
Thursday, 28 February 2013

MiniDuke: New cyber-attack 'hacks governments' for political secrets

The governments of at least 20 countries may have fallen victim to a sophisticated new cyber-attack. Security experts believe the hackers are attempting to steal political intelligence.
Computer security firms Kaspersky Lab and CrySyS Lab discovered that the malware, dubbed "MiniDuke," targeted government computers in the Czech Republic, Ireland, Portugal and Romania along with think tanks, research institutes and healthcare providers in the United States.
"The technical indicators from our analysis show this is a new type of threat actor that hasn't been seen before," Kurt Baumgartner, a senior security researcher with Kaspersky Lab, told RT.
Although experts avoid speculating on who the attackers may be, Baumgartner clarified that "based on the target victims and the functionality of the malware" the objective of MiniDuke's authors is "to collect geopolitical intelligence."
The threat operates on low-level code to stay hidden, and uses Twitter and Google to get instructions and updates. It allegedly infected PCs when victims opened a cleverly disguised Adobe PDF attachment to an email.
"The high level of encryption in the malware and the flexible system it used to communicate with the C2 via Twitter and Google indicates this was a strategically planned operation," Baumgartner said.
The PDF documents were specifically tailored to their targets, according to the researchers. The attachments referred to highly relevant subjects such as "foreign policy," a "human rights seminar," or "NATO membership plans."
When the files were opened, MiniDuke would install itself on the user's computer.

So far it is only known that the malware then connects to two servers, one in Panama and one in Turkey, but security researchers say there are no clear indications of who was behind the online attacks.
According to Kaspersky Lab the spyware was written in "assembler language," a low-level code where each statement corresponds to a specific command, and is very small in size, only 20 kilobytes. Assembler language code is written specifically for each system it is meant to attack, as opposed to higher-level code, which can infect multiple types of technologies.
The way the malware was created and used indicates that the attackers "have knowledge from the elite, 'old school' type of malicious programmers who were extremely effective at creating highly complex viruses in the past," Baumgartner says. "MiniDuke's attackers have combined these skills with the newly advanced sandbox-evading exploits to target high-profile victims, which is unique and something we haven't seen before."
MiniDuke is a three-stage attack, the technology news and information website Ars Technica explains. First it tricks a victim into opening an authentic-looking PDF document; infected machines then start using Twitter or Google "to retrieve encrypted instructions showing them where to report for additional backdoors."
"These accounts were created by MiniDuke's Command and Control (C2) operators and the tweets maintain specific tags labeling encrypted URLs for the backdoors," Kaspersky Lab said in a statement. "Based on the analysis, it appears that MiniDuke's creators provide a dynamic backup system that also can fly under the radar: if Twitter isn't working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next C2."
Stages two and three are hidden inside a GIF image file which is downloaded from the command server and "disguised as pictures that appear on a victim's machine."
Image from securelist.com
Eugene Kaspersky, founder and chief executive of Kaspersky Lab, compared the highly advanced MiniDuke to "malicious programming from the end of the 1990s and the beginning of the 2000s", saying it has the potential to be "extremely dangerous" because it was an "elite, old-school" attack.
"This is a very unusual cyber-attack," the statement emailed to RT read.

"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world. These elite, 'old school' malware writers were extremely effective in the past at creating highly complex viruses," Kaspersky's CEO added.
Neither Kaspersky nor CrySyS is disclosing what the malware does once it takes hold of a victim until they have had a chance to privately warn infected organizations, Ars Technica reported.
According to the technology news and information website, at least 60 victims have been affected. Kaspersky has identified at least 23 affected countries, including the US, Hungary, Ukraine, Belgium, Portugal, Romania, the Czech Republic, Brazil, Germany, Israel, Japan, Russia, Spain, the UK, and Ireland.
Revelations about the new malware come two weeks after Silicon Valley security firm FireEye discovered security flaws in Reader and Acrobat software.
Leaked document sample. Image from securelist.com
