Elite hacker gang has unlimited supply of zero-day bugs
Group dubbed 'Elderwood' has exploited eight unpatched IE and Flash flaws in the last 20+ months
Computerworld - An elite hacker group targeting defense industry sub-contractors has an inexhaustible supply of zero-days, or vulnerabilities that have yet to be publicized, much less patched, Symantec said today.
In a blog post, the security firm said, "The group seemingly has an unlimited supply of zero-day vulnerabilities."
Symantec also laid out its analysis of the gang, which it said was behind a slew of attacks dubbed the "Elderwood Project," after a source code variable used by the hackers.
Among the group's distinguishing characteristics, said Orla Cox, senior manager at Symantec's security response division, is its exploitation of at least eight zero-day vulnerabilities since late 2010, and four in a 16-week span this spring and summer.
"We've never see a group use so many zero-days," said Cox in an interview today. "We were amazed when Stuxnet used four zero-days, but this group has been able to discover eight zero-days. More, the fact that they have prepared [their attacks] and are ready to go as soon as they have a new zero-day, and the speed with which they use these zero-days, is something we've not seen before."
Stuxnet, first uncovered in 2010, relied on exploits of four different Windows zero-day vulnerabilities to infiltrate its targets, which most analysts now believe were Iranian nuclear fuel enrichment facilities.
Cox said that Symantec believes the hackers found the zero-days themselves, and did not purchase them from other sources.
According to Symantec's research, Elderwood exploited one zero-day in December 2010, three in 2011 and four this year during a stretch from April 24 through Aug. 15.
The 2010 zero-day attributed to the gang was notable: It was used by a Trojan horse called "Aurora" by most security experts, and pegged "Hydraq" by Symantec. Aurora was delivered using an Internet Explorer (IE) zero-day, and targeted a large number of Western companies, including Google.
Google accused Chinese hackers of breaking into its network using Aurora, a charge that prompted the search giant to threaten a shut-down of its Chinese operations.
Symantec found links between the Aurora/Hydraq attacks of late 2009 and early 2010 with the campaigns that exploited eight zero-days over the last 20+ months.
The security company connected the dots between the various attack campaigns by comparing elements ranging from the underlying command-and-control (C&C) infrastructure; the way the code in each Trojan was obfuscated, or masked; and the apparent sharing of a single custom-built malware development platform, said Cox.
The Elderwood campaign's targets also provided clues that the exploits of the eight zero-days were connected.
Elderwood focuses on defense sub-contractors, second-tier companies that manufacture electronic or mechanical components that are then sold to first-tier defense firms.
Symantec believes that the attacks are aimed at sub-contractors because the attackers find them easier to exploit. After infecting Windows PCs there, the hackers use them to forge a beachhead in companies further up the supply chain.
The Elderwood gang specializes in finding and exploiting zero-days in Microsoft's IE browser and Adobe's Flash Player.
- New docs show DHS was more worried about critical infrastructure flaw in '07 than it let on
- Needed: Breach detection correction
- Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief
- Cyberattacks could paralyze U.S., former defense chief warns
- Syrian Electronic Army shanghais Microsoft's Twitter account, blog
- Is French outrage against U.S. spying misplaced?
- Lawmakers seek answers on Obamacare Data Hub security
- China-based hacking group behind hundreds of attacks on U.S. companies
- How to Prepare for a Potential Syrian Counterattack on the U.S. Power Grid
- New York Times site outage caused by attack on domain registrar, company says
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts