Security consultants and the feds are tracking a dozen groups--all out of China--responsible for advanced threats.
Concerned with the amount of U.S. intellectual property being stolen from corporate networks, a group of security professionals sat down and compared notes on the various groups they tracked. They came up with an approximate tally of attackers targeting the intellectual property of U.S. and multinational companies: An even dozen, and all thought to be Chinese.
High-tech firms, oil companies, and defense contractors have all fallen prey to the 12 teams out to steal trade secrets and sensitive or classified information. While attempting to identify and count the groups behind the attacks may seem like an academic exercise, it's not, says Jon Ramsey, executive director of Dell Secureworks' counter threat unit.
"In the general scheme of things, knowing who your enemy is, is enlightening," he says.
One group, for example, is called the Comment Crew by Dell Secureworks because of its signature tactic of embedding command-and-control information in the comments of Web pages.
"Understanding that, if you wanted to deal with the major attack from this one group, you can strip all comments out of the HTML pages as they come into your Web proxy," Ramsey says. "That is a pretty effective technique to deal with this one group."
Moreover, knowing whether an attacker is part of the advanced persistent threat (APT)--the term coined by the defense industry for attackers that don't go away--can determine whether a company calls in help. When a company suspects that a persistent attacker has set up shop inside their network, kicking them back out again is not easy, Richard Bejtlich, chief security officer for security consulting firm Mandiant, said in a recent interview.
Various attributes can be used to classify attackers into groups, including their tools and techniques, the characteristics of their infrastructure, and their targets. Mandiant, for example, keeps dossiers on the 12 groups it tracks, and when called in by a client, compares and gathers network intelligence with what it knows about the usual suspects. The company can analyze an incident under investigation and match it to various groups' modes of operation, including their tools, the passwords, the encryption used, their command-and-control infrastructure, and their targets.
Published: 2014-09-18 GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...
Published: 2014-09-18 Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
Published: 2014-09-18 Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.
Published: 2014-09-18 Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.