
Attacks/Breaches

8/23/2012
01:53 PM

Gauss Researchers Collide

Kaspersky Lab's sinkhole for the malware mistaken by FireEye researchers as live Gauss activity

[UPDATE 7:40 p.m./Editor's Note: FireEye has now issued a new blog confirming that it mistook another security firm's sinkhole server for Gauss malware activity (see below).]

Sometimes researchers bump into other researchers when studying the same malware -- and if they don't realize it, that can lead them to draw the wrong conclusions.

That's what happened when FireEye earlier today concluded that the sophisticated Gauss attack had re-emerged and was reaching out to Flame's command-and-control (C&C) servers for instructions. FireEye announced in a blog post that it had caught Gauss -- which had gone dormant after its initial discovery recently -- back in action and using the C&C infrastructure of the Flame/SkyWiper attack to receive instructions. The machines were resolving to an IP address in The Netherlands, Ali Islam, FireEye's senior malware researcher, told Dark Reading in an interview today about the findings. That was final confirmation that the Gauss and Flame operators were one and the same, he said in the interview.

But minutes after reports of the findings went live, researchers from Kaspersky Lab lit up Twitter with posts pointing out what they said was an error in FireEye's findings: The activity FireEye was seeing came from the sinkhole Kaspersky had set up to study Gauss and Flame. Gauss had not come back to life, they said.

"FireEye's post about the Gauss C2 samples connecting to the same servers as Flame are actually our sinkholes they're looking at. With some easy Googling and checking on WhoIs, researchers could have verified all of this," said Alexander Gostev, chief security expert at Kaspersky Lab.

FireEye later pulled down its original post, and tweeted this: "We determined there was an error in our conclusions in our earlier blog of today. We are updating our blog, so please check back soon."

[UPDATE]: FireEye has now published a new post confirming that it had misidentified the sinkhole server as live Gauss C&C activity.

"In our post earlier today, we concluded that there was some sort of relationship between the Gauss and Flame malware actors based on observing CnC communication going to the Flame CnC IP address. At the same time, the CnC domains of Gauss were sink-holed to the same CnC IP. There was no indication or response in the communication originating from the CnC server to indicate that it may have been owned by another member of the security research community. In light of new information shared by the security community, we now know that our original conclusions were incorrect and we cannot associate these two malware families based solely upon these common CnC coordinates," FireEye wrote in its updated post.

"We apologize for any confusion that has resulted from our earlier assumptions. Unfortunately, the lack of a common information exchange about such activities can result in misleading conclusions," the post said.

Kaspersky's Gostev, meanwhile, explained that his firm had been "working with several organizations to investigate the command & control (C2) servers with sinkholes. Given Flame's connection with Gauss, the sinkhole process was being organized to monitor both the Flame and Gauss C2 infrastructures," he said.

He emphasized that Gauss's C&C infrastructure is different from Flame's, and that the Gauss C&Cs have been dormant since July. "During the process of initiating the investigation into Gauss C2s and creating sinkholes we notified trusted members of the security and anti-malware community about the sinkhole IP and operation so that they were aware of any activity," he said.

Researchers at Kaspersky Lab, who first discovered Gauss in June while studying Flame, have said all along that they believe the two malware families are likely related: They share similar architectural platforms, module structures, code bases, and means of communication with C&C servers.

Gauss is a cyberespionage toolkit aimed at stealing browser passwords, online banking account credentials, cookies, and specifics on the configurations of machines it infects. It mainly targets Middle East banks, namely Lebanese banks such as the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais, as well as users of Citibank and PayPal.

Flame already has been tied to Stuxnet, so the theory is that Gauss is yet another cyberspying weapon for the well-funded, well-oiled operation with its sight set on the Middle East, but mostly on Iran. Published reports have said the U.S. and Israel are behind the operations.

Last week, Kaspersky Lab decided to "crowdsource" the cracking of the mysterious and heavily fortified Gauss payload, asking crypto experts to help them break the encryption hiding what's inside. Gauss uses a 128-bit RC4 key, which proved resistant to Kaspersky's brute-force hacking efforts.

Below is the original story posted this morning, based on information from FireEye's now-defunct blog post:

The stalled Gauss malware attack has come alive again, this time reaching out to the command-and-control servers of Flame -- providing researchers further confirmation that the two sophisticated malware families are related and run by the same attackers.

FireEye Labs today revealed that it had caught Gauss -- which had gone dormant after its initial discovery recently -- back in action and using the C&C infrastructure of the Flame/SkyWiper attack to receive instructions. The machines are resolving to an IP address in The Netherlands.

"As a security researcher, you can't ask for more evidence, considering everything Kaspersky [had found as well]. You have to believe that they are" the same people behind the two attacks, says Ali Islam, senior malware researcher for FireEye.

More machines are being hit by Gauss now as well, Islam says, two of which were at two major U.S. companies. "We can't name them because they are our customers. They [the attackers] may be using those networks because they are really important," Islam says.

Even so, the targets are primarily Lebanese banks, as was first noticed with Gauss, he says.

Researchers at Kaspersky Lab, who first discovered Gauss in June while studying Flame, have said all along that they believe the two malware families are likely related: They share similar architectural platforms, module structures, code bases, and means of communication with C&C servers.

Gauss is a cyberespionage toolkit aimed at stealing browser passwords, online banking account credentials, cookies, and specifics on the configurations of machines it infects. It mainly targets Middle East banks, namely Lebanese banks such as the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais, as well as users of Citibank and PayPal.

Flame already has been tied to Stuxnet, so the theory is that Gauss is yet another cyberspying weapon for the well-funded, well-oiled operation with its sight set on the Middle East, but mostly on Iran. Published reports have said the U.S. and Israel are behind the operations.

Last week, Kaspersky Lab decided to "crowdsource" the cracking of the mysterious and heavily fortified Gauss payload, asking crypto experts to help them break the encryption hiding what's inside. Gauss uses a 128-bit RC4 key, which proved resistant to Kaspersky's brute-force hacking efforts.

Another interesting twist with the Gauss attacks: The attackers don't appear to be trying to hide behind their domain names. "It seems like these guys are getting more confident and blatant with each passing day. Previously in case of Flame, anonymity feature was used while registering domains, they could have done the same for Gauss but they opted for fake names like Adolph Dybevek, Gilles Renaud etc. and now they are openly sharing resources and adding more modules/functionalities (banking as recent example) to their malicious software," FireEye said.

Gauss began operations around September 2011, and its C&C infrastructure was shut down last month, shortly after its discovery. Since late May 2012, more than 2,500 infections were recorded by Kaspersky Lab. The two main C&C domains previously were resolving to IP addresses in Portugal and India, according to FireEye.

"We should be very careful because they're infecting a few more machines and some important networks, and maybe they will use that information for future attacks in the coming days," FireEye's Islam says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
