Attacks/Breaches
2/20/2014 11:06 AM
Dave Kearns
Commentary

Boutique Malware & Hackers For Hire

Heads up! Small groups of cyber-mercenaries are now conducting targeted hit-and-run attacks for anyone willing to pay the price.

It’s always a pleasure to go to the Kaspersky Labs annual Analyst Summit, as I did recently. Besides good peer networking, in a convivial atmosphere, the content is always rich with information about the malware landscape and the efforts to confront it. This year was no exception.

While many of my fellow analysts have concentrated on the revelations about the newly discovered exploit called "The Mask" (from the Spanish word "Careto" found in the code), it was another point I found most fascinating -- and dangerous. I’ll get back to "The Mask" in a moment, but first a look at the disturbing trend in malware.

Thirty years ago, hackers were lone wolves who exercised their exploits as a way to improve their prestige among their peers. Later, as they got older, small groups of hackers came together to feed off and complement each other as a way of creating more sophisticated malware. This trend probably crested with the release of the Stuxnet virus, which, it’s claimed, had dozens of hands involved in its writing and may have cost over a million dollars to develop.

It was also the first exploit definitively attributed to a nation-state. But, according to Kaspersky’s Costin Raiu (Director of Kaspersky Lab's Global Research & Analysis Team – GReAT), we’ve now come full circle, though with a twist. In talking about an exploit called "IceFog," Raiu cited it as an example of attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. In other words, Hackers for Hire.

These small packs (mostly fewer than 10 people) have a library of tools that can be combined to target specific files at specific sites. They’ll extract these files (as few as two have been noted) and then withdraw from the site. It’s a new form of industrial espionage using malware exploits that have been built up over the years and are available now to anyone willing to pay the price to engage the hacking team. (Hacker1337 is just one example.)

If you are in a competitive industry, and your competition has more money than ethics, this should have you worried. Since the overwhelming number of attacks uncovered so far began with phishing attacks, stopping those should be your first line of defense. (See my blog entry, “No Phishing Allowed,” for some hints.)

Beneath “The Mask”
The recently uncovered hack “The Mask” has some interesting aspects not reported on in most of the stories I’ve seen. First, internal evidence leads Kaspersky’s experts to believe it was built by Spanish-speaking hackers -- a major change from the East Asian and Eastern European groups who have been most prominent in malware circles. It is noted, though, that the Spanish may be a red herring, injected on purpose to deflect forensic experts from tracking down the source.

The second interesting point is that The Mask targets earlier, unpatched, versions of Kaspersky’s anti-malware tools as a hiding place, which proved rather galling to Raiu and his team! The third notable point, to me, is the sophistication of The Mask. As Costin noted, “this includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).”

The primary targets are government institutions; diplomatic offices and embassies; energy, oil, and gas companies; research organizations; and activists. This would indicate a state-sponsored attack, perhaps by a Spanish-speaking country, or perhaps a less-than-fully-democratic one heavily involved in energy production (based on the targets). If your organization isn’t involved in the target activities, you should be safe. Of course, Stuxnet was originally targeted at Iranian nuclear facilities, but it has since spread to hundreds of organizations in dozens of countries. So you should be aware of The Mask, just as you should be aware of all current malware. Stay vigilant, my friends.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ...

Comments

Marilyn Cohodas, User Rank: Strategist
2/21/2014 | 4:24:33 PM
Re: Lone wolves turned pack of wolves
In this case, we can only hope that the mission is truly impossible.
dak3, User Rank: Apprentice
2/20/2014 | 6:40:43 PM
Re: Lone wolves turned pack of wolves
The packs appear to form as a cooperative - each member brings certain skills/hacks to the table. They also tend to be "ad hoc" associations - brought together for a particular hit. Like a "mission impossible" team, as an example.
dak3, User Rank: Apprentice
2/20/2014 | 6:38:09 PM
Re: Cost
Not much. I'd expect less than $10K for that. Depending on the grade - could be worth it...
Lorna Garey, User Rank: Ninja
2/20/2014 | 1:23:43 PM
Cost
So, what does it cost to hire one of these packs, just as a ballpark? Say I wanted to get a, shall we say, less than stellar grade on a college transcript changed -- hypothetically, of course :-D
Marilyn Cohodas, User Rank: Strategist
2/20/2014 | 11:21:57 AM
Lone wolves turned pack of wolves
Dave, I suppose that it's a natural progression that lone wolves, as they age, turn into packs that prey on sites through malware exploits. Curious about the nature of these packs. Are they organized, or do they just randomly pick their targets? Does a pack mentality work against them, in terms of remaining under law enforcement's radar? Interesting post. Thanks.