Elite hacker gang has unlimited supply of zero-day bugs
Group dubbed 'Elderwood' has exploited eight unpatched IE and Flash flaws in the last 20+ months
Computerworld - An elite hacker group targeting defense industry sub-contractors has an inexhaustible supply of zero-days, or vulnerabilities that have yet to be publicized, much less patched, Symantec said today.
In a blog post, the security firm said, "The group seemingly has an unlimited supply of zero-day vulnerabilities."
Symantec also laid out its analysis of the gang, which it said was behind a slew of attacks dubbed the "Elderwood Project," after a source code variable used by the hackers.
Among the group's distinguishing characteristics, said Orla Cox, senior manager at Symantec's security response division, is its exploitation of at least eight zero-day vulnerabilities since late 2010, and four in a 16-week span this spring and summer.
"We've never see a group use so many zero-days," said Cox in an interview today. "We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we've not seen before."
Stuxnet, first uncovered in 2010, relied on exploits of four different Windows zero-day vulnerabilities to infiltrate its targets, which most analysts now believe were Iranian nuclear fuel enrichment facilities.
Cox said that Symantec believes the hackers found the zero-days themselves, and did not purchase them from other sources.
According to Symantec's research, Elderwood exploited one zero-day in December 2010, three in 2011 and four this year during a stretch from April 24 through Aug. 15.
The 2010 zero-day attributed to the gang was notable: It was used by a Trojan horse called "Aurora" by most security experts, and pegged "Hydraq" by Symantec. Aurora was delivered using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies, including Google.
Google accused Chinese hackers of breaking into its network using Aurora, a charge that prompted the search giant to threaten a shut-down of its Chinese operations.
Symantec found links between the Aurora/Hydraq attacks of late 2009 and early 2010 with the campaigns that exploited eight zero-days over the last 20+ months.
The security company connected the dots between the various attack campaigns by comparing elements ranging from the underlying command-and-control (C&C) infrastructure; the way the code in each Trojan was obfuscated, or masked; and the apparent sharing of a single custom-built malware development platform, said Cox.
The Elderwood campaign's targets also provided clues that the exploits of the eight zero-days were connected.
Elderwood focuses on defense sub-contractors, second-tier companies that manufacture electronic or mechanical components that are then sold to first-tier defense firms.
Symantec believes that the attacks are aimed at sub-contractors because the attackers find them easier to exploit. After infecting Windows PCs there, the hackers use them to forge a beachhead in companies further up the supply chain.
The Elderwood gang specializes in finding and exploiting zero-days in Microsoft's IE browser and Adobe's Flash Player.
- New docs show DHS was more worried about critical infrastructure flaw in '07 than it let on
- Needed: Breach detection correction
- Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief
- Cyberattacks could paralyze U.S., former defense chief warns
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts