Insight live on IT security - Peter Schjøtt
1. Hidden Lynx - Professional Hackers for Hire
Peter Schjøtt, Symantec Denmark
Symantec Security Response
2. Who is the Hidden Lynx group?
• “Hackers for Hire” established < 2009
• Based in China
• Highly customized tools & access to 0-day exploits
• Pioneered large scale “Watering Hole” attacks (AKA the VOHO Campaign)
• More capable than Comment Crew/APT1
• Proficient, Innovative, Methodical
3. Characteristics of Hidden Lynx
• Diverse range of targets
• Well resourced (50-100 people)
• Can penetrate tough targets
• Concurrent campaigns
4. The Two Sides of Hidden Lynx
Same organization but different teams…
Team Naid: Elite, Precise, Surgical
• Uses: Trojan.Naid
• Scope: Special operations (small team)
• Targets: Information of national interest
• Examples: Bit9 attack, Operation Aurora
Team Moudoor: Skilled, Prolific, Indiscriminate
• Uses: Backdoor.Moudoor (custom “Gh0st RAT”)
• Scope: Wide scope attacks (large team)
• Targets: Financial sector, all levels of government, healthcare, education and legal
5. Motivations
NAID: Government espionage
• Government & contractors, especially in the defense industry
• Seeking access to confidential information of significant interest to nation states
MOUDOOR: Corporate espionage
• Investment banks, asset management & law firms
• Stock markets/brokers
• Insider information on mergers & acquisitions
• Financially motivated, corporate advancement, access to trade secrets
6. Who’s Targeted – Verticals
• Hundreds of targets
• Dozens of campaigns
• Direct/Indirect attacks
7. Who’s Targeted – Top 10 Countries
52.7% USA
15.5% Taiwan
9% China
4% Hong Kong
3% Japan
2.4% Canada
2.2% Germany
1.7% Russian Federation
1.5% Australia
1.5% Republic of Korea
8. Tools, Tactics and Procedures
• Custom Trojans
• Early adopters of watering hole techniques (VOHO)
• Spear-phishing
• Supply chain attacks
– Trojanizing driver files in the supply chain to infiltrate final targets
• 0-day and known exploits
– Since 2011, 5 exploits including 3 0-day exploits
– Including gaining early access to exploit details (Oracle Java CVE-2013-1493)
• Adaptable and resourceful
– Stole Bit9 signing certificate to bypass their trust protection model
• Tell-tale characteristics of a professional and skilled group
9. The Bit9 Attack
• A branch of the VOHO campaign
• Bit9 offers a trust-based security platform
– Everything signed by Bit9 is trusted and allowed to run
• Initial incursion
– SQL injection on Bit9 server (July 2012)
– Installed Backdoor.Hikit as a beachhead
• Bit9’s code-signing certificate was compromised
– Used to sign 32 malicious binaries, including Trojan.Naid
– Files used in subsequent attacks against the United States defense industry
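To show why a stolen signing certificate defeated the trust model on this slide, here is an added example (not Bit9's or Symantec's code) that models an application-control decision with constructed binaries, certificate serials and hashes: trusting a publisher alone admits the maliciously signed file, while pinning known files by hash and revoking the compromised certificate blocks it.

```python
from dataclasses import dataclass, field
import hashlib

@dataclass(frozen=True)
class Binary:
    """A signed executable; every field holds a constructed sample value."""
    name: str
    signer: str       # publisher name carried by the code signature
    cert_serial: str  # serial number of the signing certificate
    content: bytes    # file bytes; the hash allowlist pins these

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

@dataclass
class Policy:
    trusted_publishers: set
    revoked_serials: set = field(default_factory=set)  # known-compromised signing certs
    approved_hashes: set = field(default_factory=set)  # per-file allowlist
    hash_required: bool = False  # if True, publisher trust alone never admits a file

def allow(policy: Policy, binary: Binary) -> tuple:
    """Return (decision, reason) for an execution request."""
    if binary.sha256 in policy.approved_hashes:
        return True, "file hash approved"  # content-pinned, so a new file cannot match
    if binary.cert_serial in policy.revoked_serials:
        return False, "signing certificate revoked"
    if binary.signer in policy.trusted_publishers:
        if policy.hash_required:
            return False, "trusted publisher but file hash not approved"
        return True, "trusted publisher"
    return False, "unknown file"

# Constructed samples: a legitimate agent and a trojan signed with the same stolen certificate.
LEGIT = Binary("agent.exe", "Bit9", "SERIAL-A", b"constructed legitimate agent bytes")
MALICIOUS = Binary("update.exe", "Bit9", "SERIAL-A", b"constructed trojan bytes")

# Trust model as described on the slide: anything signed by the vendor is allowed to run.
PUBLISHER_ONLY = Policy(trusted_publishers={"Bit9"})

# Hardened model: pin known-good files by hash and revoke the stolen certificate.
HARDENED = Policy(trusted_publishers={"Bit9"}, revoked_serials={"SERIAL-A"},
                  approved_hashes={LEGIT.sha256}, hash_required=True)

if __name__ == "__main__":
    for label, policy in (("publisher-only", PUBLISHER_ONLY), ("hardened", HARDENED)):
        for b in (LEGIT, MALICIOUS):
            print(label, b.name, allow(policy, b))
```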
10. The VOHO Campaign – A Recap
• Large watering hole attack on ten strategic websites
• A two-phased attack with C&C logs showing 4000+ infections
• Started on June 25 and finished July 18, 2012
• Exploits
– IE zero-day (CVE-2012-1889)
– Oracle Java (CVE-2012-1723)
• Once the zero-day vulnerability got patched, activities temporarily halted to avoid drawing attention
• Malware
– Backdoor.Moudoor & Trojan.Naid
11. Vital Links
Clues that link the campaigns of the Hidden Lynx group together:
• Consistent use of the same two customized Trojans
– Backdoor.Moudoor
– Trojan.Naid
• Use of same C&C server over multiple campaigns
• Use of same infected websites for distribution of NAID or MOUDOOR, depending on victim
• Repeated attacks on same set of target organizations
– In particular, finance, government, and IT/ICT organizations
12. Hidden Lynx, conclusion
• Active since 2009 with many attack campaigns
• Highly motivated, skilled and efficient
• Used three zero-day vulnerabilities since 2011
• Many different targets, therefore most likely a “Hackers for Hire” service
• Majority of attacks originated through watering hole techniques, but spear phishing & supply chain hacks have also been used
• Usually seeking intellectual property
• Anybody who supplies a targeted organization is a potential victim, including IT/ICT, financial and legal service, and manufacturing organizations
13. Corporate espionage – closer to home
”The Americans spy on us, also commercially and industrially, just as we spy on them. It is in our national interest to defend the business community.”
Bernard Squarcini, former head of France's intelligence service
Quote from Børsen, 25 October 2013
”We have always been aware that the intelligence services and the business community in the USA work closely together.”
Markus Stäidinger, German IT security expert
Quote from Børsen, 30 October 2013
14. Last words…
• The described ”Hidden Lynx” group is not the only ”Hackers for Hire” group, although one of the most skilled and professional
• Hacker(s) for Hire: many exist
• Hacker(s) for hire are a threat to your business
• The threat does not disappear -> should you adjust your Risk Assessment?
15. How to get more information
Blog
http://www.symantec.com/connect/symantec-blogs/sr
Twitter
http://twitter.com/threatintel
Whitepapers
http://www.symantec.com/security_response/whitepapers.jsp
gain access to information from organizations operating in the defense-industrial base
Again Elderwood shows the variety of organisations attacked. Two tiers of organisations are targeted. Those targeted by watering hole attacks are not the primary targets; they are used as stepping stones to infiltrate the primary targets.
• Dozens of campaigns since Nov 2011
• Hundreds of organizations affected
• Predominantly private and governmental organizations: finance and technology, all levels of government
• Some targets are secondary targets, leveraged to meet the primary objective: the Bit9 incident, supply chain attacks, watering hole attack (VOHO)
Bit9 is a security company headquartered in Waltham, Massachusetts. As an alternative to traditional anti-virus solutions, Bit9 offers a trust-based security platform. They use cloud-based reputation, policy-driven application controls and whitelisting to protect against cyber threats.
Cyber espionage campaigns are becoming increasingly common, with countless threat actors attempting to gain footholds in some of the best protected organizations. These attacks are becoming increasingly sophisticated. The capabilities and tactics used by these threat actors vary considerably, from focused attacks against niche targets to large scale campaigns targeting multiple organizations on a global scale. Red Manis is capable of both and operates at the forefront in terms of tactics and techniques used. They have been attacking prolifically since 2009, and repeatedly attack their targets with cutting edge techniques. They quickly adapt to security countermeasures and are highly motivated. They are one of the most well-resourced and capable attack groups in the targeted threat landscape.

It’s clear this is the work of a professional organization. They operate in a highly efficient manner. They are capable of attacking on multiple fronts. They use the latest techniques, a diverse set of exploits and highly customized tools to compromise target networks. To attack with such precision on a regular basis over long periods of time would require a sizeable, well-resourced organization. They possess expertise in many areas, with teams of highly skilled individuals who can quickly adapt to the changing landscape. This team could easily consist of 50-100 individuals. To build these Trojans, maintain infection and C2 infrastructure and pursue confidential information on multiple networks concurrently would easily require this degree of manpower. They are highly skilled and experienced campaigners in pursuit of information of value to both private and governmental organizations. The incident at Bit9, which led to successful compromises during the VOHO campaign, only serves to highlight this fact. The evolving targeted attack landscape is becoming increasingly sophisticated. As organizations implement security countermeasures, the attackers are adapting.

They are adapting at a rapid rate. With an ever increasing number of threat actors participating in these campaigns, organizations have to understand that sophisticated attackers are working hard to bypass each layer of security. It’s no longer safe to say that any one solution will protect a company’s assets. A variety of solutions need to be combined and, with a better understanding of the adversary, tailored to adequately protect the information of most interest to the attackers. Their mission is large and Red Manis is targeting a diverse set of information. The frequency and diversity of these attacks would indicate that the group is tasked with sourcing information from many organizations. These tasks are likely distributed within the team. The goal of Red Manis is to gain access to information at organizations in some of the wealthiest and most technologically advanced countries across the globe. It is unlikely Red Manis is capable of using this information for direct financial gain, and the diversity of the information and number of distinguishable campaigns would suggest they receive tasks from multiple sources. This leads us to believe this is a professional organization that offers a “Hackers for Hire” service. This group is actively attacking on multiple fronts, and other actors are adopting their techniques. The attackers are continuing to sophisticate and streamline their operations. Organizations that are being attacked on multiple fronts need to better protect the information that is most valuable to them. We expect Red Manis to be involved in many more high profile campaigns in the coming years. They will continue to adapt. They will continue to innovate. They will continue to provide information servicing interests at both a corporate and state level.

Groups like Red Manis are certainly winning some of the battles, but as organizations gain a better understanding of how these groups operate, they can prevent their most valuable information from falling into their hands.