Aerosol Posted December 11, 2014

SECURITY RESEARCHERS have uncovered a sophisticated cyber espionage tool being used to launch "highly targeted attacks" designed to extract confidential information.

Security firm Blue Coat Labs claims to have identified the previously undocumented 'Inception' attack framework. The malware's design has "many layers", and so is named Inception after the Hollywood blockbuster about a thief who entered people's dreams to steal secrets. Based on iteration data, Blue Coat estimates that somewhere between 100 and 200 targets have been affected.

The firm found that, in all cases, the malware has been embedded in Rich Text Format (RTF) files. Exploitation of vulnerabilities in this file format is used to gain remote access to victims' computers. The files are delivered via phishing emails with the booby-trapped Word documents attached.

The malware's targets include individuals in strategic positions, such as oil, finance and engineering executives, military officers, embassy personnel and government officials. The Inception attacks began by focusing on targets primarily located in Russia or related to Russian interests, but have since spread to targets in other locations around the world. The preferred malware delivery method is phishing emails containing trojanised documents.

On the Windows platform, the attackers hide their identity by routing command and control traffic indirectly through a Swedish cloud service provider, CloudMe, using the WebDAV protocol.
This may also bypass many current detection mechanisms, said Blue Coat.

"The attackers have added another layer of indirection to mask their identity by leveraging a proxy network composed of routers, most of which are based in South Korea, for their command and control communication," the firm said in its blog post. "It is believed that the attackers were able to compromise these devices based on poor configurations or default credentials."

Senior Principal Security Researcher at Blue Coat, Snorre Fagerland, told The INQUIRER that the entire setup is meticulously designed for automation and operational security.

"When the attackers want to send a phishing mail they use one of their hacked routers. The proxy port on the router cannot be connected to directly, it must first be opened. Attackers do that by connecting to a different port, authenticating with a unique password for this router, and asking the router to open its proxy door," he explained.

Fagerland said this was being done in an automated fashion, where computer one unlocks the router, then seconds later computer two logs on and sends mail, and then the router is locked again.

"Attackers had hundreds of these hacked routers at their disposal, all configured with different passwords and different port configurations," he added. "The attackers obviously had a database of this infrastructure, and were able to script the usage of this so that different machines had to cooperate to perform the necessary actions."

The attackers also spread their actions thinly over this network of routers.
When the attackers upload new content to CloudMe, they do so while iterating over their router network, so there are new IPs accessing the shares every time.

Blue Coat also believes that the framework is continuing to evolve, and that the attackers have created malware for Android, BlackBerry and iOS devices to gather information from as many victims as possible. The firm observed over 60 mobile providers, including China Mobile, O2, Orange, SingTel, T-Mobile and Vodafone, included in these preparations, but said the real number could be even higher.

However, although this is a large-scale campaign, the average user is not the target and need not worry. If you hold an important, typically strategically important, role, the firm warns that you would be at risk of these attacks.

"Once compromised, the attack is hard to notice as most of it only exists in memory," said Fagerland. "The WebDAV protocol traffic to CloudMe also looks unremarkable from the point of view of many Intrusion Detection Systems."

There is no quick fix to protect yourself from Inception. Blue Coat advises that users can best protect themselves with common sense. "For example, if you receive a mail or any other contact request that seems in the least out of the ordinary, let your security people check it out first."

"Targeted attacks are usually poorly covered by your standard blocking product. So, you'll want to cover as many bases and angles as possible, with toolsets that allow you to tailor preventive measures to your own network and provide visibility and intelligence," explained Fagerland. "But the best protection is in the head."

Source: The INQUIRER
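Fagerland's point that the WebDAV traffic to CloudMe "looks unremarkable" to an IDS is worth turning into a concrete check. The script below is an added example written for this post, not Blue Coat's tooling or anything from its report: it walks proxy log lines, picks out every request to a watched cloud-storage domain from clients that have no known business reason to use it, and summarises per client which HTTP/WebDAV verbs were used, how many uploads (PUT) left the network, and whether WebDAV-specific verbs such as PROPFIND appeared. The log layout, the sample lines, the hostnames under cloudme.com and the allowlisted client address are all constructed assumptions for the example; the only thing taken from the article is that the C2 channel was WebDAV to CloudMe.

```python
"""Flag WebDAV-style traffic to a watched cloud-storage provider in proxy logs.

Added example for this post, not Blue Coat's code. The log format, hostnames
and client addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# WebDAV-specific verbs (RFC 4918). PUT and GET are shared with ordinary HTTP,
# so they are reported but do not on their own mark a client as "webdav".
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumption: the provider domain to watch. The article names CloudMe but gives
# no hostnames, so any host under this domain is treated as the provider.
WATCHED_DOMAINS = ("cloudme.com",)

# Assumption: clients with a known, legitimate reason to use the provider.
# Without such an allowlist this check is noisy wherever CloudMe is in use.
ALLOWED_CLIENTS = {"10.0.0.50"}

# Constructed proxy log layout: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample: one client polls a share (PROPFIND), uploads (PUT) and
# fetches (GET); one allowlisted client; one client doing unrelated browsing,
# including a look-alike domain that must not match; one unparseable line.
SAMPLE_LOG = """\
2014-12-09T08:14:02Z 10.0.0.23 PROPFIND https://webdav.cloudme.com/user1/ 207
2014-12-09T08:14:03Z 10.0.0.23 PUT https://webdav.cloudme.com/user1/Documents/1.bin 201
2014-12-09T08:14:55Z 10.0.0.23 GET https://webdav.cloudme.com/user1/Documents/2.bin 200
2014-12-09T08:15:10Z 10.0.0.50 PROPFIND https://webdav.cloudme.com/user2/ 207
2014-12-09T08:15:12Z 10.0.0.77 GET https://www.example.com/index.html 200
2014-12-09T08:15:40Z 10.0.0.77 GET https://cloudme.com.evil.example/ 200
2014-12-09T08:16:00Z 10.0.0.23 PROPFIND https://webdav.cloudme.com/user1/ 207
this line is not in the expected format
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def watched_host(host):
    """True if host is one of the watched domains or a subdomain of one."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_cloud_webdav(lines, allowed=ALLOWED_CLIENTS):
    """Summarise, per client, requests to watched hosts from non-allowlisted clients."""
    findings = defaultdict(lambda: {
        "requests": 0, "uploads": 0, "webdav": False, "methods": set(), "hosts": set(),
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname
        if rec["src"] in allowed or not watched_host(host):
            continue
        f = findings[rec["src"]]
        f["requests"] += 1
        f["methods"].add(rec["method"])
        f["hosts"].add(host)
        if rec["method"] == "PUT":
            f["uploads"] += 1          # data leaving the network
        if rec["method"] in WEBDAV_METHODS:
            f["webdav"] = True         # share polling or manipulation
    return dict(findings)


if __name__ == "__main__":
    for src, f in sorted(find_cloud_webdav(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {f['requests']} requests to {sorted(f['hosts'])}, "
              f"methods={sorted(f['methods'])}, uploads={f['uploads']}, webdav={f['webdav']}")
```

This is not a signature for Inception; it answers the question "which hosts on my network speak WebDAV to this provider, and is that expected?", which is exactly the kind of network-specific visibility Fagerland says standard blocking products do not give you. The allowlist is the caveat: in an organisation that uses CloudMe legitimately, the finding is the unexpected client, not the provider itself.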