A highly sophisticated group of hackers who use cutting-edge techniques to shield their attacks from detection has been bedeviling corporations around the world for several years.
The group, which Symantec dubbed “Morpho” and Kaspersky Lab calls “Wild Neutron,” has hit multibillion-dollar corporations in the Internet, software, pharmaceutical and commodities sectors in at least 11 countries.
It’s believed to have been behind attacks on Twitter, Apple, Microsoft and Facebook in 2013.
The victims also include bitcoin companies, the Ansar Al-Mujahideen English jihadist forum, and spyware developer FlexiSpy, which muddies the waters as to the gang’s intentions.
Morpho, or Wild Neutron, is technically proficient, has plenty of resources, and has developed custom malware tools targeting Windows and Apple OSes.
It has used at least one zero-day vulnerability in its attacks.
The group maintains a low profile and cleans up after itself before moving on to a new target.
It appears to have a good working knowledge of the organizations it attacks, and it focuses on stealing specific kinds of information, Symantec said.
In several attacks, the group has compromised Microsoft Exchange or Lotus Domino email servers in order to intercept company emails and, possibly, send counterfeit emails.
The group also has attacked enterprise content management systems and specialist systems.
You Say Tomato…
The group used the OSX.Pintsized backdoor to attack Mac OS X and the Backdoor.Jiripbot for Windows systems, said Symantec.
The group uses a verification certificate stolen from Acer — which is now being revoked — and an unknown Flash Player exploit to launch its attacks, according to Kaspersky Lab.
The exploit delivers a malware dropper package to victims.
The main backdoor is no different from those used in other remote access tools, noted Kaspersky. The distinguishing marks of the group are the care it takes to hide its command-and-control server’s address, and its ability to recover from a C&C shutdown.
“We believe the infection vector discussed by Symantec and Kaspersky is the same,” said Vikram Thakur, Symantec’s principal research manager, when asked why the company’s assessment of the techniques used by the gang differed from Kaspersky Lab’s.
“Our telemetry stops short of telling us what issue within Internet Explorer was problematic,” he told TechNewsWorld.
Different security companies “have different users and abilities to detect attacks,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab.
Another point of difference is in the identification of the cybercriminals.
The malware’s documentation is written in fluent English, and the cybercriminals display some knowledge of English-speaking pop culture, Symantec noted.
However, the group’s origin is unclear, Kaspersky said, pointing out that some samples have a Romanian phrase to mark the end of C&C communications, and some a Latin transcription of the Russian word “uspeshno,” which means “successfully.”
The Few, the Proud, the Chosen?
When OSX.Pintsized was discovered in 2013, Symantec rated its risk level as very low. The company did the same for Backdoor.Jiripbot in 2014.
Although Symantec and Kaspersky Lab are raising red flags now, there’s no real need for alarm among the general public.
“Since 2012, we’ve seen the threat in less than 50 organizations, which shows the extreme targeted nature of the threat,” Symantec’s Thakur pointed out. “A vast majority of the millions of Symantec customers are not likely to be at the receiving end of the Morpho group.”
Still, the gang is a threat, because “nobody can guarantee a 100 percent defense against unknown attacks,” Kaspersky Lab’s Raiu told TechNewsWorld.
Further, the gang’s reported incursions may be only the tip of the iceberg — 85 percent of 150 IT professionals Lieberman Software surveyed in May said many huge financial hacks go unreported.
Cybercriminals will become more professional and cost businesses more than US$2 trillion by 2019, Juniper Research predicted.
Layered security approaches “will indeed work,” Thakur asserted. “These attacks were detected and blocked in many organizations.”
“Keep all third-party software updated, install a comprehensive Internet security solution on all endpoints and servers, and educate employees about risks,” Raiu advised. “In practice, 85 percent of all targeted attacks can be mitigated with four simple strategies.
Social CRMSee all Social CRM