Kaspersky Lab has published a new research report about NetTraveler, which is part of a family of malicious programmes used to compromise more than 350 high-profile victims in 40 countries.
The NetTraveler group has infected victims across multiple establishments in both the public and private sector including government institutions, embassies, the oil and gas industry, research centers, military contractors and activists.
According to Kaspersky Lab’s report, this threat actor has been active since as early as 2004: however, the highest volume of activity occurred from 2010 2013. Most recently, the NetTraveler group’s main domains of interest for cyberespionage activities include space exploration, nanotechnology, energy production, nuclear power, lasers, medicine and communications.
¬∑ Attackers infected victims by sending clever spear-phishing emails with malicious Microsoft Office attachments that are rigged with two highly exploited vulnerabilities (CVE-2012-0158 and CVE-2010-3333). Even though Microsoft already issued patches for these vulnerabilities they’re still widely used for exploitation in targeted attacks and have proven to be effective.
¬∑ The titles of the malicious attachments in the spear-phishing emails depict the NetTraveler group’s dogged effort of customising their attacks in order to infect high-profile target. Notable titles of malicious documents include:
o Army Cyber Security Policy 2013.doc
o Report – Asia Defense Spending Boom.doc
o Activity Details.doc
o His Holiness the Dalai Lama’s visit to Switzerland day 4
o Freedom of Speech.doc
Data Theft and Exfiltration:
¬∑ During Kaspersky Lab’s analysis, its team obtained infection logs from several of NetTraveler’s command and control servers (C&C). C&C servers are used to install additional malware on infected machines and exfiltrate stolen data. Kaspersky calculated the amount of stolen data stored on NetTraveler’s C&C servers to be more than 22 gigabytes.
¬∑ Exfiltrated data from infected machines typically included file system listings, keyloggs, and various types of files including PDFs, excel sheets, word documents and files. In addition, the NetTraveler toolkit was able to install additional info-stealing malware as a backdoor, and it could be customised to steal other types of sensitive information such as configuration details for an application or computer-aided design files.
Global Infection Statistics:
¬∑ Based on Kaspersky Lab’s analysis of NetTraveler’s C&C data, there were a total of 350 victims in 40 countries across including the United States, Canada, United Kingdom, Russia, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran, Turkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan, and Jordan.
¬∑ In conjunction with the C&C data analysis, Kaspersky Lab’s experts used the Kaspersky Security Network (KSN) to identify additional infection statistics. The top ten countries with victims detected by KSN were Mongolia followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany.
¬∑ During Kaspersky Lab’s analysis of NetTraveler, the company’s experts identified six victims that had been infected by both NetTraveler and Red October, which was another cyberespionage operation analysed by Kaspersky Lab in January 2013. Although no direct links between the NetTraveler attackers and the Red October threat actors were observed, the fact that specific victims were infected by both of these campaigns indicates that these high-profile victims are being targeted by multiple threat actors because their information is a valuable commodity to the attackers.
To read Kaspersky Lab’s full research analysis, including indicators of compromise, remediation techniques and details of NetTraveler and its malicious components, please visit Securelist.
Kaspersky Lab’s products detect and neutralize the malicious programmes and its variants used by the NetTraveler Toolkit, including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler. Kaspersky Lab’s products detect the Microsoft Office exploits used in the spear-phishing attacks, including Exploit.MSWord.CVE-2010-333,Exploit.Win32.CVE-2012-0158.
Telcos want one face
The investments that telecommunications service providers are making in reshaping their online properties into customer-centric portals reflects the growing maturity of self-service and Internet uptake in the industry, says KEVIN MELTZER of Consology.
Many telcos around the world are overhauling their websites to offer customers more holistic portals that give them a single point of entry into the organisation.
They are doing so because they recognise that service will be a key point of differentiation for their businesses in a market that is becoming increasingly competitive. They have also realised that they have a major opportunity to shift customers away from expensive contact centres towards low-cost electronic channels.
In the past, most telecommunications operators ran multiple sites across multiple domains and subdomains. These web-based properties were built around the way that telcos structured their own businesses rather than around the needs of the customer. But we are now seeing the leading operators take a more user-centric approach to the way that they design their web and mobile sites.
This coincides with a change in the industry from slicing customers into numerous segments and then serving them across a range of functional and product areas. For example, many operators split customers into prepaid and postpaid segments or voice and data users, distinctions that are becoming less meaningful in a world of technology convergence. They now want to present a single face to the customer rather than servicing the subscriber through silos.
These changes are starting to percolate through to operators’ customer service and sales strategies. Telcos are starting to pull together disparate products and services that once resided across multiple sites into customer service portals.
These sites put a wide range of information at the subscriber’s fingertips, he adds. Increasingly, for example, subscribers can log directly into their accounts from the operator’s homepage and then access a wealth of services and information. This marks an evolution from the fractured and inconsistent customer experience of the past.
Leading operators are even thinking about how their Self-Service platforms should be integrated with social media strategies to allow customers to pay their electronic bills or top up airtime with a single click from within a social network.
Whereas Self-Service portals on telco sites were once purely about account management functions, they increasingly offer far richer functionality. In addition to allowing subscribers to pay their bills and check their account information, they are also increasingly becoming the first stop for service and commerce.
Operators have started to recognise that splintering their e-commerce, service and account management functions simply makes no sense. Customers want to be able to do everything through one interface rather than needing to visit two or three Web sites, or eventually possibly needing to phone a call centre or visit a store for certain transactions.
Integrated and easy to use online customer service channels will be central for telco operators who want to be competitive in the markets of tomorrow. They form an advantage in an industry where it will be customer relationships rather than cost or service that drive loyalty and purchasing decisions.
Talk for less with MWEB Talk
Today, MWEB announced its consumer VoIP package called MWEB Talk, which allows users to make free network calls and get discounted rates made to landlines and mobile phones.
MWEB, today launched its new Voice over IP (VoIP) offering to South African consumers. The service, MWEB Talk, will offer users’ free on network calls to fellow MWEB Talk users’ and cheap calls to landline and mobile phone numbers. This follows the success and demand of the ISP’s existing VoIP products in recent months.
‚”We have seen a noticeable transformation in users’ Internet behaviour with consumers wanting services that complement their ADSL connectivity solution. We have seen phenomenal growth and by the end of the year will deliver over 100 million minutes on our VoIP platform,‚” says Carolyn Holgate, General Manager of MWEB Connect, the ISP’s Consumer and Small Office/ Home Office Division.
MWEB has made significant investments in its infrastructure and VoIP has been prioritised on its network to ensure performance and stability of the MWEB Talk service for both businesses and consumers.
‚”In addition to the high quality of the service, MWEB Talk is also simple to set-up and users’ should experience a significant reduction in their telephone bills. By implementing a VoIP service consumers and small businesses can cut their monthly telecommunication bills by up to 55% to landline and mobile numbers,‚” says Holgate.
With no subscription fee, existing MWEB customers can log into their MWEB account, register for the service and download the application for PC and Mac as well as mobile applications that turn an iPhone, Android, and Nokia smartphone into a VoIP phone. Customers will also be able to purchase a Desktop VoIP Handset for R99 which will be HD voice ready and will support multi-extensions.
‚”We believe that VoIP is the future of telephony in South Africa and we are extremely excited to see the consumer market shift into the VoIP space,‚” concludes Holgate.