The media has reported that several companies in the past year have suffered significant security breaches, as a result of hackers compromising companies’ third party vendors. Instead of going after large organizations directly, some threat actors are opting to target smaller, third party vendors who do business with the larger companies. The criminals are hoping these third party vendors will have fewer security protections in place. If the hackers are able to break into one of these vendors, get their hands on the credentials the vendor uses to access the larger company’s network and successfully use those credentials, then the criminals have just gained their initial foothold into the target company— all under the guise of a trusted partner. From there, the hackers might go after valuable trade secrets and Intellectual Property, customer credit and debit card data, or Personal Identifiable Information for Employees and Customers (names, addresses, social security numbers, email addresses and phone numbers).
On September 24, 2014, the Bash command injection vulnerability described by CVE-2014-6271 was publicly disclosed. The Dell SecureWorks Counter Threat Unit™ (CTU) research team released a set of countermeasures to its iSensor devices (Dell SecureWorks’ proprietary Intrusion Protection/Detection systems) to address this vulnerability, as well as related vulnerabilities that were identified in the following days. As of Monday, September 29, 2014, Dell SecureWorks iSensor devices repelled more than 140,000 scanning and exploit attempts.
Dell SecureWorks Counter Threat Unit™ (CTU) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 (TG-0416) . Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client’s infrastructure. TG-0416 is a stealthy and extremely successful Advanced Persistent Threat (APT) group known to target a broad range of verticals since at least 2009, including technology, industrial, manufacturing, human rights groups, government, pharmaceutical, and medical technology.
Since the evening of July 21, 2014, Dell SecureWorks Counter Threat Unit™ (CTU) researchers have observed a threat group the CTU research team refers to as Threat Group-0110 (TG-0110)[i] phishing many organizations in the manufacturing and financial verticals. TG-0110 is known for using the Pirpi backdoor to access endpoints. Pirpi can search for and exfiltrate files, run other executable files, and execute commands. It also has reverse shell capabilities.
Dell SecureWorks CTU(TM) researchers have observed the distribution of a modified version of the Gameover Zeus malware. The global Gameover Zeus infrastructure was disrupted in late May 2014 by law enforcement and private industry partners during Operation Tovar. The infrastructure, including its peer-to-peer (P2P) network, remains under the control of those organizations and is not available to the threat actors who originally operated it. The new version observed in distribution on July 10, 2014 has jettisoned the P2P component in favor of a centralized command and control (C2) infrastructure that is based on a domain generation algorithm (DGA).
As early as February 8th of this year, computer users began to notice their Synology Network Attached Storage (NAS) boxes were performing sluggishly and had a very high CPU usage. As a result, investigations ensued and eventually a Facebook post, directed at Synology, was made. Ultimately, it was discovered that the cause of the excessive resource consumption was due to illegitimate software that had infected the systems, which ironically, was stored in a folder labeled “PWNED.”
Dell SecureWorks partnered with international law enforcement and industry to take proactive action against the infrastructure of the Gameover Zeus botnet and the CryptoLocker ransomware, as well as the operators responsible for these threats. This action has been named Operation Tovar. Law enforcement organizations including the Federal Bureau of Investigation (FBI), the UK’s National Crime Agency, and Europol’s European Cybercrime Center (EC3) seized infrastructure assets relating to these threats, while technical measures were enacted to neutralize the command and control (C2) infrastructure.
Dell SecureWorks Counter Threat Unit™ (CTU) analysts previously observed the use of Unicode characters within the Windows Registry to obscure the presence of malware on a system. Similar techniques can be used within the file system. CTU analysts examined a system infected with the Win32/Vercuser.B worm, which was obscured, in part, through the use of a Unicode character.
Unicode character sets are used throughout Windows systems, largely to make it easier to present the same information (warning messages, alerts, notices, etc.) in different languages. Windows applications, including the Windows Explorer shell, understand Unicode character sets, control characters, and know how to present them to the user. This functionality can also be subverted for malicious purposes in order to hide the presence of malware, often in plain sight.
Hactivists, disgruntled employees, and other cyber threat actors intent on sabotaging an organization, are expanding their tactics beyond Distributed Denial of Service (DDoS) attacks, warns Dell SecureWorks’ Enterprise Brand and Executive Threat Surveillance team. This team is constantly monitoring social media sites, forums, and other public information sources, looking for conversations and other indicators that a customer’s brand or its executives might be the target of a cyber-attack. Using their highly honed investigative skills, the team has worked numerous cases where they have obtained solid intelligence of an attack being planned by the threat actors. Dell SecureWorks has then worked with the organizations to quickly shut down the attack before it could happen or implemented countermeasures to block the attack, effectively protecting the organization’s infrastructure, assets and brand.