Stakes rising as malware matures
With the constant drumbeat of cybersecurity worries that government has to deal with, it’s easy to lose sight of the trees when it comes to threats, and to consider them all as part of the same dark forest. But as two recently discovered exploits show, malware writing is as much a creative industry as any legitimate software business, and organizations need to be aware of the details to successfully defend their data and systems.
One of the newest pieces of malware is actually a throwback of sorts. MiniDuke was first identified in February 2013 by Kaspersky Lab, which described it as a “highly customized malicious program” used to attack multiple government entities and institutions both in the United States and around the world using a backdoor exploit.
The head of the Lab, Eugene Kaspersky, said then that it reminded him of older style of malware of the late 1990s and early 2000s, written with Assembler language and being very small in size, just 20 kilobytes or so. The combination of these “experienced, old school writers using newly discovered exploits and clever social engineering” against high profile targets he believed to be “extremely dangerous.”
In particular, according to the Lab’s analysis, MiniDuke was programmed to avoid analysis through a hard-coded set of tools in certain environments such as VMware, showing that the writers “know exactly what antivirus and IT security professionals are doing in order to analyze and identify malware.”
Following that first discovery, MiniDuke attacks decreased and eventually seemed to disappear. Apparently, however, it was only going underground, and it reappeared in an even more sophisticated form earlier this year. Among others, the targets apparently include organizations involved with government, energy, telecom and military contracting.
The new backdoor, also known as TinyBaron or CosmicDuke, spoofs a number of popular applications that run in the background on a system, can start up via the Windows Task Scheduler and can steal information using a broad range of extensions and file name keywords. Kaspersky Lab says it assigns a unique ID to each of the malware’s victims, which allows for specific updates of the malware. It also uses a custom obfuscator to prevent anti-malware tools from detecting it.
Remote access attacks
At the end of June, US-CERT issued an advisory about malware apparently aimed at industrial control systems, which some analysts claimed could cause Stuxnet-level damage to power plants and other sites through denial of service attacks. According to security firm Symantec, the attackers, known as Dragonfly, could potentially cause much greater chaos than Stuxnet, with victims already compromised in the United States, Spain, France, Italy, Germany, Turkey and Poland.
The attackers use two main pieces of malware called remote access tools, Symantec said. Backdoor.Oldrea, also known as Havex or Energetic Bear, acts as a backdoor to a victim’s system and, once installed, can extract system information. The other main tool is Trojan.Karagany, openly available on the underground malware market, which can upload stolen data, download new files and run executable files on infected computers.
The Dragonfly group, possibly Eastern European and state sponsored, is “technically adept and able to think strategically,” Symantec said. “Given the size of some of its targets, the group found a ‘soft underbelly’ by compromising [the targets’] suppliers, which are invariably smaller, less protected companies.”
Defenses against the Dragonfly attacks include both antivirus and intrusion prevention signatures, but, given that the attacks had been ongoing and undetected for a while, a large number of systems probably remain infected.
As well as targeted attacks, general phishing attacks by cybercriminals aimed at stealing personal and financial information from institutions are also on the rise. While government sites are less than 2 percent of the overall targets for these attacks, according to the Anti-Phishing Working Group, the United States has by far the biggest number of phishing websites. Globally, it said, the number of infected machines has risen to nearly 33 percent.
The question is how government can best position itself against these attacks, which seem to be increasing both in number and sophistication. Keeping them out entirely no longer seems a plausible strategy, and the consensus is moving more towards limiting the damage they can cause.
Posted by Brian Robinson on Jul 07, 2014 at 12:53 PM