Kaspersky Labs has revealed that hackers are now hacking other attack groups, using their tools and stealing victim data, making more difficult to gather accurate threat intelligence.
Sophisticated threat actors are actively hacking other attack groups in order to steal victim data, borrow tools and techniques and re-use each other’s infrastructure – making accurate threat intelligence ever harder for security researchers, according to Kaspersky Lab’s Global Research and Analysis Team (GReAT).
Accurate threat intelligence relies on identifying the patterns and tools that signpost a particular threat actor. Such knowledge allows researchers to better map different attackers’ goals, targets and behaviours, and to help organisations determine their level of risk. When threat actors start hacking each other and taking over tools, infrastructure and even victims, this model quickly starts to break down.
Kaspersky Lab believes that such attacks are likely to be implemented mainly by nation-state backed groups, targeting foreign or less competent actors. It is important that IT security researchers learn how to spot and interpret the signs of these attacks, so that they can present their intelligence in context.
In a detailed review of the opportunities for such attacks, GReAT researchers identified two main approaches: passive and active. Passive attacks involve intercepting other groups’ data in transit, for example as it moves between victims and command and control servers – and are almost impossible to detect. The active approach involves infiltrating another threat actor’s malicious infrastructure.
There is a greater risk of detection in the active approach, but it also offers more benefits as it allows the attacker to extract information on a regular basis, monitor its target and their victims, and potentially even insert its own implants or mount attacks in the name of its victim. The success of active attacks relies heavily on the target making mistakes in operational security.
GReAT has encountered a number of strange and unexpected artefacts while investigating specific threat actors that suggest such active attacks are already happening in-the-wild.
- Backdoors installed in another entity’s command-and-control (C&C) infrastructure
Installing a backdoor in a hacked network allows attackers to establish persistence inside the operations of another group. Kaspersky Lab researchers have found what appear to be two in-the-wild examples of such backdoors.
One of these was found in 2013, while analysing a server used by NetTraveler, a Chinese-language campaign targeting activists and organisations in Asia. The second one was found in 2014, while investigating a hacked website used by Crouching Yeti (also known as Energetic Bear), a Russian-language threat actor targeting the industrial sector since 2010. The researchers noticed that, for a brief period of time, the panel managing the C&C network was modified with a tag that pointed to a remote IP in China (likely a false flag). The researchers believe this was also a backdoor belonging to another group, although there are no indicators as to who this might be.
- Sharing hacked websites
In 2016, Kaspersky Lab researchers found that a website compromised by the Korean-language DarkHotel also hosted exploit scripts for another targeted attacker, which the team called ScarCruft, a group targeting mainly Russian-, Chinese- and South Korean- organisations. The DarkHotel operation dates from April 2016, while the ScarCruft attacks were implemented a month later, suggesting that ScarCruft may have observed the DarkHotel attacks before launching its own.
Infiltrating a group with an established stake in a certain region or industry sector enables an attacker to reduce costs and improve targeting, benefiting from the specialist expertise of its victim.
Some threat actors share rather than steal victims. This is a risky approach if one of the groups is less advanced and gets caught, as the inevitable forensic analysis that follows will also reveal the other intruders. In November 2014, Kaspersky Lab reported that a server belonging to a research institution in the Middle East, known as the Magnet of Threats, simultaneously hosted implants for the highly sophisticated threat actors Regin and Equation Group (English-language), Turla and ItaDuke (Russian-language), as well as Animal Farm (French-language) and Careto (Spanish). In fact, this server was the starting point for the discovery of the Equation Group.
“Attribution is hard at the best of times as clues are rare and easily manipulated, and now we also have to factor in the impact of threat actors hacking each other. As more groups leverage each other’s toolkits, victims and infrastructure, insert their own implants or adopt the identity of their victim to mount further attacks, where will that leave threat hunters trying to build a clear, accurate picture? Our examples hint that some of this is already happening in-the-wild and threat intelligence researchers will need to pause and adapt their thinking when it comes to analysing the work of advanced threat actors,” said Juan Andres Guerrero-Saade, Principal Security Researcher, Global Research and Analysis Team, Kaspersky Lab.
In order to keep pace with the rapidly evolving threat landscape, Kaspersky Lab advises enterprises to implement a full-scale security platform combined with cutting-edge threat intelligence. Kaspersky Lab’s enterprise security portfolio provides businesses with threat prevention through its next-generation endpoint security suite, detection based on the Kaspersky Anti Targeted Attack platform, and prediction and incident response through its threat intelligence services.
Further details on ways in which threat actors acquire and reuse elements of other groups, including tool repurposing and malware clustering, and their ramifications for threat intelligence can be found in the paper, Walking in your enemy’s shadow: when fourth-party collection becomes attribution hell.
AppDate: DStv taps Xbox, Hisense for app
DStv Now app expands, FNB gets Snapchat lens, Spotify offers data saver mode, in SEAN BACHER’s apps roundup
DStv Now for Xbox and Hisense
Usage of DStv Now, the online DStv service available free to DStv customers, is increasing rapidly with more than two million plays of live and Catch Up content per week. In addition to using DStv Now to watch TV on tablets and smartphones, an increasing number of DStv customers are also opting to use it as their primary method of getting DStv on additional TVs in the house. This is set to increase with the release of two new big-screen TV apps, one for Xbox gaming consoles (Xbox One, Xbox One S, Xbox One X) and another for Hisense smart TVs (2018 and newer models).
Expect to pay: A free download.
Platform: Any of the Xbox One range of gaming consoles and 2018 or later Hisense smart TVs.
Stockists: Visit the store linked to your Xbox console or HiSense smart TV.
Santam Safety Ideas
Start-up businesses that have a FinTech or InsurTech business venture brewing are called to enter the third annual Santam Safety Ideas competition. Safety solutions or InsurTech ventures that are ready for piloting could win up to R150 000 worth of incubation support and R200 000 in seed funding.
The Safety Ideas competition was launched two years ago in partnership with LaunchLab, Stellenbosch University’s startup incubator that facilitates valuable connections for corporates and startups sourced from the startup ecosystem and partner universities in South Africa. The previous winners are Herman Bester and Anton Swanevelder, co-founders of MyLifeLine – a wearable panic device that won the competition last year; and Ntsako Mgiba and Ntandoyenkosi Shezi, co-founders of Jonga – a cost-effective security system for low income families, which won the competition in 2017.
Entries close on 28 February 2019. For more information on how to enter, visit: www.santam.co.za/safetyideas/
Click here to read about the FNB Snapchat lens, Spotify Free with data saver, and 00:37.
Fortnite fixes hackers’ hole
Epic Games has repaired a vulnerability that exposed Fortnite, the world’s most popular game of the moment, to hackers. The hole, which was left in Epic’s web infrastructure, allowed hackers to target players with email that appeared to come from Epic Games, but would have led them to a phishing site, where their log-in details would have been stolen.
Researchers at cyber security solutions provider Check Point Software alerted Epic to vulnerabilities that could have affected any player of the hugely popular online battle game.
Fortnite has nearly 80 million players worldwide. The game is popular on all gaming platforms, including Android, iOS, PC via Microsoft Windows and consoles such as Xbox One and PlayStation 4. In addition to casual players, Fortnite is used by professional gamers who stream their sessions online, and is popular with e-sports enthusiasts.
If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information as well as enabling them to purchase virtual in-game currency using the victim’s payment card details. The vulnerability would also have allowed for a massive invasion of privacy, as an attacker could listen to in-game chatter as well as surrounding sounds and conversations within the victim’s home or other location of play.
While Fortnite players had previously been targeted by scams that deceived them into logging into fake websites that promised to generate Fortnite’s ‘V-Buck’ in-game currency, these new vulnerabilities could have been exploited without the player handing over any login details
Click here to read how the Fortnite hack worked
To win a set of three Fortnite Funko Pop Figurines, click here.