CORPORATE CYBERTHREATS
Protecting Your Organization Today, Tomorrow,
and Beyond
All APTs are vehicles for cybercrime, but not all cybercrimes involve
APTs. Although both are driven by monetary gain, APTs specifically
target more sensitive data, including passwords, competitive intelligence,
schematics, blueprints, and digital certificates, and are paid for by
third-party clients or resold in the underground. General cybercrime
operations are direct for-profit attacks that target customers' personal
and financial information, which can be quickly monetized and laundered
underground for ID theft and fraud.
Cybercriminals will either provide the hijacked information to the
third party who hired them to steal it, or they will repackage and
resell the data underground to interested parties, such as nation-states
or competing organizations. Earned through years of hard work
and investment, stolen intellectual property enables third parties to
accelerate their technological and commercial developments while
weakening corporations' intellectual and competitive advantages in
the global economy.
Icefog
Most APT campaigns are sustained over months or years, continuously
stealing data from their victims. By contrast, the attackers behind Icefog,
an APT discovered by the Kaspersky Security Network in September
2013, focused on their victims one at a time, in short-lived, precise
hit-and-run attacks designed to steal specific data. Operational since at
least 2011, Icefog involved the use of a series of different versions of
the malware, including one aimed at Mac OS.
Following Kaspersky Lab's publication of Icefog: Threat Analysis and
Defense Strategy, the APT's operations ceased and the attackers closed
down all of the known command-and-control servers. However, ongoing
monitoring of sinkholed domains and analysis of victim connections has
revealed the existence of another generation of Icefog backdoors, this
time a Java version of the malware designated Javafog. Connections
to one of the sinkholed domains, lingdona[dot]com, indicated that the
client could be a Java application, and subsequent investigation turned
up a sample of this application. Detailed analysis can be found on
SecureList.[3]
[3] January 2014, The Icefog APT Hits US Targets With Java Backdoor,
http://www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor
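The Javafog discovery above rests on a routine piece of defensive work: watching what keeps connecting to a sinkholed C2 domain and asking what kind of client it is. The report does not say how the Java client was recognised, so the script below is an added illustration, not Kaspersky Lab's code or method. It assumes an Apache combined-format access log on the sinkhole server and uses two heuristics of its own: the default "Java/x.y.z" User-Agent that the Java runtime's HTTP client sends, and regular inter-arrival times that suggest a timer-driven beacon rather than a person. The log lines, addresses and paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format access-log lines, as a sinkhole
# web server answering for a seized C2 domain might record them. Addresses,
# paths and timestamps are invented for this example (RFC 5737 test ranges).
SINKHOLE_LOG = """\
203.0.113.10 - - [14/Jan/2014:09:12:01 +0000] "GET /index.php?id=abc HTTP/1.1" 200 12 "-" "Java/1.7.0_45"
198.51.100.7 - - [14/Jan/2014:09:12:05 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
203.0.113.10 - - [14/Jan/2014:09:17:01 +0000] "GET /index.php?id=abc HTTP/1.1" 200 12 "-" "Java/1.7.0_45"
192.0.2.33 - - [14/Jan/2014:09:20:44 +0000] "POST /upload HTTP/1.1" 200 0 "-" "Java/1.6.0_31"
198.51.100.7 - - [14/Jan/2014:09:21:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"
203.0.113.10 - - [14/Jan/2014:09:22:01 +0000] "GET /index.php?id=abc HTTP/1.1" 200 12 "-" "Java/1.7.0_45"
"""

# One combined-format line: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent sent by the Java runtime's HttpURLConnection, e.g. "Java/1.7.0_45".
JAVA_UA_RE = re.compile(r'^Java/(\d+\.\d+\.\d+(?:_\d+)?)')


def parse_log(text):
    """Yield a dict per well-formed line with the timestamp parsed; skip junk lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def summarize_clients(text):
    """Group hits by source IP and collect what each client reveals about itself."""
    clients = defaultdict(lambda: {"hits": 0, "paths": set(), "uas": set(), "java_versions": set()})
    for rec in parse_log(text):
        c = clients[rec["ip"]]
        c["hits"] += 1
        c["paths"].add(rec["path"])
        c["uas"].add(rec["ua"])
        jm = JAVA_UA_RE.match(rec["ua"])
        if jm:
            c["java_versions"].add(jm.group(1))
    return dict(clients)


def suspected_java_clients(text, min_hits=2):
    """IPs that contacted the sinkhole from a Java runtime at least min_hits times.

    Single hits are left out by default: scanners and researchers also touch
    sinkholes, whereas an implant keeps coming back.
    """
    return {
        ip: {"hits": c["hits"], "java_versions": sorted(c["java_versions"])}
        for ip, c in summarize_clients(text).items()
        if c["java_versions"] and c["hits"] >= min_hits
    }


def beacon_intervals(text, ip):
    """Seconds between consecutive hits from one IP; a flat list suggests a timer-driven beacon."""
    times = sorted(rec["time"] for rec in parse_log(text) if rec["ip"] == ip)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for ip, info in suspected_java_clients(SINKHOLE_LOG).items():
        print(ip, info, "intervals:", beacon_intervals(SINKHOLE_LOG, ip))
```

On the sample data the script singles out 203.0.113.10, which checks in every 300 seconds from a Java 1.7 client; the one-off Java 1.6 hit from 192.0.2.33 only appears when `min_hits` is lowered to 1. A User-Agent is trivially spoofable, so in practice this is a triage signal that points the analyst at connections worth capturing in full, which is the step that, in the Icefog case, produced a sample of the client.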
The Mask
In February 2013, the Kaspersky Lab security research team published
a report on a complex cyberespionage campaign called The Mask or
Careto (Spanish slang for "ugly face" or "mask"). This campaign was
designed to steal sensitive data from various types of targets. The
victims, located in 31 countries around the world, included government
agencies, embassies, energy companies, research institutions, private
equity firms and activists.
The Mask attacks start with a spear-phishing message containing a
link to a malicious website rigged with several exploits. Once victims
are infected, they are redirected to the legitimate site described
in the e-mail they received (e.g. a news portal or a video). The Mask
includes a sophisticated backdoor Trojan capable of intercepting multiple
communication channels and of harvesting all kinds of data from
the infected computer. Like Red October and other targeted attacks
before it, the code is highly modular, allowing the attackers to add new
functionality at will. The Mask also casts its net wide: there are versions
of the backdoor for Windows and Mac OS X, and there are references
that suggest there may also be versions for Linux, iOS and Android.
The Trojan also uses very sophisticated stealth techniques to hide its
activities.
[4] 2014, SecureList
The key motivation of The Mask attackers is to steal data from their
victims. The malware collects a range of data from the infected system,
including encryption keys, VPN configurations, SSH keys, RDP files and
some unknown file types that could be related to bespoke military/
government-level encryption tools. Security researchers don't know who's
behind the campaign. Some traces suggest the use of the Spanish
language, but that fact doesn't help pin it down, since this language is
spoken in many parts of the world. It's also possible that this could have
been used as a false clue, to divert attention from whoever wrote it. The
very high degree of professionalism of the group behind this attack is
unusual for cybercriminal groups, one indicator that The Mask could be
a state-sponsored campaign.
Bitcoin
Bitcoin is a digital crypto-currency. It operates on a peer-to-peer model,
where the money takes the form of a chain of digital signatures that
represent portions of a Bitcoin. There is no central controlling authority
and there are no international transaction charges, both of which have
contributed to making it attractive as a means of payment. You can find
an overview of Bitcoin, and how it works, on the Kaspersky Daily website.
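"A chain of digital signatures" is the whole idea in one phrase: each owner passes the coin on by signing a hash of the previous transfer together with the next owner's public key, and anyone can check the chain back to its origin. The following added example (not from the report or from Kaspersky Lab) makes that concrete in standard-library Python. It swaps Bitcoin's ECDSA for Lamport one-time signatures built from SHA-256, which is an assumption made so the code runs without third-party libraries and which happens to fit the model, since each owner signs a given coin over exactly once; transaction layout, key handling and party names are simplified inventions for illustration.

```python
import hashlib
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (hash-based, stdlib only) -------------------
# Stand-in for Bitcoin's ECDSA: each key signs exactly one message, which
# matches a coin whose current owner signs it over exactly once.

def lamport_keygen(rng=os.urandom):
    """Private key: 256 pairs of random secrets. Public key: their SHA-256 hashes."""
    priv = [(rng(32), rng(32)) for _ in range(256)]
    pub = [(sha256(a), sha256(b)) for a, b in priv]
    return priv, pub


def _digest_bits(message: bytes):
    d = sha256(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(priv, message: bytes):
    """For each digest bit, reveal the secret of that pair selected by the bit."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pub, message: bytes, sig) -> bool:
    """Each revealed secret must hash to the public half chosen by the message's bit."""
    if len(sig) != 256:
        return False
    return all(sha256(s) == pub[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _digest_bits(message))))


def pub_fingerprint(pub) -> bytes:
    """Short identifier for a public key (hash of all 512 hashes)."""
    return sha256(b"".join(a + b for a, b in pub))


# --- The coin as a chain of signatures --------------------------------------

def tx_id(tx) -> bytes:
    """Hash of a transaction: previous id, recipient key, signature."""
    return sha256(tx["prev"] + pub_fingerprint(tx["to"]) + b"".join(tx["sig"]))


def transfer(prev_tx, owner_priv, next_owner_pub):
    """Current owner signs hash(previous transaction) || next owner's public key."""
    prev_id = tx_id(prev_tx)
    payload = prev_id + pub_fingerprint(next_owner_pub)
    return {"prev": prev_id, "to": next_owner_pub, "sig": lamport_sign(owner_priv, payload)}


def verify_chain(chain) -> bool:
    """Walk the chain: each link must reference the previous one and be signed by its owner."""
    for prev, tx in zip(chain, chain[1:]):
        if tx["prev"] != tx_id(prev):
            return False
        payload = tx["prev"] + pub_fingerprint(tx["to"])
        if not lamport_verify(prev["to"], payload, tx["sig"]):
            return False
    return True


def demo():
    """Returns (honest chain verifies, forged spend verifies), i.e. (True, False)."""
    alice_priv, alice_pub = lamport_keygen()
    bob_priv, bob_pub = lamport_keygen()
    _carol_priv, carol_pub = lamport_keygen()
    mallory_priv, mallory_pub = lamport_keygen()

    # Genesis: the coin is issued to Alice; there is nothing earlier to sign.
    chain = [{"prev": b"\x00" * 32, "to": alice_pub, "sig": []}]
    chain.append(transfer(chain[-1], alice_priv, bob_pub))   # Alice -> Bob
    chain.append(transfer(chain[-1], bob_priv, carol_pub))   # Bob -> Carol
    honest = verify_chain(chain)

    # Mallory tries to move Carol's coin to herself, signing with her own key
    # instead of Carol's: the signature does not verify under Carol's public key.
    forged = chain + [transfer(chain[-1], mallory_priv, mallory_pub)]
    return honest, verify_chain(forged)


if __name__ == "__main__":
    print(demo())
```

What the chain does not do on its own is stop Carol from signing the same coin over to two different people; that is the double-spending problem, and it is the part of Bitcoin that needs the public ledger and proof-of-work rather than signatures alone.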
As use of Bitcoin has increased, it has become a more attractive
target for cybercriminals. In end-of-year forecasts, security researchers
anticipated attacks on Bitcoin. Attacks on Bitcoin pools, exchanges and
Bitcoin users will become one of the most high-profile topics of the year.
Such attacks will be especially popular with fraudsters as their cost-to-income ratio is very favorable.[5]
MtGox, one of the biggest Bitcoin exchanges, was taken offline in
February 2014.[6] This followed a turbulent month in which the exchange
was beset by problems, problems that saw the trading price of Bitcoins
on the site fall dramatically. There have been reports that the exchange's
insolvency followed a hack that led to the loss of $744,408.
Tor
Tor (short for The Onion Router) is software designed to allow someone
to remain anonymous when accessing the Internet. It has been around
for some time, but for many years was used mainly by experts and
enthusiasts. However, use of the Tor network has spiked in recent
months, largely because of growing concerns about privacy. Tor has
become a helpful solution for those who, for any reason, fear
surveillance and the leakage of confidential information.
Tor's hidden services and anonymous browsing enable cybercriminals to
cover their operations and provide a hosting platform for selling stolen
information, using bitcoins as the currency. Since Bitcoin's architecture
is decentralized and its transactions are more difficult to trace than those
of traditional financial institutions, it provides a more efficient way for
cybercriminals to launder their ill-gotten gains.
In 2013, security experts began to see cybercriminals actively using
Tor to host their malware infrastructure, and Kaspersky Lab
experts have found various malicious programs that specifically use
Tor. Investigation of Tor network resources reveals many resources
dedicated to malware, including command-and-control servers,
About Kaspersky
Kaspersky Lab is the world's largest privately held vendor of endpoint
protection solutions. The company is ranked among the world's top four
vendors of security solutions for endpoint users*. Throughout its more than
16-year history Kaspersky Lab has remained an innovator in IT security and
provides effective digital security solutions for large enterprises, SMBs and
consumers. With its holding company registered in the United Kingdom,
Kaspersky Lab operates in almost 200 countries and territories worldwide,
providing protection for over 300 million users.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The
rating was published in the IDC report Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor
Shares (IDC # 242618, August 2013). The report ranked software vendors according to earnings from sales of
endpoint security solutions in 2012.
www.kaspersky.com/business