Exploit Kit a True Hacking Platform

Tuesday, May 20, 2014 @ 06:05 AM gHale


Attackers using an exploit kit known as Elderwood are more numerous and possibly better funded than previously thought, according to new research from Symantec.

Elderwood is a hacking platform whose attack code abuses software vulnerabilities in programs such as Adobe Systems’ Flash multimedia program and Microsoft’s Internet Explorer browser in order to spy on computers.

Symantec has been tracking Elderwood for two years, saying exploits contained in it targeted defense-related companies, people involved in human rights campaigns and IT and supply-chain firms.

At first, researchers thought a single group controlled Elderwood, but they now think it is a wider operation. Symantec doesn’t say which country it believes the attackers come from.

Symantec now thinks several hacking groups are using Elderwood, indicating that its developer may be selling the platform. Another possibility is that the core Elderwood hackers are developing exploits for their own in-house teams, the company wrote in a blog post.

A sub-group called “Hidden Lynx” targets the defense industry and Japanese users. “Vidgrab” prefers targeting Uyghur dissidents in the western China region. Another group known as “Linfo” or “Icefog” goes after manufacturing firms, while “Sakurel” focuses on aerospace companies.

At the start of this year, the Elderwood exploit kit contained exploits for three zero-day vulnerabilities: one for Flash (CVE-2014-0502) and two for Internet Explorer (CVE-2014-0322 and CVE-2014-0324).

Another clue that all of the groups may be closely connected is the use of shared infrastructure. The Flash exploit and one for Internet Explorer, CVE-2014-0322, were hosted on the same server yet used by all four groups, Symantec said.

Creating attack code for those vulnerabilities isn’t cheap, which suggests that if hacking groups are purchasing the exploits from Elderwood’s developer, those organizations “must have substantial financial resources.”

If all Elderwood-related attacks come from a larger group split into teams, then “these employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves.”


