The Elderwood Project

In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We have been monitoring the attacking group's activities for the last three years as they have consistently targeted a number of industries. These attackers have used a large number of zero-day exploits, not just against the intended target organization but also against the supply chain manufacturers that service the company in their cross hairs. The attackers are systematic and re-use components of an infrastructure we have termed the "Elderwood Platform". The term "Elderwood" comes from the exploit communication used in some of the attacks. This attack platform enables them to deploy zero-day exploits quickly. Their methodology has always relied on spear phishing emails, but we are now seeing an increased adoption of "watering hole" attacks (compromising websites that the target organization's staff are likely to visit).

We call the overall campaign by this group the "Elderwood Project".

Serious zero-day vulnerabilities, which are exploited in the wild and affect a widely used piece of software, are relatively rare; there were approximately eight in 2011. The past few months, however, have seen four such zero-day vulnerabilities used by the Elderwood attackers. Although other attackers utilize zero-day exploits (for example, the Sykipot, Nitro, or even Stuxnet attacks), we have seen no other group use so many. The number of zero-day exploits used indicates access to a high level of technical capability. Here are just some of the most recent exploits that they have used:

Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)

Discovering vulnerabilities of this kind requires a large undertaking by the attackers: thoroughly reverse-engineering the compiled applications. That effort would be substantially reduced if they had access to source code. The group seemingly has an unlimited supply of zero-day vulnerabilities. They are used as needed, often in close succession, when exposure of the vulnerability currently in use is imminent.

The primary targets identified are within the defense supply chain, and a majority of them are not top-tier defense organizations themselves. They are companies that manufacture electronic or mechanical components sold to top-tier defense companies. The attackers target these lower-tier organizations expecting weaker security postures, and may use them as a stepping-stone to gain access to top-tier defense contractors, or to obtain intellectual property used in the production of parts that make up larger products built by a top-tier defense company. Figure 1 below shows a snippet of the various industries that are part of the defense supply chain.

Figure 1. Target sectors

One of the vectors of infection we are seeing a substantial increase in, called a “watering hole” attack, is a clear shift in the attacking group's method of operations. The concept of the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, the attackers find a website that caters to a particular audience, one that includes the target they are interested in. Having identified this website, the attackers break into it using a variety of means. They then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed on their computer. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889, have all been used within a 30-day period to serve up back door Trojans from compromised websites. The increase in the use of this technique requires the attackers to sift through a much greater amount of stolen information than a targeted attack relying on email, as the number of victims compromised by a Web injection attack will be much greater.

Figure 2. Web injection process used in watering hole attacks
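As an added illustration of what the injection in Figure 2 looks like from the defender's side (this is example code written for this page, not tooling from the Symantec paper), here is a small Python scanner run over a constructed HTML page. It flags script, iframe, object and embed elements that load from outside the site's own origin, and iframes sized or positioned so that a visitor would never see them, which is the usual way an exploit page is pulled into an otherwise legitimate site. The hostnames and IP addresses are documentation placeholders (RFC 5737 ranges, example.org/.net), not indicators from the Elderwood attacks.

```python
"""Scan an HTML page for the kind of injection used in a watering-hole attack.

Constructed example: it looks for script/iframe/object/embed elements that load
from a host outside the site's own origin, and for hidden iframes (zero-size,
display:none, or pushed off screen).
"""
import re
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urlparse

Finding = namedtuple("Finding", "tag url reason")

# Constructed page: two legitimate loads, then two injected elements using
# documentation addresses (not real indicators).
SAMPLE_PAGE = """
<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<p>Member news</p>
<iframe src="http://198.51.100.23/index.html" width="0" height="0" frameborder="0"></iframe>
<script src="http://203.0.113.9/deployJava.js"></script>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect the elements that can pull remote content into the page."""

    WATCHED = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, attrs dict); HTMLParser lowercases both

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            self.found.append((tag, dict(attrs)))


def _host_of(url):
    """Hostname of a URL, or None for a relative reference (same origin)."""
    if url.startswith("//"):          # protocol-relative still names a host
        url = "http:" + url
    return urlparse(url).hostname


def _is_hidden(attrs):
    """True if the element is sized or positioned so a visitor never sees it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        v = attrs.get(dim)
        if v is not None and v.strip().rstrip("px") in ("0", "1"):
            return True
        m = re.search(dim + r":(\d+)px", style)
        if m and int(m.group(1)) <= 1:
            return True
    return re.search(r"(left|top):-\d{3,}px", style) is not None


def find_suspicious_embeds(html, site_host, allowed_hosts=()):
    """Return Findings for elements loading from outside the site or hidden.

    site_host: hostname of the page being scanned, e.g. 'www.example.org'.
    allowed_hosts: extra hosts the site legitimately uses (CDN, analytics).
    """
    parser = _TagCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for tag, attrs in parser.found:
        url = attrs.get(_TagCollector.WATCHED[tag])
        if not url:
            continue
        host = _host_of(url)
        reasons = []
        if host is not None and host.lower() not in trusted:
            reasons.append("external host")
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append(Finding(tag, url, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_embeds(SAMPLE_PAGE, "www.example.org",
                                    allowed_hosts=["cdn.example.net"]):
        print(f"{f.tag:<7} {f.reason:<28} {f.url}")
```

The allowlist matters in practice: a site's legitimate third-party loads (CDNs, analytics) will otherwise drown the findings, and the useful signal is a host that appears on the page for the first time, so the scan is best run against a known-good baseline of the same page.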

Any manufacturers who are in the defense supply chain need to be wary of attacks emanating from subsidiaries, business partners, and associated companies, as they may have been compromised and used as a stepping-stone to the true intended target. Companies and individuals should prepare themselves for a new round of attacks in 2013. This is particularly the case for companies who have been compromised in the past and managed to evict the attackers. The knowledge that the attackers gained in their previous compromise will assist them in any future attacks.


Research Paper

We have published a research paper that details the links between various exploits used by this attacking group, their method of targeting organizations, and the Elderwood Platform. It puts into perspective the continuing evolution and sheer resilience of entities behind targeted attacks.


The Elderwood Project (Infographic)

Symantec Security Response has published a research paper revealing details about a series of attacks perpetrated by a highly organized and well funded group using the “Elderwood” Attack Platform. This platform is a set of tools and infrastructure used by the group to perform attacks against targets in a speedy and efficient manner. The group behind it has used it to carry out a multitude of attacks against targets primarily in the defense industry and other organizations within its supply chain. The group demonstrates a dogged persistence and tenacity, along with a high degree of technical expertise, as shown by the seemingly unlimited supply of zero-day exploits it has employed in the past. The research examines a window of at least three years in which numerous attacks were conducted, and they continue to take place to this day. The paper covers the attack methods used, the possible motives, the scale of the attacks, and what to do to stay protected.

The following infographic sums up the facts and figures uncovered in the research. For full details about these attacks, please download the full paper from our Security Whitepaper Repository.


Microsoft Releases September Security Bulletin

Microsoft has released updates to address vulnerabilities in Microsoft Development Tools and Server Software as part of the Microsoft Security Bulletin summary for September 2012. These vulnerabilities may allow an attacker to operate with elevated privileges.

US-CERT encourages users and administrators to review the bulletin and follow best-practice security policies to determine which updates should be applied.


The Algorithmic Copyright Cops: Streaming Video’s Robotic Overlords


As live streaming video surges in popularity, so does the use of copyright “bots”: automated systems that match content against a database of reference files of copyrighted material. These systems can block streaming video in real time, while it is still being broadcast, with potentially worrying implications for freedom of speech.

On Tuesday, some visitors trying to get to the livestream of Michelle Obama’s widely lauded speech at the Democratic National Convention were met with a bizarre notice on YouTube, which said that the speech had been blocked on copyright grounds.

On Sunday, a livestream of the Hugo Awards — the sci-fi and fantasy version of the Oscars — was blocked on Ustream, moments before Neil Gaiman’s highly anticipated acceptance speech. Apparently, Ustream’s service detected that the awards were showing copyrighted film clips, and had no way to know that the awards ceremony had gotten permission to use them.

“I thought it was a huge pity, and ridiculous,” said Gaiman in an e-mail exchange with Wired. “But I also think it highlights a potential problem that’s just getting bigger.”

Last month, footage from NASA’s triumphant Curiosity rover landing was blocked numerous times on YouTube, despite being in the public domain, because several companies — such as Scripps Local News — claimed copyright on the material.

Those incidents foretell an odd future for streaming video, as bandwidth and recording tools get cheaper, and the demand for instant video grows. Just in the last year, Google Hangouts, a feature of Google+ that allows multiple people to video conference, became a cult hit. Now it’s used by news sites, such as the Huffington Post, for live video interview segments. Services such as Ustream have made it simple to livestream book readings, Meetups and the police siege of Julian Assange’s embassy sleepover.

Copyright bots are being wired into that infrastructure, programmed as stern and unyielding censors with one hand ever poised at the off switch. What happens if the bot detects snippets of a copyrighted song or movie clip in the background? Say a ringtone from a phone not shut off at a PTA meeting? Or a short YouTube clip shown by a convention speaker to illustrate a funny point? Will the future of livestreaming be so fragile as to be unusable?
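To make concrete what the matching described at the top of this article does, and why the situations just listed go wrong, here is a toy model of a real-time copyright bot. It is example code written for this page, not the software of any of the companies named below. A stream is modelled as a sequence of segment fingerprints (short tokens standing in for perceptual hashes), the reference catalogue and the stream contents are constructed, and the bot blocks as soon as a run of consecutive segments matches a claimed work. The `authorized` parameter is the permission input the article says these systems lacked; with it empty, a licensed clip is blocked exactly like an infringing one.

```python
"""Toy model of a real-time copyright bot (constructed example).

Segments of a live stream are reduced to fingerprints; reference fingerprints
come from a catalogue of claimed works. The stream is blocked mid-broadcast once
`min_run` consecutive segments line up with a reference, unless the broadcaster
is on record as authorized for that work.
"""
from collections import defaultdict

# Constructed reference catalogue: work -> segment fingerprints in order.
REFERENCE_CATALOGUE = {
    "film-trailer-A": ["f1", "f2", "f3", "f4", "f5"],
    "news-package-B": ["n1", "n2", "n3"],
}

# Constructed live stream: the speaker's own material, then a three-segment
# excerpt of film-trailer-A shown to the audience, then more own material.
AWARDS_STREAM = ["s1", "s2", "f2", "f3", "f4", "s9", "s10"]


def build_index(catalogue):
    """Invert the catalogue: fingerprint -> [(work, position), ...]."""
    index = defaultdict(list)
    for work, fps in catalogue.items():
        for pos, fp in enumerate(fps):
            index[fp].append((work, pos))
    return index


def scan_stream(segments, index, min_run=3, authorized=frozenset()):
    """Return (segment index at which the stream was blocked, work) or (None, None).

    min_run: consecutive matching segments required before blocking. A short
      excerpt (a clip shown by a speaker, a ringtone in the background) still
      trips it once it is at least this long.
    authorized: works this broadcaster has clearance for; the matcher itself
      has no way to know that, so it must be supplied from outside.
    """
    # run[(work, next_expected_pos)] = length of the match so far
    run = {}
    for i, fp in enumerate(segments):
        next_run = {}
        for work, pos in index.get(fp, ()):
            length = run.get((work, pos), 0) + 1
            next_run[(work, pos + 1)] = length
            if length >= min_run and work not in authorized:
                return i, work
        run = next_run  # a non-matching segment resets every run
    return None, None


if __name__ == "__main__":
    idx = build_index(REFERENCE_CATALOGUE)
    print("no permission data:", scan_stream(AWARDS_STREAM, idx))
    print("clearance supplied:", scan_stream(AWARDS_STREAM, idx,
                                             authorized={"film-trailer-A"}))
```

Two things the model shows. First, the block lands at segment 4 of 7, while the broadcast is still running, which is the real-time behaviour the article describes. Second, the matcher answers only "does this look like a reference?"; whether the use is licensed, fair use, or public domain is a separate fact that has to be fed in, and a system with no channel for it will block the Hugo Awards and NASA footage as readily as a pirated film.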

A swarm of tech companies is rushing in to provide technical solutions to enforce copyright in online sharing communities and video-streaming sites. Those players include Vobile, Attributor, Audible Magic, and Gracenote. And they’re thriving, despite the fact that U.S. copyright law, as modified by the 1998 Digital Millennium Copyright Act, doesn’t require sites that host user-created content to preemptively patrol for copyright violations.

“The companies that are selling these automated takedown systems are really going above and beyond the requirements set for them in the DMCA, and as a result are favoring the interests of a handful of legacy media operators over the free-speech interest of the public,” says Parker Higgins, an activist at the Electronic Frontier Foundation.

The notice-and-takedown regime created by the DMCA allows copyright holders to send a written notice to an online hosting service when they find their copyright being violated. The online service can then escape legal liability by taking down the content fairly promptly, and the original poster has the opportunity to dispute the notice and have the content reinstated after two weeks.

But that regime breaks down for livestreaming. For one, if a valid copyright dispute notice is filed by a human, it’s unlikely that a livestream site would take it down before the event ends, nor, under the law, is it actually required to. On the flipside, if a stream is taken down, the user who posted it has no immediate recourse, and the viewership disappears.

Brad Hunstable, Ustream’s CEO, says the volume of content is overwhelming and content-blocking algorithms are key to keeping copyright holders happy.

“To give you a sense, more video is uploaded on Ustream per second than even YouTube, per minute, per day,” Hunstable said in a phone interview with Wired.