This week we published our next Fusion Report, FR14-013 dealt with another variant of Gh0st RAT... We're not the first to report on Gh0st, nor do I suspect we'll be the last. What we do believe however, was the use of Gh0st this time can be attributed to a group known to be dangerous, very active, and targeting very specific types of technologies.
- One email contained a link to an executable file. That executable, upon analysis, was identified as a variant of the Gh0st RAT malware.
- The second email contained a download link to malware that was identified as a Microsoft Outlook credential stealer.
One of the things we talk about often is the idea of being able to assist a security team with fast classification of activities hitting the sensors and the security management consoles. This, with the vast amount of data coming at a typical defender, is also really (REALLY) hard. How exactly does a security team quickly assess the difference between 'commodity', 'systemic' and 'targeted' events? For dictionary purposes..
- Commodity issues are those that a simple tweak in existing defenses will take care of.. a new virus, a misconfiguration, etc.
- Systemic issues are those that might take down your company -or worse, an industry. Interconnected systems with few controls, central services to large scale operations --with built in credentials or trusts could be considered systemic. Help desk systems where every help desk technician has credentials to every computer; hard coded accounts in databases that connect to each other. These issues are usually a bit harder to identify, but once identified, controls can be placed to manage risk and threat.
- Targeted issues are a little different. Where the first two require largely mechanical mitigation processes, targeted attacks require users step into the role of "security chess". The game is on, and it's not going to stop. Attackers are skilled. In fact, one guy posted to a group the warning that targeted attackers (that hit his environment) mean business. They want something, and they bring the A-team. You need to be ready.
In this case, this group's use of Gh0st was clearly targeted. How can we assess that?
- The Gh0st RAT variant that we analyzed, had few known open source variants
- It leverages dynamic C2 domains previously identified in discussions within the Red Sky portal.
- The initial phish 'bait' was clearly used to social engineering of the intended victims of the high tech company that tipped off the community.
- The products manufactured by this company are known coveted technologies by others in the world (believed associated with the attackers)
- Last, this group rarely operates without either financial gain or espionage motivations (probably both)
In the lab, we began sink-holing operations on a couple of new locations. Within the first day, we collected information suggesting at least four companies had been compromised. The group? The same group associated with Gh0st RAT mentioned above. In two of the victims identified, the RATs used to steal information from these networks appear to have been placed as early as 2009. Three of the four identified were actively sending and receiving information when we identified them. Industries? One company manufactures airplanes and aerospace technologies. Another is a small engineering firm that manufactures propulsion technologies for rockets and spacecraft. The third, an energy company in Asia. The fourth? Apparently we stumbled onto someone else's research network. Sorry guys! ;)
So, we issued three victim notifications. One company never responded, but I was amazed to see how fast the others did. In both cases, we gave them information they hadn't previously known. In both CISOs reacted nearly immediately. These guys were on the ball, and grateful for the heads up.
The information sharing construct works. Red Sky Alliance isn't the only group out there, and it looks like at least some companies are getting the message. In fact, a Ponema Study on Information Sharing (released last week) polled 701 companies. 71% of them believed (at least according to the survey) that participating in threat intelligence forums (like Red Sky Alliance) improves the security posture of their organizations.
It's apparent, and not a secret, that there have to be better ways to share information. Automated means, faster turn-around, simplified exchange protocols and taxonomies, trust (and anti-trust), and competitive concerns all seemingly get in the way, but for those who love this stuff, they REALLY love it. The rest? Well, I'm reminded of my first junior high school dance where the boys stood on one side of the gym and the girls on the other. Only the boldest dared actually dance. At some point in the future, we'll all be on the floor, but don't wait to long. A small company with high value tech doesn't stand a chance on their own.
Drop us a note. You may not want to participate in the Red Sky Portal, but it'll be there if you need it. When you (or your lawyers) finally get up the courage to actually participate and dance, there'll be others in the portal waiting to help, and if you don't have the ability to implement the 'help' yourself, we're happy to make recommendations.
Until next time,
Have a great week!