In 2009, a group using the Hydraq (Aurora) Trojan horse began a series of high-profile attacks. Symantec has been monitoring the attacking group’s activities for the last three years as it has consistently targeted a number of industries. These attackers have used a large number of zero-day exploits not only against the intended target organization, but also against the supply chain manufacturers that service the company in their crosshairs. The attackers are systematic and re-use components of an infrastructure Symantec has termed the “Elderwood Platform”. The term “Elderwood” comes from the exploit communication used in some of the attacks. This attack platform enables them to deploy zero-day exploits quickly. Their methodology has always relied on spear phishing emails, but there is now an increased adoption of “watering hole” attacks (compromising websites likely to be visited by the target organization).
The “watering hole” attack is a clear shift in the attacking group’s method of operations. The concept is similar to a predator waiting at a watering hole: the predator knows that its prey will eventually have to come to the water, so rather than go hunting, it waits for the victims to come to it. Similarly, the attackers find a website that caters to a particular audience which includes the target they are interested in. Having identified this website, the attackers compromise it using a variety of means and inject an exploit into public pages that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed on their computer.
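Because a watering hole attack depends on injecting active content into pages the site owner did not author, one defensive check a site operator can run is to diff each served page against a known-good baseline copy and flag any script, iframe, embed or object reference (or inline script body) that was not there before, with extra weight on references to hosts outside the site’s own domain. The following is an added example written for this page; it is not code from Symantec, FireEye or the attackers’ toolkit, and the sample HTML, the `example.org` site name and the `example.invalid` host are constructed for illustration.

```python
"""Flag script/iframe/embed/object references and inline scripts that appear in a
served page but are absent from a known-good baseline copy of the same page.
Added example for this article; the sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

# Elements (and the attribute) through which active third-party content is loaded.
LOADERS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class _RefCollector(HTMLParser):
    """Collect external resource references and hashes of inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.refs = set()        # (tag, url) pairs for externally loaded content
        self.inline = set()      # sha256 digests of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in LOADERS and attrs.get(LOADERS[tag]):
            self.refs.add((tag, attrs[LOADERS[tag]].strip()))
        if tag == "script":
            # Only scripts without a src attribute carry an inline body.
            self._in_script = not attrs.get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False


def collect(html):
    """Parse one page and return (refs, inline_script_hashes)."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs, parser.inline


def find_injections(baseline_html, current_html, site_host):
    """Return a list of findings for content present now but absent from the baseline.

    site_host (assumed parameter) is the site's own hostname; relative URLs resolve to
    it, and any other host that is not a subdomain of it is marked external.
    """
    base_refs, base_inline = collect(baseline_html)
    cur_refs, cur_inline = collect(current_html)
    findings = []
    for tag, url in sorted(cur_refs - base_refs):
        host = urlparse(url).hostname or site_host
        external = host != site_host and not host.endswith("." + site_host)
        findings.append({"kind": f"new_{tag}", "url": url, "external": external})
    for digest in sorted(cur_inline - base_inline):
        findings.append({"kind": "new_inline_script", "sha256": digest, "external": False})
    return findings


# Constructed sample pages: a clean baseline and the same page with a hidden
# iframe and an extra inline script appended before </body>.
BASELINE_HTML = (
    '<html><head><script src="/js/app.js"></script></head>'
    '<body><p>Industry news</p><script>var x = 1;</script></body></html>'
)
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://example.invalid/ad.html" width="1" height="1"></iframe>'
    "<script>loadHelper();</script></body>",
)

if __name__ == "__main__":
    for finding in find_injections(BASELINE_HTML, INJECTED_HTML, "example.org"):
        print(finding)
```

In practice the baseline is captured from the content management system or source repository rather than from a live fetch, so that a compromised server cannot also poison the reference copy, and the check is run against pages as they are actually served (including any server-side includes), since that is where the injected content ends up.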
Symantec published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.
Security company FireEye reported Friday night that the CFR website had been compromised as early as Dec. 21 and was still hosting malware last Wednesday, the day after Christmas. Researchers there said the attackers were exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser.
“We can confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” wrote FireEye’s Darien Kindlund on the company’s blog. “We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time.”
Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in an email to Threatpost that the zero-day affects IE 6–8 and that the impact is limited.
“We will take appropriate action to help keep customers protected once our analysis is complete. People using Internet Explorer 9-10 are not impacted,” said Childs.
Plunkett, the head of the NSA’s Information Assurance Directorate, said, “we’re starting to see nation-state resources and expertise employed in what we would characterize as reckless and disruptive, destructive behaviors,” Reuters reported.
Even adversaries during the Cold War, who were always trying to spy on or disrupt each other, operated within boundaries, she said. “Some of today’s national cyber actors don’t seem to be bound by any sense of restraint,” she said.
Meanwhile, Symantec issued a report saying that Aurora, the group behind those attacks, which the company has dubbed the Elderwood gang because of some of the source code they used, has consistently targeted defense-related and other industries with “seemingly an unlimited number of zero-day exploits.”
Although Symantec’s report and Plunkett’s talk were not related, they both underscore the growth in international cyber activity.