Red October, RBN and too many questions still unresolved

Pierluigi Paganini January 17, 2013

The recently discovered cyber espionage campaign “Red October” has shocked world wide security community, the principal questions raised are:

  • Who is behind the attacks?
  • How is possible that for so long time the campaign went undetected?
  • Which is the role of AV company in these operations?

To try to understand who is behind the attacks it is necessary to evaluate the way the hackers have operated, they used old Java exploits to infect system from various sectors, in particular government agencies and diplomatic offices.

According the first revelations of Kaspersky team the hackers could have a Russian origin, but they adopted exploits common in Chinese cyber espionage campaign, be aware this not means that Chinese government is involved.

One of exploits for the Microsoft Word documents had been used in previous spear-phishing campaign aimed at Tibetan activists according to Kaspersky experts, the hackers behind the Red October operation have just changed the executable that was embedded in the document.

Symantec experts declared:

“This is not the first time that a high-profile attack campaign has used spear phishing emails and, as a popular method, it likely will not be the last . However, we are now seeing increased adoption of watering hole attacks being used in campaigns (compromising certain websites likely to be visited by the target organization).”

Kaspersky researchers verified two exploits for Microsoft Word flaws (CVE-2010-3333 and CVE-2012-0158) flaws and one exploit for an Excel vulnerability (CVE-2009-3129), all patched prior to attacks between May 2010 and December 2012.

The malware is without doubt the work of professionals that have targeted various platforms and vendors in many countries mainly localized in Eastern Europe.

BAckdoorRocraDistribution

Red October’s primary attack methods relied on exploits for flaws in Microsoft documents typically sent via email, one tested scheme. What is sure is that the attackers have evolved their methods of attack over the time using every time new exploit to target also vulnerabilities recently found such as the Java (CVE-2011-3544) flaw, patched by Oracle in October 2011.

The circumstance that is concerning is that none of the exploits used for the Red October attacks were zero days vulnerabilities.

Kaspersky researchers identified that at least three different known vulnerabilities have been exploited

  • CVE-2009-3129 (MS Excel) [attacks dated 2010 and 2011]
  • CVE-2010-3333 (MS Word) [attacks conducted in the summer of 2012]
  • CVE-2012-0158 (MS Word) [attacks conducted in the summer of 2012]

The security researchers from Seculert have discovered the usage of another delivery vector in the Red October attacks that allows the attackers to infiltrated victim network(s) via Java exploitation (MD5:35f1572eb7759cb7a66ca459c093e8a1 – ‘NewsFinder.jar’), known as the ‘Rhino’ exploit

  • (CVE-2011-3544)

787

Another interesting data provided by the investigation is that oldest domain name used in the Red October network was registered in November, 2007, and the newest in May, 2012.

In January 16th Kaspersky team published a new post on the investigation “Red October – Java Exploit Delivery Vector Analysis” in which is revealed that the early February 2012 timeframe that hackers would have used ‘Rhino’ exploit. It seems that this vector was not heavily used by the attackers, in fact when the security experts downloaded the php used to serve the ‘.jar’ malcode archive, the line of code delivering the java exploit was commented out.

The post states:

“The domain involved in the attack is presented only once in a public sandbox at malwr.com (http://malwr.com/analysis/c3b0d1403ba35c3aba8f4529f43fb300/), and only on February 14th, the very same day that they registered the domain hotinfonews.com. Following that quick public disclosure, related MD5s and links do not show up in public or private repositories, unlike the many other Red October components.

We could speculate that the group successfully delivered their malware payload to the appropriate target(s) for a few days, then didn’t need the effort any longer. Which may also tell us that this group, which meticulously adapted and developed their infiltration and collection toolset to their victims’ environment, had a need to shift to Java from their usual spearphishing techniques in early February 2012. And then they went back to their spear phishing.”

It becomes clear the importance of the discovery, probably this is one of the most extended cyber espionage campaign, what is singular, as observed by Kaspersky in its last post, is that it hasn’t detected any PDF exploits yet, which common for this kind of operations.

Costin Raiu, director of Kaspersky’s global research and analysis team, declared that other methods of distributing the cyberespionage malware might have been used although they are not yet identified.

Jeffrey Carr, founder and CEO of Taia Global, Inc, published an excellent post on his blog making interesting observations on the event.
Malicious servers
178.63.208.49  matches to 178.63.
188.40.19.247 matches to 188.40.
78.46.173.15 matches to 78.46.
88.198.30.44 matches to 88.198.

Mini-motherships
91.226.31.40 matches to 91.226.

I agree with Carr when he assumed a collaboration of RBN with Russian government, probably the RBN never stopped its action but simply operated below the radar.

Russia has always been known for its skill in virus design, just to provide some samples Bagel, Netsky  and MyDoom. RBN in considered a cybercrime company able to provide any kind of malicious service such as  phishing, DDoS, malware hosting, gambling and child pornography.

RBN

 

Carr states:

“It provides distance and deniability to the FSB (Federal Security Service of the Russian Federation) for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.”

I agree with Carr when he assumes that Kaspersky is one of the most important discoveries of the decade.

To the RBN are recognized multiple skills

  • Network skills
  • System skills
  • Internet understanding
  • Cybercrime relations
  • Legitimate companies relations
  • Law enforcement corruption

that make the organization very dangerous

RBNNetwork

Many exponents of worldwide security comminity believe that Red October campaign is the work of a group of cyber criminals that are collecting high-value information to sell subsequently to interested parties. Of course governments and intelligence agencies could be most interested in the information stolen.

In the post “Every Month is Red October” probably is provided the answer to the second question, the article in fact reiterates that security firms  “see thousands of similar documents in our systems every month. The Red October attacks are interesting because of the large scale of the espionage done by a single entity, and the long timespan they cover. However, the sad truth is that companies and governments are constantly under similar attacks from many different sources. In that sense, this really is just everyday life on the Internet.”

It ‘s really impossible to avoid similar incidents despite the fact that AV systems installed are update?

Referring to the third question that is impossible to answer without proof … is it possible that some government had done pressure on AV manufacturers in exchange for “favors” to make sure that some threats do their course?
Despite this theory could appear extremely imaginative it is shared by many conspirationists and for this reason we could ignore it…often the reality surpasses the imagination.

Pierluigi Paganini



you might also like

leave a comment