
Securo-boffins uncover new GLOBAL cyber-espionage operation

Two-pronged attack hits victims in 100 countries


Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.

Infosec researchers have uncovered the operation, dubbed SafeNet, in as many as 100 countries.

SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158).

The operation appears to involve two campaigns linked together by the use of the same strain of malware and differentiated by the use of different command-and-control infrastructures.

One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The topic of emails in the second part of the campaign is yet to be identified but appears to have broader appeal since this strand of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest by the malware.

Sloppy coding on one of the campaign's command servers allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the attack.

"One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks."

It seems like nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to the SafeNet malware.

Trend's researchers reckon the average number of actual victims remained at 71 per day, with few if any changes from day to day. "This indicates that the actual number of victims is far less than the number of unique IP addresses," according to the security researchers.

The people behind the attack are connecting to command servers using VPN technology and the Tor anonymiser network. This means that little evidence about where the attackers are based can be obtained from the command nodes running the campaign. However, clues in the coding have led Trend's researchers to speculate that the malware, at least, was brewed in China.

"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.

"However, the relationship between the malware developers and the campaign operators themselves remains unclear." ®

Bootnote

Trend Micro notes that there is no link between the attack and SafeNet, Inc, a reputable information security firm. The "SafeNet" name comes from references within the malware itself.
