Online Hacker Group Anonymous claims that they intend to launch a series of attacks on the world’s oil industry, under the operation codename #OpPetrol, as a response to the fact that oil is traded with the US dollar instead of the currency of the country where it was harvested.
While June 20th(US Time) is the day that most attacks are expected to occur and be made public, the group has already begun mobilising since last month. The online attack is expected to target the United States, Canada, England, Italy, France, Germany, Israel, Russia, China and the governments of Saudi Arabia, Kuwait and Qatar.
According to Anonymous, approximately 1,000 websites, 35,000 email credentials, and more than 100,000 Facebook accounts have been compromised as a part of the #OpPetrol operation. In addition, online security vendor Trend Micro has found that compromised systems (botnets) are already hitting websites of the intended targets, possibly as part of a distributed denial-of-service (DDoS) attack.
The particular malware being used to direct infected systems to attack the intended targets is a backdoor trojan known as CYCBOT, which allows attackers unauthorized access and control of an affected computer. After a computer is infected, the trojan connects to a specific remote servers – also known as Command & Control (C&C) servers, to receive commands from attackers. The trojan allows attackers to perform backdoor functions such as launching a DDoS attack or retrieve information from the infected computer. Most importantly, the trojan can disable security-related processes that are running on the system.
Trend Micro researchers have found a significant number of government websites in Kuwait, Qatar, and Saudi Arabia – sites that were in the #OpPetrol target list — have already gone offline. Trend Micro recommends that organizations should partner with local telecommunication service provider to monitor and mitigate a DDoS attacks, and look for any sign of a breach or network compromised by monitoring for C&C communications inside their network.
Trend Micro also revealed Gaps and Challenges with Conventional Security Controls:
- Traditional perimeter security defense are insufficient. Coupled with social engineering techniques, spear-phishing attacks are penetrating perimeters and injecting backdoor trojans inside your network.
- Signature-based anti-virus solutions are useless against customized malware that are tested before putting into actions.
- Exploitation of known or zero-day system vulnerabilities will continue, as attackers bet on the fact that organizations can’t patch systems fast enough.
- Once inside your network, backdoor agents evade detection, steal credentials, establish additional footholds, and perform network reconnaissance to locate assets of interest.
Best Practices Against Targeted Cyber Attacks:
Under the assumption that we will be compromised, organizations must improve detection capabilities that provide visibility of a breach, and establish an incident response process/plan that can quickly mitigate and minimize the impact.
People:
– Educate employee around the risk of sharing too much information on social networking and how it relates to spear-phishing attacks tactics.
– Improve forensic and threat analysis capability within IT security team
Process:
– Remove administrative privilege for most end-users
– Shutting down vulnerabilities early
– Establish incident response plan and team
– Centralize monitoring of security events and logs
Technology:
– Detect & block spear-phishing attempts at the perimeter
– Increase visibility of C&C communication on the network
– Add vulnerability shielding capability to mission critical systems to
– Employ customizable sand-boxing capability to analyze zero-day customized malware
– Monitor critical systems for unauthorized changes with file integrity monitoring
Further information of this threat can be found on the Trend Micro blog.