
Chinese "Hidden Lynx" Hackers Launch Widespread APT Attacks

Symantec says advanced persistent attack operators are tied to hundreds of cyber break-ins, including Operation Aurora against Google.

Hidden Lynx's bona fides include inventing the "watering hole" attack technique, which involves compromising a third-party website to infect its visitors with malware, thus allowing attackers to gain access to their true target. That attack technique was seen earlier this year in the compromise of an iOS development site, which led to intrusions at Apple, Facebook, Microsoft and Twitter. Although that attack wasn't ascribed to Hidden Lynx, it shows how quickly the group's cutting-edge techniques are adopted by competitors.

The hackers inside Hidden Lynx also appear to have had early access to multiple zero-day vulnerabilities, which means the group might have discovered the related code bugs itself. Regardless, having such exploits at hand would give the group's attacks a much greater chance of success, because many targeted businesses or government agencies wouldn't have defenses in place.

Given the group's capabilities, it "could easily consist of 50 to 100 individuals," said Symantec, noting that the hackers appear to have been grouped into two different teams, each of which employs a different range of attack tools and techniques. Symantec has dubbed one of these groups "Team Moudoor," after the name of a well-known Trojan -- often used by the group -- that's a customized version of the backdoor "Gh0st RAT" malware. In general, this team "uses disposable tools along with basic but effective techniques to attack many different targets," and apparently doesn't care if its attack tools get spotted. Symantec said one of the group's main functions might simply be to gather intelligence on targets.

The second group, dubbed Team Naid, is more of an elite unit that appears to be tasked with cracking "the most valuable or toughest targets," according to Symantec. Its principal weapon appears to be the Naid Trojan, which "is used sparingly and with care to avoid detection and capture, like a secret weapon that is only used when failure is not an option." Interestingly, the Naid Trojan has been recovered from several high-profile and relatively advanced intrusions, including the 2009 Aurora attacks that compromised Google and other businesses.

As that suggests, the hackers appear to be both technically sophisticated and thorough. For example, in July 2012, when Team Naid was attempting to hack into defense contractors, it found itself blocked by trust-based protection software from security vendor Bit9. In response, the Naid attackers turned their sights on Bit9 itself. The attackers used a SQL injection attack to hack into Bit9's network, identified how files were signed using the company's protection mechanisms, then signed a number of their own malicious files, which they used to attack U.S. defense contractors. Bit9 ultimately publicly revealed the attacks in February 2013.

But Symantec said that the Bit9 compromise was part of a much larger series of attacks, known as the VOHO campaign -- first discovered by security firm RSA -- that ultimately compromised 4,000 machines at hundreds of U.S. organizations. Compromised organizations included technology firms, government agencies, financial services firms and educational institutions, among others.

One result of the success of a "hackers for hire" service such as Hidden Lynx is that, as noted, other attackers have likely been learning from the group's success and emulating its techniques. At the same time, "the Hidden Lynx group is not basking in their past glories," said Symantec. "They are continuing to refine and streamline their operations and techniques to stay one step ahead of their competition."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32716
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 the admin api has exposed some internal hidden fields when an association has been loaded with a to many reference. Users are recommend to update to version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-U...
CVE-2021-32717
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibilit...
CVE-2021-32712
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32713
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Versions prior to 5.6.10 suffer from an authenticated stored XSS in administration vulnerability. Users are recommend to update to the version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.
CVE-2021-32710
PUBLISHED: 2021-06-24
Shopware is an open source eCommerce platform. Potential session hijacking of store customers in versions below 6.3.5.2. We recommend to update to the current version 6.3.5.2. You can get the update to 6.3.5.2 regularly via the Auto-Updater or directly via the download overview. For older versions o...