Attacks/Breaches
2/20/2014
11:06 AM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Boutique Malware & Hackers For Hire

Heads up! Small groups of cyber-mercenaries are now conducting targeted hit-and-run attacks for anyone willing to pay the price.

It’s always a pleasure to go to the Kaspersky Labs annual Analyst Summit, as I did recently. Besides good peer networking, in a convivial atmosphere, the content is always rich with information about the malware landscape and the efforts to confront it. This year was no exception.

While many of my fellow analysts have concentrated on the revelations about the newly discovered exploit called "The Mask" (from the Spanish word "Careto" found in the code), it was another point I found most fascinating -- and dangerous. I’ll get back to "The Mask" in a moment, but first a look at the disturbing trend in malware.

Thirty years ago, hackers were lone wolves who exercised their exploits as a way to improve their prestige among their peers. Later, as they got older, small groups of hackers came together to feed off of and complement each other as a way of creating more sophisticated malware. This trend probably crested with the release of the Stuxnet virus, which, it’s claimed, had dozens of hands involved in its writing and may have cost over a million dollars to develop.

It was also the first exploit which was definitely attributed to a nation-state. But, according to Kaspersky’s Costin Raiu (Director of Kaspersky Lab's Global Research & Analysis Team – GreAT) we’ve now come full circle, though with a twist. In talking about an exploit called "IceFog," Raiu noted it as an example of attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. In other words, Hackers for Hire.

These small packs (mostly less than 10 people) have a library of tools that can be combined to target specific files at specific sites. They’ll extract these files (as few as two have been noted) then withdraw from the site. It’s a new form of industrial espionage using malware exploits that have been built up over the years and are available now to anyone willing to pay the price to engage the hacking team. (Hacker1337 is just one example.)

If you are in a competitive industry, and your competition has more money than ethics, this should have you worried. Since the overwhelming number of attacks so far uncovered began with phishing attacks, stopping those should be your first line of defense. (See my blog entry, “No Phishing Allowed” for some hints.)

Beneath "The Mask”
The recently uncovered hack “The Mask” has some interesting aspects not reported on in most of the stories I’ve seen. First, internal evidence leads Kaspersky’s experts to believe it was built by Spanish-speaking hackers -- a major change from the east Asian and eastern European groups who have been most prominent in malware circles. It is noted, though, that the Spanish may be a red herring, injected on purpose to deflect forensic experts from tracking down the source.

The second interesting point is that The Mask targets earlier, unpatched, versions of Kaspersky’s anti-malware tools as a hiding place, which proved rather galling to Raiu and his team! The third notable point, to me, is the sophistication of The Mask. As Costin noted, “this includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).”

The primary targets are government institutions; diplomatic offices and embassies; energy, oil, and gas companies; research organizations; and activists. This would indicate a state-sponsored attack, perhaps by a Spanish-speaking country, or perhaps a less-than-fully-democratic one heavily involved in energy production (based on the targets). If your organization isn’t involved in the target activities you should be safe. Of course, originally Stuxnet was targeted at Iranian nuclear facilities, but has since spread to hundreds of organizations in dozens of countries. So you should be aware of The Mask, just as you should be aware of all current malware. Stay vigilant, my friends.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/21/2014 | 4:24:33 PM
Re: Lone wolves turned pack of wolves
In this case, we  can only hope that the mission is truly impossible.
dak3
50%
50%
dak3,
User Rank: Apprentice
2/20/2014 | 6:40:43 PM
Re: Lone wolves turned pack of wolves
The packs appear to form as a cooperative - each member brings certain skills/hacks to the table. They also tend to be "ad hoc" associations - brought together for a particular hit. Like a "mission impossible" team, as an example.
dak3
50%
50%
dak3,
User Rank: Apprentice
2/20/2014 | 6:38:09 PM
Re: Cost
Not much. I'd expect less than $10K for that. Depending on the grade - could be worth it...
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/20/2014 | 1:23:43 PM
Cost
So, what does it cost to hire one of these packs, just as a ballpark? Say I wanted to get a, shall we say, less than stellar grade on a college transcript changed -- hypothetically, or course :-D
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/20/2014 | 11:21:57 AM
Lone wolves turned pack of wolves
Dave, I suppose that its a natural progression that lone wolves, as they age, turn into packs that prey on sites through malware exploits. Curious about the nature of these packs. Are they organized or just randomly pick their targets? Does a pack mentality work against them, in terms of remaining under law enforcements radar? Interesting post. Thanks.

 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio