Unraveling the APT Campaigns of the Hidden Lynx Group - APT Defense Products

Unraveling the APT Campaigns of the Hidden Lynx Group

On September 17, 2013 (US time), Symantec released a report titled "Hidden Lynx - Professional Hackers for Hire", describing several APT campaigns carried out by a top-tier hacking group of 50 to 100 people that Symantec had tracked and analyzed for years. These campaigns include:
1) The Bit9 incident: an attack on the well-known US security vendor Bit9. The attackers first compromised Bit9's web server via SQL injection, then moved into the company's internal network and gained control of a server holding a digital code-signing certificate, which they used to sign a number of trojans and malicious scripts. Note: compromising Bit9 was not the end goal. When Bit9's customers were subsequently attacked, their Bit9 software identified that malicious code as legitimate, allowing the attackers to enter the victims' networks unhindered. This is similar to the earlier attacks on RSA SecurID and Comodo.
2) Operation VOHO: an attack on US government, defense and similar organizations that used the then-new "watering hole" technique. The attackers first compromised websites that the intended targets were likely to visit (the "watering holes"), then lay in wait for the eventual victims to browse to those trojanized sites. The attack exploited an IE 0-day of the time (Microsoft XML Core Services Remote Code Execution Vulnerability, CVE-2012-1889) and a Java remote code execution 0-day of the time (Oracle Java SE Remote Code Execution Vulnerability, CVE-2012-1723). After exploitation, Hidden Lynx dropped two trojans characteristic of the group, Backdoor.Moudoor and Trojan.Naid, which connected to C2 servers and were used for data theft.
3) Operation FINSHO: an APT attack targeting Japan. It exploited a 0-day Java remote code execution vulnerability (CVE-2013-1493); the exploit appeared before Oracle's patch. Naid was used here as well.
4) Operation SCADEF: an attack on supply-chain vendors of the US military. Backdoor.Moudoor appeared here too.
The report concludes: "From the evidence seen, it's clear that Hidden Lynx belongs to a professional organization. They operate in a highly efficient manner. They can attack on multiple fronts. They use the latest techniques, have access to a diverse set of exploits and have highly customized tools to compromise target networks. Their attacks, carried out with such precision on a regular basis over long periods of time, would require a well-resourced and sizeable organization. They possess expertise in many areas, with teams of highly skilled individuals who can adapt rapidly to the changing landscape. This team could easily consist of 50-100 individuals. This level of resources would be needed to build these Trojans, maintain infection and C&C infrastructure and pursue confidential information on multiple networks. They are highly skilled and experienced campaigners in pursuit of information of value to both commercial and governmental organizations."

