Security researchers have uncovered hacking tools used by what they say are China’s second most-active cyber attackers to spy on companies and governments in the Asia-Pacific region.
Targeted attacks, by nature, are low in volume and therefore go unnoticed, but for the victim they can be just as costly as a widespread malware threat.
Comfoo, a stealthy information-stealing malware used in a high-profile attack in 2010 that hit Australian businesses, fits that bill, Dell security researchers say.
Hackers in 2010 employed simple but effective phishing emails that were sent to low-level staff at RSA, the security arm of storage giant EMC. Using remote-access malware known as Poison Ivy, the attackers gained access to data that is believed to have compromised the widely used SecurID two-factor authentication system used by many Australian enterprise and government customers.
Poison Ivy was the main focus of initial reports about the attack, but Comfoo slipped through the cracks, says Don Jackson, senior security researcher at Dell SecureWorks.
“[Comfoo] was one of the tools that was used in the RSA breach, but it wasn’t named ... We found it was another backdoor with similar capabilities to Poison Ivy, but it was used by a group we call the Beijing Group,” Mr Jackson told IT Pro.
The company on Friday released a cache of data or “indicators”, such as domain names and IP addresses, that organisations can use to determine whether a threat lies on their corporate network.
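To show what an organisation actually does with such an indicator list, here is an added example (not code from the article, from Dell SecureWorks, or from any published Comfoo indicator set) that matches a small indicator list against proxy log lines. Every domain, IP address, network range and log line in it is a constructed placeholder chosen from the RFC 5737 documentation ranges and the reserved `.test` TLD; the log format (timestamp, client IP, method, URL, destination IP) is likewise assumed for illustration.

```python
"""
Added example: check proxy log lines against a published indicator list.
Indicators and log lines are constructed placeholders, not real Comfoo data.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator list (placeholders standing in for a vendor's IOC feed).
IOC_DOMAINS = {"c2.example-placeholder.test", "update.example-placeholder.test"}
IOC_IPS = {ipaddress.ip_address("198.51.100.7")}          # TEST-NET-2, constructed
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, constructed

# Constructed proxy log: timestamp, client IP, method, URL, destination IP.
SAMPLE_LOG = """\
2013-08-01T09:12:03Z 10.0.4.21 GET http://www.example.org/index.html 93.184.216.34
2013-08-01T09:12:09Z 10.0.4.21 POST http://c2.example-placeholder.test/upload 198.51.100.7
2013-08-01T09:13:44Z 10.0.7.5 GET http://cdn.update.example-placeholder.test/x 203.0.113.45
2013-08-01T09:14:00Z 10.0.7.5 GET http://intranet.corp.local/ 10.0.0.10
"""


def normalise_host(host: str) -> str:
    """Lower-case and strip a trailing dot so 'C2.Example.TEST.' matches 'c2.example.test'."""
    return host.strip().rstrip(".").lower()


def domain_hit(host: str):
    """Return the indicator domain that host equals or is a subdomain of, else None."""
    labels = normalise_host(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(ip_text: str):
    """Return the matching indicator IP or network as a string, else None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not an IP literal; ignore rather than crash on odd log fields
    if addr in IOC_IPS:
        return str(addr)
    for net in IOC_NETWORKS:
        if addr in net:
            return str(net)
    return None


def parse_line(line: str):
    """Split one assumed-format log line into fields; None if it does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, dest = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "dest": dest}


def scan_log(text: str):
    """Return one hit record per log line that touches any indicator."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        reasons = []
        matched_domain = domain_hit(host)
        if matched_domain:
            reasons.append(f"domain:{matched_domain}")
        matched_ip = ip_hit(rec["dest"])
        if matched_ip:
            reasons.append(f"ip:{matched_ip}")
        if reasons:
            hits.append({"line": lineno, "ts": rec["ts"], "client": rec["client"],
                         "host": host, "reasons": reasons})
    return hits


def clients_to_investigate(hits):
    """Distinct internal hosts that contacted an indicator, sorted for a ticket."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["host"], ", ".join(h["reasons"]))
    print("investigate:", clients_to_investigate(found))
```

A hit from a list like this is a lead, not a verdict: the subdomain match deliberately errs on the side of reporting, so each flagged client still needs the host examined for the backdoor itself, and indicator lists go stale as attackers move infrastructure, which is why the dwell times quoted later in the article are a problem even for organisations that do run such checks.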
The group behind Comfoo, whom Mr Jackson calls “the Beijing group”, is on par with “APT1”, the notorious Chinese hacking crew fingered in a recent report by US security firm Mandiant. APT refers to “advanced persistent threat”, a class of attacker that typically hunts for intellectual property and strives to maintain a silent, persistent presence on the target’s network.
“If you see an APT report in the last few years and it mentions APT1, the chances are that anything else in that report is being carried out by this Beijing group. Those two groups account for 90 percent or more of all the attacks that we track,” said Mr Jackson.
The Beijing group primarily used exploits for already-patched flaws in popular software such as Adobe’s Acrobat and Reader PDF products, said Mr Jackson. Like financially motivated attackers, they are not necessarily interested in unpatched flaws: old flaws work, so long as the attacker knows the target well. “[Attackers] do a lot of recon, for example, probing the [target’s] website or they’ve been at a conference and got contact information from the conference,” said Mr Jackson.
Surprisingly, even after the researchers alert companies to an infection on their network, some victims still fail to address the problem. According to Jackson, the time between an infection and its removal is between six months and one year.
“We disclose to them who we are and what we’ve noticed, but we still have organisations that have not remediated this infection.
“One, they’re not our customers, so they don’t know who we are, and sometimes there’s a language barrier, and sometimes there’s a ‘if we don’t know about it, we can’t do anything about it’.
“Usually, it’s more than a year that this very dangerous adversary has been on the network monitoring and or manipulating data to their liking and stealing whatever they want from the network for that long.”