SECURITY RESPONSE

Hidden Lynx – Professional Hackers for Hire

Stephen Doherty, Jozsef Gegeny, Branko Spasojevic, Jonell Baltazar
Version 1.0 – September 17, 2013

The Hidden Lynx group is a professional team of attackers with advanced capabilities.

Follow us on Twitter: @threatintel
Visit our blog: http://www.symantec.com/connect/symantec-blogs/sr

CONTENTS

OVERVIEW ........ 3
Background ........ 5
  Who are the Hidden Lynx group? ........ 5
  Who are their targets? ........ 7
  What is their motivation? ........ 7
    Corporate Espionage ........ 8
    Attacks against government contractors ........ 8
  What are they capable of? ........ 8
    Subverting trust protection models ........ 8
    Advanced zero-day access ........ 13
    Supply chain attacks ........ 14
Conclusion ........ 16
Appendix ........ 18
  Related attacks ........ 18
Resources ........ 25
Symantec Protection ........ 26

OVERVIEW

The Hidden Lynx group is a professional team of attackers with advanced capabilities. They were responsible for the compromise of security firm Bit9's digital code-signing certificate, which was used to sign malware. The Bit9 breach was part of the much larger VOHO campaign, and that campaign was just one of many operations undertaken by the group over the last four years.

The group likely offers a "hackers for hire" operation and is tasked with retrieving specific information from a wide range of corporate and government targets. They are a highly efficient team who can undertake multiple campaigns at once, breach some of the world's best-protected organizations and can change their tactics quickly to achieve their goal.

They usually attack using multiple customized Trojans designed for specific purposes. Backdoor.Moudoor is used for larger campaigns and has seen widespread distribution, while Trojan.Naid is reserved for special operations against high value targets. The group uses cutting-edge attack techniques, which makes this team stand out from other major attack groups.

This paper takes an in-depth look at the Hidden Lynx group, their targets and their motivations. It will look into their capabilities and attack strategies through their attack campaigns, including the Bit9 incident.

BACKGROUND

Background

In February 2013, Bit9 released a statement revealing that in July 2012, their network had been compromised by a malicious third party. A well-known group named Hidden Lynx with affiliations to "Operation Aurora" managed to break into Bit9's network using an SQL injection attack. These Trojans made their way into the defense industrial sector.

However, the Bit9 compromise was only a small piece of a much larger watering-hole operation known as the VOHO campaign, which impacted hundreds of organizations in the United States. Further, the VOHO campaign itself was just one campaign of many that is attributable to this incredibly prolific group. Each campaign is designed to access information in governmental and commercial organizations that tend to operate in the wealthiest and most technologically advanced countries in the world.

Who are the Hidden Lynx group?

The Hidden Lynx group has been in operation since at least 2009 and is most likely a professional organization that offers a "hackers for hire" service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals.

The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property, using two Trojans designed specifically for each purpose:

• Team Moudoor distributes Backdoor.Moudoor, a customized version of "Gh0st RAT", for large-scale campaigns across several industries. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks.

• Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved for more limited attacks against high value targets. This Trojan was leveraged for a special operation during the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This Trojan was also found as part of "Operation Aurora" in 2009.

Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China. The Hidden Lynx group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The Hidden Lynx group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.