Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/20/2014
11:06 AM
Dave Kearns
Dave Kearns
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Boutique Malware & Hackers For Hire

Heads up! Small groups of cyber-mercenaries are now conducting targeted hit-and-run attacks for anyone willing to pay the price.

It’s always a pleasure to go to the Kaspersky Labs annual Analyst Summit, as I did recently. Besides good peer networking, in a convivial atmosphere, the content is always rich with information about the malware landscape and the efforts to confront it. This year was no exception.

While many of my fellow analysts have concentrated on the revelations about the newly discovered exploit called "The Mask" (from the Spanish word "Careto" found in the code), it was another point I found most fascinating -- and dangerous. I’ll get back to "The Mask" in a moment, but first a look at the disturbing trend in malware.

Thirty years ago, hackers were lone wolves who exercised their exploits as a way to improve their prestige among their peers. Later, as they got older, small groups of hackers came together to feed off of and complement each other as a way of creating more sophisticated malware. This trend probably crested with the release of the Stuxnet virus, which, it’s claimed, had dozens of hands involved in its writing and may have cost over a million dollars to develop.

It was also the first exploit which was definitely attributed to a nation-state. But, according to Kaspersky’s Costin Raiu (Director of Kaspersky Lab's Global Research & Analysis Team – GreAT) we’ve now come full circle, though with a twist. In talking about an exploit called "IceFog," Raiu noted it as an example of attacks by small groups of cyber-mercenaries who conduct small hit-and-run attacks. In other words, Hackers for Hire.

These small packs (mostly less than 10 people) have a library of tools that can be combined to target specific files at specific sites. They’ll extract these files (as few as two have been noted) then withdraw from the site. It’s a new form of industrial espionage using malware exploits that have been built up over the years and are available now to anyone willing to pay the price to engage the hacking team. (Hacker1337 is just one example.)

If you are in a competitive industry, and your competition has more money than ethics, this should have you worried. Since the overwhelming number of attacks so far uncovered began with phishing attacks, stopping those should be your first line of defense. (See my blog entry, “No Phishing Allowed” for some hints.)

Beneath "The Mask”
The recently uncovered hack “The Mask” has some interesting aspects not reported on in most of the stories I’ve seen. First, internal evidence leads Kaspersky’s experts to believe it was built by Spanish-speaking hackers -- a major change from the east Asian and eastern European groups who have been most prominent in malware circles. It is noted, though, that the Spanish may be a red herring, injected on purpose to deflect forensic experts from tracking down the source.

The second interesting point is that The Mask targets earlier, unpatched, versions of Kaspersky’s anti-malware tools as a hiding place, which proved rather galling to Raiu and his team! The third notable point, to me, is the sophistication of The Mask. As Costin noted, “this includes an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).”

The primary targets are government institutions; diplomatic offices and embassies; energy, oil, and gas companies; research organizations; and activists. This would indicate a state-sponsored attack, perhaps by a Spanish-speaking country, or perhaps a less-than-fully-democratic one heavily involved in energy production (based on the targets). If your organization isn’t involved in the target activities you should be safe. Of course, originally Stuxnet was targeted at Iranian nuclear facilities, but has since spread to hundreds of organizations in dozens of countries. So you should be aware of The Mask, just as you should be aware of all current malware. Stay vigilant, my friends.

Dave Kearns is a senior analyst for Kuppinger-Cole, Europe's leading analyst company for identity-focused information security and networking. His columns and books have provided a thorough grounding in the basic philosophies of directory technology, networking, and identity ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 2:37:43 PM
Re: Lone wolves turned pack of wolves
These are exactly the types of teams I have always encouraged use of, especially in offensive security situations.  The law is difficult when you are trying to protect data that is under attack, and passive security is no longer an option.  Our government certainly engages teams like this when dealing with the more problematic foreign actors targeting our infrastructure, for instance.  In order to keep teams like this on the right side of the law, we need to get laws changed and moved into the modern era.  We could be doing so much better as a technical leader in the world if we had more freedom in how we combat cybercrime.  Packs like this could turn the tide if used right.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/21/2014 | 4:24:33 PM
Re: Lone wolves turned pack of wolves
In this case, we  can only hope that the mission is truly impossible.
dak3
50%
50%
dak3,
User Rank: Moderator
2/20/2014 | 6:40:43 PM
Re: Lone wolves turned pack of wolves
The packs appear to form as a cooperative - each member brings certain skills/hacks to the table. They also tend to be "ad hoc" associations - brought together for a particular hit. Like a "mission impossible" team, as an example.
dak3
50%
50%
dak3,
User Rank: Moderator
2/20/2014 | 6:38:09 PM
Re: Cost
Not much. I'd expect less than $10K for that. Depending on the grade - could be worth it...
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
2/20/2014 | 1:23:43 PM
Cost
So, what does it cost to hire one of these packs, just as a ballpark? Say I wanted to get a, shall we say, less than stellar grade on a college transcript changed -- hypothetically, or course :-D
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/20/2014 | 11:21:57 AM
Lone wolves turned pack of wolves
Dave, I suppose that its a natural progression that lone wolves, as they age, turn into packs that prey on sites through malware exploits. Curious about the nature of these packs. Are they organized or just randomly pick their targets? Does a pack mentality work against them, in terms of remaining under law enforcements radar? Interesting post. Thanks.

 

 
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10062
PUBLISHED: 2021-05-13
The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
CVE-2020-23995
PUBLISHED: 2021-05-13
An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.
CVE-2020-23996
PUBLISHED: 2021-05-13
A local file inclusion vulnerability in ILIAS before 5.3.19, 5.4.10 and 6.0 allows remote authenticated attackers to execute arbitrary code via the import of personal data.
CVE-2021-29510
PUBLISHED: 2021-05-13
Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patche...
CVE-2021-23906
PUBLISHED: 2021-05-13
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.