Go ahead, Asia, have a look in your Dropbox... We DARE you - hackers

10-country trade group targeted by NYT hacking crew, claim researchers

The hacking crew that made headlines worldwide after a high-profile series of attacks against the New York Times last year has returned with assaults against South East Asia, at least according to threat intelligence firm Cyber Squared.

The latest attacks are unusual because instead of using standard tactics such as spear phishing, they feature a malicious document delivered via Dropbox.

The innocent-looking Word document contains a malicious embedded custom backdoor that interacts with a WordPress blog used as the command-and-control channel by the hackers.

The attackers have simply registered for a free Dropbox account, uploaded a document that contains embedded malware, and then publicly shared it with their targeted users.

The shift in tactics offers benefits for cyberspies because it means that victims are less likely to realise they are even under attack.

Many organisations are not scrutinising web traffic to services such as WordPress or Dropbox, which are far less likely to raise alarm bells than unexplained links to IRC chat servers in China, for example. As an added bonus, malware can be distributed via essentially anonymous accounts on Dropbox, so attackers are less likely to be traced.

How it works

The malicious documents deliver a backdoor called Yayih using a Flash exploit, as a blog post by Cyber Squared on the attack explains. Yayih has previously been associated with other APT-style attacks.

After the malware has placed copies of itself in the victim's PC's systems folders, it contacts a hacker-controlled WordPress blog, which also contains links to other blogs containing coded instructions for compromised zombie drones.
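As an added illustration (not from the article or from Cyber Squared), a proxy-log check a defender could run for the pattern described above: an Office document fetched from a Dropbox share, followed by repeated, regularly spaced visits to a single WordPress blog from the same client. The log lines, host names and client addresses are constructed, and the regular-interval heuristic is an assumption about how such a backdoor would poll its blog, not something the article states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
# Constructed proxy log (not from the article): "<timestamp> <client> <url>".
LOG = """\
2013-06-03T09:01:12 10.1.2.15 https://dl.dropboxusercontent.com/u/constructed/asean_memo.doc
2013-06-03T09:01:40 10.1.2.15 https://constructed-c2.wordpress.com/
2013-06-03T09:06:41 10.1.2.15 https://constructed-c2.wordpress.com/
2013-06-03T09:11:39 10.1.2.15 https://constructed-c2.wordpress.com/
2013-06-03T09:16:42 10.1.2.15 https://constructed-c2.wordpress.com/
2013-06-03T09:02:05 10.1.2.77 https://www.dropbox.com/s/constructed/quarterly_report.doc
2013-06-03T09:03:10 10.1.2.77 https://news.example.net/
2013-06-03T10:00:00 10.1.2.90 https://corpblog.wordpress.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) https?://([^/\s]+)(/\S*)?$")
SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
WINDOW = timedelta(minutes=60)   # look for blog visits this long after a download
MIN_BEACONS = 3                  # fewer visits look like a person reading a blog
JITTER = timedelta(seconds=30)   # max deviation of each gap from the median gap


def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, path = m.groups()
            yield datetime.fromisoformat(ts), client, host.lower(), path or "/"


def is_regular(times):
    """True when the gaps between sorted visits all sit within JITTER of their median."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mid = median(gaps)
    return all(abs(g - mid) <= JITTER for g in gaps)


def find_suspects(log):
    """Clients that fetched an Office doc from a share, then polled one blog at machine-like intervals."""
    downloads, visits = [], defaultdict(list)
    for ts, client, host, path in parse(log):
        if host in SHARE_HOSTS and path.lower().endswith((".doc", ".docx")):
            downloads.append((ts, client, host + path))
        elif host.endswith(".wordpress.com"):
            visits[(client, host)].append(ts)
    hits = []
    for ts, client, url in downloads:
        for (c, blog), times in visits.items():
            after = sorted(t for t in times if ts <= t <= ts + WINDOW)
            if c == client and len(after) >= MIN_BEACONS and is_regular(after):
                hits.append((client, url, blog, len(after)))
    return hits
```

On the constructed log only 10.1.2.15 is flagged: 10.1.2.77 downloaded a document but never touched a blog, and 10.1.2.90 read a blog without a preceding download.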

"Traditionally attackers compromise their midpoint infrastructure - such as web servers and SMTP relays - to launch and maintain their targeted attacks," Adam Vincent, chief exec of Cyber Squared, explained.

"In this case, the attacker used Dropbox to distribute the malware and WordPress for first-stage command and control. This represents a shift from existing methods where attackers leverage their own infrastructure to directly spear-phish and interact with their victims."

Political motivations?

The attack appears to be targeted at individuals and organisations associated with commerce and trade within the Association of Southeast Asian Nations (ASEAN) member nations.

"One of the documents used in the attack (the decoy document) was a US-ASEAN business council internal memo," Vincent explained. "The document that was opened when the victim clicked on the malicious attachment was a decoy document so the user was unaware that they had been compromised.

"This suggests the recipients would likely have an interest in, or an affiliation with the ASEAN [so] most likely [would be] individuals or representatives of regional member nations.

"The ASEAN itself, as well as many of the associated regional member nations, would be of strategic diplomatic, economic, or military interest to China," he added.

The ASEAN is an international, non-governmental, geo-political and economic association that represents the interests of 10 south-east Asian countries. Cyber Squared reckons a Chinese hacking crew is to blame.

"Based on threat intelligence of this particular threat developed within ThreatConnect.com, it is highly likely that this activity is part of the same Chinese APT threat group that compromised the New York Times for several months during the fall of 2012 and again in the spring of 2013," the security intelligence firm concludes.

"This incident reinforces that Comment Crew, aka APT1, is not the only Chinese Advanced Persistent Threat (APT) group using web-enabled content as a command and control technique to interact with their victim’s hosts."

Vincent told El Reg: "Anyone within ASEAN would have been fair game."

The more famous APT1 crew has been linked to a PLA division based in the suburbs of Shanghai.

Rob Kraus, a director of research at managed security services firm Solutionary, said Cyber Squared's findings illustrate the need for Dropbox and WordPress to develop a "process for taking down or disabling accounts if they are identified as malware/APT C&C hosts".

It came from the CLOUD

The abuse of cloud-based systems by malware authors and cyberspies itself comes as no great surprise, according to Kraus.

"Cloud infrastructure has been used to host malware content used in conjunction with droppers and downloader components for malware for some time," Kraus explained.

"Regardless of whether or not this is an APT or standard mass-distributed malware, it is no real surprise the attackers are using legitimate infrastructure and cloud computing to accomplish their goals."

Cyber Squared reached its findings based on data from its ThreatConnect community, a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers in various industries. The exchange - run by Cyber Squared and akin to a neighbourhood watch scheme - collects, analyses and shares threat intelligence. ®