September 21, 2014

Kaspersky unveils The Mask, a 5 year cyber-espionage operation

Kaspersky Labs has revealed details of Careto/The Mask, a complex advanced persistent threat (APT) that has been running since 2007. The Mask is highly complex and uses a sophisticated set of tools including malware, rootkits and bootkits to infect Windows, OS X and Linux machines.

Kaspersky first noticed The Mask when it observed attempts by the malware used to hide itself from Kaspersky Lab products by attempting to exploit vulnerabilities in those programs. the mask APT Those vulnerabilities where fixed five years ago and Kaspersky has been researching this operation since then. Kaspersky rate The Mask higher than Duqu in terms of its sophistication and it is possible that the operation was state sponsored.

The main targets of The Mask fall into the following categories:

  • Government institutions
  • Diplomatic offices and embassies
  • Energy, oil and gas companies
  • Research institutions
  • Private equity firms
  • Activists
  • In the top five infected countries were the United Kingdom, Spain and France with Morocco being the most target country with over 380 IP addresses found in Mask related traffic.

    Once a machine is infected, Mask intercepts all the communication channels and start stealing data including encryption keys, VPN configurations, SSH keys and RDP files. It is also possible that it steals data related to custom military/government-level encryption tools.

    “Detection is extremely difficult because of its stealth rootkit capabilities. In addition to built-in functionalities, the operators of Careto can upload additional modules which can perform any malicious task. Given the nature of the known victims, the impact is potentially very high,” wrote members of the Global Research & Analysis Team (GReAT) at Kaspersky Lab.

    Among the exploits used by The Mask is an Adobe Flash Player vulnerability which was discovered by VUPEN and used to win the CanSecWest Pwn2Own contest in 2012. The exploit, which included a tactic for escaping Google Chrome’s sandbox, was sold to VUPEN’s customers and not disclosed publically. It is possible that the group behind The Mask purchased the exploit from VUPEN.

    At the moment the command and control servers used by The Mask are offline. The attackers began taking them offline in January 2014 but it is possible that the attackers could resurrect the campaign at some point in the future. The high degree of professionalism on the part of those running The Mask, including the way it was shutdown and the use of wipe instead of delete for log files, is another reason to believe that the operating was state sponsored.

    Cyber-attack of 9/11 Scale Likely in Near Future

    Organisations should prepare for the possibility of a global cyber-attack has warned HP chief executive Meg Whitman. Speaking at a HP customer event in London, Whitman said that she believes a “cyber-attack of 9/11 scale” is likely to take place in the near future. With promises to be on hand when such an attack does occur, the CEO’s comments come at a time when HP is trying to position itself as a leader in the security market.

    “We will darken the skies with our agenda to help organisations,” she said.

    Last year HP established an enterprise security business unit based around its Security Intelligence and Risk Management (SIRM) platform. SIRM is based on tools like ArcSight, Fortify, and TippingPoint.

    “To protect organizations against a wide range of attacks, HP has established a global network of security researchers who look for vulnerabilities that were not publicly disclosed,” said Michael Callahan, in a recent security related press release. “The intelligence gained from this research group is built into HP enterprise security solutions in an effort to proactively reduce risk.”

    Meg Whitman is not alone in her opinion. “We haven’t had a significant terrorism cyber related attack in this country, but that’s not to say that we are not preparing for that potential,” said Ralph Boelter, Assistant Director of the FBI’s Counterterrorism Division at a recent conference. He was joined by Gordon Snow, Assistant Director of the FBI’s Cyber Division who added that the most likely targets of future cybercrimes will be first responders, public infrastructures, iPads, and smartphones.