Mustang Panda – stealthy war horse not crashing cartoon caper

There has been recent news from the computer security vendor ESET UK and our friends at CyberOwl that the APT known as Mustang Panda has left evidence of its KorPlug loaders on computers owned by shipping companies in Norway, Greece and the Netherlands.

Issues of interest

- initial infection by USB key

- up-to-date AV has the signatures

- malware provides remote access

- hitherto purely espionage flavour - but access is access

It’s that old USB again

You will reduce your chance of infection significantly by ensuring that you block USB ports. Where use of a USB port is essential, you should scrub your USB keys before you use them, and check their contents against up-to-date anti-virus and anti-malware every time you use them. The signatures of the infection are known and can be blocked by up-to-date antivirus.

Advanced Persistent Threat - persistence and patience

This APT group has been around a long time and is known to have a track record of intelligence-related activity. The implication is that it did not wish to be identified: its trade is the stealthy and covert exfiltration of data.

Whilst some have pointed fingers at both the origin and the beneficiary of this software, at this point we think it is more important to understand what the malware does, which is currently about gaining unauthorised access to target systems and then sitting there undetected. While there is some comfort to be drawn perhaps from the fact that ships weren’t intentional targets, we cannot rely on this to remain the case going forward.

This is a vivid example of systems being penetrated long before action is taken to obtain the intelligence information that is being sought. Access is access: as John T Chambers (former CEO of Cisco Systems) is quoted as saying, ‘there are only two kinds of organisations: those that have been hacked and those that don’t know it yet’.

What’s the lesson?

1. Whilst the attack may look sophisticated, it’s not a zero day - something can be done about it.

2. USB keys are one of your weakest links. Please ensure that you’re not breaching the terms of your insurance cover, or permitting your employees to breach your policies and procedures. We believe that most shipping companies have banned or are phasing out their use of USB keys. But it only takes one.

3. Monitor everything - and if something looks odd, do something about it quickly, and, most importantly:

4. Call us at @Astaara if you need to talk (#astaaracyber #resilienceandrecovery)
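The two controls the article leans on, blocking removable storage and monitoring for anything odd, can both be checked from one script on a Windows endpoint. The following is an added example, not code from the article or from Astaara; it assumes it is run elevated on Windows 10/11, uses the standard "All Removable Storage classes: Deny all access" policy location, and assumes the host has "Audit PNP Activity" enabled so that Security event 6416 is logged on device arrival.

```powershell
# Added example (not from the article): audit, and optionally enforce, the Windows
# removable-storage deny policy, then list USB storage devices the host has seen.
param([switch]$Enforce)

# Standard registry location written by the Group Policy
# "All Removable Storage classes: Deny all access".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    if (-not (Test-Path $PolicyKey)) { return 'Not configured (removable storage allowed)' }
    $v = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    if ($v -and $v.Deny_All -eq 1) { return 'Deny_All = 1 (all removable storage blocked)' }
    return 'Key present but Deny_All not set (removable storage allowed)'
}

function Set-RemovableStorageDenyAll {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Applies to newly arriving devices; a volume that is already mounted stays
    # accessible until it is removed.
}

function Get-UsbStorageDevices {
    # USBSTOR-enumerated disks Windows has ever installed, present or not:
    # a quick way to spot keys that were plugged into a host that should have none.
    Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

function Get-RecentDeviceArrivals([int]$Max = 20) {
    # Security event 6416 ("A new external device was recognized by the system")
    # is only written when the "Audit PNP Activity" subcategory is enabled (assumption).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Write-Host "Removable storage policy: $(Get-RemovableStoragePolicy)"
if ($Enforce) {
    Set-RemovableStorageDenyAll
    Write-Host "After enforcement: $(Get-RemovableStoragePolicy)"
}
Write-Host "`nUSB storage devices known to this host:"
Get-UsbStorageDevices | Format-Table -AutoSize
Write-Host "`nRecent external device arrivals (Security 6416):"
Get-RecentDeviceArrivals | Format-Table -AutoSize
```

Run it without `-Enforce` first to see where a fleet stands; a host that reports the policy as "allowed" alongside a list of USBSTOR entries is exactly the combination the article warns about.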
