Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/27/2013
02:18 PM
50%
50%

G20 Summit Becomes Bait For Cyberespionage Attacks

The upcoming G20 Summit in Russia is being used as a lure in a spate of APT-style attacks

With the G-20 Summit a little more than a week away, cyberattackers are using the conference as a theme as they target government and financial institutions.

According to Rapid7, multiple groups -- potentially originating in China -- are responsible for the attacks, including a prominent group known as the Calc Team or APT-12 that has been tied to an attack on The New York Times.

"Within the security community there's the firm belief that the Calc Team is an espionage group operating from China, which originally stood out due to the use of a peculiar algorithm used to calculate the connection details to their Command & Control servers (C&C) out of an initial DNS request," blogs Rapid7 security researcher Claudio Guarnieri. "[This] group has been tracked by researchers for years and is believed to be responsible of numerous attacks against government agencies, financial institutions and defense contractors."

The recent attacks all use the upcoming G20 conference -- scheduled for Sept. 5 and 6 in St. Petersburg, Russia -- as a theme for the bait. The first of the ongoing G20-themed attacks tied to the group was detected in May, and featured a PDF document outlining a development agenda for the Russian presidency, as well as a second document entitled "Global Partnership for Financial Inclusion Work Plan 2013."

"Both are clearly Windows executable files that try to disguise as PDF documents," the researcher notes. "As commonly happen, no exploit has been used here and the attacker uniquely relied on social engineering the targets to open and execute the files contained in the archive. Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion."

Earlier this month, two more attacks tied to the group using other G20-themed booby-trapped documents were detected, as well. Once the malware is on the system, it is then used to download additional malware and log the keystrokes of users. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key with GetKeyState Windows API. Currently, the command-and-control used by the attackers remains active.

"Assuming that the chain of attribution to Calc is correct, it's interesting to observe that despite major international exposure after The New York Times incident, the intrusion group/s behind these attacks is still operational and doesn't seem to have been affected by the sudden attention received by newspapers and researchers," Guarnieri blogs.

"Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it's remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect," he adds. "As also pointed out by FireEye, the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers, which combined with the lack of exploitation involved, it leaves a large responsibility on the targeted user to be able to recognize the social engineering attempt and isolate the attack."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9008
PUBLISHED: 2020-02-25
Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.
CVE-2020-9018
PUBLISHED: 2020-02-25
LiteCart through 2.2.1 allows admin/?app=users&doc=edit_user CSRF to add a user.
CVE-2020-9019
PUBLISHED: 2020-02-25
The WPJobBoard plugin 5.5.3 for WordPress allows Persistent XSS via the Add Job form, as demonstrated by title and Description.
CVE-2020-9391
PUBLISHED: 2020-02-25
An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6 on the AArch64 architecture. It ignores the top byte in the address passed to the brk system call, potentially moving the memory break downwards when the application expects it to move upwards, aka CID-dcde237319e6. This has been ...
CVE-2020-8793
PUBLISHED: 2020-02-25
OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.