Five-year-old Elderwood zero-day gang rides again

News by Steve Gold

More intelligence sharing is needed to tackle this type of zero-day threat, says Tom Cross, Lancope director of security research.

A malware group specialising in zero-day attack code has apparently re-energised its software one again, in order to allow non-technical criminals to stage zero-day exploits.

The Elderwood group - named after the darkware program code of the same name - dates back to 2009 when various cyber-criminal gangs were seen launching complex attacks on Google's servers and user accounts. 

According to a white paper on the malware's code structure published by Symantec back in 2012, Elderwood is either a parent group with a number of sub-groups - each with their own clients - or a single group willing to licence the zero-day code to anyone prepared to pay the appropriate fee for crimeware-as-a-service. 

Now the Elderwood zero-day code has been seen again by Symantec researchers, who claim that several high-profile attack groups have been known to use the Elderwood platform for many of their major campaigns over many years, including Hidden Lynx. 

Symantec says that within the space of a month at the start of this year the Elderwood platform was used to exploit three zero-day vulnerabilities, proving that this exploit set is still a significant threat. 

Based on the security firm's latest analysis, it seems likely that someone is supplying various Internet Explorer and Adobe Flash zero-day exploits to an intermediate organisation - or directly to the various groups. 

"This alone is a sign of the level of resources available to these attackers," says the company in its latest analysis of the threat. 

Gavin Watson, a senior security engineer with CESG CHECK/PCI security specialist Randomstorm, said that, given Elderwood's threat track record, the most predictable advice provided to organisations is to keep their systems patched and user passwords complex. 

"However, here we are dealing with zero-day exploits where no patch or workaround is likely to be available. It is important to note that in the majority of cases these zero-day exploits are 'client side,' requiring an action from a user such as downloading a file or clicking a malicious link within a phishing email," he said. 

Watson, who also heads up the security specialist's social engineering team, added that the success of this type of attack is not just dependent of the target using vulnerable software, but also on other factors, such as lack of awareness training, poor procedures, ineffective web proxies or ineffective web filtering. 

"As with most security issues, the best way to protect sensitive information assets and IT systems is through a pro-active 'defence in depth' strategy. All aspects of the business should be tested from a security perspective, most of all the employees themselves," he explained.

Tom Cross, director of security research with Lancope, agreed the complex nature of Elderwood. 

"In the same way that militaries purchase weapons platforms such as tanks, airplanes and warships from technology suppliers in the military industrial complex, so too are sophisticated Internet threat actors acquiring technical capabilities from their own cyber espionage industrial complex," he said. 

"We've seen the same kind of specialisation occur in the world of financially motivated computer crime - with operators purchasing toolkits and exploits from technology suppliers," he added. 

Cross went on to say that defenders can use this to their advantage, because technical details about the way that a particular attack works that are discovered in the course of analysing it could be common to other attacks that are being launched against other industries by other attackers using the same toolsets. 

Against this backdrop, Lancope's director of security research says that these technical details could help victims detect other attacks - but only, he noted, if they are aware of them. 

"This is why information sharing between defenders is so important. In a recent study by the Ponemon Institute that Lancope sponsored, only 12 percent of respondents indicated that their organisations were sharing threat indicators with industry peers. More intelligence sharing is needed if we're going to make a dent in threats like Elderwood," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews