Small group cracks the biggest targets

Candid Wueest, Symantec

4-August-2015

They might be watching from your own cameras, right now.


•    They’re not only focused on Windows; they also have a back door to OS X.
•    They’re not your average script kiddies. They bought or created the tools they needed to accomplish their missions. Those tools are pretty basic, yet have flexible back doors.
•    They also use open source tools modified to exfiltrate data.
•    They engage in targeted attacks every week.

Who are they?

“We don’t think they’re state-sponsored; it’s a group of individuals who want to get a lot of money,” said Candid Wueest, Principal Threat Researcher at Symantec. “This group made a lot of noise in 2013 when they attacked large IT companies – Twitter, Facebook, Microsoft, and Apple – most of them through an exploit known as a water hole attack with a Java zero day. Even having everything up to date would not have prevented the attack.”

The group, which Symantec researchers have called “Butterfly”, created small tools for password dumping attachments for Windows machines. 

Usually a password stays in memory once a user has logged in. The tools decrypt it and dump it from memory, even if you use a strong password.

Those tools, like Mimikatz, while not on the same level as Stuxnet, are still dangerous to unaware users and administrators.

The group has very good operational security (OpSec). Some of the machines they infected they didn’t use. They cleaned up those they used via secure wiping tools, making forensic analysis impossible.

“We’ve seen a few targets, and we can only see evidence in the log files of the attack – on the infected machine itself there was no evidence of activity,” Wueest said. “Which might explain how they’ve been active for some time without raising much noise.”

Another example of good OpSec is the command and control (C&C) server. Groups usually use multiple staged or compromised machines as C&C servers.

This group used a compromised machine from Company A that communicates with the first C&C, serving as a proxy. The victim only sees one IP address, so when investigators go after that proxy there is no evidence of the real C&C.

“We managed to get the second C&C server from one attack when the victims sent us an image of the hard drive,” Wueest said. “All we found was an installation of Linux, an installation of TrueCrypt – used to encrypt files – and virtual machine software VirtualBox. They ran all communications and log files inside an encrypted version of VirtualBox. We only found the encrypted files, so we can’t start the VirtualBox, and therefore have no idea what private log files or scripts are inside.”

This is not your average basement Joe trying to steal credit cards and passwords.

Symantec identified 49 companies in about 20 countries – 17 in the USA and 4 in Canada, followed by 3 in France. One is a commodity company, another is an airline, and the other two are ISPs.

“It probably was a midsize company target, so maybe it was a worker who was traveling and connected from home or something,” Wueest said. “Looking at all 59, many were investment companies, law firms, and pharmaceutical companies. Perhaps they are hackers for hire, offering their services to find competitor information. Or they used the information for either insider trading or to sell. If you have information about upcoming releases or acquisitions you can make money in the stock market, which gives you ‘clean’ money.”

So who and where are they?

It’s nearly impossible to pinpoint who’s sitting at the keyboard. The different source code indicates the group seems to know English very well. At least one or two must be native English speakers. One is Russian and one is Romanian. They may have cut and pasted code, or perhaps they are multi-lingual.

Even though there isn’t much information on the C&C, they set the time to EST.

“Given there is so much effort to cover their tracks, the time may have been set on purpose to confuse investigators,” said Wueest. “It’s probably fewer than 10 people, with at least a few English speakers, all of whom are motivated by the money.”

Usually they went after email servers or content management systems (CMS), which makes sense, as that’s where passwords and documents are stored.

In at least one company they managed to breach the physical server controlling cameras, fire alarms, and access control (doors).

“They actually could be watching the guys in the server room who were trying to figure out what happened,” Wueest said. “Right out of Hollywood.”