Eight zero-day vulnerabilities in one bottle, and that's not all
Our experts went on the trail of a cybercrime group that carried out large-scale targeted attacks conducted in the framework of an activity called the “Elderwood Project”.
For the first time, this group attracted the attention of our analysts in 2009, launching an attack on Google and other organizations using the Trojan program Hydraq (Aurora).
')
Over the past three years, its attacks have been directed at enterprises of various industrial sectors, as well as at non-governmental organizations. The companies chosen were predominantly the United States and Canada, as well as China, Hong Kong, Australia, as well as some European and Asian countries. Recent attacks demonstrate a shift in the interest of intruders towards enterprises producing components of armaments and defense systems. Moreover, one of the main operational scenarios is penetration through one of the partner organizations included in the supply chain.
Attackers exploit a large number of zero-day vulnerabilities and use a systematic approach to organizing attacks and creating malicious code. We recorded their repeated use of platform components, called the “Elderwood Platform” (after the name of one of the exploits from their arsenal), which ensures that exploits are quickly applied to zero-day vulnerabilities. The methodology of such ongoing attacks usually involves the use of phishing emails, but now they are added to the attacks of the “watering hole” class - the compromise of the websites most likely visited by the victim.
Comparing the facts, our analysts concluded that a certain grouping exploits zero-day vulnerabilities and seems to have unlimited access to information about them. Hackers steal information from the computers of selected victims, infecting them with a Trojan program through the sites they frequently visit. The main purpose of fraudsters is the inside information of defense companies.
As you know, serious zero-day vulnerabilities that provide unauthorized access to widely used software components are very rarely available. For example, within the framework of perhaps the most well-known project Stuxnet, only four of them were used. However, in the framework of the “Elderwood Project” they are already used twice as much - eight. And no other group has ever demonstrated anything of the kind. Applying so many exploits to zero-day vulnerabilities suggests a very high level of preparation - to identify such vulnerabilities, hackers had to access the source code of a number of widely used software applications or decompile them, which requires very, very serious resources. It seems that the group has an almost unlimited number of zero-day vulnerabilities. Vulnerabilities are used on demand - one after another, and often one replaces the other if the previous one is already closed.
The main objectives of the recorded attacks were organizations from the supply chain of defense enterprises, mainly the leading defense industry enterprises. The group is interested in companies that produce electronic or mechanical components of weapons and systems that are sold to leading defense corporations. The attackers seem to be counting on a lower level of security for such manufacturers, and use them as steps of a ladder leading to intellectual property intended for the production of components or large-scale products by leading suppliers. The chart below shows the distribution of the various industries that make up the supply chain for the defense industry.
One of the vectors of the attacks of the “Elderwood” group is the use of the so-called “watering hole” sites, demonstrating an unambiguous change in the methods used by the attackers. The concept of attack in this case is similar to the actions of a predator waiting for its prey in an oasis in the middle of the desert. He knows that the victim, sooner or later, will come to the watering place, and waits, instead of actively hunting. The attackers act in the same way - they identify websites that are visited by specific people of interest, hack them and embed exploits into the pages that the victim should visit. Any visitor to the site will be exposed to embedded exploits, and if his computer is hacked by them, a Trojan program will be installed on it.
Figures and facts:
0-days summary:
Details and technical details on the full Symantec report “ The Elderwood Project ”
For the first time, this group attracted the attention of our analysts in 2009, launching an attack on Google and other organizations using the Trojan program Hydraq (Aurora).
')
Over the past three years, its attacks have been directed at enterprises of various industrial sectors, as well as at non-governmental organizations. The companies chosen were predominantly the United States and Canada, as well as China, Hong Kong, Australia, as well as some European and Asian countries. Recent attacks demonstrate a shift in the interest of intruders towards enterprises producing components of armaments and defense systems. Moreover, one of the main operational scenarios is penetration through one of the partner organizations included in the supply chain.
Attackers exploit a large number of zero-day vulnerabilities and use a systematic approach to organizing attacks and creating malicious code. We recorded their repeated use of platform components, called the “Elderwood Platform” (after the name of one of the exploits from their arsenal), which ensures that exploits are quickly applied to zero-day vulnerabilities. The methodology of such ongoing attacks usually involves the use of phishing emails, but now they are added to the attacks of the “watering hole” class - the compromise of the websites most likely visited by the victim.
Comparing the facts, our analysts concluded that a certain grouping exploits zero-day vulnerabilities and seems to have unlimited access to information about them. Hackers steal information from the computers of selected victims, infecting them with a Trojan program through the sites they frequently visit. The main purpose of fraudsters is the inside information of defense companies.
As you know, serious zero-day vulnerabilities that provide unauthorized access to widely used software components are very rarely available. For example, within the framework of perhaps the most well-known project Stuxnet, only four of them were used. However, in the framework of the “Elderwood Project” they are already used twice as much - eight. And no other group has ever demonstrated anything of the kind. Applying so many exploits to zero-day vulnerabilities suggests a very high level of preparation - to identify such vulnerabilities, hackers had to access the source code of a number of widely used software applications or decompile them, which requires very, very serious resources. It seems that the group has an almost unlimited number of zero-day vulnerabilities. Vulnerabilities are used on demand - one after another, and often one replaces the other if the previous one is already closed.
The main objectives of the recorded attacks were organizations from the supply chain of defense enterprises, mainly the leading defense industry enterprises. The group is interested in companies that produce electronic or mechanical components of weapons and systems that are sold to leading defense corporations. The attackers seem to be counting on a lower level of security for such manufacturers, and use them as steps of a ladder leading to intellectual property intended for the production of components or large-scale products by leading suppliers. The chart below shows the distribution of the various industries that make up the supply chain for the defense industry.
One of the vectors of the attacks of the “Elderwood” group is the use of the so-called “watering hole” sites, demonstrating an unambiguous change in the methods used by the attackers. The concept of attack in this case is similar to the actions of a predator waiting for its prey in an oasis in the middle of the desert. He knows that the victim, sooner or later, will come to the watering place, and waits, instead of actively hunting. The attackers act in the same way - they identify websites that are visited by specific people of interest, hack them and embed exploits into the pages that the victim should visit. Any visitor to the site will be exposed to embedded exploits, and if his computer is hacked by them, a Trojan program will be installed on it.
Figures and facts:
- 8 zero day vulnerabilities
- Attacked 2 applications - Internet Explorer and Adobe Flash Player
- 2 Basic attack methods - phishing e-mails and watering hole
- Possible motives: theft of intellectual property or trade secrets, scouting plans, contacts, infrastructure information, analytics for further attacks
- Suspects: (1) a large, well-funded criminal group, (2) a group behind which the state stands, (3) a state
- The main geography of attacks: USA - 72%, Canada - 9%, China - 6%, Australia - 3%, Hong Kong - 3%, the rest - less
- Recommended protection: at the file level - antivirus, at the network level - protection against intrusions. Advanced Reputation Technology and SONAR
0-days summary:
Details and technical details on the full Symantec report “ The Elderwood Project ”
Source: https://habr.com/ru/post/151086/
All Articles