Elite hacker gang has unlimited supply of zero-day bugs
Group dubbed 'Elderwood' has exploited eight unpatched IE and Flash flaws in the last 20+ months
Computerworld - An elite hacker group targeting defense industry sub-contractors has an inexhaustible supply of zero-days, or vulnerabilities that have yet to be publicized, much less patched, Symantec said today.
In a blog post, the security firm said, "The group seemingly has an unlimited supply of zero-day vulnerabilities."
Symantec also laid out its analysis of the gang, which it said was behind a slew of attacks dubbed the "Elderwood Project," after a source code variable used by the hackers.
Among the group's distinguishing characteristics, said Orla Cox, senior manager at Symantec's security response division, is its exploitation of at least eight zero-day vulnerabilities since late 2010, and four in a 16-week span this spring and summer.
"We've never seen a group use so many zero-days," said Cox in an interview today. "We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we've not seen before."
Stuxnet, first uncovered in 2010, relied on exploits of four different Windows zero-day vulnerabilities to infiltrate its targets, which most analysts now believe were Iranian nuclear fuel enrichment facilities.
Cox said that Symantec believes the hackers found the zero-days themselves, and did not purchase them from other sources.
According to Symantec's research, Elderwood exploited one zero-day in December 2010, three in 2011 and four this year during a stretch from April 24 through Aug. 15.
The 2010 zero-day attributed to the gang was notable: It was used by a Trojan horse that most security experts call "Aurora" and that Symantec named "Hydraq." Aurora was delivered using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies, including Google.
Google accused Chinese hackers of breaking into its network using Aurora, a charge that prompted the search giant to threaten a shut-down of its Chinese operations.
Symantec found links between the Aurora/Hydraq attacks of late 2009 and early 2010 and the campaigns that exploited eight zero-days over the last 20+ months.
The security company connected the dots between the various attack campaigns by comparing several elements: the underlying command-and-control (C&C) infrastructure, the way the code in each Trojan was obfuscated, or masked, and the apparent sharing of a single custom-built malware development platform, said Cox.
The Elderwood campaign's targets also provided clues that the exploits of the eight zero-days were connected.
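The overlap-based linking Cox describes (shared C&C infrastructure, a common obfuscation scheme, a shared development platform, and a common target sector) can be illustrated as a simple scoring and clustering step. The code below is an added example, not Symantec's tooling or anything from the report; every campaign name, host name and scheme label in it is a constructed placeholder, and the weights and threshold are assumptions chosen for the illustration.

```python
"""Added illustration (not Symantec's tooling): clustering intrusion
campaigns by the kinds of overlap the article describes: shared
command-and-control infrastructure, a common code-obfuscation scheme,
a shared malware development platform, and a common target sector.
All campaign records below are constructed for the example."""
from collections import defaultdict

# Constructed sample data: placeholder campaign names and indicators,
# none of which are real IoCs from the Elderwood report.
CAMPAIGNS = {
    "campaign-A": {"c2": {"c2-host-1.example", "c2-host-2.example"},
                   "obfuscation": "scheme-x", "platform": "platform-p",
                   "sector": "defense-subcontractor"},
    "campaign-B": {"c2": {"c2-host-2.example"},
                   "obfuscation": "scheme-x", "platform": "platform-p",
                   "sector": "defense-subcontractor"},
    "campaign-C": {"c2": {"c2-host-9.example"},
                   "obfuscation": "scheme-y", "platform": "platform-p",
                   "sector": "defense-subcontractor"},
    "campaign-D": {"c2": {"c2-host-7.example"},
                   "obfuscation": "scheme-z", "platform": "platform-q",
                   "sector": "retail"},
}

# Assumed evidence weights: shared C2 or a shared private dev platform are
# stronger signals than a matching target sector, which many unrelated
# actors share.
WEIGHTS = {"c2": 3, "platform": 2, "obfuscation": 2, "sector": 1}


def overlap_score(a, b):
    """Return (score, reasons) describing how strongly two campaigns overlap."""
    score, reasons = 0, []
    shared_c2 = a["c2"] & b["c2"]
    if shared_c2:
        score += WEIGHTS["c2"]
        reasons.append(f"shared C2 {sorted(shared_c2)}")
    for key in ("platform", "obfuscation", "sector"):
        if a[key] == b[key]:
            score += WEIGHTS[key]
            reasons.append(f"same {key} ({a[key]})")
    return score, reasons


def link_campaigns(campaigns, threshold=4):
    """Connect campaigns whose overlap score reaches `threshold`, then
    return the connected components as sorted lists of campaign names."""
    names = sorted(campaigns)
    adj = defaultdict(set)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            score, _ = overlap_score(campaigns[x], campaigns[y])
            if score >= threshold:
                adj[x].add(y)
                adj[y].add(x)
    seen, clusters = set(), []
    for start in names:
        if start in seen:
            continue
        stack, comp = [start], []
        while stack:  # iterative depth-first walk over the link graph
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            comp.append(n)
            stack.extend(adj[n] - seen)
        clusters.append(sorted(comp))
    return clusters


if __name__ == "__main__":
    for cluster in link_campaigns(CAMPAIGNS):
        print(cluster)
```

With the default threshold only campaigns A and B, which share a C&C host as well as obfuscation and platform, are joined; campaign C matches them only on platform and sector and stays separate. Lowering the threshold to 3 pulls C into the same cluster, which is the judgement call an analyst makes when a weaker signal such as target sector is allowed to carry weight on its own.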
Elderwood focuses on defense sub-contractors, second-tier companies that manufacture electronic or mechanical components that are then sold to first-tier defense firms.
Symantec believes that the attacks are aimed at sub-contractors because the attackers find them easier to exploit. After infecting Windows PCs there, the hackers use them to forge a beachhead in companies further up the supply chain.
The Elderwood gang specializes in finding and exploiting zero-days in Microsoft's IE browser and Adobe's Flash Player.