Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.
The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.
Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.
The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.
The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.
The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.
If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.
Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.
The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.
The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.
The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.
The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.
MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.
In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.
The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.
That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666” signature in the code and 29A is the hexadecimal representation of 666, Raiu said.
A “666” value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.
News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.
Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.
Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.
Syria, China, Iran, Bahrain and Vietnam are flagrantly spying online, media watchdog RSF said, urging controls on the export of Internet surveillance tools to regimes clamping down on dissent.
Tuesday’s report entitled “Enemies of the Internet” also singled out five companies — Gamma, Trovicor, Hacking Team, Amesys and Blue Coat — that it branded “digital era mercenaries,” who were helping oppressive governments.
Syria’s estimated five million Internet users are subject to rampant state spying, Reporters Sans Frontieres (RSF, Journalists without Borders) said in the report, which coincides with the World Day Against Cyber-Censorship.
Noting that 22 journalists and 18 Internet users had been jailed, it said the network was controlled by two entities including the Syrian Computer Society (SCG) founded by President Bashar al-Assad.
The SCG, it said, controlled Syria’s 3G infrastructure, while the Syrian Telecommunications Establishment (STE) controlled the majority of the fixed connections.
“When the government orders the blocking of a word, of an URL, or of a site, STE transmits the order to service providers,” it said, publishing a leaked 1999 bid invitation from STE to install a national Internet system in Syria.
The requirements include recording of online and offline activities, copying of all e-mail exchanges from within Syria, and the ability to detect, intercept and block any encrypted data.
Damascus beefed up its monitoring in 2011 “adding new technologies to its cyber-arsenal” including proxy Blue Coat servers, RSF said.
Iran meanwhile is in the process of creating a home-grown Internet system, citing a series of cyber attacks on its nuclear installations, RSF said.
“Applications and services such as email, search engines and social networks are proposed to be developed under government control,” to allow for “large-scale surveillance and the systematic elimination of dissent.”
Twenty Internet users were jailed and one had been killed in the past year, it said, warning against the use of Iranian virtual private networks as it “will be like throwing yourself into the lion’s jaws.”
But in terms of sheer numbers, the “Chinese Communist Party runs one of the world’s biggest digital empires, if not the biggest,” RSF said, adding that individuals and companies have to rent their broadband access from the Chinese state or a government-controlled company.
“The tools put in place to filter and monitor the Internet are collectively known as the Great Firewall of China. Begun in 2003, it allows for access to foreign sites to be filtered,” it said, and to block feeds and content deemed undesirable.
“The Chinese cyber-dissident Hu Jia and his wife Zeng Jinyang have had policemen stationed at the foot of their apartment building for months,” it said.
“China jails more people involved in news and information than any other country. Today 30 journalists and 69 netizens are in prison.”
Bahrain, which with an Internet penetration of 77 percent is one of the most connected states in the Middle East, has seen a dramatic increase in surveillance and news blackouts in the past three years, RSF said.
Vietnam’s network is shoddy in quality but under tight state control. Thirty-one Internet users are in prison and Internet cafes are tightly monitored with users obliged to show identity documents before using them.
RSF called for a ban on the sale of surveillance hardware and software to countries that flout basic fundamental rights and crack down on any opposition.
“The private sector cannot be expected to police itself. Legislators must intervene,” it said.
“The European Union and the United States have already banned the export of surveillance technology to Iran and Syria. This praiseworthy initiative should not be an isolated one.”
File photo shows an Iranian youth using a computer at an internet cafe in Iran’s Hamadan province. Syria, China, Iran, Bahrain and Vietnam are flagrantly spying online, media watchdog RSF said.
Graphic on a report about online spying compiled by Reporters Sans Frontiers, alleging that Syria, China, Iran, Bahrain and Vietnam are the worst state offenders for using Internet surveillance to crackdown on dissent.
Image taken on October 11, 2010 shows Syrian President Bashar al-Assad attending a press conference at al-Shaab palace in Damascus. Media watchdog RSF said Syria’s network was controlled by two entities, including the Syrian Computer Society founded by Assad.
Image provided by Zeng Jinyan shows her husband, Chinese dissident Hu Jia, at their home in Beijing on June 27, 2011. “The Chinese cyber-dissident Hu Jia and his wife Zeng Jinyang have had policemen stationed at the foot of their apartment building for months,” an RSF report said.
Image taken on January 15, 2013 shows a man reading the news on his laptop at a coffee shop in Hanoi, Vietnam. Vietnam’s network is shoddy in quality but under tight state control.
The United States has recently stepped up the rhetoric against China on cyber espionage, with President Barack Obama joined the chorus on Wednesday.
He complained billions of dollars could be lost due to theft of American corporate secrets, following warnings by Pentagon officials that cyber espionage could be a dire threat to America’s national security.
Washington’s allegations show it is rather impatient with rampant backdoor thefts in the digital world, but casting China as a specific culprit for the ubiquitous problem is unfair.
Computer hacking is an emerging threat to global security. Both China and the United States are victims of electronic assaults.
In 2012, more than 14 million computers in China were hijacked and controlled from foreign IP addresses, with more than 10 million of those being controlled from IP addresses in the U.S., according to CNCERT, China’s top Internet coordination center.
In fairness, that does not mean the hackers were American, or that Washington was supporting or condoning the digital attacks against China. With computer technologies evolving so fast, hackers can easily hide or change their IPs. That makes hackers anonymous and difficult to trace.
Using the same logic, any hasty accusation aimed at a specific country for cyber attacks is technologically flawed and politically inappropriate.
Blaming the attacks on Chinese hackers is a rash statement that lacks credible evidence, while picking on Beijing as backing such acts sounds like an insidious attempt to tarnish China’s image.
The Chinese government has launched dozens of campaigns against backdoor spying and malicious software, cutting off remote control by tens of millions of IP addresses.
To eradicate cyber crime on the borderless Internet is barely possible without transnational cooperation. In this new field, the United States and China share common interests.
China-U.S. relations are the most important bilateral relations on earth. Instead of trading barbs and taking aggressive steps against each other, the world’s biggest and second largest economies would do well to combine their efforts to build a safer virtual world.
A cybercrime gang that primarily targets companies from the chemical industry has launched a new series of attacks that involve malware-laden emails purporting to be from Symantec, the security vendor responsible for exposing its operation earlier this year.
Dubbed the Nitro attacks, the gang’s original industrial espionage efforts began sometime in July and lasted until September. The attackers’ modus operandi involved sending emails that carried a variant of the Poison Ivy backdoor and were specifically crafted for each targeted company.
Despite being publicly exposed by Symantec in an October report, the gang didn’t give up on its plans and, in fact, stuck to many of its techniques.
“The same group is still active, still targeting chemical companies, and still using the same social engineering modus operandi,” security researchers from Symantec said in a blog post on Monday.
“That is, they are sending targets a password-protected archive, through email, which contains a malicious executable,” they added.
The interesting aspect about the gang’s new attacks is that they are using Symantec’s own report in order to trick victims. One email intercepted by the security company was crafted to appear as if it were sent by its technical support department and warns recipients that many enterprise computers were infected with Poison Ivy.
The rogue messages claim that a special removal tool was released by Symantec in order to help its customers scan their systems. Attached to the email is a 7-Zip archive called the_nitro_attackspdf.7z containing a malicious executable file and a copy of Symantec’s original report about Nitro.
“The attackers, in an attempt to lend some validity to their email, are sending a document to targets that describes their very own activity,” Symantec said. The executable file is a new variant of Poison Ivy that connects to a command-and- control (CC) server hosted by the same provider used in the previous attacks.
The fake Symantec alert is not the only lure this gang is using. Other malicious emails that are part of the same campaign claim to originate from Adobe Systems and contain a fake upgrade for Adobe Reader.
Symantec managed to take down the domain name used by the new CC server and alerted the hosting provider. However, given the determination shown by these attackers so far, it’s unlikely that the Nitro attacks will stop.
The group’s primary goal is to steal domain administrator credentials, as well as to gain access to systems that store intellectual property. After identifying the “desired” IP, the attackers copy it to archives on internal systems used as staging servers, with the content uploaded from there to a site outside of the compromised organization, according to Symantec’s October report.