RSA SecurID Breach Malware Tied To Scores Of Other Attacks


Security researchers who have been closely monitoring the attackers behind the 2010 RSA SecurID breach say the targeted attack campaigns go back seven years, infiltrating a string of private companies in the U.S., Europe and Asia.

The attacks are connected to at least 64 campaigns targeting individuals to infiltrate businesses and remain stealthy on them for months and sometimes years, said Joe Stewart, director of malware research at Dell SecureWorks. The attackers harvested account credentials, intellectual property and other proprietary information. About 100 victims have been identified and Stewart said he suspects that there could be many more.

"This is all common code all coming out of those Beijing networks," Stewart told CRN. "We're pretty sure that we're nowhere near the complete set of victims."


Nearly all the advanced persistent threats (APTs) targeted private sector companies from energy and mineral exploration firms to audio and videoconferencing manufacturers, according to the Dell SecureWorks report, "Secrets of the Comfoo Masters," to be released Wednesday at the Black Hat security conference in Las Vegas. The report provides extensive analysis of the Comfoo malware, the attack techniques and how Comfoo can be detected in the enterprise.

Stewart and other researchers identified more than 200 malware families tied to the campaigns. Many of the Comfoo remote access Trojans, or RATs, were custom-made, Stewart said. They were configured to set up a back door into systems and gather system and network information, log the keystrokes of victims to steal account credentials and other information, take screenshots and upload additional malware.

Much of the attack activity was at organizations in Japan, India and South Korea. The attackers targeted trade organizations, telecommunications firms, think tanks and news media, Dell SecureWorks said. The targeting of two audio and videoconferencing manufacturers has led Stewart and others to speculate that the data harvested could be used to steal details about the products or to conduct surveillance using the devices.

"We don't know what their intentions are with the data, but we do know that they're collecting a lot of it," Stewart said.

The attackers, believed to be one of two major China-based cyberespionage units, set up a series of rendezvous traffic relay servers to control their victims' systems. The complex infrastructure was combined with other techniques to throw off researchers and complicate analysis. It was monitored by Stewart and other researchers over 18 months beginning in January 2012. Stewart said he connected periodically to the relay servers to identify the victim systems contacting them and to warn computer response teams of infections.

"We've found running instances of these rendezvous servers all over the place," Stewart said. "They've had multiple people using the servers for multiple targeted campaigns."
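The relay-server infrastructure described above is typically spotted from the victim side as regular, low-volume check-ins to the same destination. The following script is an added illustration of that defensive check and is not code from the Dell SecureWorks report or from CRN: it reads a constructed proxy log (the hostnames, timestamps and byte counts are made up for the example, and the `.invalid` domains are placeholders) and flags host/destination pairs whose connection intervals are nearly constant, the kind of beaconing a RAT produces when it polls a relay server. The log format, the thresholds and the function names are assumptions for this example only.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "timestamp source destination bytes".
# host-17 checks in with relay.example.invalid every ten minutes with tiny, near-identical
# requests; host-22 browses cdn.example.invalid at irregular intervals with larger responses.
SAMPLE_LOG = """\
2012-01-09T08:00:00 host-17 relay.example.invalid 412
2012-01-09T08:00:03 host-17 cdn.example.invalid 20433
2012-01-09T08:10:00 host-17 relay.example.invalid 409
2012-01-09T08:20:01 host-17 relay.example.invalid 415
2012-01-09T08:30:00 host-17 relay.example.invalid 411
2012-01-09T08:40:00 host-17 relay.example.invalid 410
2012-01-09T08:01:12 host-22 cdn.example.invalid 8120
2012-01-09T08:07:45 host-22 cdn.example.invalid 9531
2012-01-09T08:33:02 host-22 cdn.example.invalid 7730
2012-01-09T08:49:19 host-22 cdn.example.invalid 10022
"""


def parse_log(text):
    """Group (timestamp, bytes) tuples by (source, destination) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events


def coefficient_of_variation(values):
    """Population standard deviation divided by the mean; near zero means 'almost constant'."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(text, min_connections=4, max_interval_cv=0.2):
    """Return pairs whose inter-connection intervals are regular enough to look like beaconing.

    min_connections: fewer samples than this cannot establish a rhythm and are skipped.
    max_interval_cv: upper bound on the coefficient of variation of the intervals; human
                     browsing is bursty and lands well above this, a timer-driven poll well below.
    """
    findings = []
    for (src, dst), conns in parse_log(text).items():
        if len(conns) < min_connections:
            continue
        conns.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        interval_cv = coefficient_of_variation(intervals)
        if interval_cv <= max_interval_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": round(mean(intervals)),
                "interval_cv": round(interval_cv, 3),
                # Near-constant request sizes are a second, independent beaconing signal.
                "size_cv": round(coefficient_of_variation([s for _, s in conns]), 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Only the host-17 to relay.example.invalid pair is reported: its four intervals are 600, 601, 599 and 600 seconds, so the interval coefficient of variation is close to zero, and its request sizes barely vary either. Host-22's traffic has four connections too, but the gaps between them swing from minutes to half an hour and it is left alone. In practice the thresholds need tuning per environment, and legitimate software updaters and monitoring agents will also beacon, so the output is a lead for an analyst rather than a verdict.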

The attackers use many common hacking techniques to first infiltrate their victims. Much like the RSA SecurID breach, nearly all of the attacks involved a phishing or social engineering component, according to Dell SecureWorks. The attackers use a minimal amount of encryption in the malware code to avoid being detected by antimalware technologies and network monitoring appliances, Stewart said.

Stewart said the activity connected with Comfoo has dropped off in recent months, leading investigators to believe the attackers have moved on to another malware family. Once an attack campaign has been identified by security researchers, the cybercriminals behind the activity often reorganize, creating new malware, according to Stewart.

PUBLISHED JULY 31, 2013