ics-cert.kaspersky.com
Open in
urlscan Pro
185.105.225.103
Public Scan
URL:
https://ics-cert.kaspersky.com/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants...
Submission: On August 14 via api from DE — Scanned from DE
Submission: On August 14 via api from DE — Scanned from DE
Form analysis 4 forms found in the DOM
<form class="header__search-form">
<input type="text" class="header__input">
</form><form class="header__search-form">
<input type="text" class="header__input">
</form>POST #
<form class="modal-m__form form-subscription" method="POST" action="#">
<input type="hidden" name="Услуга" id="advisories_info">
<span class="modal-m__title">Подписка на рассылку</span>
<label class="modal-m__label">
<span>E-mail</span>
<input type="text" class="modal-m__input field__input input" id="email">
<div class="input--info"></div>
</label>
<div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy form-check">
<label for="vulnerabilities" class="checkbox__label modal-m__text"> Данные по уязвимостямо </label>
<input type="checkbox" class="checkbox__input visually-hidden" name="vulnerabilities" checked="" id="vulnerabilities">
<span class="checkbox__input-fake"></span>
</div>
<div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy">
<label for="threats" class="checkbox__label modal-m__text"> Информация об угрозах </label>
<input type="checkbox" class="checkbox__input visually-hidden" name="threats" checked="" id="threats">
<span class="checkbox__input-fake"></span>
</div>
<div class="arcs-modal__field-wrapper_checkbox field_checkbox checkbox modal-m__privacy">
<label for="condition" class="checkbox__label modal-m__text"> I agree to provide my contact information to Kaspersky Lab (first name, last name, email address, phone, country postal code) to be contacted by Kaspersky Lab sales representatives by
phone for a personalized offer that could be based, in particular, on geography and company size information provided; to receive information via email about Kaspersky Lab products and services including promotional offers, product updates and
premium assets like white papers, webcasts, videos, events etc.; to participate in surveys to vocalize opinion on various aspects of Kaspersky Lab business, in particular, about products, and technical support. I understand that I can withdraw
this consent at any time via unsubscribe link from email or via <a href="#" class="modal-m__link">
Privacy Policy </a>
</label>
<input type="checkbox" class="checkbox__input visually-hidden" name="condition" id="condition">
<span class="checkbox__input-fake"></span>
</div>
<div class="g-recaptcha" data-sitekey="6Lc4EwkUAAAAAMHZJ47EcbYQ2SNuyT-nYvVtRfqq">
<div style="width: 304px; height: 78px;">
<div><iframe title="reCAPTCHA"
src="https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lc4EwkUAAAAAMHZJ47EcbYQ2SNuyT-nYvVtRfqq&co=aHR0cHM6Ly9pY3MtY2VydC5rYXNwZXJza3kuY29tOjQ0Mw..&hl=de&v=3kTz7WGoZLQTivI-amNftGZO&size=normal&cb=a1fycqi8rwu5"
width="304" height="78" role="presentation" name="a-9uiwkbq4ucnd" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe>
</div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
</div><iframe style="display: none;"></iframe>
</div>
<br>
<button class="arcs-modal__form-button button-ajax" type="submit">
<span class="button__text">Подписаться</span>
</button>
</form>POST https://ics-cert.kaspersky.com/wp-content/themes/new_ics_cert/ajax/cookie-usage.php
<form action="https://ics-cert.kaspersky.com/wp-content/themes/new_ics_cert/ajax/cookie-usage.php" class="notification_form js-cookie-notification" method="post">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="cbde7fa9ed"><input type="hidden" name="_wp_http_referer" value="/publications/reports/2023/08/10/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/"> <input
type="hidden" name="agree" value="true">
<div class="notification_description">
<p>We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking
on <a class="external-link" href="https://www.kaspersky.com/web-privacy-policy" rel="nofollow">more information</a>.</p>
</div>
<button class="footer__download-key button_hover" style="border: none" type="submit">Accept and Close</button>
</form>Text Content
* Publications
* Services
* Advisories
* Events
* Statistics
English English Русский
English
English
Русский
* Publications
* Services
* Advisories
* Events
* Statistics
English English Русский
English
English
Русский
Contents:
* Stack of implants used to upload files to Dropbox
* Tools for manual exfiltration of stolen files
* Implant used to upload files via the Yandex email service
* Conclusion
* Recommendations
* Appendix I – Indicators of compromise
* Appendix II – MITRE ATT&CK Mapping
Filter
* Main
* Publications
* Reports
* Common TTPs of attacks against industrial organizations. Implants for
uploading data
* Common TTPs of attacks against industrial organizations. Implants for
uploading data
10 August 2023
COMMON TTPS OF ATTACKS AGAINST INDUSTRIAL ORGANIZATIONS. IMPLANTS FOR UPLOADING
DATA
*
*
*
*
Download PDF
* Stack of implants used to upload files to Dropbox
* Tools for manual exfiltration of stolen files
* Tool used to upload files to Yandex Disk
* Tool used to upload files to temporary file sharing services
* Implant used to upload files via the Yandex email service
* Conclusion
* Recommendations
* Appendix I – Indicators of compromise
* Stack of implants used to upload files to Dropbox
* MD5
* Tool used to upload files to Yandex Disk
* MD5
* Tool used to upload files to temporary file sharing services
* MD5
* IP/URL
* Implant used to upload files via the Yandex email service
* MD5
* Appendix II – MITRE ATT&CK Mapping
This is the third part of our research based on an investigation of a series of
attacks against industrial organizations in Eastern Europe.
The attackers aimed to establish a permanent channel for data exfiltration,
including data stored on air-gapped systems.
In total we have identified over 15 implants and their variants planted by the
threat actor(s) in various combinations.
The entire stack of implants used in attacks can be divided into three
categories based on their roles:
* First-stage implants for persistent remote access and initial data gathering
* Second-stage implants for gathering data and files, including from air-gapped
systems
* Third-stage implants and tools used to upload data to C2
In this part we present information on the four types of implants and two tools
used during the last (third) stage of the attacks discovered. The third-stage
implants were deployed by the threat actor(s) via the first-stage, as well as
the second-stage, implant.
Third-stage implants have much in common with the first-stage implants,
including the use of a cloud-based data storage (e.g. Dropbox, Yandex Disk),
code obfuscation, and the implementation of DLL hijacking techniques.
The full report is available on the Kaspersky Threat Intelligence portal.
For more information please contact ics-cert@kaspersky.com.
STACK OF IMPLANTS USED TO UPLOAD FILES TO DROPBOX
In the course of our research, we identified a stack of implants for uploading
files to Dropbox, designed to work in tandem with a second-stage file-gathering
implant.
The malware stack consists of three implants forming a straight execution chain
(which consists of three steps).
The first step is used for persistence, the deployment and startup of the
second-step malware module, which is responsible for uploading the files
collected to the server by calling the third-step implant and cleaning up.
This architecture allows the threat actor to change the execution flow by
replacing a single module in the chain. During our analysis, we identified five
variants of third-step and two variants of second-step implants deployed a few
months after the initial attack.
The very first variants of second-step implants in the chain were designed to
decrypt a third-step payload and inject it into a legitimate process (e.g.,
“msiexec.exe”). All variants of third-step payloads in this chain were almost
identical, except for the C2 address.
Second-step implant creating “msiexec.exe” to host the malicious payload
The C2 IP address in one of the third-step variants caught our attention because
it was a local IP address. This means that the threat actor deployed a C2 inside
the corporate perimeter and apparently used it as a proxy to exfiltrate data
from hosts that didn’t have direct access to the internet.
Third-step implant variant sending “.rar” files to some local C2
Later, the threat actor deployed a new variant of the second-step implant, whose
capabilities included looking up file names in the Outlook folder (i.e., email
account names), executing remote commands and uploading local or remote “.rar”
files to Dropbox by calling the third-step implant.
The table below summarizes all commands with which this second-step implant
expects to be executed (it terminates if called with no command-line arguments):
Command Parameters Description uploadlocal Call third-step implant to upload
local .rar files from “C:\ProgramData\NetWorks\ZZ” to a Dropbox folder and clean
up. Uploadremote [username] [domain] [SID] [host] [ntlm-hash] Copy .rar files
from ”C:\ProgramData\NetWorks\ZZ” on a remote machine to a local folder, then
delete files on the remote machine and call third-stage implant to upload local
.rar files to a Dropbox folder, then clean up checkoutlook [username] [domain]
[SID] [host] [ntlm-hash] Search for an Outlook folder on a local or remote host
and print file listing to stdout. Wmic [username] [domain] [SID] [host]
[ntlm-hash] [command] Execute a cmd command locally or remotely and log output
to the file “c:\windows\debug\out.txt”, then read the file and print its
contents to stdout, then delete the file “out.txt” (locally or remotely)
Before executing any remote command, the implant checks if the privileges are
sufficient to access the remote host by calling a tool named “libvlc.exe”, which
was not identified in the course of the research, with the following parameters:
username, domain, SID, hostname, and ntlm hash.
Using some unknown tool to check privileges to access a remote host
To upload local files, the second-step implant calls a third-step implant, which
is supposed to be already deployed on the machine either at the statically
defined path “c:/users/public/” or at the same path as the second-step implant.
Second-step implant starts a third-step implant (named “cl.exe”) to upload
“.rar” files to Dropbox
It should be noted that before calling the third-step implant to upload files,
the second-step implant prepends a custom header to each “.rar” file. The header
contains the name of the host which is the source of the file and the original
file name (which is simply the file creation date and a time). The threat actor
does this to avoid losing such metadata: when a file is uploaded to Dropbox, the
implant changes its name to a pseudorandom sequence of numbers.
All the third-step variants are designed to upload the “.rar” files collected to
Dropbox from “C:\ProgramData\NetWorks\ZZ” on the local machine. This operation
is performed as follows:
* Connect to Dropbox using an embedded OAuth token, create a folder with a name
matching that of the local machine.
* Upload a small “host” file, which contains basic information about the local
machine (machine name, user name, IP address, MAC address) encrypted with
RC4.
* Encrypt all “.rar” files with RC4 and upload them to Dropbox.
* Remove all “.rar” files located in “C:\ProgramData\NetWorks\ZZ” on the local
machine.
Along with the stack of implants described above, we have discovered a “.bat”
script file used to delete intermediate steps and artifacts in
“c:\Users\Public”. The script was probably used before updating the stack of
implants or if the threat actor decided to abandon an infected machine.
Batch CMD script used for cleanup
TOOLS FOR MANUAL EXFILTRATION OF STOLEN FILES
Along with various other implants, we discovered two tools used by the threat
actor for manual data exfiltration.
TOOL USED TO UPLOAD FILES TO YANDEX DISK
One tool, named “AuditSvc.exe”, was designed for uploading and downloading
arbitrary files to and from Yandex Disk. The OAuth token, file path and some
other parameters could be passed as command line arguments. Alternatively, the
parameters could be defined in a config file named “MyLog.ini”.
Tool used to upload data to Yandex Disk
TOOL USED TO UPLOAD FILES TO TEMPORARY FILE SHARING SERVICES
The second tool discovered, named “transfer.exe”, was designed to upload and
download arbitrary files to and from any of 16 supported temporary file sharing
services.
Service URL address imgonl(onl) https://img[.]onl/api/upload.php litterbox(lit)
https://litterbox.catbox[.]moe/resources/internals/api.php imgbb(ibb)
https://imgbb[.]com/ transfer(trs) https://transfer[.]sh schollz
https://share.schollz[.]com null(0x0) https://0x0[.]st/ tinyimg(tin)
https://tinyimg[.]io/upload gifyu(gif) https://gifyu[.]com/ imgshare(ims)
https://imgshare[.]io/ imgpile(imp) https://imgpile[.]com/ zippyimage(zip)
https://zippyimage[.]com/ extraimage(ext) https://extraimage[.]info/
picpaster(pic) https://upload.picpaste[.]me/ imaurupload(imu)
https://imgurupload[.]org sm.ms(sms) https://sm[.]ms/api/v2/upload
easycaptures(esy) https://easycaptures[.]com/upload_file_new.php
Along with various parameters designed for flexibility and optimization, the
tool can generate and use a client-side RSA key.
Commands and parameters accepted by “transfer.exe”
After uploading data, the tool creates a JSON file with the “upload_” prefix,
which contains a URL generated by the file sharing service to access the data
stored.
JSON log produced by the tool
The threat actor most probably used the tool manually or semi-manually to upload
logs and other files to file sharing services, while the resulting JSON
containing URLs could be uploaded by any of the first-stage implants described
in the first part of the article or by the implant designed to send a single
file, “111.log”, as an email attachment via the Yandex email service (that
implant is described below).
IMPLANT USED TO UPLOAD FILES VIA THE YANDEX EMAIL SERVICE
The implant designed to send files via the Yandex email service was downloaded
from Yandex Disk. It was also statically linked with libcurl.dll.
The implant is designed to exfiltrate a single file located at the static path
“C:\Users\Public\Downloads\111.log” (which was hard-coded into the implant). The
“.log” file is sent as an attachment to an email with the text “Download the
attachment pls.”. The implant formatted the email body and used the
“curl_perform” API of libcurl.dll to send the email via smtp.yandex.ru on TCP
465.
The file “111.log” is most probably produced by one of the previous-stage
implants and can contain the output of CMD commands or URLs for files uploaded
to a temporary data sharing service by a tool described above.
Code fragment from the implant’s main function
After a single attempt to send an email, the implant terminates. Such straight
execution flow and the absence of persistence capabilities may mean that the
implant was expected to be used as a tool rather than a self-sufficient service.
Nevertheless, the threat actor may possibly have used a simple task scheduling
technique to make it persistent and to have it executed periodically, as in the
case of FourteenHi variant “E”.
CONCLUSION
In this research we analyzed a broad set of implants used by the threat actor(s)
for remote access, to gather data and to upload data.
Abusing popular cloud-based data storages may allow the threat actor(s) to evade
security measures. At the same time, it opens up the possibility for stolen data
to be leaked a second time in the event that a third party gets access to a
storage used by the threat actor(s).
RECOMMENDATIONS
* Install security software with support for centralized security policy
management on all servers and workstations and keep the antivirus databases
and program modules of your security solutions up-to-date.
* Check that all security solution components are enabled on all systems and
that a policy is in place which requires the administrator password to be
entered in the event of attempts to disable protection.
* Consider using Allowlisting and Application Control technologies to prevent
unknown applications from being executed.
* Check that Active Directory policies include restrictions on user attempts to
log in to systems. Users should only be allowed to log in to those systems
which they need to access in order to perform their job responsibilities.
* Restrict network connections, including VPN, between systems on the OT
network; block connections on all those ports the use of which is not
required by the industrial process.
* Use smart cards (tokens) or one-time codes as the second authentication
factor when establishing a VPN connection. In cases where this is applicable,
use the Access Control List (ACL) technology to restrict the list of IP
addresses from which a VPN connection can be initiated.
* Train employees of the enterprise to use the internet, email, and other
communication channels securely and, specifically, explain the possible
consequences of downloading and executing files from unverified sources.
* Restrict the use of accounts with local administrator and domain
administrator privileges, with the exception of cases where such privileges
are necessary to perform the job responsibilities.
* Consider using a password management solution to manage the passwords of
local administrator accounts on all systems.
* Enforce a password policy that has password complexity requirements and
requires passwords to be changed on a regular basis.
* Consider using Managed Detection and Response class services to gain quick
access to high-level knowledge and expertise of security professionals.
* Use dedicated protection for the industrial process. Kaspersky Industrial
CyberSecurity protects industrial endpoints and enables network monitoring on
the OT network to identify and block malicious activity.
APPENDIX I – INDICATORS OF COMPROMISE
Note: The indicators in this section are valid at the time of publication.
The full version of indicators of compromise, including Yara rules, is available
in a .ioc file on the Kaspersky Threat Intelligence portal.
STACK OF IMPLANTS USED TO UPLOAD FILES TO DROPBOX
MD5
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
1A1B8EFE8D72984C4744662D2D233C02 (CrashReport.dll)
03C74722A8E6E5E7EA0A5ED0C9F23696 (a.exe)
19BC4620FB5DA10192676F01C3DC71B3 (cl.exe)
EE8AFC6F3BB68F86A64FC6389F2EDC3F (cl.exe)
F8553382DE7E1E349D8E91EDB7C57953 (cu.exe)
5137C61734E2096018CEE99149DAC009 (conhost.exe)
5660CB556D856D081A3DCD497549F47A (Rar2.exe)
976B59F170136B9C3C88BD9A8FC4CE4E (Rar3.exe)
D6CC6A4AF4720DAF8EEE0835D6E5D374 (Rar4.exe)
1A1B8EFE8D72984C4744662D2D233C02 (CrashReport.dll)
03C74722A8E6E5E7EA0A5ED0C9F23696 (a.exe) 19BC4620FB5DA10192676F01C3DC71B3
(cl.exe) EE8AFC6F3BB68F86A64FC6389F2EDC3F (cl.exe)
F8553382DE7E1E349D8E91EDB7C57953 (cu.exe) 5137C61734E2096018CEE99149DAC009
(conhost.exe) 5660CB556D856D081A3DCD497549F47A (Rar2.exe)
976B59F170136B9C3C88BD9A8FC4CE4E (Rar3.exe) D6CC6A4AF4720DAF8EEE0835D6E5D374
(Rar4.exe)
1A1B8EFE8D72984C4744662D2D233C02 (CrashReport.dll)
03C74722A8E6E5E7EA0A5ED0C9F23696 (a.exe)
19BC4620FB5DA10192676F01C3DC71B3 (cl.exe)
EE8AFC6F3BB68F86A64FC6389F2EDC3F (cl.exe)
F8553382DE7E1E349D8E91EDB7C57953 (cu.exe)
5137C61734E2096018CEE99149DAC009 (conhost.exe)
5660CB556D856D081A3DCD497549F47A (Rar2.exe)
976B59F170136B9C3C88BD9A8FC4CE4E (Rar3.exe)
D6CC6A4AF4720DAF8EEE0835D6E5D374 (Rar4.exe)
TOOL USED TO UPLOAD FILES TO YANDEX DISK
MD5
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
5C3A88073824A1BCE4359A7B69ED0A8D (AuditSvc.exe)
5C3A88073824A1BCE4359A7B69ED0A8D (AuditSvc.exe)
5C3A88073824A1BCE4359A7B69ED0A8D (AuditSvc.exe)
TOOL USED TO UPLOAD FILES TO TEMPORARY FILE SHARING SERVICES
MD5
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
8BA9EE9FD6BD4B9304F7FB868CE975D8 (transfer.exe)
8BA9EE9FD6BD4B9304F7FB868CE975D8 (transfer.exe)
8BA9EE9FD6BD4B9304F7FB868CE975D8 (transfer.exe)
IP/URL
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
img[.]onl/api/upload.php
litterbox.catbox[.]moe/resources/internals/api.php
imgbb[.]com
transfer[.]sh
share.schollz[.]com
0x0[.]st/
tinyimg[.]io/upload
gifyu[.]com/
imgshare[.]io
imgpile[.]com/
zippyimage[.]com
extraimage[.]info
upload.picpaste[.]me
imgurupload[.]org
sm[.]ms/api/v2/upload
easycaptures[.]com/upload_file_new.php
img[.]onl/api/upload.php litterbox.catbox[.]moe/resources/internals/api.php
imgbb[.]com transfer[.]sh share.schollz[.]com 0x0[.]st/ tinyimg[.]io/upload
gifyu[.]com/ imgshare[.]io imgpile[.]com/ zippyimage[.]com extraimage[.]info
upload.picpaste[.]me imgurupload[.]org sm[.]ms/api/v2/upload
easycaptures[.]com/upload_file_new.php
img[.]onl/api/upload.php
litterbox.catbox[.]moe/resources/internals/api.php
imgbb[.]com
transfer[.]sh
share.schollz[.]com
0x0[.]st/
tinyimg[.]io/upload
gifyu[.]com/
imgshare[.]io
imgpile[.]com/
zippyimage[.]com
extraimage[.]info
upload.picpaste[.]me
imgurupload[.]org
sm[.]ms/api/v2/upload
easycaptures[.]com/upload_file_new.php
IMPLANT USED TO UPLOAD FILES VIA THE YANDEX EMAIL SERVICE
MD5
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
971B0687C8281778B28721239801084E (qclite.dll)
971B0687C8281778B28721239801084E (qclite.dll)
971B0687C8281778B28721239801084E (qclite.dll)
APPENDIX II – MITRE ATT&CK MAPPING
The table below contains all the TTPs identified in the analysis of the activity
described in this report.
Tactic Technique Number Technique Name and Description Initial Access T1566.001
Phishing: Spearphishing Attachment
Threat actors used lure documents to deploy off-the-shelf spyware. Execution
T1204.002 User Execution: Malicious File
A system is infected when the user runs the malware believing it to be a
legitimate document. T1059.003 Command and Scripting Interpreter: Windows
Command Shell
Uses cmd.exe to execute multiple commands. T1106 Native API
Uses CreateProcessW function to execute Windows Command Line T1053.005 Scheduled
Task/Job: Scheduled Task
Malware is executed via a Windows task created by the threat actor. Persistence
T1547.001 Registry Run Keys / Startup Folder:
Malware achieves persistence by adding itself to the Registry as a startup
program. T1543.003 Create or Modify System Process: Windows Service
Installs itself as a service to achieve persistence. T1053.005 Scheduled
Task/Job: Scheduled Task
Malware is executed via a Windows task created by the threat actor. Defense
Evasion T140 Deobfuscate/Decode Files or Information
Uses an RC4 key to decrypt the malware configuration as well as communication.
T1055.002 Process Injection: Portable Executable Injection
Malware injects itself into various legitimate processes upon execution
(msiexec.exe, svchost.exe). T1497.001 System Checks
Employs various system checks to detect and avoid virtualization and analysis
environments. T1497.003 Time Based Evasion
Employs various time-based methods to detect and avoid virtualization and
analysis environments. T1574.002 Hijack Execution Flow: DLL Side-Loading
Threat actors abused a legitimate application binary to load a malicious DLL.
Discovery T1083 File and Directory Discovery
The malware attempts to discover files of various types (.doc, .docx, .xls,
.xlsx, .ppt, .pptx, .pdf, .rtf, .eml). T1016 System Network Configuration
Discovery
Threat actors use the netstat and ipconfig utilities to get local network
interface configuration and enumerate open ports. T1033 System Owner/User
Discovery
Threat actors use the systeminfo, whoami, and net utilities to get information
about the user and the infected system. T1057 Process Discovery
Threat actors use tasklist to enumerate running processes. Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Malware uses HTTPS and raw TCP for communication with C2. T1573.001 Encrypted
Channel: Symmetric Cryptography
Malware uses RC4 and SSL TLS v3 (by libssl.dll) to encrypt communication.
Credential Access T1003.004 OS Credential Dumping: Cached Domain Credentials
Threat actors use Mimikatz and Reg to extract cached credentials. Collection
T1005 Data from Local System
Malware designed to collect and exfiltrate arbitrary data, including air-gapped
systems, by abusing removable devices. Exfiltration T1041 Exfiltration Over C2
Channel
Threat actors exfiltrate data using Dropbox, Yandex Disk, Yandex email and
temporary file sharing services as a C2 channel
Authors
* Kirill Kruglov
Senior Research Developer, Kaspersky ICS CERT
* Vyacheslav Kopeytsev
Senior Security Researcher, Kaspersky ICS CERT
* Artem Snegirev
Security Researcher, Kaspersky ICS CERT
DLL hijacking
FourteenHi
cloud services
APT
*
*
*
*
DLL hijacking
FourteenHi
cloud services
APT
Download PDF
See also
* Common TTPs of attacks against industrial organizations. Implants for
gathering data
31 July 2023
* Common TTPs of attacks against industrial organizations. Implants for remote
access
20 July 2023
* Why APTs are so successful – stories from IR trenches
30 May 2023
Back to top
See also
* Common TTPs of attacks against industrial organizations. Implants for
gathering data
31 July 2023
* Common TTPs of attacks against industrial organizations. Implants for remote
access
20 July 2023
* Why APTs are so successful – stories from IR trenches
30 May 2023
Подписка на рассылку E-mail
Данные по уязвимостямо
Информация об угрозах
I agree to provide my contact information to Kaspersky Lab (first name, last
name, email address, phone, country postal code) to be contacted by Kaspersky
Lab sales representatives by phone for a personalized offer that could be based,
in particular, on geography and company size information provided; to receive
information via email about Kaspersky Lab products and services including
promotional offers, product updates and premium assets like white papers,
webcasts, videos, events etc.; to participate in surveys to vocalize opinion on
various aspects of Kaspersky Lab business, in particular, about products, and
technical support. I understand that I can withdraw this consent at any time via
unsubscribe link from email or via Privacy Policy
Подписаться
A global project run by Kaspersky to coordinate the efforts of industrial
automation system vendors and industrial facility owners and operators.
RSS feed
* Publications
* Services
* Advisories
* Statistics
* Events
* About
Download PGP/GPG key
Authorized to Use CERT™
CERT is a mark owned by
Carnegie Mellon University
© 2023 AO Kaspersky Lab
Privacy policy
If you have any questions remaining, please email us at ics-cert@kaspersky.com
We use cookies to make your experience of our websites better. By using and
further navigating this website you accept this. Detailed information about the
use of cookies on this website is available by clicking on more information.
Accept and Close
We'd like to show you notifications for the latest news and updates.
AllowCancel