APT Attacks Continue as Nation-State Threat Actors Launch Targeted Attacks For Economic and Political Gain.
Milpitas, CA -- November 7, 2013 -- FireEye Labs, the threat research and analysis group of FireEye (NASDAQ: FEYE), today announced a summary of key findings in the global threat landscape for the third quarter of 2013. FireEye Labs provides proactive threat intelligence reports and continuous monitoring through the Oculus service, the industry's first global, real-time continuous protection platform.
"Today's cyber threat landscape is rapidly evolving. Nation-state military operations and other highly motivated adversaries are launching well-funded, extremely sophisticated, and highly targeted attack campaigns," said Zheng Bu, senior director of FireEye Labs. "We're seeing more attacks targeting specific industries or geographic regions, such as the Deputy Dog attack on Japanese targets."
"Economically motivated attacks are also on the rise, often repurposing tools and techniques originally developed by nation-states for politically motivated attacks," added Bahman Mahbod, senior vice president of engineering at FireEye. "This 're-sale' of advanced malware means that garden variety cybercriminals can launch broad attacks on businesses that are undetectable by signature-based security solutions. Finally, we are detecting vulnerabilities in widely downloaded mobile applications that could be used to access corporate networks. We believe more mobile threats like this will be discovered in the near future."
Recent Findings from FireEye Labs
Leveraging visibility into the global threat environment and advanced forensics capabilities, FireEye Labs:
- Presented an in-depth, technical analysis of common evasion tactics used by advanced malware to thwart detection by file-based sandbox solutions at the annual Black Hat USA conference. The FireEye Threat Prevention Platform, with the purpose-built FireEye Multi-Vector Virtual Execution (MVX) engine at the core, is designed to be resistant to evasion techniques.
- Uncovered a coordinated effort by the Chinese to steal American drone technology. The hacking operation, originally known as Operation Beebus, was conducted by a group known as the "Comment Crew," and is one of the most recent signs of the ambitions of China's drone development program.
- Published a report describing the unique international and local characteristics of cyber attack campaigns waged by governments worldwide. Titled "World War C: Understanding Nation-State Motives Behind Today's Advanced Cyber Attacks," the report also discusses future changes to the cyber security landscape, including the emergence of new nation-state actors.
- Outlined new attacks using Poison Ivy, the malware remote access tool (RAT) that was used in the 2011 RSA SecurID compromise. Requiring little technical savvy, RATs are particularly dangerous in that they offer unfettered access to compromised machines. Additionally, they are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering. Leveraging open source security tools, FireEye also released Calamine, a free toolset to help organizations detect and monitor Poison Ivy infections.
- Discovered a campaign that leveraged the new zero-day exploit CVE-2013-383 that was announced by Microsoft in early September. This campaign, labeled 'Operation Deputy Dog', began as early as August 19, 2013 and appears to target organizations in Japan. Analysis based on the FireEye Dynamic Threat Intelligence cluster shows that the campaign leveraged a command and control infrastructure similar to the infrastructure used in an attack on Bit9.
- Detailed new activity by the attackers behind the December 2012 breach of the New York Times' computer network. The attackers were identified by FireEye technology alliance partner Mandiant as members of a massive spying operation in China. In activity detected in early August, the attackers appeared to be mounting fresh assaults that leveraged new and improved versions of their malware.
- Revealed a class of mobile threats in a popular ad library included in multiple Android apps that have been downloaded more than 200 million times. This ad library is aggressive at collecting sensitive data and is able to perform dangerous operations such as downloading and running new components on demand. It also contains various vulnerabilities that enable attackers to turn its aggressive behaviors against users. Since discovery, several of the apps have been removed from Google's app stores, and others have updated the ad library to the latest version, which fixes many of the security issues.