Securo-boffins uncover new GLOBAL cyber-espionage operation

Two-pronged attack hits victims in 100 countries

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.

Trend Micro researchers, who have dubbed the operation SafeNet, have found victims in as many as 100 countries.

SafeNet targets potential marks with spear-phishing emails carrying a malicious Office attachment that exploits CVE-2012-0158, a flaw in the MSCOMCTL.OCX Windows common controls library that Microsoft patched in April 2012.

The operation appears to comprise two campaigns linked by the same strain of malware but run on separate command-and-control infrastructures.

One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The lure used in the second strand has yet to be identified but appears to have broader appeal, since this part of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest.

A misconfigured command server, which left its directory listings open to anyone who browsed to it, allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the campaign.

One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

Nearly 12,000 unique IP addresses spread across more than 100 countries connected to the two sets of command-and-control (C&C) infrastructure associated with the SafeNet malware.

Trend's researchers reckon the average number of actual victims was 71 per day, with few if any changes from day to day. The gap between that figure and the raw IP count is what you would expect when infected hosts on dynamically assigned addresses reappear under a new IP each time they reconnect. "This indicates that the actual number of victims is far less than the number of unique IP addresses," according to the security researchers.
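The distinction between unique IPs and actual victims is the kind of thing an incident responder has to work out from C&C check-in logs. The following is an added example, not code from the Trend Micro paper or from this article: it parses a constructed set of beacon records, counts unique source IPs, then counts distinct victims per day using a per-host identifier in the beacon (a hypothetical bot_id field, since the real SafeNet beacon format is not described here) and measures how many addresses each infected host was seen from.

```python
"""Added example (not from the Trend Micro paper or The Register article):
estimate the real victim population behind C&C check-in logs.

Unique source IPs over-count victims because infected hosts on dynamic
(DHCP / mobile / dial-up) addresses re-appear under a new IP every day,
while a per-host identifier in the beacon (here a hypothetical 'bot_id'
field) stays constant.  The log lines below are constructed for the
example and use documentation address ranges.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample of C&C access-log style beacons: date, source IP, bot id.
SAMPLE_LOG = """\
2013-05-01 203.0.113.10 BOT-0001
2013-05-01 203.0.113.11 BOT-0002
2013-05-01 198.51.100.5 BOT-0003
2013-05-02 203.0.113.50 BOT-0001
2013-05-02 203.0.113.51 BOT-0002
2013-05-02 198.51.100.5 BOT-0003
2013-05-03 203.0.113.90 BOT-0001
2013-05-03 203.0.113.91 BOT-0002
2013-05-03 198.51.100.5 BOT-0003
2013-05-03 192.0.2.77 BOT-0004
"""


def parse_beacons(text):
    """Parse 'date ip bot_id' lines into (day, ip, bot_id) tuples.

    Blank or malformed lines are skipped rather than aborting the run,
    since real C&C logs are rarely clean."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, ip, bot_id = parts
        records.append((day, ip, bot_id))
    return records


def unique_ips(records):
    """The naive headline number: distinct source addresses ever seen."""
    return len({ip for _, ip, _ in records})


def victims_per_day(records):
    """Map each day to the number of distinct bot ids that checked in."""
    per_day = defaultdict(set)
    for day, _, bot_id in records:
        per_day[day].add(bot_id)
    return {day: len(ids) for day, ids in sorted(per_day.items())}


def average_daily_victims(records):
    """Average of the per-day distinct-victim counts (the '71 per day' figure)."""
    counts = victims_per_day(records)
    return mean(counts.values()) if counts else 0.0


def ip_churn_ratio(records):
    """Average number of distinct IPs each bot was seen from.

    A ratio well above 1 means the unique-IP count overstates the
    victim population, typically because of dynamic addressing."""
    ips_per_bot = defaultdict(set)
    for _, ip, bot_id in records:
        ips_per_bot[bot_id].add(ip)
    return mean(len(v) for v in ips_per_bot.values()) if ips_per_bot else 0.0


if __name__ == "__main__":
    recs = parse_beacons(SAMPLE_LOG)
    print("unique IPs:", unique_ips(recs))
    print("victims per day:", victims_per_day(recs))
    print("average daily victims:", average_daily_victims(recs))
    print("IPs per bot:", ip_churn_ratio(recs))
```

On the constructed sample, eight unique IPs collapse to three or four victims a day, because two of the four hosts show up from a different address every day. The same calculation on a real log would also need the researchers' own scanners and sandboxes filtered out, which is a further reason raw IP counts run high.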

The people behind the attack connect to the command servers through VPNs and the Tor anonymiser network, so little evidence about where they are based can be recovered from the command nodes running the campaign. However, clues in the code have led Trend's researchers to speculate that the malware, at least, was written in China.

"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.

"However, the relationship between the malware developers and the campaign operators themselves remains unclear." ®

Bootnote

Trend Micro notes that there is no link between the attack and SafeNet, Inc., a reputable information security firm. The "SafeNet" name comes from references within the malware itself.
