Hackers used Google Developers and public DNS to disguise traffic between the malware and...


  ... The unidentified hackers had used spear-phishing attacks

What exactly is a "spear-phishing" attack?

   -------------
   With Hurricane Electric, the attacker took advantage of the fact
   that its domain name servers were configured, so anyone could
   register for a free account with the company's hosted DNS service.

   The service allowed anyone to register a DNS zone, which is a
   distinct, contiguous portion of the domain name space in the
   DNS. The registrant could then create A records for the zone
   and point them to any IP address.

   In addition, Hurricane did not check whether newly created zones
   were already registered or owned by other parties, FireEye said.
   -------------

You have got to be kidding.  Who could possibly be that sloppy?

   -------------
   Moran believed the services were victims of hacker creativity
   versus a flaw.
   -------------

What?!

It's not a flaw to not check to see if a desired domain is not already
registered?!

========================================================

How hackers used Google to steal corporate data

Attackers used Google Developers and public DNS to disguise traffic
between the malware and command-and-control servers

August 14, 2014

A group of innovative hackers used free services from Google and an
Internet infrastructure company to disguise data stolen from corporate
and government computers, a security firm reported.

FireEye discovered the campaign, dubbed Poisoned Hurricane, in March
while analyzing traffic originating from systems infected with a remote
access tool (RAT) the firm called Kaba, a variant of the better known
PlugX.

The compromised computers were discovered in multiple U.S. and Asian
Internet infrastructure service providers, a financial institution, and
an Asian government organization. FireEye did not disclose the name of
the victims.

The unidentified hackers had used spear-phishing attacks to compromise
the systems, then used the malware to steal sensitive information and
send it to remote servers, FireEye said.

What was unique about the attackers was how they disguised traffic
between the malware and command-and-control servers using Google
Developers and the public Domain Name System (DNS) service of Hurricane
Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to
redirect traffic that appeared to be headed toward legitimate domains,
such as adobe.com, update.adobe.com, and outlook.com.

"It was a novel technique to hide their traffic," Ned Moran, senior
threat intelligence researcher for FireEye, said Thursday.

The attackers' tactics were clever enough to trick a network
administrator into believing the traffic was headed to a legitimate
site, Moran said.

The malware disguised its traffic by including forged HTTP headers of
legitimate domains. FireEye identified 21 legitimate domain names used
by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate
certificate from a group listed as the "Police Mutual Aid Association"
and with an expired certificate from an organization called "MOCOMSYS
INC."

In the case of Google Developers, the attackers used the service to host
code that decoded the malware traffic to determine the IP address of the
real destination and redirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine's
website for software development tools, APIs, and documentation on
working with Google developer products. Developers can also use the site
to share code.

With Hurricane Electric, the attacker took advantage of the fact that
its domain name servers were configured, so anyone could register for a
free account with the company's hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct,
contiguous portion of the domain name space in the DNS. The registrant
could then create A records for the zone and point them to any IP
address.

In addition, Hurricane did not check whether newly created zones were
already registered or owned by other parties, FireEye said.

Google and Hurricane were notified of the malicious use of their
services, Moran said. Both companies had removed the attack mechanisms.

"We appreciate FireEye discovering and documenting this unusual attack,
so that we could immediately fix our service to eliminate the
possibility of this type of abuse in the future," Mike Leber, a
spokesman for Hurricane said in an email sent to CSOonline.

Moran believed the services were victims of hacker creativity versus a
flaw.

"These are services offered online that can be used for good or ill," he
said. "A gun can be used to protect and a gun can be used to hurt."

http://www.infoworld.com/d/security/how-hackers-used-google-steal-corporate-data-247941?source=rss_infoworld_top_stories_

-----------------

See also:

Rise seen in use of Google service for mobile botnets

http://www.csoonline.com/article/2134158/mobile-security/rise-seen-in-use-of-google-service-for-mobile-botnets.html
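Added example, not from the article or from FireEye: a small Python check a defender could run over DNS and HTTP proxy logs to catch the two symptoms the article describes, endpoints resolving names through a public resolver instead of the corporate one, and HTTP requests whose Host header names a legitimate domain while the connection actually goes to an address the trusted resolver never returned for it. The log line format, the resolver addresses and the A records are assumptions, and the sample log lines are constructed.

```python
import re

# Constructed allow-list of the resolvers endpoints are expected to use (hypothetical).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed answers from the trusted corporate resolver (RFC 5737 documentation addresses).
TRUSTED_A_RECORDS = {
    "update.adobe.com": {"192.0.2.10", "192.0.2.11"},
    "outlook.com": {"198.51.100.5"},
}

# Hypothetical flat log formats for DNS answers and HTTP requests.
DNS_LINE = re.compile(r"^(?P<ts>\S+) DNS src=(?P<src>\S+) resolver=(?P<resolver>\S+)"
                      r" qname=(?P<qname>\S+) answer=(?P<answer>\S+)$")
HTTP_LINE = re.compile(r"^(?P<ts>\S+) HTTP src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$")

def check_dns(rec):
    """Flag a lookup sent to an unapproved resolver or answered with an unexpected address."""
    findings = []
    if rec["resolver"] not in APPROVED_RESOLVERS:
        findings.append(f"{rec['src']} queried unapproved resolver {rec['resolver']} for {rec['qname']}")
    expected = TRUSTED_A_RECORDS.get(rec["qname"])
    if expected is not None and rec["answer"] not in expected:
        findings.append(f"{rec['src']} got {rec['answer']} for {rec['qname']}; trusted: {sorted(expected)}")
    return findings

def check_http(rec):
    """Flag a Host header naming a known domain when the connection goes somewhere else."""
    expected = TRUSTED_A_RECORDS.get(rec["host"])
    if expected is not None and rec["dst"] not in expected:
        return [f"{rec['src']} sent Host: {rec['host']} to {rec['dst']}, not a trusted address for it"]
    return []

def analyze(lines):
    """Run both checks over log lines in order and return all findings."""
    findings = []
    for line in lines:
        if m := DNS_LINE.match(line):
            findings.extend(check_dns(m.groupdict()))
        elif m := HTTP_LINE.match(line):
            findings.extend(check_http(m.groupdict()))
    return findings

# Constructed sample: 10.0.5.7 uses the corporate resolver; 10.0.5.9 asks an outside
# public resolver and is steered elsewhere while its requests still name adobe.com.
SAMPLE_LOG = [
    "t1 DNS src=10.0.5.7 resolver=10.0.0.53 qname=update.adobe.com answer=192.0.2.10",
    "t2 HTTP src=10.0.5.7 dst=192.0.2.10 host=update.adobe.com",
    "t3 DNS src=10.0.5.9 resolver=203.0.113.53 qname=update.adobe.com answer=203.0.113.200",
    "t4 HTTP src=10.0.5.9 dst=203.0.113.200 host=update.adobe.com",
]
```

Blocking outbound UDP/TCP 53 from endpoints to anything but the corporate resolvers removes the first symptom outright; the Host-versus-destination comparison still catches malware that hardcodes the destination address.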

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

Virus Guy wrote on 8/14/2014 :

It's phishing, but instead of the wide net spamming phishing you  
normally see, it is a targeted attack.



Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers



Not just targeting but using somewhat insider information associated with
the target such that the Social Engineering used in the Spear Phishing has a
greater level of credulity.  Thus causing the recipient to lower their
defenses enough for the attack to be successful.  Spear Phishing is a
targeted attack specifically geared towards the "mark" using information
that the mark uses but now being used against them.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

on 8/14/2014, David H. Lipman supposed :

Yeah, but I didn't want to waste too many words on VG. If you can make  
your phishing attempt seem to come from a more trusted source, the  
success rate of the attack is better. I was only trying to  
differentiate it from the normal 'carpet bombing' type of phishing.



Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers



Understood  ;-)

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

On Thu, 14 Aug 2014 16:46:46 -0400, FromTheRafters wrote:



Well said.  

Thane


Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

Thane wrote:

http://metaphoricalinking.com/50/

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

FromTheRafters wrote:

And you also didn't want to answer my other questions or comments about
what the original post was about - did you?

Or is that stuff over your heads?

You too - Lipman.

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

On Fri, 15 Aug 2014 00:07:10 -0400, Virus Guy wrote:


As others have said, you don't understand the answers when you're given  
them. It also seems you're asking questions just to start an argument. So  
why waste time and words with you, Filtered Guy?

Thane

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

Thane was thinking very hard :

He once posted something about e-mail spam he received with headers  
that seemed to come from IIRC zscaler. I told him about Hurricane  
Electric at that time. He ignored my contribution as usual. Had he not  
been so dismissive then, this wouldn't be such a surprise to him now.

He (and others) were too busy dissing me and doing MX lookups while  
ignoring the *only* data in the header that can be trusted as not  
supplied by the spammer. That being the most recent "Received: "  
header's dotted quad octet. This data *has* to be genuine because it is  
the machine at that address which actually connected to his server.

As I recall, I said "By the numbers, I get..." for a clue as to why my  
results differed from all of their fruitless MX lookup results. It  
doesn't look like *we* are the ones out of our depth here.



Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

LOL Thanks for the update. As I recall it was Spam Guy I told about  
Hurricane Electric being the actual source of his zscaler spoofed spam  
- not Virus Guy at all. Don't these "Guys" talk to each other?



Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

On Fri, 15 Aug 2014 14:39:01 -0400, FromTheRafters wrote:


Multiple personality disorder at its finest(?) Troubled minds and s/h/it  
happens! Now expect some lame-ass rebuttal from ass@guy dot com.
:-)

Thane

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

Thane formulated on Friday :

I cannot find the post where I mentioned Hurricane Electric, but I  
found the thread where I said that I saw no zscaler in the *numbers*. I  
had looked up the number and found Hurricane Electric - but I was  
getting guff from the other posters who kept finding zscaler in the MX  
lookup so I may have decided to not send a composed post detailing what  
I had found.

Since I can't show proof, apologies to Virus Guy for my saying I  
previously told him about Hurricane Electric.

http://tinyurl.com/pecewva



Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

On Fri, 15 Aug 2014 15:41:54 -0400, FromTheRafters wrote:



S/h/it's a gracious guy (dot com) and I'm sure forgiveness will be  
granted. Don't expect a Christmas card though.

Thane

Re: Hackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

Virus Guy explained :

That's right, I didn't.


