Electricity and Control May 2020
CYBERSECURITY
Malicious Trojan uncovered

In March, Kaspersky’s Global Research and Analysis Team (GReAT) reported a targeted campaign, uncovered in the Middle East, that distributes Milum, a Trojan giving its operators remote control of devices in various organisations, including those in the industrial sector. The operation is still active and has been dubbed WildPressure.

Advanced persistent threats (APTs) are commonly associated with the most sophisticated types of cyberattack. Quite often the attacker secretly gains long-term access to a system in order to steal information or disrupt its normal operation. Such attacks are typically created and deployed by actors with access to large financial and professional resources. As such, WildPressure quickly gained the attention of Kaspersky’s researchers.

So far the team has identified several almost identical samples of the Milum Trojan that share no code similarities with any known malicious campaign. All have fully fledged remote-management capabilities, so once a system is infected an attacker can control it from anywhere. In particular, the Trojan can:
- Download and execute commands from its operator
- Collect various information from the infected machine and send it to the command-and-control server
- Upgrade itself to a newer version.

Kaspersky’s GReAT team first observed Milum spreading in August 2019. Analysis of the malware’s code showed that the first three samples were created in March 2019. Based on available telemetry, Kaspersky’s researchers believe most of the targets of this campaign are located in the Middle East and that the campaign is ongoing. Much is still unclear, however, including the exact mechanism by which Milum is spread.

Senior Security Researcher Denis Legezo says: “Any time the industrial sector is being targeted, it’s concerning. Analysts need to pay attention because the consequences of an attack against an industrial target can be devastating. So far, we haven’t seen any clues that would support the idea that the attackers behind WildPressure have intentions beyond gathering information from the targeted networks. However, the campaign is still actively developing; we’ve already discovered new malicious samples apart from the three originally discovered. At this point, we don’t know what will happen as WildPressure develops, but we will be continuing to monitor its progression.”

To protect systems against targeted attacks, Kaspersky’s experts recommend that organisations:
- Update all software regularly, and in particular whenever a new security patch is released. Security products with vulnerability assessment and patch management capabilities can help automate this process.
- Choose a proven security solution, such as Kaspersky Endpoint Security, equipped with behaviour-based detection for effective protection against known and unknown threats, including exploits.
- In addition to essential endpoint protection, deploy a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- Give staff basic cybersecurity training, as many targeted attacks start with phishing or other social-engineering techniques.
- Make sure the security team has access to the most recent cyber threat intelligence. Private reports on the latest developments in the threat landscape are available to customers of Kaspersky APT Intelligence Reporting.
For more information visit: www.kaspersky.co.za
WildPressure has been identified by Kaspersky as an Advanced Persistent Threat operation spreading a Trojan called Milum.