Attacks/Breaches
2/20/2014
11:06 AM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Boutique Malware & Hackers For Hire

Heads up! Small groups of cyber-mercenaries are now conducting targeted hit-and-run attacks for anyone willing to pay the price.

It’s always a pleasure to go to the Kaspersky Labs annual Analyst Summit, as I did recently. Besides good peer networking, in a convivial atmosphere, the content is always rich with information about the malware landscape and the efforts to confront it. This year was no exception.

While many of my fellow analysts have concentrated on the revelations about the newly discovered exploit called "The Mask" (from the Spanish word "Careto" found in the code), it was another point I found most fascinating -- and dangerous. I’ll get back to "The Mask" in a moment, but first a look at the disturbing trend in malware.

Thirty years ago, hackers were lone wolves who exercised their exploits as a way to improve their prestige among their peers. Later, as they got older, small groups of hackers came together to feed off of and complement each other as a way of creating more sophisticated malware. This trend probably crested with the release of the Stuxnet virus, which, it’s claimed, had dozens of hands involved in its writing and may have cost over a million dollars to develop.

It was also the first exploit which was definitely attributed to a nation-state. But, according to Kaspersky’s Costin Raiu (Director of Kaspersky Lab's Global Research & Analysis Team – GreAT) we’ve now come full circle, though with a twist. In talking about an exploit called "IceFog," Raiu noted it as an example of attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. In other words, Hackers for Hire.

These small packs (mostly less than 10 people) have a library of tools that can be combined to target specific files at specific sites. They’ll extract these files (as few as two have been noted) then withdraw from the site. It’s a new form of industrial espionage using malware exploits that have been built up over the years and are available now to anyone willing to pay the price to engage the hacking team. (Hacker1337 is just one example.)

If you are in a competitive industry, and your competition has more money than ethics, this should have you worried. Since the overwhelming number of attacks so far uncovered began with phishing attacks, stopping those should be your first line of defense. (See my blog entry, “No Phishing Allowed” for some hints.)

Beneath "The Mask”
The recently uncovered hack “The Mask” has some interesting aspects not reported on in most of the stories I’ve seen. First, internal evidence leads Kaspersky’s experts to believe it was built by Spanish-speaking hackers -- a major change from the east Asian and eastern European groups who have been most prominent in malware circles. It is noted, though, that the Spanish may be a red herring, injected on purpose to deflect forensic experts from tracking down the source.

The second interesting point is that The Mask targets earlier, unpatched, versions of Kaspersky’s anti-malware tools as a hiding place, which proved rather galling to Raiu and his team! The third notable point, to me, is the sophistication of The Mask. As Costin noted, “this includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).”

The primary targets are government institutions; diplomatic offices and embassies; energy, oil, and gas companies; research organizations; and activists. This would indicate a state-sponsored attack, perhaps by a Spanish-speaking country, or perhaps a less-than-fully-democratic one heavily involved in energy production (based on the targets). If your organization isn’t involved in the target activities you should be safe. Of course, originally Stuxnet was targeted at Iranian nuclear facilities, but has since spread to hundreds of organizations in dozens of countries. So you should be aware of The Mask, just as you should be aware of all current malware. Stay vigilant, my friends.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/21/2014 | 4:24:33 PM
Re: Lone wolves turned pack of wolves
In this case, we  can only hope that the mission is truly impossible.
dak3
50%
50%
dak3,
User Rank: Apprentice
2/20/2014 | 6:40:43 PM
Re: Lone wolves turned pack of wolves
The packs appear to form as a cooperative - each member brings certain skills/hacks to the table. They also tend to be "ad hoc" associations - brought together for a particular hit. Like a "mission impossible" team, as an example.
dak3
50%
50%
dak3,
User Rank: Apprentice
2/20/2014 | 6:38:09 PM
Re: Cost
Not much. I'd expect less than $10K for that. Depending on the grade - could be worth it...
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/20/2014 | 1:23:43 PM
Cost
So, what does it cost to hire one of these packs, just as a ballpark? Say I wanted to get a, shall we say, less than stellar grade on a college transcript changed -- hypothetically, or course :-D
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/20/2014 | 11:21:57 AM
Lone wolves turned pack of wolves
Dave, I suppose that its a natural progression that lone wolves, as they age, turn into packs that prey on sites through malware exploits. Curious about the nature of these packs. Are they organized or just randomly pick their targets? Does a pack mentality work against them, in terms of remaining under law enforcements radar? Interesting post. Thanks.

 

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.