Elite hacker gang has unlimited supply of zero-day bugs
Group dubbed 'Elderwood' has exploited eight unpatched IE and Flash flaws in the last 20+ months
Computerworld - An elite hacker group targeting defense industry sub-contractors has an inexhaustible supply of zero-days, or vulnerabilities that have yet to be publicized, much less patched, Symantec said today.
In a blog post, the security firm said, "The group seemingly has an unlimited supply of zero-day vulnerabilities."
Symantec also laid out its analysis of the gang, which it said was behind a slew of attacks dubbed the "Elderwood Project," after a source code variable used by the hackers.
Among the group's distinguishing characteristics, said Orla Cox, senior manager at Symantec's security response division, is its exploitation of at least eight zero-day vulnerabilities since late 2010, and four in a 16-week span this spring and summer.
"We've never see a group use so many zero-days," said Cox in an interview today. "We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we've not seen before."
Stuxnet, first uncovered in 2010, relied on exploits of four different Windows zero-day vulnerabilities to infiltrate its targets, which most analysts now believe were Iranian nuclear fuel enrichment facilities.
Cox said that Symantec believes the hackers found the zero-days themselves, and did not purchase them from other sources.
According to Symantec's research, Elderwood exploited one zero-day in December 2010, three in 2011 and four this year during a stretch from April 24 through Aug. 15.
The 2010 zero-day attributed to the gang was notable: It was used by a Trojan horse called "Aurora" by most security experts, and pegged "Hydraq" by Symantec. Aurora was delivered using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies, including Google.
Google accused Chinese hackers of breaking into its network using Aurora, a charge that prompted the search giant to threaten a shut-down of its Chinese operations.
Symantec found links between the Aurora/Hydraq attacks of late 2009 and early 2010 with the campaigns that exploited eight zero-days over the last 20+ months.
The security company connected the dots between the various attack campaigns by comparing elements ranging from the underlying command-and-control (C&C) infrastructure; the way the code in each Trojan was obfuscated, or masked; and the apparent sharing of a single custom-built malware development platform, said Cox.
The Elderwood campaign's targets also provided clues that the exploits of the eight zero-days were connected.
Elderwood focuses on defense sub-contractors, second-tier companies that manufacture electronic or mechanical components that are then sold to first-tier defense firms.
Symantec believes that the attacks are aimed at sub-contractors because the attackers find them easier to exploit. After infecting Windows PCs there, the hackers use them to forge a beachhead in companies further up the supply chain.
The Elderwood gang specializes in finding and exploiting zero-days in Microsoft's IE browser and Adobe's Flash Player.
- Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief
- Cyberattacks could paralyze U.S., former defense chief warns
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Cyber drills like Quantum Dawn 2 vital to security in financial sector
- Quantum Dawn 2 will test Wall Street's cyber readiness
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts