IT Security Guru

The Mask infects users in more than 30 countries

by The Gurus
February 11, 2014
in Editor's News

A threat actor that has been running global cyber-espionage operations for the last seven years has been detected and named “The Mask”.
 
Also named Careto, it targets government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organisations and activists. Extremely sophisticated, it has hit victims in 31 countries and gathers sensitive data from the systems it has infected.
 
These include office documents, various encryption keys, VPN configurations, SSH keys (which identify a user to an SSH server, so a stolen key grants the thief the same access) and RDP files (saved connection settings that the Remote Desktop Client uses to open a connection to a remote computer automatically).
 
It uses two encryption layers, AES and RSA, to connect to its command and control centre, and its toolset contains a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS. Currently all known Careto command and control servers are offline after the operators began taking them down in January 2014.
 
Infection is generally by spear-phishing emails that send the user to a malicious website containing a number of exploits. The exploits are hosted in specific folders on the website, and the attackers also use subdomains on the exploit websites that mimic sub-sections of newspapers, including The Guardian and the Washington Post, so that the link looks like a news story.
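The lure described above is a brand name placed in a subdomain label of an attacker-controlled domain, which a casual reader takes for a newspaper section. The following is an added example, not code from the article or from Kaspersky, showing how a proxy log can be screened for that pattern: a hostname that carries a newspaper keyword but whose registrable domain is not one of the newspaper's real domains. The log lines, the `example.*` domains and the list of legitimate newspaper domains are constructed for the demonstration; the two-label suffix shortcut is an assumption that a real deployment would replace with the Public Suffix List.

```python
"""Flag hostnames that place a newspaper brand in a subdomain of an unrelated
(attacker-controlled) domain, the lure pattern described for the Careto sites.
Added example for this article; all log lines and domains are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Brand keyword -> registrable domains a genuine link would use.
# Assumption: these are the newspapers' real domains; they are not from the article.
LEGIT_DOMAINS = {
    "guardian": {"theguardian.com", "guardian.co.uk"},
    "washingtonpost": {"washingtonpost.com"},
}

# Constructed squid-style proxy log: "<unix_ts> <client_ip> <method> <url>".
SAMPLE_LOG = """\
1392076800.101 10.0.0.12 GET http://www.theguardian.com/world/europe-news
1392076802.417 10.0.0.12 GET http://www.guardian.co.uk/politics/live
1392076805.003 10.0.0.31 GET http://politics.guardian.example.net/story/1234
1392076807.288 10.0.0.31 GET http://washingtonpost.login.example.org/wp-dyn/content
1392076811.560 10.0.0.44 GET http://cdn.example.com/static/app.js
"""


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. guardian.co.uk).

    Assumption: a tiny two-label suffix set is enough for the sample data;
    a real deployment should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    two_label_suffixes = {"co.uk", "org.uk", "com.au"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_label_suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> Optional[str]:
    """Return the impersonated brand when a brand keyword appears in the hostname
    but the registrable domain is not one of that brand's real domains."""
    host = host.lower()
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return None          # genuine newspaper host, whatever the subdomain
        if brand in host:        # keyword present, registrable domain is foreign
            return brand
    return None


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host, impersonated_brand) for every lookalike request."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        brand = is_lookalike(host)
        if brand:
            hits.append((client, host, brand))
    return hits


if __name__ == "__main__":
    for client, host, brand in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} requested {host} (looks like {brand})")
```

The check deliberately keys on the registrable domain rather than on the full hostname, because the attacker controls every label to the left of it; a genuine `politics.theguardian.com` passes while `politics.guardian.example.net` does not.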
 
The Mask uses multiple vectors for attack, including at least one Adobe Flash Player exploit from 2012. Kaspersky said that what makes The Mask special is the complexity of the toolset and a customised attack against older Kaspersky products in order to hide in the system.
 
Costin Raiu, director of the global research and analysis team at Kaspersky Lab, said: “This level of operational security is not normal for cyber criminal groups. From infrastructure management, shutdown of the operation, avoiding curious eyes through access rules to using wiping instead of deletion of log files. These combine to put this APT ahead of Duqu in terms of sophistication, making it one of the most advanced threats at the moment.”
 
Commenting, Tim ‘TK’ Keanini, CTO at Lancope, said that this was not the first, and certainly not the last, of these types of threats.
 
He said: “I hope that, by now, everyone can see that the game has changed. It used to be that it was all about getting inside the network, but now it is all about remaining hidden. As you can see in these reports, once detected, the operation needs to roll up and shut down – at least for some period while they retool and unfortunately evolve to their next level. Making it hard for these people to hide is the only way you can combat them because it changes their cost structure and makes it more expensive for them to operate.
 
“The report also highlights both standard operating systems as well as mobile. Those looking at the Internet of Things take note, because that only expands the target surface for this type of threat and the number of applications that need to be updated and patched. More endpoints to penetrate, more places to hide and take up residence.
 
“With credentials like SSH key material stolen, folks should be on high alert right now regarding anomalous connectivity. They should go back and analyse the SSH traffic (client and server) via NetFlow/IPFIX records, as these act as the general ledger of the network and are the only chance to spot bad guys when they have credentialed and encrypted access. If you are a person of interest to these bad guys, and they have been in operation since 2007, my guess is that you will find something you won’t like.”
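Keanini's point is that a stolen SSH key gives the attacker a valid, encrypted session, so the payload is invisible and only the connection metadata is left to inspect. The following added example (not a Lancope or Kaspersky tool, and not from the article) shows what such a review of NetFlow/IPFIX records can look like: build a baseline of which client hosts talk SSH to which servers, at what hours and with what volume, then flag review-period flows from clients that never used SSH, new client-to-server pairs, and known pairs that appear at unusual hours or move far more data than before. The flow records and the flat six-field export layout are constructed for the demonstration; a real export would be read from the collector.

```python
"""Screen SSH flows in NetFlow/IPFIX-style records against a baseline of
normal client->server behaviour. Added example for this article; the records
below are constructed and the flat export format is an assumption."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SSH_PORT = 22

# Constructed flow export, one flow per line:
# start_time,src_ip,dst_ip,dst_port,bytes_out,duration_s
BASELINE_FLOWS = """\
2014-01-06T09:02:11,10.0.1.15,10.0.9.5,22,18240,41
2014-01-06T09:40:53,10.0.1.15,10.0.9.5,22,22310,63
2014-01-07T10:11:02,10.0.1.22,10.0.9.5,22,9801,20
2014-01-07T11:25:48,10.0.1.22,10.0.9.6,22,12055,35
2014-01-08T08:59:30,10.0.1.15,10.0.9.6,22,4410,12
"""

REVIEW_FLOWS = """\
2014-02-03T03:14:07,10.0.1.15,10.0.9.5,22,20144,55
2014-02-03T03:21:40,10.0.1.15,10.0.9.7,22,73300,900
2014-02-03T03:30:12,10.0.4.88,10.0.9.5,22,5121,18
2014-02-03T11:02:55,10.0.1.22,10.0.9.6,22,11844,29
2014-02-03T11:05:10,10.0.1.22,10.0.9.6,443,8000,4
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the flat export into dicts; non-SSH flows are kept and filtered later."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, src, dst, dport, nbytes, dur = line.split(",")
        flows.append({
            "start": datetime.fromisoformat(start),
            "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "duration": int(dur),
        })
    return flows


def ssh_baseline(flows: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Per (client, server) pair: flow count, largest flow, longest flow, hours seen."""
    base = defaultdict(lambda: {"count": 0, "max_bytes": 0, "max_dur": 0, "hours": set()})
    for f in flows:
        if f["dport"] != SSH_PORT:
            continue
        b = base[(f["src"], f["dst"])]
        b["count"] += 1
        b["max_bytes"] = max(b["max_bytes"], f["bytes"])
        b["max_dur"] = max(b["max_dur"], f["duration"])
        b["hours"].add(f["start"].hour)
    return base


def find_anomalies(baseline, flows: List[dict], factor: float = 3.0):
    """Return (start, src, dst, reasons) for SSH flows outside the baseline.

    The hour check is deliberately strict (any unseen hour fires); with a short
    baseline it is a prompt for a human to look, not a verdict on its own.
    """
    known_clients = {src for src, _ in baseline}
    findings = []
    for f in flows:
        if f["dport"] != SSH_PORT:
            continue
        key = (f["src"], f["dst"])
        reasons = []
        if f["src"] not in known_clients:
            reasons.append("client never seen using SSH")
        elif key not in baseline:
            reasons.append("new client->server pair")
        else:
            b = baseline[key]
            if f["start"].hour not in b["hours"]:
                reasons.append("outside usual hours")
            if f["bytes"] > factor * b["max_bytes"]:
                reasons.append("bytes >%gx historic max" % factor)
            if f["duration"] > factor * b["max_dur"]:
                reasons.append("duration >%gx historic max" % factor)
        if reasons:
            findings.append((f["start"].isoformat(), f["src"], f["dst"], reasons))
    return findings


if __name__ == "__main__":
    base = ssh_baseline(parse_flows(BASELINE_FLOWS))
    for start, src, dst, reasons in find_anomalies(base, parse_flows(REVIEW_FLOWS)):
        print(f"{start} {src} -> {dst}: {', '.join(reasons)}")
```

Run against the constructed data, the 03:14 session from a known client to a known server is flagged only for its hour, the 03:21 session is a pair that never existed in the baseline, and the 03:30 session comes from a host that has no SSH history at all; the legitimate 11:02 session and the HTTPS flow produce nothing. In practice the baseline would be weeks of records, and the same keying on (client, server) pairs works for RDP on port 3389 and for VPN endpoints, the other credentials the article lists as stolen.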
 
Jaime Blasco, director of AlienVault Labs, said: “Due to the technical skills and the way they operated the whole thing, I have to say whoever is behind this are real professionals and it will be hard to uncover who is behind the Mask unless they made mistakes operating the infrastructure.”

Tags: APT, attack, Malware