Red October – Cyber-espionage Undetected for 5 Years

January 29, 2013

On January 17, 2013, Kaspersky Labs released The Red October Campaign – An Advanced Cyber Espionage Network Targeting Diplomatic and Government Agencies. The Kaspersky research discloses a large network of command and control servers which has, over the past five years, infiltrated computers worldwide at governmental, diplomatic and scientific research organizations. Red October gathered information from computer systems, mobile devices and network equipment.

Kaspersky details the technical means used to evade detection for 5 years. The creators of this software used many clever techniques to cover their tracks and regain control of systems that had been partially disinfected.

What is most striking about this attack and its five years of worldwide cyber-espionage is the means used to infiltrate systems: spearphishing. Yet again, the infiltration method of choice was a highly targeted email that delivered a malicious attachment. This Kaspersky graphic shows the first stage of the Red October attack.

Source: Kaspersky Labs

Red October is yet another demonstration of the true nature of cyberwarfare — Dr. Frederick Chang, former NSA Director of Research, warns that:

… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.

In Email – Deceptive By Design, Iconix explains how email favors the attacker in the adversarial engagement because email is a deceptive interface which is easily manipulated by the attacker. Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext. 3 or use our online form.


Mission: Impossible

January 24, 2013

We read about the work of security researchers at Georgia Tech Research Institute (GTRI) with great interest and even greater skepticism.

We wholeheartedly concur with this observation of Andrew Howard, a GTRI research scientist who heads up the organization’s malware unit:

Organizations can spend millions and millions of dollars to protect their networks, but all it takes is one carefully-crafted email to let someone into it. It’s very difficult to put technical controls into place to prevent humans from making a mistake. To keep these attacks out, email users have to do the right thing every single time.

The place where we part company is this plan of action:

To increase their chance of success, criminals attempting to access a corporate network often target more than one person in an organization. Network security tools could use information about similar spear phishing attempts to warn other members of an organization. And by having access to all email, security systems could learn what’s “normal” for each individual — and recognize unusual email that may be suspicious.

“We are looking at building behavioral patterns for users so we’d know what kinds of email they usually receive. When something comes in that’s suspicious, we could warn the user,” Howard said. “We think the real answer is to keep malicious email from ever getting into a user’s in-box, but that is a much more difficult problem.”

The GTRI researchers call the action by the spearphishing victim “a mistake.” This characterization demonstrates a fundamental misunderstanding of the problem. The victims aren’t making simple mistakes — the victims are being deceived. Consider the everyday example of a retail cashier. The cashier is busy making lots of decisions. Among these decisions is the handling of cash. If the cashier hands a customer a $100 bill instead of a $1.00 bill in change, that is a mistake. If, on the other hand, the customer is dishonest and wants to increase the chances of the cashier making an error, the customer can use deception. A classic form of deception is counterfeiting. Of course, taking a counterfeit bill is a mistake. But it is more than a mistake — it is an error that was induced by the counterfeiter’s malicious manipulation of the cashier’s decision-making process.

Just like counterfeiters, cyber bad guys are thinking adversaries.  The attackers are armed with human brains which they use to devise schemes to deceive their human victims.  Writing in Fourth Quarter 2012 issue of The Next Wave (a research review published by the NSA), Dr. Frederick Chang, former NSA Director of Research, warns that:

… cybersecurity is fundamentally about an adversarial engagement. Humans must defend machines that are attacked by other humans using machines.

The cyber bad guys understand that the key to stopping them is detecting anomalous patterns. That is why the bad guys avoid creating patterns.  They send individually targeted emails.  They know that users will open an attachment from their boss or HR — that is why the attackers do their research to figure out convincing deceptions. They exploit current events.  They use single use throw away domains.  They use malicious attachments to avoid URL detection methods. They use unique malware.  Bad guys compromise access cards, so that the illicit activity occurs only during real sessions of the authorized user.  Bad guys use security software to QA their attacks. The first step in fighting spearphishing is to realize that the attackers understand and use the same technology that is used by the defenders.
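To make the trade-off concrete, here is a small added illustration of the kind of per-user baseline the GTRI quote describes, applied to the masquerade tactic discussed above. It is example code written for this page, not SP Guard, not GTRI’s system, and not anything from the Kaspersky or Trend Micro reports. It builds, for one recipient, a mapping from sender display name to the addresses that name has historically come from, then flags a new message that reuses a trusted display name (“Jane Boss”, “HR Team”) from an address or Reply-To that has never been seen for that name. All messages and addresses below are constructed sample data; the `corp.example` domain and the recipient `bob@corp.example` are assumptions.

```python
"""Display-name masquerade check over raw email headers (added illustration).

Not the page's product nor GTRI's system. Builds a per-recipient baseline of
display name -> set of sender addresses seen in past mail, then classifies a
new message as 'known', 'masquerade' or 'unknown'. Sample data is constructed.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed history for one recipient (assumption: headers only, no bodies needed).
HISTORY = [
    "From: Jane Boss <jane.boss@corp.example>\nTo: bob@corp.example\nSubject: Q3 plan\n\nhi",
    "From: Jane Boss <jane.boss@corp.example>\nTo: bob@corp.example\nSubject: 1:1\n\nhi",
    "From: HR Team <hr@corp.example>\nTo: bob@corp.example\nSubject: Benefits\n\nhi",
]


def build_baseline(raw_messages):
    """Map case-folded display name -> set of lowercased addresses it came from."""
    baseline = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        name, addr = parseaddr(msg.get("From", ""))
        if name and addr:  # a bare address with no display name cannot be masqueraded
            baseline[name.casefold()].add(addr.lower())
    return baseline


def assess(raw_message, baseline):
    """Return (verdict, reason) for one incoming message against the baseline."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key, addr = name.casefold(), addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()

    if name_key not in baseline:
        # A never-seen identity produces no anomaly: this is exactly the gap an
        # attacker exploits by sending individually crafted, pattern-free mail.
        return "unknown", f"no history for display name {name!r}"

    seen = baseline[name_key]
    if addr not in seen:
        return "masquerade", (
            f"display name {name!r} previously seen only from {sorted(seen)}, "
            f"now from {addr}"
        )
    if reply_to and reply_to not in seen:
        # Matching From but replies redirected elsewhere: a common lookalike trick.
        return "masquerade", f"Reply-To {reply_to} is not a known address for {name!r}"
    return "known", "sender address matches history for this display name"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    lookalike = (
        "From: Jane Boss <jane.boss@c0rp-example.net>\n"
        "To: bob@corp.example\nSubject: urgent invoice\n\nplease open"
    )
    print(assess(lookalike, base))
```

Note the third verdict. A message from a display name the recipient has never seen is merely “unknown”, not suspicious, which is the point of the paragraph above: an attacker who registers a throwaway domain and invents a fresh identity for a single target leaves this kind of behavioral baseline nothing to compare against, while an attacker who borrows a trusted name is caught only if the baseline already contains that name.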

At Iconix we focus on the human deception aspect of spearphishing.  Spearphishers deceive by masquerading as trusted senders. SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. To learn more, you can contact us at 408-727-6342, ext 3 or use our online form.


Malware – Life Imitates Art 3

January 17, 2013

Hawaii Five-O On CBS

The January 14, 2013 episode of the popular CBS cop show Hawaii Five-O offered us more than the great scenery we have come to expect.  It offered us three alternative endings.

What was the key lead that allowed the team to solve the case?  It was the spearphishing email that the perp sent to the victim.  In classic APT style, the email contained malware that gave the perp access to the victim’s files.

The email evidence

In the West Coast ending, the perp missed one key element of an effective APT — he used his own identity in the email attack.   If only real APT attackers left such a trail for investigators.  But they don’t.


Spearphishing Welcomes the New Year!

January 10, 2013

On January 3, 2013, Trend Micro published a research paper describing the newly discovered HeartBeat APT campaign.

Trend Micro reports that the HeartBeat campaign appears to be targeted at South Korea. The attack is estimated to have started in November of 2009. The HeartBeat campaign targets the following sectors:

  • Political parties
  • Media outfits
  • A national policy research institute
  • A military branch of South Korean armed forces
  • A small business sector organization
  • Branches of South Korean government

The attack used a custom RAT (remote access tool).  Trend Micro summarizes what the RAT does:

These commands give the attackers complete control over their victims’ systems. Attackers also have the option to uninstall the RAT any time to cover their tracks and avoid being discovered.

The RAT was probably installed using the tried and true method — spearphishing.  Trend Micro shows us the process:

Source: Trend Micro

Trend Micro tells us one way to fight this class of attack is to avoid opening email attachments and clicking embedded links from unknown sources.  Of course, the bad guys know this, too.  That is why they masquerade as trusted senders.   SP Guard from Iconix provides the ability to distinguish real email from spearphishing attacks. You can contact us at 408-727-6342, ext 3 or use our online form.