by running a reputable security product such as an antivirus.
Depending on which operating system your device runs, install an antivirus for Windows or an antivirus for Mac. Companies should additionally run penetration tests and ethical hacking tests on their networks to stay secure.
Most of the compromised servers were used to launch watering hole attacks, while the remaining ones were employed to collect the user data harvested in those attacks, and some were used for tool hosting.
Energetic Bear has extracted various data from users worldwide, such as IP addresses, usernames, domain names, and the NTLM hash of the user's password.
Most of the stolen resources were from Russia, Ukraine, Turkey, Brazil, Georgia, Kazakhstan, Switzerland, U.S., France, and Vietnam.
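The data listed above (client IP, username, domain and NTLM hash) is what a host leaks when it is coaxed into authenticating over SMB to a server the attacker controls, which is the purpose of the SMBTrap tool found on the compromised servers. A practical defensive check is therefore to look for internal hosts opening SMB connections (TCP 445 or 139) to addresses outside the corporate network. The following Python script is an added example, not code from the article or from any of the researchers it cites; the log format, the field names and the log lines themselves are constructed for the example, and the documentation ranges 203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 stand in for public hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines in a simplified key=value layout (assumption:
# a real deployment would map the fields of its own firewall or proxy format).
SAMPLE_LOG = """\
2018-04-20T09:01:12Z action=allow proto=tcp src=10.20.1.15 dst=10.20.1.5 dport=445
2018-04-20T09:02:40Z action=allow proto=tcp src=10.20.1.15 dst=203.0.113.77 dport=445
2018-04-20T09:02:41Z action=allow proto=tcp src=10.20.1.16 dst=203.0.113.77 dport=445
2018-04-20T09:03:05Z action=allow proto=tcp src=10.20.1.15 dst=198.51.100.9 dport=443
2018-04-20T09:04:10Z action=allow proto=tcp src=10.20.1.17 dst=192.0.2.33 dport=139
2018-04-20T09:05:00Z action=deny proto=tcp src=10.20.1.18 dst=203.0.113.77 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# SMB runs on 445 directly and on 139 over NetBIOS session service.
SMB_PORTS = {445, 139}

# RFC 1918 space is treated as internal; everything else is treated as
# external. This deliberately avoids ipaddress.is_global(), which classifies
# the documentation ranges used in the sample as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text):
    """Return {external_dst: [internal sources]} for allowed SMB connections leaving the network.

    Only 'allow' events count: a denied connection means the hash was never sent.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "allow" or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in SMB_PORTS:
            continue
        # Internal client talking to a non-internal SMB server is the signal.
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        hits[rec["dst"]].add(rec["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


if __name__ == "__main__":
    for dst, srcs in find_outbound_smb(SAMPLE_LOG).items():
        print(f"outbound SMB to {dst} from {len(srcs)} host(s): {', '.join(srcs)}")
```

Grouping by destination matters more than the raw event count: several internal hosts reaching the same external SMB server within minutes is the footprint of a watering hole page that embeds a UNC path, and that destination is the one to block at the perimeter. The usual preventive control is simply to deny outbound TCP 445 and 139 at the edge, after which the same query should return nothing.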
In one of the compromised servers, cybersecurity researchers have found multiple open-source and publicly available tools, including Nmap (network analysis), Dirsearch (brute forcing directories and files on websites), Sqlmap (SQL injection exploitation), Sublist3r (enumerates website subdomains), Wpscan (WordPress vulnerability scanner), Impacket, SMBTrap, Commix (vulnerability search and command injection), Subbrute (subdomain enumeration), PHPMailer (mail sending), and a custom Python script named ftpChecker.py capable of checking FTP hosts from an incoming list.
The researchers also found malicious PHP files and a modified sshd with a preinstalled backdoor.
The backdoor is similar to a tool publicly available on GitHub and can be compiled on any OS.
The hackers logged on to the server at the same time of day and checked the smbtrap log file on working days.
In most cases, the security researchers determined that the group performed tasks related to searching for vulnerabilities, gaining persistence, and stealing authentication data.
Here are some tips for implementing and maintaining a good and healthy cybersecurity solution:
Regarding individual users: depending on which operating system your device runs, install an antivirus for Windows or an antivirus for Mac.
Regarding companies: hire a professional cybersecurity firm to run security tests on your company's network and implement the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and ethical hacking tests.