Attacks/Breaches
2/20/2014 11:06 AM
Dave Kearns
Commentary

Boutique Malware & Hackers For Hire

Heads up! Small groups of cyber-mercenaries are now conducting targeted hit-and-run attacks for anyone willing to pay the price.

It’s always a pleasure to go to the Kaspersky Labs annual Analyst Summit, as I did recently. Besides good peer networking, in a convivial atmosphere, the content is always rich with information about the malware landscape and the efforts to confront it. This year was no exception.

While many of my fellow analysts have concentrated on the revelations about the newly discovered malware dubbed "The Mask" (from the Spanish word "Careto" found in the code), it was another point I found most fascinating -- and dangerous. I’ll get back to "The Mask" in a moment, but first a look at a disturbing trend in malware.

Thirty years ago, hackers were lone wolves who used their exploits to build prestige among their peers. Later, as they got older, small groups of hackers came together to feed off of and complement one another, producing more sophisticated malware. This trend probably crested with the Stuxnet worm, which, it’s claimed, had dozens of hands involved in its writing and may have cost over a million dollars to develop.

It was also the first piece of malware widely attributed to a nation-state. But, according to Kaspersky’s Costin Raiu (Director of Kaspersky Lab's Global Research & Analysis Team – GReAT), we’ve now come full circle, though with a twist. Discussing a campaign called "IceFog," Raiu cited it as an example of attacks by small groups of cyber-mercenaries who conduct brief hit-and-run operations. In other words, Hackers for Hire.

These small packs (mostly fewer than 10 people) have a library of tools that can be combined to target specific files at specific sites. They extract those files (as few as two have been noted) and then withdraw from the site. It’s a new form of industrial espionage using malware tools that have been built up over the years and are now available to anyone willing to pay the price to engage the hacking team. (Hacker1337 is just one example.)

If you are in a competitive industry, and your competition has more money than ethics, this should have you worried. Since the overwhelming majority of the attacks uncovered so far began with phishing, stopping those should be your first line of defense. (See my blog entry, “No Phishing Allowed,” for some hints.)
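As an added example of the kind of first-line check that advice implies (not code from this column or from Kaspersky), the following script triages a raw e-mail header block for the classic phishing tells: an envelope sender that does not match the visible From domain, a Reply-To that redirects replies elsewhere, a display name that smuggles in a look-alike address, and an upstream SPF/DKIM/DMARC failure. It assumes the receiving mail server has already stamped an Authentication-Results header; the two sample messages are constructed for the demonstration and every domain in them is fictitious.

```python
"""Header-based phishing triage (added example, not from the original article).

Assumptions not taken from the page: messages arrive as RFC 5322 text and the
receiving MTA has stamped an Authentication-Results header with SPF/DKIM/DMARC
verdicts.  The two sample messages below are constructed for this demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _auth_results(msg) -> dict:
    """Pull 'spf=pass', 'dkim=fail', ... out of Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = verdict.lower()
    return results


def phishing_indicators(raw: str) -> list:
    """Return the list of indicator names triggered by the message headers."""
    msg = message_from_string(raw)
    hits = []
    from_hdr = msg.get("From", "")
    from_dom = _domain(from_hdr)
    display_name, _ = parseaddr(from_hdr)

    # 1. Envelope sender (Return-Path) domain differs from the visible From domain.
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and from_dom and rp_dom != from_dom:
        hits.append("return-path-mismatch")

    # 2. Reply-To steers replies to a domain other than the From domain.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")

    # 3. Display name contains an address at a different domain, e.g.
    #    "ceo@yourco.example" <attacker@free-mail.example>.
    m = re.search(r"@([\w.-]+)", display_name)
    if m and m.group(1).lower() != from_dom:
        hits.append("display-name-spoof")

    # 4. Upstream authentication explicitly failed.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail", "permerror"):
            hits.append(f"{method}-{auth[method]}")

    return hits


# Constructed sample: a bulk-mailer sender posing as the finance department.
SUSPICIOUS = """\
Return-Path: <bounce@bulk.example.org>
Authentication-Results: mx.yourco.example; spf=fail smtp.mailfrom=bulk.example.org; dkim=none
From: "Finance Dept finance@yourco.example" <noreply@mailer.example.net>
Reply-To: <invoices@free-mail.example>
To: <alice@yourco.example>
Subject: Urgent: updated wire instructions

Please open the attached invoice.
"""

# Constructed sample: an internal notification that passes every check.
CLEAN = """\
Return-Path: <alerts@yourco.example>
Authentication-Results: mx.yourco.example; spf=pass smtp.mailfrom=yourco.example; dkim=pass header.d=yourco.example
From: "IT Alerts" <alerts@yourco.example>
To: <alice@yourco.example>
Subject: Scheduled maintenance

Nothing to do.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, phishing_indicators(raw))
```

Run it as-is to see the suspicious message trip all four checks and the clean one trip none; in practice you would feed it the headers your mail gateway exports and route anything with two or more hits to a quarantine or analyst queue rather than blocking on a single indicator, since legitimate bulk mailers routinely trigger the Return-Path check alone.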

Beneath "The Mask”
The recently uncovered campaign “The Mask” has some interesting aspects not reported in most of the stories I’ve seen. First, internal evidence leads Kaspersky’s experts to believe it was built by Spanish-speaking hackers -- a major change from the East Asian and Eastern European groups who have been most prominent in malware circles. It was noted, though, that the Spanish may be a red herring, planted deliberately to deflect forensic analysts from tracking down the source.

The second interesting point is that The Mask uses earlier, unpatched versions of Kaspersky’s own anti-malware tools as a hiding place, which proved rather galling to Raiu and his team! The third notable point, to me, is the sophistication of The Mask. As Costin noted, “this includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).”

The primary targets are government institutions; diplomatic offices and embassies; energy, oil, and gas companies; research organizations; and activists. That target list points to a state-sponsored operation, perhaps by a Spanish-speaking country, or perhaps by a less-than-fully-democratic one heavily involved in energy production. If your organization isn’t involved in those activities you are probably not a primary target, but that is no guarantee: Stuxnet was originally aimed at Iranian nuclear facilities, yet it has since spread to hundreds of organizations in dozens of countries. So you should be aware of The Mask, just as you should be aware of all current malware. Stay vigilant, my friends.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...

Comments
Marilyn Cohodas,
User Rank: Strategist
2/21/2014 | 4:24:33 PM
Re: Lone wolves turned pack of wolves
In this case, we can only hope that the mission is truly impossible.
dak3,
User Rank: Apprentice
2/20/2014 | 6:40:43 PM
Re: Lone wolves turned pack of wolves
The packs appear to form as a cooperative - each member brings certain skills/hacks to the table. They also tend to be "ad hoc" associations - brought together for a particular hit. Like a "mission impossible" team, as an example.
dak3,
User Rank: Apprentice
2/20/2014 | 6:38:09 PM
Re: Cost
Not much. I'd expect less than $10K for that. Depending on the grade - could be worth it...
Lorna Garey,
User Rank: Ninja
2/20/2014 | 1:23:43 PM
Cost
So, what does it cost to hire one of these packs, just as a ballpark? Say I wanted to get a, shall we say, less than stellar grade on a college transcript changed -- hypothetically, of course :-D
Marilyn Cohodas,
User Rank: Strategist
2/20/2014 | 11:21:57 AM
Lone wolves turned pack of wolves
Dave, I suppose that it's a natural progression that lone wolves, as they age, turn into packs that prey on sites through malware exploits. Curious about the nature of these packs. Are they organized, or do they just randomly pick their targets? Does a pack mentality work against them, in terms of remaining under law enforcement's radar? Interesting post. Thanks.