On Tuesday September 17, 2013, Symantec’s Security Response organization published a whitepaper report and blog on Hidden Lynx, a group of professional hackers with advanced capabilities. Evidence suggests that Hidden Lynx is a hacker group operating out of China with affiliations to “Operation Aurora”. This group was responsible for the compromise of security firm Bit9’s digital code-signing certificate, used to sign 32 pieces of malware. They have been involved in a number of operations over the last four years.
The group offers a “hackers for hire” operation that is tasked with retrieving information from a wide range of corporate and government targets. They are a highly efficient team who can undertake multiple campaigns at once, breach some of the world’s best-protected organizations, and can quickly change their tactics to achieve their goal.
They usually attack using multiple customized Trojans designed for specific purposes. Backdoor.Moudoor is used for larger campaigns and has seen widespread distribution, while Trojan.Naid is reserved for special operations against high value targets. The group uses cutting-edge attack techniques which makes this team stand out from other major attack groups. Symantec has been tracking this group since 2009.
The Hidden Lynx group has been in operation since at least 2009 and appears to be a professional organization that offers a “hackers for hire” type service. They have the capability to attack many organizations with concurrent running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the Hidden Lynx group would need to be a sizeable organization made up of between 50 and 100 individuals. The members of this group are experts at breaching systems.
Their method for exploitation and pay-to-order targeted attacks involve a two-pronged strategy using two Trojans designed for each purpose:
· Team Moudoor distributes Backdoor.Moudoor, a customized version of “Gh0st RAT”, for large-scale campaigns across several industries. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks.
· Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved for more limited attacks against high value targets. This Trojan was leveraged for a special operation during the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This Trojan was also found as part of “Operation Aurora” in 2009.
The group makes use of regular zero-day exploits. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The Hidden Lynx group is an advanced persistent threat that is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.
This broad range of targeted information would indicate that the attackers are part of a professional organization. They are likely tasked to obtain very specific information that could be used to gain competitive advantages at both a corporate and nation state level.
The financial services sector has been identified as the most heavily targeted industry overall. There is a tendency to target specific companies within this sector. Investment banks and asset management agencies account for the majority of organizations targeted within this industry.
Attacks against Government Contractors
In attacks that have targeted all levels of government from local to national level, this group has repeatedly attempted to infiltrate these networks. Attacks against government contractors and, more specifically, the defense industry indicate that the group is in pursuit of confidential information and suggests that the group had been working for other nation states.
WHAT ARE THEY CAPABLE OF?
The Hidden Lynx group’s advanced capabilities are clearly demonstrated in three major campaigns. In the VOHO campaign, they showed how they could subvert Bit9’s established trust models. In the FINSHO campaign, they managed to get advanced knowledge of a zero-day exploit. In the SCADEF operation, they undertook supply chain attacks in their campaign.
Despite the exposure of the Hidden Lynx Hacker group, Symantec believes they will continue their activities. Symantec will continue to monitor activities and provide protection against these attacks. We advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups like Hidden Lynx.
SOC DETECTION CAPABILITIES:
For customers with MSS IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, please email@example.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring for these vulnerabilities once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
COMPONENTS AND DETECTION
· Backdoor.Moudoor – MSS Detection
[MSS URL Detection] Backdoor.Moudoor Command and Control Communications
· Backdoor.Moudoor – Vendor Detection
Symantec SEP/AV - Backdoor.Moudoor
· Trojan.Naid – MSS Detection
[MSS URL Detection] Possible Trojan.Naid HTTP Request (Vector: CVE-2013-1493)
[MSS URL Detection] Trojan.Naid Malware Callbacks
· Trojan.Naid – Vendor Detection
Symantec SEP/AV - Trojan.Naid
· Trojan.Hydraq – MSS Detection
MSS Hot IP Detection - Possible Trojan.Hydraq Traffic
MSS Hot IP Detection - Trojan.Hydraq C&C Server
MSS Hot IP Detection - Trojan.Hydraq Data Exfiltration Site
MSS Hot IP Detection - Trojan.Hydraq Traffic
· Trojan.Hydraq – Vendor Detection
SSIM - Possible Hydraq Activity
Symantec SEP/AV - Trojan.Hydraq
Snort/SourceFire - Trojan.Hydraq - Beaconing activity
· Trojan.Hikit – MSS Detection
[MSS URL Detection] Backdoor.Hikit Command and Control Communications
· Trojan.Hikit – Vendor Detection
Symantec SEP/AV - Trojan.Ascesso
· Backdoor.Vasport – MSS Detection
[MSS URL Detection] Backdoor.Vasport Command and Control Communications
· Backdoor.Vasport – Vendor Detection
Symantec SEP/AV - Backdoor.Vasport
· Backdoor.Boda - MSS Detection
[MSS URL Detection] Possible Backdoor.Boda (“LadyBoyle”) Request to Command and Control
· Backdoor.Boda – Vendor Detection
Snort/SourceFire - ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign
· Symantec Endpoint Protection (SEP) IPS Signatures:
Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544 3 detected
Web Attack: Oracle Java Rhino Script Engine CVE-2011-3544 attack blocked
Web Attack: MSIE Same ID Property CVE-2012-1875 attack blocked
Web Attack: MSIE MSXML CVE-2012-1889 2 attack blocked
Web Attack: MSIE MSXML CVE-2012-1889 3 detected
Web Attack: MSIE MSXML CVE-2012-1889 detected
Web Attack: Java CVE-2012-1723 RCE 2 detected
Web Attack: Java CVE-2012-1723 RCE attack blocked
Web Attack: Oracle Java SE CVE-2012-1723 Remote Code Execution Vulnerability 3 attack blocked
Web Attack: Oracle Java Type Confusion Attack CVE-2012-1723 4 detected
Web Attack: Java CVE-2013-1493 RCE 2 attack blocked
Web Attack: Java CVE-2013-1493 RCE attack blocked
· McAfee AV: Viral Signatures:
MITIGATION STRATEGIES AND RECOMMENDATIONS:
· Symantec recommends customers use a layered approach to securing their environment, using the latest Symantec technologies including Enterprise-Wide security monitoring from Edge to Endpoint.
· In the case of technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint security systems.
· Ensure all operating systems and public facing machines have the latest security patches, and antivirus software and definitions up to date.
· Ensure systems have a running firewall, unnecessary ports are closed/blocked, and all unused services are disabled.
· Ensure that your staff is educated on Social Engineering and Phishing techniques.
WHAT TO EXPECT FROM MSS:
Symantec MSS SOC security analysts will continue to diligently monitor, analyse, and validate any events indicative of Hidden Lynx activity:
· Possible or suspect activity may be notified at a lower severity
· MSS will continue to perform ongoing refinement of detection
· MSS will continue to reach out to clients that may have had historical indicators of compromise unveiled due to new data
Please note Symantec MSS stands ready to provide security monitoring for these vulnerabilities once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices. Thanks and appreciation to the Global Intelligence Network’s analysis team for all their hard work in creating the wealth of information regarding this threat.