Another global spying campaign that targets governments
January 14, 2013
Kaspersky Labs said today that it has discovered yet another global spying campaign that targets numerous governmental agencies, political groups, universities and research institutions.
Kaspersky and a number of Computer Emergency Response Teams (CERTs) discovered the malware, known as 'Rocra' or 'Red October', which is on the same level as the memorable Flame malware and mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.
Kaspersky Labs says that Red October has been gathering a lot of data and intelligence from "mobile devices, computer systems and network equipment" and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.
The malware is sent via a spear-phishing email which, according to Kaspersky, targets carefully-selected victims within an organization such as a government agency. The attachments contain at least three different exploits for Microsoft Excel and Word; once opened, the infected files drop a trojan on the affected computer, which then scans the local network or the PC's hard drive to detect whether any other devices are vulnerable to the same security hole.
An infected computer receives modules, usually as .dll libraries, that each carry out a particular task on command from the command center and then immediately discard the evidence.
The tasks are separated into "persistent" and "one-time" tasks, and the malware is able to spy and steal in a number of ways. Some .exe tasks remain on the system while waiting for the correct environment, for example waiting for a phone to connect. Microsoft's Windows Phone 8, Nokia smartphones and even the iPhone are all said to be vulnerable.
Engineered specifically to steal encrypted files and even those that have been deleted from a victim's computer, the malware -- named after the novel and film "The Hunt for Red October" -- has several key features which suggest it may be state-sponsored, although there is no official word on this yet.
And it gets worse. A lot worse... Among the features of Red October is a resurrection module which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, and which can reinstall the infection after its removal.
Additionally, Red October doesn't simply focus on standard computers, but is also able to infect and steal information from mobile devices, hijacking information from external storage drives, accessing FTP servers and stealing information from a number of email databases.
In order to control the network of infection, Kaspersky says that over sixty domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.
Kaspersky believes that the cyberattackers have been active for at least five years, based on domain name registration dates and various timestamps, and the firm "strongly believes" that the origins of the malware are Russian.
This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Labs notes: "The data stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states."
"Such data could be traded in the underground and sold to the highest bidder, which can be of course, anywhere. Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues, creating an espionage network full of intelligence that hackers can refer to in need," says Kaspersky.
After at least five years of activity, Kaspersky believes that at least 5 terabytes of confidential information could easily have been stolen.
"Since 2008, the attackers collected information from hundreds of high profile victims although it's unknown how the data was used so far. However, it's possible that the information was sold on the black market, or used directly," Kaspersky warns.
The majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and even Italy have all reported a few cases already. The exploits also appear to have Chinese origins, whereas the malware modules may have a Russian background.
Red October was first brought to Kaspersky's attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week. We will keep you posted.
In other internet security news
The political and hacktivist collective Anonymous hacked into some of MIT's websites earlier this morning in protest against the role computer crime laws and U.S. prosecutors may have played in the suicide of Aaron Swartz on Friday.
Twenty-six year old Internet activist Aaron Swartz was found hanged in his apartment in New York on Friday, having taken his own life at such a young age. He was under indictment for computer and wire fraud, facing fines and over thirty years in federal prison, and some are now blaming strict computer laws and the U.S. justice system for his untimely death.
Anonymous posted its message in red on a black background, claiming that Swartz's prosecution was unjust and his actions were political activism, not criminal activities.
"Whether or not the government contributed to his suicide, the government's prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for," the message read.
"The situation Aaron found himself in highlights the injustice of U.S. computer crime laws, particularly their punishment regimes and the highly-questionable justice of pre-trial bargaining. Aaron's act was undoubtedly political activism, and it had some very tragic consequences: his own death."
Swartz was arrested in 2011 after allegedly using a laptop stashed at MIT to access JSTOR, an archive of academic journals, with a custom Python script and downloading 4.8 million articles. JSTOR charges for the documents, meaning the value of the articles amounted to several million dollars.
Although JSTOR wasn't interested in pressing charges, the U.S. government nevertheless proceeded with the indictment. Swartz's lawyer, Elliot Peters, was attempting to negotiate a plea bargain with prosecutors, but they remained insistent that he would have to spend time in prison.
Downloading the articles was part of Swartz's campaign for free information online. He had pulled a similar stunt in 2008, when he downloaded about 21 percent of U.S. court documents stored online and made them freely available to anyone, somewhat similar to what WikiLeaks did in 2010 and 2011.
While Swartz was suffering from severe depression, his family has attributed some of the blame for his death to his experiences of the U.S. criminal justice system. The Swartz family said in a statement that the justice system in the United States is "rife with intimidation and prosecutorial overreach".
For its part, MIT has said that it will investigate how it handled the network breach and its role in Swartz's prosecution. The Anonymous hackers were careful to say that they didn't blame MIT, even apologizing for hijacking the university's websites.
Anonymous called on the U.S. government to see the tragedy as a basis to reform computer crime and intellectual property laws and commit to a "free and unfettered internet for everybody".
In other internet news
Internet security observers are predicting that 2013 could be the year when country-sponsored cyberwarfare goes mainstream, and some say that such attacks could also lead to actual deaths of citizens.
Last year, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least twelve of the world's fifteen largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
And the situation could get a lot worse before it gets better. Some say a full-fledged cyber Cold War is already in progress, and some security companies believe that the battle will become even more heated this year.
"Nation states and their armies will be more frequent actors and victims themselves of cyberthreats," a team of researchers at McAfee Labs wrote in a recent report. McAfee Labs is now a subsidiary of Intel.
Michael Sutton, head of security research at cloud security company Zscaler, said he expects governments to spend furiously on building their cyber arsenals. Some may even outsource attacks to online hackers, in an effort to speed up the process.
The Obama administration and many in Congress have been more vocal about how an enemy nation or a terrorist cell could target the United States' critical infrastructure in a cyberattack. Banks, stock exchanges, nuclear power plants and water purification systems are particularly vulnerable, according to numerous assessments delivered to Congress last year.
But after legislation aimed at preventing such attacks stalled in Congress last year, some experts believe this will be the year when cyberattacks will turn really deadly.
"Nation-state attackers will target critical infrastructure networks such as power grids at an unprecedented scale in 2013," predicted Chiranjeev Bordoloi, CEO of security company Top Patch. "These types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."
Security firm IID also predicted that cyberattacks will lead to the loss of life in 2013. But others say that such events are unlikely. Our most potent online foes, Russia and China, haven't shown an interest in infrastructure attacks, at least not yet. Those that would pursue them -- Iran is often mentioned -- haven't yet proven capable of pulling off something on that scale.
Verizon, which runs an extensive cybersecurity business, is also in the doubters' camp. "Many security experts are using anecdote and opinion for their predictions, whereas Verizon's researchers are applying empirical evidence," said Wade Baker, head of Verizon's security division.
"First and foremost, we simply don't believe there will be an all-out cyber war, although it's always possible," added Baker.
The U.S. has already put would-be attackers on notice. Defense Secretary Leon Panetta said recently that the United States reserves the right to use military force against a nation that launches a cyberattack on the country.
Even if hackers aren't capable of killing with a cyberattack, there is no doubt that they've become more destructive in their attempts.
The August 2012 attack on oil company Saudi Aramco, for instance, crashed 30,000 computers. Then in September, a series of additional attacks brought down the websites of several of the largest U.S. banks. It was the largest "denial of service" (DoS) attack ever recorded, and by a very significant margin.
Those kinds of attacks will grow "exponentially" in 2013, McAfee predicts. And other internet security experts seem to agree.
"Recently, we have seen several attacks in which the only goal was to cause as much damage as possible; we expect this malicious behavior to grow in 2013," the McAfee researchers wrote. "The worrying fact is that companies appear to be rather vulnerable to such attacks," the company added.
But there may be some good news on the cybersecurity front. Hacktivist group Anonymous is starting to fade. The leaderless collective's attacks have gained less attention lately, and many proposed operations have simply failed. That's because companies are beefing up their defenses against Anonymous' main weapon, the denial of service attack.
"Anonymous' level of technical sophistication has stagnated and its tactics are better understood by its potential victims," McAfee said in a recent research report. "While hacktivist attacks won't end in 2013, if ever, they are expected to decline in number, nevertheless. Sympathizers of Anonymous are also suffering."
In other internet security news
Internet security company McAfee warns that there is a real threat of a coordinated hack attack against at least 30 major U.S. banks early next year that would most likely be committed by Eastern European fraudsters.
Rumors of the so-called Project Blitzkrieg started after a message in September on a hacking board from a user identifying himself as VorVzakone, who was looking for recruits for a campaign against large U.S. banks, credit unions, and Wall Street brokerages.
The poster claims to have made $5 million from a similar attempt in 2008 and posted screenshots of the malware code to be used. It had been suspected that the VorVzakone character was in fact a sting operation by the Russian security services.
However, after studying the information posted and cross-referencing it with its own malware logs, McAfee Labs suspects that the threat may be real and more widespread than initially believed, and Fidelity, E-Trade, Charles Schwab, PayPal, Citibank, Wachovia Securities, Wells Fargo, Capital One, and others are at high risk of being the subject of a concerted attack.
The McAfee team thinks that the malware being used is a variant of a four-year-old family of trojan horses dubbed Gozi. A new version, dubbed Gozi Prinimalka, is said to have a payload more advanced than Zeus or other banking-optimized malware and has been quietly spreading in targeted attacks, with varying degrees of success.
"Not only did we find evidence validating the existence of an early pilot campaign operated by VorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional hacking campaigns as a result of the forum posting," wrote the report's author Ryan Sherstobitoff, a threats researcher with McAfee Labs.
"Some recent reports argue that VorVzakone has called off this attack because it has been made public. Yet it is possible that the publicity may merely drive his activities deeper underground," added Sherstobitoff.
The command and control servers used in the previous Prinimalka attacks are largely found in Romania, Russia, and Ukraine, with an outpost in the Netherlands. Sherstobitoff said that the fact that new Prinimalka command and control servers are now starting to pop up outside these zones suggests that there are new recruits to the plan, and he warns security teams to be ready and alert.
"These campaigns will not initially target hundreds or thousands of victims, rather they will stay under the radar by attacking selected groups," he suggested.
"On average, this strategy is necessary if the attackers hope to succeed in transferring several million dollars over the course of the attacks. A limited number of infections reduces the malware's footprint and makes it more difficult for network defenses to detect its activities, something that has been planned from the start."
In other internet security news
A new Linux malware and rootkit was discovered late yesterday that security researchers say is designed to inject iFrames and viruses into specific websites and then push traffic to malicious sites that propagate the malware even further.
News of the rootkit has circulated for the past few days after an anonymous user of the Full Disclosure mailing list posted about it online. Since then, researchers at Kaspersky Lab and CrowdStrike have looked into the malware and shared their findings.
Originally designed for 64-bit Linux systems, it specifically targets kernel version 2.6.32-5-amd64, which is the latest kernel used in the 64-bit Debian Squeeze Linux flavor.
"The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit rootkits," says George Wicherski, senior security researcher at CrowdStrike. "It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail," he added.
According to CrowdStrike, the malware doesn't appear to be a modified version of any known malware, and appears to be the work of an intermediate-level programmer. It is believed that it could be the work of a Russian software contractor.
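Because a kernel-level rootkit of this kind rewrites the HTTP response rather than the files on disk, a practical check for web administrators is to compare what the server actually delivers with the page as stored. The following is an added example (not code from the article, Kaspersky or CrowdStrike), using constructed sample HTML; the hypothetical domains in it are placeholders:

```python
"""Flag iframes present in a served page but absent from the on-disk source."""
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; attrs is a list of (name, value).
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def iframe_sources(html):
    """Return the iframe src values found in an HTML document, in order."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def injected_iframes(on_disk_html, served_html):
    """Return iframe src values that the served copy has but the disk copy lacks."""
    expected = set(iframe_sources(on_disk_html))
    return sorted(set(iframe_sources(served_html)) - expected)


# Constructed sample: the page as stored on the web server (clean) ...
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.org/legit-widget"></iframe>
</body></html>"""

# ... and the same page as delivered over HTTP, with an injected hidden frame
# (constructed; the domain is a placeholder, not an indicator from the article).
SERVED = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.org/legit-widget"></iframe>
<iframe src="http://malicious.invalid/landing" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in injected_iframes(ON_DISK, SERVED):
        print("injected iframe:", src)
```

In practice, fetch the served copy from a separate, trusted host, since the compromised kernel controls what local tools on the infected server see.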
Source: Kaspersky Labs.