Internet Explorer Zero-Day Attackers Linked to Bit9 Hackers
A criminal group exploiting the recently discovered Internet Explorer browser zero-day vulnerability has been linked to the Chinese hackers who compromised the Bit9 security platform earlier this year.
Tue, September 24, 2013
CSO — A criminal group exploiting the recently discovered Internet Explorer browser zero-day vulnerability has been linked to the Chinese hackers who compromised the Bit9 security platform earlier this year.
The connection between the two groups lies in the command-and-control infrastructure they used, says security vendor FireEye: the two infrastructures shared malware samples, C2 IP addresses, and the email addresses used to register their domains.
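The kind of overlap check FireEye describes, as an added example that is not part of the original article or FireEye's own tooling: two campaigns' indicator sets are joined on registrant email, C2 address and sample hash, and the registrant email is then used as a pivot to enumerate every domain either group registered with it. All indicators below are constructed (RFC 5737 documentation addresses, reserved `.example` domains, hashes of placeholder labels) and are not real DeputyDog or Bit9 IOCs.

```python
import hashlib
from collections import defaultdict


def fake_hash(label):
    """Constructed sample hash: SHA-256 of a label, standing in for a real malware hash."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed, hypothetical indicator sets for the two campaigns being compared.
CAMPAIGN_A = {
    "name": "ie-zero-day-campaign",
    "domains": {  # domain -> registrant email from WHOIS
        "news-mirror.example": "registrar-contact-1@example.net",
        "cdn-stats.example": "registrar-contact-2@example.net",
    },
    "c2_ips": {"192.0.2.10", "198.51.100.7"},
    "samples": {fake_hash("sample-1"), fake_hash("sample-2")},
}
CAMPAIGN_B = {
    "name": "bit9-intrusion",
    "domains": {
        "license-update.example": "registrar-contact-1@example.net",
        "support-portal.example": "other-person@example.org",
    },
    "c2_ips": {"198.51.100.7", "203.0.113.5"},
    "samples": {fake_hash("sample-2"), fake_hash("sample-3")},
}


def infrastructure_overlap(a, b):
    """Return the indicators the two campaigns share, grouped by indicator type."""
    shared_emails = set(a["domains"].values()) & set(b["domains"].values())
    # Pivot: every domain in either campaign registered with a shared email.
    pivots = defaultdict(set)
    for campaign in (a, b):
        for domain, email in campaign["domains"].items():
            if email in shared_emails:
                pivots[email].add(domain)
    return {
        "shared_c2_ips": a["c2_ips"] & b["c2_ips"],
        "shared_samples": a["samples"] & b["samples"],
        "shared_registrant_emails": {e: sorted(d) for e, d in pivots.items()},
    }


def link_strength(overlap):
    """Number of independent indicator types that overlap; a link resting on one type is weak."""
    return sum(1 for value in overlap.values() if value)


if __name__ == "__main__":
    result = infrastructure_overlap(CAMPAIGN_A, CAMPAIGN_B)
    for kind, value in result.items():
        print(kind, value)
    print("independent overlap types:", link_strength(result))
```

Before treating an overlap as attribution, discount indicators that many unrelated actors share: an IP on a shared hosting provider or a sinkhole, a WHOIS privacy-proxy address, or a commodity tool whose hash turns up in hundreds of intrusions. The more independent types that line up (as with the three here), the harder the link is to explain away.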
The latest attack, which FireEye has dubbed Operation DeputyDog, appears to target manufacturers, government entities and media organizations in Japan, said Darien Kindlund, manager of FireEye Threat Intelligence. The group hid IE exploits on three Japanese news sites, hoping to compromise visitors' PCs.
The compromised sites recorded more than 75,000 page views before the exploits were discovered. The attackers apparently were casting a wide net in the hope of catching systems belonging to their real targets. The underlying vulnerability is present in every version of IE from IE 6 onward.
"Maybe only a fraction of those compromised systems are really their true intended targets," Kindlund said. "The others are considered collateral damage."
Microsoft acknowledged on Sept. 17 that a previously unknown vulnerability in IE was being exploited in the wild. The attack in Japan was discovered two days after Microsoft disclosed the flaw, a memory-corruption bug that lets an attacker who lures a victim to a booby-trapped web page run arbitrary code in the context of the logged-on user.
Researchers have said that nearly 70 percent of Windows business users are open to attack. Microsoft's advisory offered a temporary Fix it workaround and recommended running EMET in the meantime, but the threat is serious enough that experts believe Microsoft will release a fix before its scheduled monthly patch release set for Oct. 8.
Bit9 revealed in February that its code-signing certificates had been stolen, making it possible for the thieves to bypass the vendor's security platform and run malware on customers' systems.
The certificates are what Bit9's platform uses to recognise trusted applications on customers' whitelists of approved software: anything signed with them is allowed to run. Rather than attack that normally effective control head-on, the hackers went after the vendor that anchors it, so that malware they signed with the stolen certificates looked like trusted software to every customer.
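The failure mode described above, as an added example that is neither the article's nor Bit9's code: an allowlist that admits any binary carrying a valid signature from a trusted signer passes attacker-signed malware the moment the signing key is stolen, and the recovery is to revoke that signer (which also blocks the legitimate software until it is re-signed) or to pin known-good file hashes instead of trusting the signer. The signing key, sample binaries and signer ID are constructed, and an HMAC stands in for the real asymmetric certificate signature so the example runs on the standard library; in a real deployment the verifying agent holds only the public certificate, not a secret.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor code-signing certificate. Real code signing
# is asymmetric; HMAC is used here only so the example runs without extra libraries.
VENDOR_KEY = {"id": "vendor-cert-01", "secret": b"constructed-vendor-signing-secret"}
KNOWN_KEYS = {VENDOR_KEY["id"]: VENDOR_KEY}

# Constructed sample "binaries".
LEGIT_TOOL = b"MZ... legitimate vendor updater (constructed)"
MALWARE = b"MZ... backdoor signed with the stolen key (constructed)"


def sha256hex(data):
    return hashlib.sha256(data).hexdigest()


def sign(key, binary):
    """Produce a signature record naming the signer, like an Authenticode cert chain would."""
    return {"signer": key["id"], "sig": hmac.new(key["secret"], binary, hashlib.sha256).hexdigest()}


def signature_valid(known_keys, binary, signature):
    key = known_keys.get(signature.get("signer"))
    if key is None:
        return False
    expected = hmac.new(key["secret"], binary, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature.get("sig", ""))


class Allowlist:
    """Whitelisting policy: pinned hashes first, then anything validly signed by a trusted signer."""

    def __init__(self, known_keys, trusted_signers, pinned_hashes=()):
        self.known_keys = known_keys
        self.trusted_signers = set(trusted_signers)
        self.revoked_signers = set()
        self.pinned_hashes = set(pinned_hashes)

    def revoke(self, signer_id):
        """Recovery step after a signing-key theft: stop trusting that signer outright."""
        self.revoked_signers.add(signer_id)

    def allowed(self, binary, signature=None):
        if sha256hex(binary) in self.pinned_hashes:
            return True, "pinned-hash"
        if (signature is not None
                and signature.get("signer") in self.trusted_signers
                and signature.get("signer") not in self.revoked_signers
                and signature_valid(self.known_keys, binary, signature)):
            return True, "trusted-signer"
        return False, "blocked"


def demo():
    """Walk through theft, bypass and recovery; returns each decision for inspection."""
    policy = Allowlist(KNOWN_KEYS, trusted_signers=[VENDOR_KEY["id"]])
    outcomes = {}
    outcomes["legit_before"] = policy.allowed(LEGIT_TOOL, sign(VENDOR_KEY, LEGIT_TOOL))
    # Attacker steals VENDOR_KEY and signs their own binary: the control is bypassed.
    stolen_key_signature = sign(VENDOR_KEY, MALWARE)
    outcomes["malware_signed_with_stolen_key"] = policy.allowed(MALWARE, stolen_key_signature)
    # A forged signature without the key still fails.
    outcomes["malware_forged_signature"] = policy.allowed(MALWARE, {"signer": VENDOR_KEY["id"], "sig": "00" * 32})
    # Recovery: revoke the compromised signer. Malware is blocked, but so is the legitimate tool.
    policy.revoke(VENDOR_KEY["id"])
    outcomes["malware_after_revoke"] = policy.allowed(MALWARE, stolen_key_signature)
    outcomes["legit_after_revoke"] = policy.allowed(LEGIT_TOOL, sign(VENDOR_KEY, LEGIT_TOOL))
    # Pinning the known-good hash keeps the legitimate tool running independent of the signer.
    policy.pinned_hashes.add(sha256hex(LEGIT_TOOL))
    outcomes["legit_after_pin"] = policy.allowed(LEGIT_TOOL, sign(VENDOR_KEY, LEGIT_TOOL))
    outcomes["malware_after_pin"] = policy.allowed(MALWARE, stolen_key_signature)
    return outcomes


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:34} -> {decision}")
```

The point to take from the walk-through is that signer-based trust is only as strong as the custody of the signing key, and that revocation is disruptive: every legitimate binary signed with the revoked certificate is blocked alongside the malware, which is why vendors usually re-sign and push updated binaries in the same window.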
In a report released last week, Symantec identified the Bit9 attackers, dubbed the Hidden Lynx group, as a professional team of hackers for hire who have operated since at least 2009.
The group is able to run multiple campaigns at once and has breached some of the "world's best-protected organizations," Symantec said. The infrastructure and tools used by the hackers originate from network infrastructure in China.
The hackers typically use custom Trojans built for each pay-to-order attack to steal intellectual property.