Feeds

Securo-boffins uncover new GLOBAL cyber-espionage operation

Two-pronged attack hits victims in 100 countries

Boost IT visibility and business value

Government ministries, technology firms, media outlets, academic research institutions and non-governmental organisations have all fallen victim to an ongoing cyberespionage operation with tendrils all over the world, according to researchers.

Infosec researchers have uncovered SafeNet in as many as 100 countries.

SafeNet targets potential marks using spear-phishing emails featuring a malicious attachment that exploits a Microsoft Office vulnerability that was patched last year (CVE-2012-0158).

The operation appears to involve two campaigns linked together by the use of the same strain of malware and differentiated by the use of different command-and-control infrastructures.

One strand of the operation uses spear-phishing emails with subject lines related to either Tibet or Mongolia. The topic of emails in the second part of the campaign is yet to be identified but appears to have broader appeal since this strand of the operation has claimed victims in countries ranging from India to the US, China, Pakistan, the Philippines, Russia and Brazil. Entities in India appear to have been hit hardest by the malware.

Sloppy coding on one of the campaign's command servers allowed researchers to extract reams of information about the attack, as Trend Micro researchers explain in a white paper (PDF) on the attack.

One of the C&C servers was set up in such a way that the contents of the directories were viewable to anyone who accessed them. As a result, not only were we able to determine who the campaign’s victims were, but we were also able to download backup archives that contained the PHP source code the attackers used for the C&C server and the C code they used to generate the malware used in attacks.

It seems like nearly 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to the SafeNet malware.

Trend's researchers reckon the average number of actual victims remained at 71 per day, with few if any changes from day to day. "This indicates that the actual number of victims is far less than the number of unique IP addresses," according to the security researchers.

The people behind the attack are connecting to command servers using VPN technology and the Tor anonymiser network. This means that little evidence about where the attackers are based can be obtained from the command nodes running the campaign. However clues in the coding have led Trend's researchers to speculate the malware at least was brewed in China.

"While determining the intent and identity of the attackers remains difficult, we assessed that this campaign is targeted and uses malware developed by a professional software engineer who may be connected to the cybercriminal underground in China," writes Trend Micro threat researcher Nart Villeneuve in a blog post on the campaign.

"However, the relationship between the malware developers and the campaign operators themselves remains unclear." ®

Bootnote

Trend Micro notes that there is no link between the the attack and SafeNet, Inc, a reputable information security firm. The "SafeNet" name comes from references within the malware itself.

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?